This script grants the specified security permission level to a user or group for all GPOs in the domain, even GPOs not linked to an Active Directory node. The Replace switch is very useful: it can remove the existing permissions and replace them with new permissions. If you specify a permission for a security group that already exists on the permission list for the GPO, the higher of the two permissions will be placed on the security group (unless you used the Replace switch).
Usage: GrantPermissionOnAllGPOs.wsf GroupName /Permission:value [/Replace] [/Q] [/Domain:value]
GroupName: Security principal to grant permissions to.
Permission: Permission level to set. Can be "Read," "Apply," "Edit," "FullEdit," or "None."
Replace: Specifies that any existing permissions should be replaced.
Q: Quiet mode - no warning will be displayed before executing the script.
Domain: DNS name of domain.
2. SetGPOCreationPermissions.wsf
This script grants or removes the ability to create GPOs in a domain for a given security group or user.
Syntax
Usage: SetGPOCreationPermissions.wsf Group [/Remove] [/Domain:value]
Group: Security group to grant GPO creation rights to.
Remove: Removes the permission instead of granting it.
Domain: DNS name of domain.
Example & Output
This script grants the GPO Admins security group the ability to create GPOs in the domain.
cscript SetGPOCreationPermissions.wsf "GPO Admins"
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Added 'GPO Admins' as having GPO creation rights in Fabrikam.com.
This script configures the GPO Admins security group with Edit permission on all GPOs in the domain.
cscript GrantPermissionOnAllGPOs.wsf "GPO Admins" /Permission:Edit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Warning! By executing this script, all GPOs in the target domain will be updated with the
desired security setting.
Both the Active Directory and Sysvol portions of the GPO will be updated. This will result in
the Sysvol contents of every GPO being copied to all replica domain controllers, and may cause
excessive replication traffic in your domain.
If you have slow network links or restricted bandwidth between your domain controllers, you
should check the amount of data on the Sysvol that would be replicated before performing
this task.
Do you want to proceed? [Y/N] y
Updated GPO 'Default Domain Policy' to 'Edit' for GPO Admins
Updated GPO 'Default Domain Controllers Policy' to 'Edit' for GPO Admins
3. SetGPOPermissions.wsf
This script sets permissions on the specified GPO for the specified group. Unlike the other scripts, which list their syntax or generate output when run without arguments, this script errors out if you do not supply its arguments.
Syntax
Usage: SetGPOPermissions.wsf <GPOName> <GroupName> /Permission:<PermissionLevel> [/Replace] [/Domain:<DNSDomainName>]
GPOName: The name of the GPO to process.
GroupName: The security principal to grant permissions to.
Permission: Permission level to set. Can be "Read," "Apply," "Edit," "FullEdit," or "None."
Replace: Specifies that any existing permissions should be replaced.
Domain: DNS name of domain.
Example & Output
This script configures the Server Operators security group with Edit permission only on the GPO named Hardened Server GPO.
cscript SetGPOPermissions.wsf "Hardened Server GPO" "Server Operators" /Permission:Edit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Modified GPO Hardened Server GPO to give Server Operators Edit rights.
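To review the result of the permission changes made by GrantPermissionOnAllGPOs.wsf and SetGPOPermissions.wsf, the following PowerShell lists every trustee that holds Edit or FullEdit-level rights on any GPO in a domain. This is an added example, not one of the GPMC sample scripts described here; it assumes the GroupPolicy module that ships with GPMC/RSAT is installed, and the function name Get-GpoEditors is hypothetical.

```powershell
# Added example: report which principals can modify GPOs in a domain.
# Assumes the GroupPolicy module (GPMC/RSAT) and read access to every GPO.
Import-Module GroupPolicy

function Get-GpoEditors {
    param(
        # DNS name of the domain to audit; defaults to the logged-on user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # GroupPolicy module names for the scripts' "Edit" and "FullEdit" levels.
    # GpoCustom entries are not matched here and need manual review.
    $writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            Where-Object { $writeLevels -contains $_.Permission.ToString() } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Sid        = $_.Trustee.Sid.Value
                    Permission = $_.Permission
                }
            }
    }
}

# One row per (trustee, GPO) pair, sorted so each principal's reach is visible.
Get-GpoEditors | Sort-Object Trustee, Gpo | Format-Table -AutoSize
```

The report covers permissions on existing GPOs only; GPO creation rights granted with SetGPOCreationPermissions.wsf are not included in it.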