This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 65%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Not able to grant user rights assignment in group policy object using PowerShell
Is there any way or command to add user rights in group policy?
Manual steps:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 63%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I realise this post is quite old, but there is a post that talks about a way you could do this by building up a GPO, the same way the export/import GPO works in Powershell:
https://jigsolving.com/gpo-deep-dive-part-1/
Within that article, there's a bare bones example of this on Github:
https://github.com/Jigsolving/powershell/blob/main/User%20Rights%20Assignment%20GPO/create-customURAGPO.ps1
It definitely works, and this is just one way it can be done. The article focuses on basically building up the raw bones of a GPO that resembles what an exported GPO looks like, and then imports it.
Thanks @MotoX80 for sharing this module
Tried this module but it didn't work as per my expectations
I am looking to add user rights in group policy in group policy management of domain controller but this module gives user rights in local policy.
If you have another module or command please share
I also tried Set-GPPermission but it is giving user permission to edit settings, delete, modify security.
I no longer have access to an AD environment, so I am not able to test. Perhaps another forum user can provide assistance.
Have you seen this page?
https://www.ntweekly.com/2020/08/07/configure-a-group-policy-with-powershell/
Yes, already seen these pages
And as per https://www.microsoft.com/en-au/download/details.aspx?id=25250 this link/sheet user rights assignment don't have registry keys.
Random thoughts from a retired sysadmin....
Well it has to be stored somewhere on the DC.
https://techgenix.com/group-policy-settings-part1/
Make a change to one policy and then search the sysvol folder and see if you can find the file that contains your update. If that's a text based file (not in binary format) then you might be able to update the policy just like you would update the content of any other text file.
I assume that you have already done the "Import-Module GroupPolicy" and searched for "GP" related commands as that page described. If you haven't, then you should start there.
d
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 22%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
Hi @ArpitShivhare-6858
I've had to do something similar in the past with automatic GPO generation, and the below was the only way I could find to do so. It basically creates the GPO manually, but it should work for your purposes
#Get details of user(s)
$user = Get-ADUser *username*
#Create text required for GptTmpl.inf file for the GPO, inserting the SIDs of the user(s) found previously
$text = "[Unicode]
Unicode=yes
[Version]
signature=`"`$CHICAGO$`"
Revision=1
[Privilege Rights]
SeTcbPrivilege = *$($user.SID)
SeIncreaseQuotaPrivilege = *$($user.SID)
SeChangeNotifyPrivilege = *$($user.SID)
SeBatchLogonRight = *$($user.SID)
SeServiceLogonRight = *$($user.SID)
SeManageVolumePrivilege = *$($user.SID)
SeAssignPrimaryTokenPrivilege = *$($user.SID)"
#Get domain controller to run all commands against
$dc = Get-ADDomainController
#Create new GPO
$newGPO = New-GPO -Name "Your GPO Name" -Server $dc
#Create new SecEdit directory in the GPO folder in SYSVOL
New-Item "\\EXAMPLE.COM\SYSVOL\EXAMPLE.COM\Policies\{$($newGPO.id)}\Machine\Microsoft\Windows NT\SecEdit" -ItemType Directory
#Create GptTmpl.inf file in SecEdit folder
$text | Out-File "\\EXAMPLE.COM\SYSVOL\EXAMPLE.COM\Policies\{$($newGPO.id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
#Set CSEs for new GPO - NB! otherwise settings won't be picked up by either the Group Policy Management console or the client
Set-ADObject "CN={$($newGPO.id)},CN=Policies,CN=System,DC=EXAMPLE,DC=COM" -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"} -Server $dc
#Force AD to process new GPO
$newGPO | Set-GPRegistryValue -Key HKLM\SOFTWARE -ValueName "Default" -Value "" -Type String -Server $dc
$newGPO | Remove-GPRegistryValue -Key HKLM\SOFTWARE -ValueName "Default" -Server $dc
To add additional fields or users to the Local User Rights Assignments, I would recommend creating the GPO manually, then taking a look at the GptTmpl.inf file to see what format, values and syntax of the fields required. From my testing it uses SIDs, not the SamAccountName value, so you will have to pull the SID for each user that you need to add