Skip to main content

Register-DMGPPermission

SYNOPSIS

Registers a GP permission as the desired state.

SYNTAX

ExplicitNoChange

Register-DMGPPermission -GpoName <string> -NoPermissionChange [-Managed] [-ContextName <string>]
[<CommonParameters>]

Explicit

Register-DMGPPermission -GpoName <string> -Identity <string> -ObjectClass <string>
-Permission <string> [-Deny] [-Managed] [-ContextName <string>] [<CommonParameters>]

FilterNoChange

Register-DMGPPermission -Filter <string> -NoPermissionChange [-Managed] [-ContextName <string>]
[<CommonParameters>]

Filter

Register-DMGPPermission -Filter <string> -Identity <string> -ObjectClass <string>
-Permission <string> [-Deny] [-Managed] [-ContextName <string>] [<CommonParameters>]

AllNoChange

Register-DMGPPermission -All -NoPermissionChange [-Managed] [-ContextName <string>]
[<CommonParameters>]

All

Register-DMGPPermission -All -Identity <string> -ObjectClass <string> -Permission <string> [-Deny]
[-Managed] [-ContextName <string>] [<CommonParameters>]

DESCRIPTION

Registers a GP permission as the desired state.

Permissions can be applied in three ways:

  • Explicitly to a specific GPO
  • To ALL GPOs
  • To GPOs that match a specific filter string.

For defining filter conditions, see the help on Register-DMGPPermissionFilter.

Another important concept is the "Managed" concept. By default, all GPOs are considered unmanaged, where GP Permissions are concerned. This means, any additional permissionss that have been applied are ok. By setting a GPO's permissions under management - by applying a permission rule that uses the -Managed parameter - any permissions not defined for it will be removed.

EXAMPLES

EXAMPLE 1

Get-Content .\gpopermissions.json | ConvertFrom-Json | Write-Output | Register-DMGPPermission

Reads all settings from the provided json file and registers them.

PARAMETERS

-All

This access rule applies to ALL GPOs.

Type: System.Management.Automation.SwitchParameter
DefaultValue: False
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: AllNoChange
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: All
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ContextName

The name of the context defining the setting. This allows determining the configuration set that provided this setting. Used by the ADMF, available to any other configuration management solution.

Type: System.String
DefaultValue: <Undefined>
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Deny

Whether to create a Deny rule, rather than an Allow rule.

Type: System.Management.Automation.SwitchParameter
DefaultValue: False
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: All
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Filter
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Explicit
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Filter

The filter condition governing, what GPOs these permissions apply to. A filter string can consist of the following elements:

  • Names of filter conditions
  • Logical operators
  • Parenthesis

Example filter strings:

  • 'IsManaged'
  • 'IsManaged -and -not (IsDomainDefault -or IsDomainControllerDefault)'
  • '-not (IsManaged) -and (IsTier1 -or IsSupport)'
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: FilterNoChange
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Filter
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-GpoName

Name of the GPO this permission applies to. Subject to string insertion.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: ExplicitNoChange
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Explicit
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Identity

The group or user to assign permissions to. Subject to string insertion.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: All
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Filter
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Explicit
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Managed

Whether the affected GPOs should be considered "Under Management". A GPO "Under Management" will have all non-defined permissions removed.

Type: System.Management.Automation.SwitchParameter
DefaultValue: False
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-NoPermissionChange

Disable application of a set of permissions. Setting this flag allows defining a rule that only applies the "Managed" state (see below).

Type: System.Management.Automation.SwitchParameter
DefaultValue: False
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: AllNoChange
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: FilterNoChange
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: ExplicitNoChange
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-ObjectClass

What kind of object the assigned identity is. Can be any legal object class in AD. Only object classes that have a SID should be chosen though (otherwise, assigning permissions to it gets kind of difficult).

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: All
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Filter
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Explicit
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

-Permission

What kind of permission to grant.

Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: All
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Filter
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
- Name: Explicit
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.