[英]Setting GPO security filter with powershell Set-GPPermissions cmdlet
According to Microsoft the cmdlet Set-GPPermissions accepts the option "-replace": 根据Microsoft的说法,cmdlet Set-GPPermissions接受选项“-replace”:
"This ensures that the existing permission level is replaced by the new permission level."
“这可确保现有权限级别被新的权限级别替换。”
I import a GPO from PowerShell. 我从PowerShell导入GPO。 After that I want to set the security filters.
之后我想设置安全过滤器。 After importing, before setting the security filter, the Security Filtering of the GPO is "Authenticated Users".
导入之后,在设置安全筛选器之前,GPO的安全筛选是“经过身份验证的用户”。 Now I want to remove that filter option and replace it with "myGroup".
现在我想删除该过滤器选项并将其替换为“myGroup”。 To do so I use the following command:
为此,我使用以下命令:
Set-GPPermissions -Name "myGPO" -PermissionLevel GpoApply -TargetName "myGroup" -TargetType Group -replace
The results are that there is a new security filter added which references "myGroup", but the Group "Authenticated Users" is not being removed. 结果是添加了一个引用“myGroup”的新安全筛选器,但未删除“Authenticated Users”组。 The Powershell cmdlet is not replacing the filter, it's adding it.
Powershell cmdlet不会替换过滤器,而是添加它。
Hints? 提示?
Thanks in advance! 提前致谢!
As documented on the page you referenced, the command would replace already existing permissions
of a group "myGroup". 如您引用的页面上所述,该命令将替换组“myGroup”的现有
permissions
。 It won't replace permissions for a group "Authenticated Users" with permissions for a group "myGroup". 它不会替换具有“myGroup”组权限的“Authenticated Users”组的权限。 Quoting from Technet :
引自Technet :
-Replace < SwitchParameter >
- 替换<SwitchParameter>
Specifies that the existing permission level for the group or user is removed before the new permission level is set.
指定在设置新权限级别之前删除组或用户的现有权限级别。
You'll have to use Set-GPPermissions
to grant permissions to "myGroup" and Set-GPPermissions -TargetName "Authenticated Users -PermissionLevel None
to remove permissions for "Authenticated Users". 您必须使用
Set-GPPermissions
向“myGroup”授予权限,并使用Set-GPPermissions -TargetName "Authenticated Users -PermissionLevel None
以删除“Authenticated Users”的权限。
I found that it's sufficient to set the Authenticated User permissionlevel to none like this: 我发现将Authenticated User权限级别设置为none就足够了:
Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group
That removed the "Authenticated Users" security filter. 这删除了“Authenticated Users”安全过滤器。
I think you should have accepted Ansgar's or user1458620's answer; 我想你应该接受Ansgar或者用户1458620的答案; they're correct.
他们是对的。 Here is a final solution incorporating the same:
以下是包含相同内容的最终解决方案:
$gpo | Set-GPPermissions -Replace -PermissionLevel None -TargetName 'Authenticated Users' -TargetType group
$gpo | Set-GPPermissions -PermissionLevel gpoapply -TargetName 'MyGroup' -TargetType group
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.