Here's a quick and easy way to delegate the management of existing Group Policy Objects in your domain.
Set-GPPermission-All-Domain"halo.net"-TargetTypeGroup-TargetName"Domain Local - Halo GPO Edit 1"-PermissionLevelGpoEdit
What's going on here then?
-All... well, that tells Set-GPPermission to apply the new Access Control Entry (ACE) to all the GPOs in the domain
-Domain... our target domain
-TargetType... the security principal associated with the new delegated permission (User / Group / Computer)
-TargetName... the name of the security principal
-PermissionLevel... the delegated permission granted to the security principal
The values accepted by the -PermissionLevel parameter are listed below:
- GpoApply
- GpoEdit
- GpoEditDeleteModifySecurity
- GpoRead
- None
If a permission level already exists on your GPOs for your target security principal then you can use the -Replace switch to update the existing permission with the new permission.
Here's how to set the permission on a single GPO. This time the -All parameter is replaced by -Name and the name of the target GPO is supplied. You can also use -Guid rather than -Name.
Set-GPPermission-Name"Test_GPO"-Domain"halo.net"-TargetTypeGroup-TargetName"Domain Local - Halo GPO Read 1"-PermissionLevelGpoRead
TTFN!