PowerShell for Active Directory Group Policy has a couple of ways to get permissions: if you get the GPO with Get-GPO, then $_.GetSecurityInfo() returns permissions objects. Also, Get-GPPermission will get the same objects. You can write the permissions with $_.SetSecurityInfo() and with Set-GPPermissions. But how do you simply remove a permissions object, e.g. where the $_.trustee.sidtype is Unknown? You cannot use Set-GPPermission, because it requires a TargetType, and 'Unknown' is not a valid TargetType. The SetSecurityInfo() method has no documentation that I can find.

So, the question is: given the existing permissions of a GPO, how do you remove the permission object where the $_.SidType is Unknown?
The method to remove a permission with unknown SID is undocumented.

GetSecurityInfo() returns a GPPermissionCollection object. Remove the appropriate entries from the collection:
# $gpo is the GPO object obtained earlier; the name below is a placeholder
$gpo = Get-GPO -Name 'MyGPO'

# fetch current permission entries (a GPPermissionCollection)
$perms = $gpo.GetSecurityInfo()

# identify trustees whose SID no longer resolves to an account
$trusteesToRemove = $perms.Trustee | Where-Object { $_.SidType -eq 'Unknown' }

# remove them from the permission collection
$trusteesToRemove | ForEach-Object {
    $perms.RemoveTrustee($_.Sid)
}
Once modified, pass the collection object back to SetSecurityInfo():
$gpo.SetSecurityInfo($perms)
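As an added example that is not part of the question or answer above, here is the same RemoveTrustee()/SetSecurityInfo() sequence wrapped in a function with -WhatIf support and a verification step that re-reads the ACL after writing it. It assumes the GroupPolicy module (RSAT) is installed; the function name and the GPO name passed to it are placeholders.

```powershell
function Remove-GPOrphanedPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GpoName
    )
    Import-Module GroupPolicy -ErrorAction Stop

    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $perms = $gpo.GetSecurityInfo()      # GPPermissionCollection

    # Entries whose SID no longer resolves (e.g. a deleted user or group)
    $orphaned = @($perms | Where-Object { $_.Trustee.SidType -eq 'Unknown' })
    if ($orphaned.Count -eq 0) {
        Write-Verbose "No unresolved trustees on '$GpoName'."
        return
    }

    foreach ($entry in $orphaned) {
        $sid = $entry.Trustee.Sid
        $action = "Remove ACE for unresolved SID $sid ($($entry.Permission))"
        if ($PSCmdlet.ShouldProcess($GpoName, $action)) {
            $perms.RemoveTrustee($sid)
        }
    }

    if (-not $WhatIfPreference) {
        # Write the modified collection back to the GPO
        $gpo.SetSecurityInfo($perms)

        # Verify by re-reading the ACL rather than trusting the in-memory copy
        $remaining = @(Get-GPPermission -Name $GpoName -All |
                       Where-Object { $_.Trustee.SidType -eq 'Unknown' })
        if ($remaining.Count -ne 0) {
            throw "'$GpoName' still has $($remaining.Count) unresolved trustee(s)."
        }
    }

    # Report what was (or, under -WhatIf, would be) removed
    $orphaned | ForEach-Object {
        [pscustomobject]@{ Gpo = $GpoName; Sid = $_.Trustee.Sid; Permission = $_.Permission }
    }
}

# Dry run first, then apply; 'MyGPO' is a placeholder name
Remove-GPOrphanedPermission -GpoName 'MyGPO' -WhatIf
Remove-GPOrphanedPermission -GpoName 'MyGPO' -Verbose
```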