How to list delegation settings for "Group Policy Objects" (PowerShell)

John 26 Reputation points
2022-10-04T16:54:01.933+00:00

Hello,

I am using Windows Server 2019.

Using Powershell, I want to list the users/groups which can be found here:

Group Policy Management Console > Group Policy Objects > Delegation

Here is a screenshot:

247462-grafik.png

I can list the delegations for individual GPOs using this command: Get-GPPermission -Name "Policy Name" -All

However, I cannot find a command to list the settings for the "Group Policy Objects" tab.

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,448 questions
Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,733 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,105 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,358 questions
0 comments
Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2022-10-05T09:53:53.833+00:00

    Hi @John

    I don't think there is a GPO command to return the permissions of the 'Group Policy Objects'. The tab is showing a filtered view of the permissions assigned to the Policies container in the AD i.e. CN=Policies,CN=System,DC=w2k12,DC=local.

    The tab will only show the permissions that have permissions to create GPO objects.

    247751-image.png

    247687-image.png

    Gary.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vamdev Mishra 10 Reputation points
    2023-11-22T04:30:27.8066667+00:00

    Hi John/anyone, who still have this ask, feel free to use below script which I have created to provide you detailed report on all GPOs permissions/delegation in your domain, it also uses get-gppermissions cmdlet but gives u nicer output with GPO Name in it.

    User's image

    https://github.com/vamdevmishra/MyScripts/blob/master/gpopermsreport.ps1

    2 people found this answer helpful.
    0 comments
  2. Aditya 10 Reputation points
    2023-03-17T12:03:08.9833333+00:00

    You can find below script :-

    $gpos = Get-GPO -All

    foreach ($gpo in $gpos) { Write-Output "GPO: $($gpo.DisplayName)"

    try {

    $permissions = Get-GPPermissions -Guid $gpo.Id -All

if ($permissions) {

    foreach ($permission in $permissions) {

        Write-Output "`t $($permission.Trustee.Name)"

    }

}

else {

    Write-Output "`t No members found."

}

    } catch {

    Write-Output "`t Error retrieving permissions: $($_.Exception.Message)"

    }

    Write-Output ""

    }

    0 comments