
Setting GPO security filter with powershell Set-GPPermissions cmdlet

According to Microsoft the cmdlet Set-GPPermissions accepts the option "-replace":

"This ensures that the existing permission level is replaced by the new permission level."

I import a GPO from PowerShell. After that I want to set the security filters. After importing, before setting the security filter, the Security Filtering of the GPO is "Authenticated Users". Now I want to remove that filter option and replace it with "myGroup". To do so I use the following command:

Set-GPPermissions -Name "myGPO" -PermissionLevel GpoApply -TargetName "myGroup" -TargetType Group -replace

The result is that a new security filter is added which references "myGroup", but the group "Authenticated Users" is not being removed. The PowerShell cmdlet is not replacing the filter, it's adding it.

Hints?

Thanks in advance!

As documented on the page you referenced, the command would replace already existing permissions of a group "myGroup". It won't replace permissions for a group "Authenticated Users" with permissions for a group "myGroup". Quoting from TechNet:

-Replace <SwitchParameter>

Specifies that the existing permission level for the group or user is removed before the new permission level is set.

You'll have to use Set-GPPermissions to grant permissions to "myGroup" and Set-GPPermissions -TargetName "Authenticated Users" -PermissionLevel None to remove permissions for "Authenticated Users".

I found that it's sufficient to set the Authenticated User permission level to none like this:

Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group 

That removed the "Authenticated Users" security filter.

I think you should have accepted Ansgar's or user1458620's answer; they're correct. Here is a final solution incorporating the same:

$gpo | Set-GPPermissions -Replace -PermissionLevel None -TargetName 'Authenticated Users' -TargetType group 
$gpo | Set-GPPermissions -PermissionLevel gpoapply -TargetName 'MyGroup' -TargetType group 
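
The two-step change from the answers above, wrapped with a verification pass; this is an added example, not code from the thread. The function name Set-GpoSecurityFilter and its parameters are hypothetical, and it assumes the GroupPolicy module is available on a domain-joined admin host.

```powershell
#Requires -Modules GroupPolicy
# Added example: hypothetical helper, not part of the original answers.
function Set-GpoSecurityFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoName,    # e.g. "myGPO"
        [Parameter(Mandatory)] [string] $GroupName,  # e.g. "myGroup"
        # Level left on Authenticated Users: None removes the entry (as in the
        # answers); GpoRead keeps read access without apply rights.
        [ValidateSet('None', 'GpoRead')] [string] $AuthUsersLevel = 'None'
    )

    if ($PSCmdlet.ShouldProcess($GpoName, "Filter to '$GroupName'")) {
        # Grant the new group first so the GPO is never left without an apply target.
        Set-GPPermissions -Name $GpoName -TargetName $GroupName -TargetType Group `
            -PermissionLevel GpoApply -ErrorAction Stop | Out-Null

        # -Replace removes this trustee's existing level before the new one is set;
        # it never touches the entries of other trustees.
        Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel $AuthUsersLevel -Replace `
            -ErrorAction Stop | Out-Null
    }

    # Verify: list every trustee that still holds apply rights on the GPO.
    $appliers = Get-GPPermissions -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    if ($appliers -contains 'Authenticated Users') {
        Write-Warning "'Authenticated Users' still has GpoApply on '$GpoName'."
    }
    $appliers
}

# Dry run: reports the planned change, then prints the current apply list.
Set-GpoSecurityFilter -GpoName 'myGPO' -GroupName 'myGroup' -WhatIf
```

Run it once with -WhatIf to see which trustees currently apply the GPO, then without it to make the change and confirm that only the intended group is returned.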
