22 Mar 2021

Scripting big GPO ACL changes based on groups

Sometime’s it makes sense to remove the “Apply Group Policy” right from the everyone group and slowly add users from specific groups as a way to roll out the change.

For this example, i want to add all the computers for all folk from my bacon-tasters group, i’d also like to not include stale machines:

$GP_NAME = "Workstations - Company Wallpaper"

$group_members = Get-ADGroupMember "CN=bacon-tasters,OU=Standard Groups,DC=chadduffey,DC=local"

$DaysInactive = 60
$time = (Get-Date).Adddays(-($DaysInactive))
$windows_computers = Get-ADComputer -filter {((Name -like "*-WIN10") -or (Name -like "*-WINVM")) -and (LastLogonTimeStamp -gt $time)} -Properties WhenChanged

foreach ($user in $group_members)
{
    foreach ($computer in $windows_computers)
    {
        if ($computer.Name.split('-')[0] -eq $user.SamAccountName)
        {
            write-host "Adding: " $computer.Name
            Set-GPPermission -Name $GP_NAME -TargetName $computer.Name -TargetType Computer -PermissionLevel GPOApply
        }
    }   
}
Thanks!
Chad Duffey

Security Engineer