If you can view permissions via PowerShell, you should be able to configure new GPO permissions via PowerShell as well, correct? Absolutely right. While this is slightly more difficult than viewing permissions because you need to know the special syntax for which permission type is going to accomplish what you are looking for, permissions are added into GPO Delegation by simple, single PowerShell cmdlets. This is akin to configuring permissions for users or groups via the Delegation tab inside GPMC.
Before jumping into a sample command, let's discuss what the various PermissionLevel settings are when working with Group Policy permissions inside PowerShell:
- None: No permissions. As we experienced earlier when removing Authenticated Users from the Security Filtering section of our GPO, we can utilize PermissionLevel=None to remove a user or group from having permissions inside GPO Delegation.
- GpoRead: Grants a user or group Read access to the GPO.
- GpoApply: Grants the Apply group policy rights. Remember that this one is necessary for a user, group, or computer to successfully apply the GPO.
- GpoEdit: Grants permission to edit a GPO.
- GpoEditDeleteModifySecurity: This one is kind of a mouthful. It grants someone access to do pretty much whatever they want with a GPO, including editing as well as deleting it or configuring permissions on it later. Keep in mind that this delegation does not include GpoApply rights. This is a nice way to grant an administrator access to tweak or modify a GPO, without causing the GPO to automatically start applying to their user account when they log into a computer.
If you add a new permission on the Delegation tab inside GPMC, you'll notice that three of these permissions are more or less exactly the same as the options provided to you in the drop-down box.
Let's try modifying permissions from PowerShell. I want to grant a user named Grace the ability to edit, delete, or in any other way modify my GPO called MyNewGPO. Here is the command for accomplishing such a task:
Set-GPPermissions -Name MyNewGPO -PermissionLevel GpoEditDeleteModifySecurity -TargetType User -TargetName "Grace"
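The following is an added example, not code from the original text: it grants the delegation described above, reads it back to confirm what was actually set, and then lists every trustee in the domain holding edit-level rights on any GPO outside an expected set. It assumes the GroupPolicy module (RSAT/GPMC) on a domain-joined machine; the `$expected` list is an assumption to adjust for your environment.

```powershell
# Added example. Set-GPPermission / Get-GPPermission are the current cmdlet
# names; the plural forms used in the text are aliases for them.
Import-Module GroupPolicy

# Names taken from the text above.
$gpoName = 'MyNewGPO'
$trustee = 'Grace'

# Grant the delegation, then read it back rather than assuming it applied.
Set-GPPermission -Name $gpoName -PermissionLevel GpoEditDeleteModifySecurity `
    -TargetType User -TargetName $trustee | Out-Null

$granted = Get-GPPermission -Name $gpoName -TargetName $trustee -TargetType User
'{0} on {1}: {2}' -f $granted.Trustee.Name, $gpoName, $granted.Permission

# Assumption: trustees that are expected to hold edit-level rights on GPOs.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Levels that allow changing a GPO. GpoCustom marks an ACL that does not map
# to one of the standard levels, so it is included for manual review.
$reviewLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

# Walk every GPO in the domain and collect delegations outside the expected set.
$report = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $_.Permission.ToString() -in $reviewLevels -and
            $_.Trustee.Name -notin $expected
        } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name
                Type       = $_.Trustee.SidType
                Permission = $_.Permission
                Denied     = $_.Denied
            }
        }
}

$report | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

After the grant, Grace should appear in the report against MyNewGPO with GpoEditDeleteModifySecurity, which makes the report a convenient baseline to re-run whenever delegations change.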