
Remove Group Policy Permissions


PowerShell for Active Directory Group Policy has a couple of ways to get permissions: if you get the GPO with Get-GPO, then $_.GetSecurityInfo() returns permission objects. Also, Get-GPPermission will get the same objects. You can write the permissions with $_.SetSecurityInfo() and with Set-GPPermission. But how do you simply remove a permission object, e.g. where the $_.Trustee.SidType is Unknown? You cannot use Set-GPPermission, because it requires a TargetType, and 'Unknown' is not a valid TargetType. The SetSecurityInfo() method has no documentation that I can find. So, the question is: given the existing permissions of a GPO, how do you remove the permission object where the $_.SidType is Unknown?

The method to remove a permission with unknown SID is undocumented.


Solution

  • GetSecurityInfo() returns a GPPermissionCollection object.

    Remove the appropriate entries from the collection:

    # $gpo holds the GPO object, e.g. from Get-GPO -Name '<your GPO name>'
    # fetch current permission entries (a GPPermissionCollection)
    $perms = $gpo.GetSecurityInfo()

    # identify trustees whose SID no longer resolves to an account
    $trusteesToRemove = $perms.Trustee | Where-Object { $_.SidType -eq 'Unknown' }

    # remove every entry for those trustees from the collection
    $trusteesToRemove | ForEach-Object {
        $perms.RemoveTrustee($_.Sid)
    }

    Once modified, pass the collection object back to SetSecurityInfo():

    $gpo.SetSecurityInfo($perms)
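An added example, not part of the question or the answer above, that applies the same GetSecurityInfo()/RemoveTrustee/SetSecurityInfo approach to every GPO in the domain: it first reports each unresolved trustee and, unless run with -DryRun, backs the GPO up with Backup-GPO before rewriting its permissions. The backup path and the -DryRun switch are assumptions of this script; the RemoveTrustee call follows the answer's usage.

```powershell
# Added example: audit all GPOs for permission entries whose trustee SID cannot
# be resolved (SidType 'Unknown'), then remove them after taking a backup.
param(
    [string]$BackupPath = 'C:\GPO-Backups',   # assumed path; change for your environment
    [switch]$DryRun                            # report only, change nothing
)

Import-Module GroupPolicy

if (-not $DryRun -and -not (Test-Path $BackupPath)) {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}

foreach ($gpo in Get-GPO -All) {
    # GetSecurityInfo() returns the GPPermissionCollection for this GPO
    $perms = $gpo.GetSecurityInfo()

    # orphaned entries: the trustee SID no longer maps to a user, group or computer
    $orphans = @($perms | Where-Object { $_.Trustee.SidType -eq 'Unknown' })
    if ($orphans.Count -eq 0) { continue }

    foreach ($entry in $orphans) {
        Write-Output ('{0}: unresolved trustee {1} holds {2}' -f `
            $gpo.DisplayName, $entry.Trustee.Sid, $entry.Permission)
    }

    if ($DryRun) { continue }

    # keep a restorable copy of the GPO before touching its ACL
    Backup-GPO -Guid $gpo.Id -Path $BackupPath | Out-Null

    # remove all entries for each orphaned trustee (same call as in the answer)
    foreach ($entry in $orphans) {
        $perms.RemoveTrustee($entry.Trustee.Sid) | Out-Null
    }

    # write the modified collection back to the GPO
    $gpo.SetSecurityInfo($perms)
    Write-Output ('{0}: removed {1} orphaned entr(y/ies)' -f $gpo.DisplayName, $orphans.Count)
}
```

Run it once with -DryRun to review the report, then without it to apply the changes; Restore-GPO can bring back any GPO from the backup directory if a removal turns out to be wrong.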