Get-GPPermissions

  • Article

Get-GPPermissions

Gets the permission level for one or more security principals on a specified GPO.

Syntax

Get-GPPermissions [-Name] <string> [-TargetName <string>] [-TargetType {<Computer> | <User> | <Group>}] [-Domain <string>] [-Server <string>] [<CommonParameters>]


Get-GPPermissions -All [-Domain <string>] [-Server <string>] [<CommonParameters>]


Get-GPPermissions -Guid <Guid> [-TargetName <string>] [-TargetType {<Computer> | <User> | <Group>}] [-Domain <string>] [-Server <string>] [<CommonParameters>]

Detailed Description

Gets the permission level for one or more security principals on the specified GPO. You can use the TargetName and TargetType parameters to specify a user, security group, or computer for which to retrieve the permission level. You can use the All parameter to retrieve the permission level for each security principal (user, security group, or computer) that has permissions on the GPO. You can specify the GPO by its display name or by its GUID.

Parameters

-All <SwitchParameter>

Gets the permission level for each user, group, or computer that has permissions on the GPO.

Attributes

Name Value

Required?

true

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-Domain <string>

Specifies the domain for this cmdlet. You must specify the fully qualified domain name (FQDN) of the domain (for example: sales.contoso.com).

For the Get-GPPermissions cmdlet, the GPO for which to get the permission level must exist in this domain.

If you do not specify the Domain parameter, the domain of the user that is running the current session is used. (If the cmdlet is being executed from a computer startup or shutdown script, the domain of the computer is used.) For more information, see the Notes section in the full Help.

If you specify a domain that is different from the domain of the user that is running the current session (or, for a startup or shutdown script, the computer), a trust must exist between that domain and the domain of the user (or the computer).

You can also refer to Domain by its built-in alias, "domainname". For more information, see about_Aliases.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

true (ByPropertyName)

Position?

named

-Guid <Guid>

Specifies the GPO from which to retrieve the permission level by its globally unique identifier (GUID). The GUID uniquely identifies the GPO.

You can also refer to the Guid parameter by its built-in alias, "id". For more information, see about_Aliases.

Attributes

Name Value

Required?

true

Accept wildcard characters?

false

Accept Pipeline Input?

true (ByPropertyName)

Position?

named

-Name <string>

Specifies the GPO from which to retrieve the permission level by its display name.

The display name is not guaranteed to be unique in the domain. If another GPO with the same display name exists in the domain an error occurs. You can use the Guid parameter to uniquely identify a GPO.

You can also refer to the Name parameter by its built-in alias, "displayname". For more information, see about_Aliases.

Attributes

Name Value

Required?

true

Accept wildcard characters?

false

Accept Pipeline Input?

true (ByPropertyName)

Position?

1

-Server <string>

Specifies the name of the domain controller that this cmdlet contacts to complete the operation. You can specify either the fully qualified domain name (FQDN) or the host name. For example:

FQDN: DomainController1.sales.contoso.com
Host Name: DomainController1

If you do not specify the name by using the Server parameter, the PDC emulator is contacted.

You can also refer to the Server parameter by its built-in alias, "dc". For more information, see about_Aliases.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-TargetName <string>

The name of the security principal for which to retrieve the permission level. You can specify a user, a security group, or a computer. You can use either the domain-qualified name of the security principal (domain\account) or just its name.

For example, in the contoso.com domain, to specify:
-- The user "someuser", use "contoso\someuser" or "someuser".
-- The Domain Admins security group, use "contoso\Domain Admins" or "Domain Admins".
-- The computer "computer-01", use "contoso\computer-01" or "computer-01".

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-TargetType <PermissionTrusteeType>

The type of security principal for which to retrieve the permission level. You must specify Computer, User, or Group.

The following values are permitted for this object type.

  • Computer **

  • User **

  • Group **

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-CommonParameter

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see About Common Parameter

Input and Return Types

The input type is the type of the objects that you can pipe to the cmdlet. The return type is the type of the objects that the cmdlet emits.

Input Type

Microsoft.GroupPolicy.Gpo. A GPO for which to retrieve the permission level. Collections that contain GPOs from different domains are not supported.

Return Type

Microsoft.GroupPolicy.GPPermission. Get-GPPermissions returns an object that represents permissions for the specified security principal (user, group, or computer) on the GPO.

Notes

  • You can use the Domain parameter to explicitly specify the domain for this cmdlet.

    If you do not explicitly specify the domain, the cmdlet uses a default domain. The default domain is the domain that is used to access network resources by the security context under which the current session is running. This domain is typically the domain of the user that is running the session. For example, the domain of the user who started the session by opening Windows PowerShell from the Program Files menu, or the domain of a user that is specified in a runas command. However, computer startup and shutdown scripts execute under the context of the LocalSystem account. The LocalSystem account is a built-in local account, and it accesses network resources under the context of the computer account. Therefore, when this cmdlet is executed from a startup or shutdown script, the default domain is the domain to which the computer is joined.

Examples

EXAMPLE 1

C:\PS>

Get-GPPermissions -Name TestGpo -TargetName "Domain Users" -TargetType Group



Trustee         : Domain Users

TrusteeType     : Group

PermissionLevel : GpoRead

Inherited       : False

Description

-----------

This command gets the permission level for the "Domain Users" group on the GPO named TestGpo.

EXAMPLE 2

C:\PS>

Get-GPPermissions -Domain sales.contoso.com -Server DC1 -GUID fa4a9473-6e2a-4b87-ab78-175e68d97bde -TargetName "Domain Admins" -TargetType Group

Description

-----------

This command gets the permission level for the "Domain Admins" group on the GPO with the GUID fa4a9473-6e2a-4b78-175e68d97bde in the Sales.Contoso.com domain. The DC1.sales.contoso.com domain controller is contacted to complete the operation.

If the domain of the user that is running the session (or, for startup and shutdown scripts, the computer) is different from the sales.contoso.com domain, a trust must exist between the two domains, or the command fails.

EXAMPLE 3

C:\PS>

Get-GPPermissions -Name TestGPO -All



Trustee     : Authenticated Users

TrusteeType : WellKnownGroup

Permission  : GpoApply

Inherited   : False



Trustee     : Domain Admins

TrusteeType : Group

Permission  : GpoEditDeleteModifySecurity

Inherited   : False



Trustee     : Enterprise Admins

TrusteeType : Group

Permission  : GpoEditDeleteModifySecurity

Inherited   : False



Trustee     : ENTERPRISE DOMAIN CONTROLLERS

TrusteeType : WellKnownGroup

Permission  : GpoRead

Inherited   : False



Trustee     : SYSTEM

TrusteeType : WellKnownGroup

Permission  : GpoEditDeleteModifySecurity

Inherited   : False

Description

-----------

This command gets the permission level for each security principal that has permissions on the GPO.

EXAMPLE 4

C:\PS>

Get-GPO -All | foreach-object { if($_ | Get-GPPermissions -TargetName "contoso\Domain Admins" -TargetType Group -ErrorAction SilentlyContinue) {$_.DisplayName}}



Default Domain Policy

TestGPO-1

TestGPO-2

Default Domain Controllers Policy

Internet Security

TestGPO

Description

-----------

This command lists the display name of each GPO (in the domain) on which the specified security principal has permissions.

First, Get-GPO is used to retrieve all the GPOs in the domain (Get-GPO -All). Then, the collection is piped into the foreach-object command. As each GPO is evaluated, it is piped into Get-GPPermissions. If a permission level is returned, the DisplayName property of the GPO is printed ($_.DisplayName).

Note: The ErrorAction parameter is set to SilentlyContinue for Get-GPPermissions. This is because a non-terminating error occurs if the specified security principal does not have permissions on the GPO. Specifying the ErrorAction as SilentlyContinue prevents the error messages from being printed for GPOS on which the security principal does not have permissions. For more information about the ErrorAction parameter, see about_CommonParameters.

See Also

Reference

Set-GPPermissions