5

According to Microsoft the cmdlet Set-GPPermissions accepts the option "-replace":

"This ensures that the existing permission level is replaced by the new permission level."

I import a GPO from PowerShell. After that I want to set the security filters. After importing, before setting the security filter, the Security Filtering of the GPO is "Authenticated Users". Now I want to remove that filter option and replace it with "myGroup". To do so I use the following command:

Set-GPPermissions -Name "myGPO" -PermissionLevel GpoApply -TargetName "myGroup" -TargetType Group -replace

The result is that a new security filter is added which references "myGroup", but the group "Authenticated Users" is not being removed. The PowerShell cmdlet is not replacing the filter, it's adding it.

Hints?

Thanks in advance!

user1458620

3 Answers

3

As documented on the page you referenced, the command would replace already existing permissions of a group "myGroup". It won't replace permissions for a group "Authenticated Users" with permissions for a group "myGroup". Quoting from TechNet:

-Replace <SwitchParameter>

Specifies that the existing permission level for the group or user is removed before the new permission level is set.

You'll have to use Set-GPPermissions to grant permissions to "myGroup" and Set-GPPermissions -TargetName "Authenticated Users" -PermissionLevel None to remove permissions for "Authenticated Users".

Community
Ansgar Wiechers
2

I found that it's sufficient to set the "Authenticated Users" permission level to None like this:

Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group 

That removed the "Authenticated Users" security filter.

user1458620
2

I think you should have accepted Ansgar's or user1458620's answer; they're correct. Here is a final solution incorporating the same:

$gpo | Set-GPPermissions -Replace -PermissionLevel None -TargetName 'Authenticated Users' -TargetType group 
$gpo | Set-GPPermissions -PermissionLevel gpoapply -TargetName 'MyGroup' -TargetType group 
Andrey
    If you are getting a confirmation prompt and want to get rid of it, use `dsacls` instead, see [this answer](https://stackoverflow.com/a/60371989/11942268). – stackprotector Apr 19 '22 at 14:23
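The two-step change from the answers above, wrapped in a function that reads the ACL back to confirm the result; this is an added example, not code from any of the posters. The function name `Set-GpoSecurityFilter` and its parameters are hypothetical, and the optional `GpoRead` level (keep read access for "Authenticated Users" while dropping apply) goes slightly beyond what the answers show.

```powershell
#Requires -Modules GroupPolicy

# Hypothetical helper (added example): swap the security filter of a GPO
# from "Authenticated Users" to a single group and verify the outcome.
function Set-GpoSecurityFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ApplyGroup,
        # None removes the trustee from the GPO, as in the answers.
        # GpoRead leaves it able to read the GPO without applying it.
        [ValidateSet('None', 'GpoRead')]
        [string] $AuthenticatedUsersLevel = 'None'
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # Grant apply rights to the new group first, so the GPO is never
    # left without any trustee that can apply it.
    Set-GPPermission -Guid $gpo.Id -TargetName $ApplyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # -Replace only affects the trustee named in -TargetName: the existing
    # GpoApply entry for "Authenticated Users" is removed before the lower
    # level is written. It never touches other trustees.
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel $AuthenticatedUsersLevel `
        -Replace | Out-Null

    # Read the permissions back and return every trustee that can still
    # apply the GPO, so the caller can check the filter.
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# Usage with the names from the question.
$appliesTo = Set-GpoSecurityFilter -GpoName 'myGPO' -ApplyGroup 'myGroup'
if ($appliesTo -contains 'Authenticated Users') {
    Write-Warning '"Authenticated Users" can still apply the GPO.'
}
$appliesTo
```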