Configuration-driven Active Directory management.
Registers a GP permission as the desired state.
Register-DMGPPermission -GpoName <String> [-NoPermissionChange] [-Managed] [-ContextName <String>] [<CommonParameters>]
Register-DMGPPermission -GpoName <String> -Identity <String> -ObjectClass <String> -Permission <String> [-Deny] [-Managed] [-ContextName <String>] [<CommonParameters>]
Register-DMGPPermission -Filter <String> [-NoPermissionChange] [-Managed] [-ContextName <String>] [<CommonParameters>]
Register-DMGPPermission -Filter <String> -Identity <String> -ObjectClass <String> -Permission <String> [-Deny] [-Managed] [-ContextName <String>] [<CommonParameters>]
Register-DMGPPermission [-All] [-NoPermissionChange] [-Managed] [-ContextName <String>] [<CommonParameters>]
Register-DMGPPermission [-All] -Identity <String> -ObjectClass <String> -Permission <String> [-Deny] [-Managed] [-ContextName <String>] [<CommonParameters>]
Permissions can be applied in three ways:
For defining filter conditions, see the help on Register-DMGPPermissionFilter.
Another important concept is the “Managed” concept. By default, all GPOs are considered unmanaged where GP permissions are concerned. This means any additional permissions that have been applied are OK. Placing a GPO’s permissions under management, by applying a permission rule that uses the -Managed parameter, causes any permissions not defined for it to be removed.
Get-Content .\gpopermissions.json | ConvertFrom-Json | Write-Output | Register-DMGPPermission
Reads all settings from the provided json file and registers them.
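A pre-flight check for such a JSON file, as an added example that is not part of the DomainManagement module or its documentation: the hypothetical helper Test-GPPermissionRule checks each entry against the parameter sets in the syntax above and lists the -Managed rules, which remove undefined permissions. The GPO names, identities and the Permission values GpoEdit and GpoRead are assumptions, and the third entry is deliberately invalid.

```powershell
# Constructed sample; GPO names, identities and Permission values are assumptions.
# The third entry is deliberately invalid (NoPermissionChange plus a permission grant).
$json = @'
[
  { "GpoName": "Workstation Baseline", "Identity": "CONTOSO\\GPO-Editors", "ObjectClass": "group", "Permission": "GpoEdit" },
  { "GpoName": "Workstation Baseline", "NoPermissionChange": true, "Managed": true },
  { "All": true, "Identity": "CONTOSO\\Helpdesk", "ObjectClass": "group", "Permission": "GpoRead", "NoPermissionChange": true }
]
'@

function Test-GPPermissionRule {
    # Hypothetical helper: validates one entry against the documented parameter sets.
    param ([Parameter(Mandatory)] $Rule)
    $problems = @()
    # Exactly one targeting parameter selects the Explicit, Filter or All sets.
    $targets = @('GpoName', 'Filter', 'All' | Where-Object { $Rule.$_ })
    if ($targets.Count -ne 1) { $problems += "needs exactly one of GpoName, Filter, All (found $($targets.Count))" }
    $grant = @('Identity', 'ObjectClass', 'Permission' | Where-Object { $Rule.$_ })
    if ($Rule.NoPermissionChange) {
        if ($grant.Count -or $Rule.Deny) { $problems += 'NoPermissionChange cannot be combined with Identity, ObjectClass, Permission or Deny' }
    }
    elseif ($grant.Count -ne 3) { $problems += 'Identity, ObjectClass and Permission are all required' }
    [pscustomobject]@{
        Target   = ($targets | ForEach-Object { "$_=$($Rule.$_)" }) -join ','
        Managed  = [bool]$Rule.Managed
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

$rules  = @($json | ConvertFrom-Json | Write-Output)
$report = foreach ($rule in $rules) { Test-GPPermissionRule -Rule $rule }
$report | Format-Table -AutoSize -Wrap

# Managed rules remove every permission that is not defined, so surface them for review.
$report | Where-Object Managed | ForEach-Object { Write-Warning "Managed rule: $($_.Target)" }

# Register only when every entry is valid and the command is available in this session.
$invalid = @($report | Where-Object { -not $_.Valid })
if ($invalid.Count -eq 0 -and (Get-Command Register-DMGPPermission -ErrorAction Ignore)) {
    $rules | Register-DMGPPermission
}
```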
Name of the GPO this permission applies to. Subject to string insertion.
Type: String
Parameter Sets: ExplicitNoChange, Explicit
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The filter condition governing which GPOs these permissions apply to. A filter string can consist of the following elements:
Example filter strings:
Type: String
Parameter Sets: FilterNoChange, Filter
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
This access rule applies to ALL GPOs.
Type: SwitchParameter
Parameter Sets: AllNoChange, All
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The group or user to assign permissions to. Subject to string insertion.
Type: String
Parameter Sets: Explicit, Filter, All
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
What kind of object the assigned identity is. Can be any legal object class in AD. Only object classes that have a SID should be chosen though (otherwise, assigning permissions to it gets kind of difficult).
Type: String
Parameter Sets: Explicit, Filter, All
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
What kind of permission to grant.
Type: String
Parameter Sets: Explicit, Filter, All
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Whether to create a Deny rule, rather than an Allow rule.
Type: SwitchParameter
Parameter Sets: Explicit, Filter, All
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Disable application of a set of permissions. Setting this flag allows defining a rule that only applies the “Managed” state (see below).
Type: SwitchParameter
Parameter Sets: ExplicitNoChange, FilterNoChange, AllNoChange
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Whether the affected GPOs should be considered “Under Management”. A GPO “Under Management” will have all non-defined permissions removed.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The name of the context defining the setting. This allows determining the configuration set that provided this setting. Used by the ADMF, available to any other configuration management solution.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: <Undefined>
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.