01 Mar 2021

Adjusting Group Policy (Deny "Apply GPO") ACE's via PowerShell

I think i’ll be able to use this again for other things, but the use case i needed to solve looked like this:

  • A group policy to enforce some behaviour in the environment already exists; lets say - GPO to apply a default wallpaper.
  • I want to allow exceptions to the GPO via Pull Request on a Github repo
  • (The reason for this approach: removes the need to let lots of people near gpmc; instead we just use a PR with an approval workflow tied to it)

Because i am looking to exclude computers from applying GPO i’ll need to set a DENY on the “Apply Group Policy” extended right: https://docs.microsoft.com/en-us/windows/win32/adschema/r-apply-group-policy

exceptions.json:


[
        {
                computername: "bob-machine1",
                expires:"1/1/2022"
        },
        {
                computername: "bob-machine2",
                expires:"1/1/2022"
        }
]

worker.ps1:

$EXCEPTIONS_FILE = "c:\automation\repo-name\exceptions.json"
$TARGET_GPO_GUID = "bd782ff6-907e-4346-8452-1751957cb35e"
$DOMAIN_DN = "DC=testdomain,DC=local"

# Import the exceptions list from the JSON input:

$Exceptions = Get-Content -Raw -Path $EXCEPTIONS_FILE | ConvertFrom-Json

# Safety first:
if ($Exceptions.Count -lt 1 -or $Exceptions.Count -gt 100)
{
    $ExCount = $Exceptions.Count
    Write-Error "Number of exceptions is out of acceptable range. Count was $ExCount"
    Exit(1)    
}

# Adjust the group policy ACL
ForEach ($ComputerEntry in $Exceptions)
{
    $computer = get-adcomputer $ComputerEntry.computername
    $computer_SID = [System.Security.Principal.SecurityIdentifier] $computer.SID
    $computer_identity = [System.Security.Principal.IdentityReference] $computer_SID

    $GPO = Get-GPO -Guid $TARGET_GPO_GUID
    $GPO_ADSI = [ADSI]"LDAP://CN=`{$($GPO.Id)`},CN=Policies,CN=System,$DOMAIN_DN"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $computer_identity,
                "ExtendedRight",
                "Deny",
                [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939" # Apply GPO Extended Right. https://docs.microsoft.com/en-us/windows/win32/adschema/r-apply-group-policy
        )
    $ACL = $GPO_ADSI.ObjectSecurity
    $ACL.AddAccessRule($ACE)
    $GPO_ADSI.CommitChanges()
}
Thanks!
Chad Duffey

Security Engineer