November 03, 2003 12:00 AM

Scripting Group Policy Permissions

Create and apply permissions to GPOs, SOMs, and WMI filters
Windows IT Pro
InstantDoc ID #40517
Downloads: 40517.zip

The Group Policy Management Console (GPMC), the Microsoft Management Console (MMC) snap-in that Microsoft released for Windows Server 2003, installs COM objects that support automation through scripting, opening up a world of possibilities when dealing with Active Directory (AD) Group Policy Objects (GPOs). (For details about the GPMC, see "Related Reading.") Building on the capabilities I discuss in "Scripting Group Policy Searches," November 2003, http://www.winnetmag.com/windowsscripting, InstantDoc ID 40231, and "Scripting Group Policy Objects," October 2003, InstantDoc ID 39856, you can use the GPM objects to add or remove the predefined permission sets (for example, Read and Apply Group Policy on a GPO) for security principals on GPOs, Scope of Management (SOM) objects, and Windows Management Instrumentation (WMI) filters. The GPM objects create only Allow entries from those predefined sets; to set Deny or Custom permissions on these objects, you still need to use Active Directory Service Interfaces (ADSI) tools such as IADsSecurityDescriptor or Microsoft's adssecurity.dll.

Setting Permissions on a GPO
Let's begin by using the GPM objects to set permissions in a GPO's ACL, which determines (through security filtering) which users and computers can read and apply the GPO. The ability to use the GPM objects to grant Read and Apply Group Policy permissions according to security-group membership is extremely useful. For example, suppose you want a security group containing several computers in an organizational unit (OU) in your domain to have access to a GPO linked to that OU, but those computers are currently denied access to the GPO. The script that Listing 1 shows, SettingGPOPermissions.vbs, creates a new Read and Apply Group Policy permission for the group, connects to the GPO, removes the group's existing permission entries (including the ones that deny the group access to the GPO), and adds the new permission in their place.

The code at callout A in Listing 1 defines constants that you'll need to change to suit your environment: the GPO's globally unique identifier (GUID), the domain name, and the security group. The script then creates the GPM object, obtains a GPMConstants object (through the GPM object's GetConstants method) that holds the named values the rest of the script uses, and connects to the domain and then to the GPO.

Next, the script uses the GPM object's CreatePermission method to create the new permission; use this method any time you script the GPM objects to create a permission for a GPO, SOM, or WMI filter. The method takes three parameters. The first parameter is the trustee (i.e., the AD user, computer, or security group to which the permission applies). The second parameter is the permission to apply, expressed as one of the GPMConstants values whose names begin with the Perm prefix (e.g., PermGPORead, PermGPOApply, PermGPOEdit). The third parameter is a Boolean value indicating whether objects beneath the target in AD (for a SOM, its child OUs) should inherit the permission. SettingGPOPermissions.vbs passes the name of the trustee (i.e., the GROUP security group), the constant that represents the Read and Apply Group Policy permissions (i.e., PermGPOApply), and True (indicating that child objects should inherit the permission). CreatePermission resolves the trustee name when it runs, so a mistyped group name fails at this step, before the script touches the GPO.

The script then uses the GPMGPO object's GetSecurityInfo method to retrieve the GPO's existing permissions as a GPMSecurityInfo collection. This collection typically contains many entries (for other trustees, and inherited entries), so you should remove and replace only the specific entries you're interested in rather than build a new collection from scratch. To remove the entries that apply to the group, SettingGPOPermissions.vbs uses the GPMSecurityInfo object's RemoveTrustee method, passing the group's SAM name (i.e., domain\name). Be aware that RemoveTrustee drops every entry the trustee holds, Allow and Deny alike, so a group that also had Edit rights loses them too unless you add them back. If you don't want to use the group's SAM name (for example, because you're walking the collection to remove every trustee from a GPO), you can pass the trustee's SID instead. Read the trustee from the GPMPermission object's Trustee property, which returns a GPMTrustee object, then read that object's TrusteeSid property to get the SID. In this type of situation, replace the code at callout B in Listing 1 with the following two lines of code:

strSID = gpmPerm.Trustee.TrusteeSid   ' SID string of the trustee on this permission entry
gpmSecInfo.RemoveTrustee strSID       ' RemoveTrustee accepts a SID as well as a domain\name string

(You can't use the GPMTrustee object's TrusteeName property in the same way: it returns only the account name, not the domain\name form that RemoveTrustee expects.)

Finally, the script adds the new permission to the collection with the GPMSecurityInfo object's Add method and commits the modified collection to the GPO with the GPMGPO object's SetSecurityInfo method. Until SetSecurityInfo runs, the changes exist only in the script's in-memory collection, so you can inspect them before anything is written to AD.
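The whole procedure above, written out as an added example. This is my code, not the article's Listing 1 (which ships in 40517.zip); the GPO GUID, domain name, and group name are placeholders you must change. It reads the group's SID off the permission object that CreatePermission returns, so it can remove the old entries by SID instead of by name, and after SetSecurityInfo it re-reads the GPO's security descriptor to confirm that only the new Allow entry remains for the group.

```vbscript
Option Explicit
' Replace a group's entries on one GPO with Read + Apply Group Policy, using the GPMC COM objects.
' Run with: cscript //nologo ReplaceGpoTrustee.vbs
' All three values below are placeholders for this example; change them for your environment.
Const GPO_GUID    = "{12345678-1234-1234-1234-123456789ABC}"  ' placeholder GUID of the target GPO
Const DOMAIN_NAME = "corp.example.com"                        ' placeholder DNS domain name
Const GROUP_NAME  = "CORP\GP-LabComputers"                    ' placeholder group, domain\name form

Dim gpm, gpmConstants, gpmDomain, gpmGPO, gpmSecInfo, gpmPerm, newPerm, strSID, leftover

Set gpm = CreateObject("GPMgmt.GPM")
Set gpmConstants = gpm.GetConstants()
Set gpmDomain = gpm.GetDomain(DOMAIN_NAME, "", gpmConstants.UseAnyDC)
Set gpmGPO = gpmDomain.GetGPO(GPO_GUID)
WScript.Echo "GPO: " & gpmGPO.DisplayName & " " & gpmGPO.ID

' Build the new Allow entry (Read + Apply Group Policy, inheritable) before touching the GPO:
' CreatePermission resolves the trustee, so a mistyped group name fails here, harmlessly.
On Error Resume Next
Set newPerm = gpm.CreatePermission(GROUP_NAME, gpmConstants.PermGPOApply, True)
If Err.Number <> 0 Then
    WScript.Echo "Cannot resolve trustee " & GROUP_NAME & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
strSID = newPerm.Trustee.TrusteeSid   ' the group's SID; RemoveTrustee accepts it in place of the name

' Report what the group holds now. Removing by trustee drops ALL of these, Allow and Deny alike.
Set gpmSecInfo = gpmGPO.GetSecurityInfo()
For Each gpmPerm In gpmSecInfo
    If gpmPerm.Trustee.TrusteeSid = strSID Then WScript.Echo "Before: " & Describe(gpmPerm)
Next

' Remove every entry for the group, add the new Allow entry, and commit the collection to the GPO.
gpmSecInfo.RemoveTrustee strSID
gpmSecInfo.Add newPerm
gpmGPO.SetSecurityInfo gpmSecInfo

' Verify by re-reading the descriptor: anything other than the new Allow entry is a problem
' (an inherited entry, for instance, cannot be removed through this collection).
leftover = 0
Set gpmSecInfo = gpmGPO.GetSecurityInfo()
For Each gpmPerm In gpmSecInfo
    If gpmPerm.Trustee.TrusteeSid = strSID Then
        WScript.Echo "After:  " & Describe(gpmPerm)
        If gpmPerm.Denied Or gpmPerm.Permission <> gpmConstants.PermGPOApply Then leftover = leftover + 1
    End If
Next
If leftover > 0 Then
    WScript.Echo "WARNING: " & leftover & " unexpected entries remain for " & GROUP_NAME & "; fix them with ADSI."
    WScript.Quit 2
End If
WScript.Echo "OK: " & GROUP_NAME & " now has Read and Apply Group Policy on " & gpmGPO.DisplayName

' Human-readable summary of one GPMPermission entry.
Function Describe(perm)
    Dim kind
    Select Case perm.Permission
        Case gpmConstants.PermGPORead:                  kind = "Read"
        Case gpmConstants.PermGPOApply:                 kind = "Read+Apply"
        Case gpmConstants.PermGPOEdit:                  kind = "Edit"
        Case gpmConstants.PermGPOEditSecurityAndDelete: kind = "Edit+Security+Delete"
        Case Else:                                      kind = "Custom(" & perm.Permission & ")"
    End Select
    If perm.Denied Then kind = "DENY " & kind
    If perm.Inherited Then kind = kind & " (inherited)"
    Describe = perm.Trustee.TrusteeDomain & "\" & perm.Trustee.TrusteeName & ": " & kind
End Function
```

Run it under cscript from an account that can modify the GPO's security (a domain admin, or a trustee with the Edit settings, delete, modify security level on that GPO). The "Before" lines are worth reading before you let the script run unattended: because RemoveTrustee discards every entry the group holds, a group that also had Edit rights on the GPO comes out of this script with Read and Apply only.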

You can modify the script to pass a different constant to the GPM object's CreatePermission method: PermGPORead to give a trustee Read access only, PermGPOEdit to let a trustee read and edit the policy settings in the GPO, or PermGPOEditSecurityAndDelete to let a trustee also modify the GPO's permissions and delete it (so that you can script delegation of administration). You can combine these capabilities with the search capabilities I describe in the previous articles in this series to find some or all GPOs in a domain, then apply a set of permissions to each of them.
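The delegation variant, as an added example of my own rather than code from the article: it searches the domain for GPOs whose display name contains a marker string, using the GPM search objects from the earlier articles, and gives a group Edit rights on each. The domain, group, and marker are placeholders. Unlike the replacement script above, it uses Add alone (no RemoveTrustee), so other trustees' entries and the group's existing Read and Apply entries stay intact, and it skips GPOs where the group already has Edit or better, or holds a Deny entry that the GPM objects can't manage.

```vbscript
Option Explicit
' Grant a group Edit rights on every GPO whose display name contains a marker, idempotently.
' Run with: cscript //nologo DelegateGpoEdit.vbs
' The three values below are placeholders for this example; change them for your environment.
Const DOMAIN_NAME  = "corp.example.com"         ' placeholder DNS domain name
Const EDITOR_GROUP = "CORP\GP-HelpdeskEditors"  ' placeholder group, domain\name form
Const NAME_MARKER  = "Helpdesk"                 ' placeholder substring of the GPO display names to delegate

Dim gpm, gpmConstants, gpmDomain, gpmCriteria, gpmGPOs, gpmGPO
Dim gpmSecInfo, newPerm, strSID, state, changed

Set gpm = CreateObject("GPMgmt.GPM")
Set gpmConstants = gpm.GetConstants()
Set gpmDomain = gpm.GetDomain(DOMAIN_NAME, "", gpmConstants.UseAnyDC)

' PermGPOEdit lets the group change settings but not alter the ACL or delete the GPO;
' PermGPOEditSecurityAndDelete would hand the delegation itself to the group, which is rarely intended.
Set newPerm = gpm.CreatePermission(EDITOR_GROUP, gpmConstants.PermGPOEdit, True)
strSID = newPerm.Trustee.TrusteeSid

' Select the GPOs by display name (SearchGPOs with empty criteria would return every GPO in the domain).
Set gpmCriteria = gpm.CreateSearchCriteria()
gpmCriteria.Add gpmConstants.SearchPropertyGPODisplayName, gpmConstants.SearchOpContains, NAME_MARKER
Set gpmGPOs = gpmDomain.SearchGPOs(gpmCriteria)
WScript.Echo gpmGPOs.Count & " GPO(s) match '" & NAME_MARKER & "'"

changed = 0
For Each gpmGPO In gpmGPOs
    Set gpmSecInfo = gpmGPO.GetSecurityInfo()
    state = TrusteeState(gpmSecInfo, strSID)
    Select Case state
        Case "denied"
            ' Deny entries can't be created or reasoned about with the GPM objects; leave this GPO to an ADSI script.
            WScript.Echo "SKIP  " & gpmGPO.DisplayName & ": group has a Deny entry"
        Case "edit"
            WScript.Echo "OK    " & gpmGPO.DisplayName & ": already delegated"
        Case Else
            ' Add, don't RemoveTrustee: other trustees and the group's existing Read/Apply entries are untouched.
            gpmSecInfo.Add newPerm
            gpmGPO.SetSecurityInfo gpmSecInfo
            changed = changed + 1
            WScript.Echo "GRANT " & gpmGPO.DisplayName & " (" & gpmGPO.ID & ")"
    End Select
Next
WScript.Echo changed & " GPO(s) updated"

' Returns "denied" if the trustee has any Deny entry, "edit" if it already holds Edit or
' Edit+Security+Delete, and "" otherwise.
Function TrusteeState(secInfo, sid)
    Dim p
    TrusteeState = ""
    For Each p In secInfo
        If p.Trustee.TrusteeSid = sid Then
            If p.Denied Then
                TrusteeState = "denied"
                Exit Function
            End If
            If p.Permission = gpmConstants.PermGPOEdit Or _
               p.Permission = gpmConstants.PermGPOEditSecurityAndDelete Then TrusteeState = "edit"
        End If
    Next
End Function
```

Because the script only ever adds an Allow entry and skips GPOs that are already delegated, you can run it repeatedly (for example, after each new Helpdesk GPO is created) without accumulating duplicate entries or disturbing the security filtering that the first script sets up.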

Comments
  • RICHARD, Jul 14, 2005:
    Very helpful
