If you have ever tried to manage Group Policy from PowerShell, you will know that Microsoft's support is sub-optimal, meaning that there is none: the GroupPolicy module will create, link and permission a GPO and write registry-based settings, but it has no cmdlets for security settings such as Restricted Groups or User Rights Assignments. Paid third-party offerings have, of course, appeared to fill that gap.
The Task at Hand:
A new 'Member Servers' OU and various sub-OUs are needed, along with their corresponding Group Policies, AD groups and Restricted Groups. This feels like the millionth time I have done this by hand, and it is repetitive and time-consuming. Alternatively, I can crack open PowerShell. The mantra is 'Why point and click when there's PowerShell?', so let's get creative.
Components of a Domain GPO:
A domain Group Policy Object (GPO) is made up of the same file types as a local GPO configured via GPEdit.msc. Having previously scripted SecEdit to update both User Rights Assignments (URA) and Services, the 'ask' should be straightforward.
Basic file layout of a Domain GPO:
C:\Windows\SYSVOL\domain\Policies\{GUID}\
Machine\Registry.pol
User\Registry.pol
Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Machine\Microsoft\Windows NT\Audit\Audit.csv
GPO security settings are written to GptTmpl.inf. The extract below comes from an SCCM installation that includes a SQL member server and shows both Restricted Groups and User Rights Assignments; each entry is followed by what it means.

[Group Membership]
Restricted Groups. For each group there is a '__Memberof' line (groups this group should be added to) and a '__Members' line (the accounts that make up the group). The 'Members' list is authoritative: when the policy applies, the client sets the local group's membership to exactly the SIDs listed and removes everything else, Domain Admins included; the built-in local Administrator account is the only member it cannot remove.

*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-4000739697-4006183653-2191022337-1143
S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. S-1-5-21-4000739697-4006183653-2191022337-1143 is the SID of a service account, which therefore becomes a local administrator on every server the GPO applies to.

*S-1-5-32-573__Memberof =
*S-1-5-32-573__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171
S-1-5-32-573 is BUILTIN\Event Log Readers.

*S-1-5-32-559__Memberof =
*S-1-5-32-559__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171
S-1-5-32-559 is BUILTIN\Performance Log Users.

[Privilege Rights]
User Rights Assignments. Each line is a privilege constant followed by the comma-separated SIDs that hold it. As with Restricted Groups, the list replaces the existing holders of that right on the client rather than adding to them.

SeServiceLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1170
'Log on as a service'
SeInteractiveLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1169
'Allow log on locally'
SeBatchLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1187
'Log on as a batch job'

The leading '*' marks a value as a SID. Account names without the asterisk are also accepted, but SIDs survive renames and resolve the same way wherever the template is applied.
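The breakdown above resolves each SID by hand. The function below is an added example, not part of the article's script: it parses a GptTmpl.inf and annotates every Restricted Groups and User Rights Assignment entry with the account the SID resolves to. BUILTIN SIDs (S-1-5-32-*) resolve on any Windows host; domain SIDs resolve only on a machine joined to that domain and are otherwise reported as unresolved. The sample template and its path are constructed for the demonstration.

```powershell
# Added example, not from the article's script: annotate a GptTmpl.inf with the
# account names behind its SIDs and the display names of its privilege constants.

function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
        "$account ($Sid)"
    } catch {
        # IdentityNotMappedException: a domain SID from another domain, or a deleted account.
        "$Sid (unresolved)"
    }
}

function Resolve-GptTmplSids {
    param([Parameter(Mandatory)][string]$Path)

    # Display names for the privilege constants used in the article.
    $rightNames = @{
        SeServiceLogonRight           = 'Log on as a service'
        SeInteractiveLogonRight       = 'Allow log on locally'
        SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
        SeBatchLogonRight             = 'Log on as a batch job'
    }

    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }          # blank line or INF comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -notin 'Group Membership', 'Privilege Rights') { continue }

        $key, $value = ($line -split '=', 2).Trim()
        # Values are comma separated; a leading '*' marks a SID, anything else is already a name.
        $principals = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object { if ($_.StartsWith('*')) { Resolve-Sid $_.Substring(1) } else { $_ } })

        if ($section -eq 'Group Membership') {
            # Key is *<group SID>__Members or *<group SID>__Memberof.
            $groupSid, $relation = $key.TrimStart('*') -split '__', 2
            $subject = Resolve-Sid $groupSid
        } else {
            $relation = 'granted to'
            $subject  = if ($rightNames.ContainsKey($key)) { "$key ($($rightNames[$key]))" } else { $key }
        }
        $list = if ($principals) { $principals -join ', ' } else { '(none)' }

        [pscustomobject]@{ Section = $section; Subject = $subject; Relation = $relation; Principals = $list }
    }
}

# Constructed sample using the article's entries. Its domain SIDs show as unresolved outside
# that domain; the BUILTIN group SIDs resolve on any Windows machine.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-4000739697-4006183653-2191022337-1143
*S-1-5-32-573__Memberof =
*S-1-5-32-573__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1170
SeInteractiveLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1169
'@
$samplePath = Join-Path $env:TEMP 'GptTmpl.sample.inf'
Set-Content -Path $samplePath -Value $sample -Encoding Unicode
Resolve-GptTmplSids -Path $samplePath | Format-Table -AutoSize
```

Point the function at a live policy's GptTmpl.inf under SYSVOL to audit who a GPO actually puts into local Administrators or grants a logon right to, without opening GPMC; run it from a member of the domain so the S-1-5-21 SIDs translate.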
Overview of script actions:
Execute the script directly on the Domain Controller holding the PDC Emulator role; that is the DC the Group Policy Management Console itself edits against, so there is no risk of a replication conflict with someone editing in GPMC at the same time. The script creates a 'Resources' OU off the root of the domain, then the sub-OUs 'Member Servers' and 'Restricted Groups'. For each application service, e.g. Exchange or SharePoint, an additional OU is created under 'Member Servers' with corresponding AD groups for the local Administrators and Remote Desktop Users roles. Finally, a GPO is created and linked for each OU, and the AD groups' SIDs are written to both the Restricted Groups settings and the 'Allow log on through Remote Desktop Services' User Rights Assignment.
The script:
Script Breakdown:
The following are extracts from the full script, which is available on GitHub.
Resolve the domain's naming context. Note that rootDomainNamingContext is the forest root domain; if the script is run in a child domain, use defaultNamingContext instead so the OUs land in the domain the DC belongs to.
$rootDSE = (Get-ADRootDSE).rootDomainNamingContext
Resolve the path to SYSVOL from the share rather than assuming C:\Windows, in case it was relocated during Domain Controller installation. String.Replace is case-sensitive, so this relies on the share path ending in SYSVOL\sysvol in exactly that case; the GPO's gPCFileSysPath attribute is a more robust source for the policy folder.
$smbSysvol = ((Get-SmbShare -name "sysvol").path).replace("SYSVOL\sysvol","sysvol")
Set 'Resources' as the root OU for everything that follows, together with the names of the two sub-OUs that hold the member servers and the restricted groups.
$resRoot = "Resources"
$memSrvRoot = "Member Servers"
$ResGroupRoot = "Restricted Groups"
Join the root DN and the variables to form the OU Distinguished Names.
$resourceOU = "OU=$($resRoot),$($rootDSE)"
$memSrvOU = "OU=$($memSrvRoot),OU=$($resRoot),$($rootDSE)"
$ResGroupOU = "OU=$($ResGroupRoot),OU=$($resRoot),$($rootDSE)"
Create an OU called 'Resources' as a top-level OU.
New-ADOrganizationalUnit -Name $resRoot #-ProtectedFromAccidentalDeletion $false
Build the AD group name from the OU name.
$rgRtAdminGp = "RG_$($MemSrvRoot)_Admin"
Create a new Domain Global group based on the OU name; the same is done for the Remote Desktop users group. Groups are created in the 'Restricted Groups' OU.
New-ADGroup -Name $rgRtAdminGp -GroupScope Global -Path $ResGroupOU -Description $rgRtAdminDescrip
Read the new group back and take its SID as a string; this is the value that goes into GptTmpl.inf.
$getRtRGAdmin = Get-ADGroup -Identity $rgRtAdminGp
$getRtRGAdminSid = $getRtRGAdmin.SID.Value
Declare the GPO name based on the OU name.
$GPOName = "GPO_$($MemSrvRoot)_RestrictedGroup"
Create the GPO and link it to the member server OU, keeping the GPO's GUID for the SYSVOL path and delegation steps that follow.
$newGPO = New-GPO -Name $GPOName
$newGPO | New-GPLink -Target $getOUMS.DistinguishedName
$getGpoId = $newGPO.Id
Delegate the GPO so the application's admin group can edit its own policy. Be clear about what this grants: members of that group decide who ends up in local Administrators and who can RDP to every server under the OU, so keep the GPO linked only to that OU and never place tier-0 systems beneath it.
Set-GPPermission -Guid $getGpoId -PermissionLevel GpoEditDeleteModifySecurity -TargetType Group -TargetName $rgRtAdminGp
Declare the path to the GPO's SecEdit directory in SYSVOL.
$sysvol = "$($smbSysvol)\domain\Policies\{$($getGpoId)}\Machine\Microsoft\Windows NT\SecEdit"
Create the directory and an empty GptTmpl.inf, and keep the file path for the writes that follow.
New-Item -Path $sysvol -ItemType Directory -Force
New-Item -Path $sysvol -Name GptTmpl.inf -ItemType File -Force
$gptFile = Join-Path $sysvol "GptTmpl.inf"
Build the GptTmpl.inf lines from the Admin and Remote Desktop group SIDs. Restricted Groups entries go under [Group Membership]; the User Rights Assignment goes under [Privilege Rights], and a line written under the wrong section is ignored.
$addConAdmin = "*S-1-5-32-544__Members = *$($getRtRGAdminSid)"
$addConRDP = "*S-1-5-32-555__Members = *$($getRtRGRDPSid)"
$addConURARemote = "SeRemoteInteractiveLogonRight = *$($getRtRGAdminSid),*$($getRtRGRDPSid)"
Update GptTmpl.inf. Both lists are authoritative when the policy applies: the local Administrators and Remote Desktop Users groups will contain exactly the SIDs listed, and only the listed SIDs keep the remote interactive logon right.
Add-Content -Path $gptFile -Value '[Group Membership]'
Add-Content -Path $gptFile -Value '*S-1-5-32-544__Memberof ='
Add-Content -Path $gptFile -Value $addConAdmin
Add-Content -Path $gptFile -Value '*S-1-5-32-555__Memberof ='
Add-Content -Path $gptFile -Value $addConRDP
Add-Content -Path $gptFile -Value '[Privilege Rights]'
Add-Content -Path $gptFile -Value $addConURARemote
Write the gPCMachineExtensionNames attribute on the GPO's AD object with the GUID pair for the Security Settings client-side extension (the first GUID is the CSE itself, the second its matching GPMC snap-in extension). Without it the settings do not appear in the Group Policy Management Console and, more importantly, the client never invokes the security CSE for this GPO, so nothing is applied.
$getGPOPath = (Get-GPO -Name $GPOName).Path
Set-ADObject -Identity $getGPOPath -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"}
There is no need to hunt for CSE GUIDs: set the required policies once in a GPO through GPMC, then read that GPO's gPCMachineExtensionNames attribute and copy the GUIDs.
The initial scenario, creating Restricted Groups GPOs, is complete. With a few alterations, Administrative Template settings could be set by copying a Registry.pol into the GPO. A better use would be setting URAs for service accounts, e.g. granting a SQL service account 'Log on as a service' dynamically as part of an automated Microsoft SQL Server installation.
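Pulling the steps above together, and covering the service-account extension just mentioned, here is an added example that is not the article's script. It creates a Restricted Groups and URA GPO end to end and fills in what the extracts leave implicit: the [Unicode] and [Version] headers GPMC always writes to GptTmpl.inf, UTF-16 encoding, the Security Settings CSE GUIDs, and the version bump in AD and GPT.ini that tells clients (and GPMC) the GPO has changed. It reads the policy folder from the GPO's own gPCFileSysPath attribute instead of guessing where SYSVOL lives. Run it on the PDC Emulator with the ActiveDirectory and GroupPolicy modules; every OU, group and account name is an assumption.

```powershell
# Added example, not the article's script: build a Restricted Groups / URA GPO from PowerShell.
Import-Module ActiveDirectory, GroupPolicy

function New-RestrictedGroupsGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetOU,        # DN of the OU to link to
        [Parameter(Mandatory)][string]$AdminGroupSid,   # domain group that becomes local Administrators
        [Parameter(Mandatory)][string]$RdpGroupSid,     # domain group that becomes local Remote Desktop Users
        [hashtable]$ExtraRights = @{}                   # e.g. @{ SeServiceLogonRight = @($serviceAccountSid) }
    )

    $gpo = New-GPO -Name $Name
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null

    # The GPO's AD object carries the UNC path of its SYSVOL folder and the current version.
    $gpc = Get-ADObject -Identity $gpo.Path -Properties gPCFileSysPath, versionNumber
    $secEdit = Join-Path $gpc.gPCFileSysPath 'Machine\Microsoft\Windows NT\SecEdit'
    New-Item -Path $secEdit -ItemType Directory -Force | Out-Null

    # Both lists are authoritative on the client: local Administrators and Remote Desktop Users end up
    # containing exactly these SIDs (only the built-in Administrator account survives), and only the
    # listed SIDs keep the remote interactive logon right.
    $lines = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Group Membership]',
        '*S-1-5-32-544__Memberof =',
        "*S-1-5-32-544__Members = *$AdminGroupSid",
        '*S-1-5-32-555__Memberof =',
        "*S-1-5-32-555__Members = *$RdpGroupSid",
        '[Privilege Rights]',
        "SeRemoteInteractiveLogonRight = *$AdminGroupSid,*$RdpGroupSid"
    )
    # Any additional rights, e.g. SeServiceLogonRight for a SQL service account.
    foreach ($right in $ExtraRights.Keys) {
        $lines += "$right = " + (($ExtraRights[$right] | ForEach-Object { "*$_" }) -join ',')
    }
    Set-Content -Path (Join-Path $secEdit 'GptTmpl.inf') -Value $lines -Encoding Unicode

    # Security Settings CSE (scecli) plus its GPMC snap-in extension; without this pair the CSE never runs.
    $cse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
    # The machine half of versionNumber is the low 16 bits; a fresh GPO is 0, so +1 is enough here.
    # GPT.ini must carry the same number or GPMC reports an AD/SYSVOL version mismatch.
    $version = [int]$gpc.versionNumber + 1
    Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $cse; versionNumber = $version }
    Set-Content -Path (Join-Path $gpc.gPCFileSysPath 'GPT.ini') -Value @('[General]', "Version=$version") -Encoding Ascii

    Get-GPO -Guid $gpo.Id
}

# Usage with assumed names; the groups already exist in the 'Restricted Groups' OU as in the article.
$domainDN = (Get-ADRootDSE).defaultNamingContext
$adminSid = (Get-ADGroup -Identity 'RG_SharePoint_Admin').SID.Value
$rdpSid   = (Get-ADGroup -Identity 'RG_SharePoint_RDP').SID.Value
$svcSid   = (Get-ADUser  -Identity 'svc_sharepoint').SID.Value
New-RestrictedGroupsGpo -Name 'GPO_SharePoint_RestrictedGroup' `
    -TargetOU "OU=SharePoint,OU=Member Servers,OU=Resources,$domainDN" `
    -AdminGroupSid $adminSid -RdpGroupSid $rdpSid `
    -ExtraRights @{ SeServiceLogonRight = @($svcSid) }
```

After running it, open the GPO in GPMC: the Restricted Groups and User Rights Assignment entries should be visible under Computer Configuration, and the Details tab should show matching AD and SYSVOL versions. If you later rewrite GptTmpl.inf on an existing GPO, bump the version again the same way, otherwise clients that already applied version 1 will not re-read it.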
Enjoy, and I hope it proves useful. Do give it a go before paying for a third-party tool.
Thank you very much for this job!
This script is cool, thank you for posting it with a great writeup too.