top of page
Search

How to Create GPOs with Restricted Groups using PowerShell.

If you have ever tried 'PowerShell'ing' Group Policies, you know that support from Microsoft is sub-optimal, meaning that there is no support, of course, to fill this gap there are paid 3rd party offerings.


The Task at Hand:

Either, create with point and click 'Member Servers' OU and various Sub-OU's for services and their corresponding Group Policies, AD Groups and Restricted Groups, which feels like the millionth time I've manually accomplished this task or crack open PowerShell. The mantra is 'Why point and click when there's PowerShell' so let's get creative.


Components of a Domain GPO:

A Group Policy Object (GPO) is made up of various file types, strangely enough, the same as local GPO's configured via GPEdit.msc. Having scripted SecEdit, updating both User Rights AssignmenPats (URA) and Services previously the 'ask' should be straightforward.


Basic file layout of a Domain GPO:

C:\Windows\SYSVOL\domain\Policies\{GUID}\

Machine\Registry.pol

User\Registry.pol

Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Machine\Microsoft\Windows NT\Audit\Audit.csv


GPO security settings are written to GptTmpl.inf, an example of a GptTmpl.inf with Restricted Groups and User Rights Assignments from an SCCM installation including a SQL Member Server.

The above looks a little confusing and here's a quick breakdown to help:


*S-1-5-21-4000739697-4006183653-2191022337-1143

The SID of a Service Account


[Group Membership]

*S-1-5-32-544__Memberof =

*S-1-5-32-544__Members = *S-1-5-21-4000739697-4006183653-2191022337-1143

*S-1-5-32-544 = Builtin\Administrators Group


*S-1-5-32-573__Memberof =

*S-1-5-32-573__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171

*S-1-5-32-573 = Builtin\Event Log Readers


*S-1-5-32-559__Memberof =

*S-1-5-32-559__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171

*S-1-5-32-559 = Builtin\Performance Log Users


[Privilege Rights]

SeServiceLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1170

SeServiceLogonRight = Log on as a service


SeInteractiveLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1169

SeInteractiveLogonRight = Allow log on locally


SeBatchLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1187

SeBatchLogonRight = Log on as Batch


Overview of script actions:

Execute the script directly on the Domain Controller. The script will create a 'Resources' OU off the root of the Domain, then sub-ou's 'Member Servers' and 'Restricted Groups'. For each application service eg Exchange, SharePoint etc, an additional OU is then created with corresponding AD groups for both Administrator and Remote Desktop User Groups. Finally, GPOs are created for each OU and the AD Groups SID are assigned to both the Restricted Groups and Remote Interactive User Rights Assignment.

The script:

https://github.com/Tenaka/GPOs


Script Breakdown:

The following are extracts from the script that is accessible from Github.


Resolve the Domain Naming Context.

$rootDSE = (Get-ADRootDSE).rootDomainNamingContext


Resolve the path to Sysvol, just in case it was moved during Domain Controler installation.

$smbSysvol = ((Get-SmbShare -name "sysvol").path).replace("SYSVOL\sysvol","sysvol")


Set 'Resource' OU as a root for all subsequent OU's for member servers etc.

$resRoot = "Resources"


Stitch or join the Root DN and variables to create OU Distinguished Names.

$resourceOU = "OU=$($resRoot),$($rootDSE)"

$memSrvOU = "OU=$($memSrvRoot),OU=$($resRoot),$($rootDSE)"

$ResGroupOU = "OU=$($ResGroupRoot),OU=$($resRoot),$($rootDSE)"


Create an OU called 'Resources' as a top-level OU.

New-ADOrganizationalUnit -Name $resRoot #-ProtectedFromAccidentalDeletion $false


Create a variable based on the OU name for creating an AD group name.

$rgRtAdminGp = "RG_$($MemSrvRoot)_Admin"


Create a new Domain Global group based on the OU name for Admin and Remote user groups. Groups are created in the 'Restricted Groups' OU.

New-ADGroup -Name $rgRtAdminGp –groupscope Global -Path $ResGroupOU -Description $rgRtAdminDescrip

Get the SID of the new Group.

$getRtRGAdminSid = $getRtRGAdmin.SID.Value


Declare the variable for creating an OU.

$GPOName = "GPO_$($MemSrvRoot)_RestrictedGroup"


Create a new OU based on the variable and link to OU.

New-GPO -Name $GPOName | New-GPLink -Target $getOUMS.DistinguishedName


Set delegation permission on the OU so the AD group can edit their own policy.

Set-GPPermission -Guid $getGpoId -PermissionLevel GpoEditDeleteModifySecurity -TargetType Group -TargetName $rgAdminGp


Declared the path to the GPO directory.

$sysvol = "$($smbSysvol)\domain\Policies\{$($getGpoId)}\Machine\Microsoft\Windows NT\SecEdit"


Create a directory and GptTmpl.inf file.

New-Item -Path $sysvol -ItemType Directory -Force

New-Item -Path $sysvol -Name GptTmpl.inf -ItemType File -Force


Declare variables based on the Group SIDs for Admin and Remote Groups.

$addConAdmin = "*S-1-5-32-544__Members = *$($getRtRGAdminSid)"

$addConRDP = "*S-1-5-32-555__Members = *$($getRtRGRDPSid)"

$addConURARemote = "SeRemoteInteractiveLogonRight = *$($getRtRGAdminSid),*$($getRtRGRDPSid)"


Update GptTmpl.inf.

Add-Content -Path $gptFile -Value '[Group Membership]'

Add-Content -Path $gptFile -Value '*S-1-5-32-544__Memberof ='

Add-Content -Path $gptFile -Value $addConAdmin

Add-Content -Path $gptFile -Value $addConURARemote


Write the GPCMachineExtensionName attribute with the Client-Side Extension GUID of the areas of the GPO setting for the GPO. If not the settings won't display in the GPO Management tool and the target server won't be able to read the GPO.

Set-ADObject -Identity $getGPOPath -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"}


The Client-Side Extensions GUID can be extracted from Polices, there's no need to try and discover those GUIDS. Set the required policies and copy the GUIDs.

The initial scenario of creating Restricted Groups GPO's is complete, with a few alterations, Administrative Template settings could be set by copying Registry.pol into the GPO. A better use would be setting up URAs for service accounts eg SQL and the Logon as a Service right dynamically as part of an automatic installation of Microsoft SQL Server.


Enjoy and hope it proves useful and do give it a go prior to paying for a 3rd party tool.


The script:

https://github.com/Tenaka/GPOs


Security Identities:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers


Mapping User Rights Assignments:

https://www.tenaka.net/post/translate-user-rights-assignments-from-guids-to-group-names







16 views0 comments

Recent Posts

See All

Living off the land is a technique used by attackers to compromise IT systems without using malicious software. Instead, they use legitimate but vulnerable applications and services to gain access to

ChatGPT is an Artificial Intelligence (AI) chatbot that has been developed to create conversations with people. It is powered by a deep learning model called a Generative Pre-trained Transformer (GPT)

bottom of page