claudetools/.claude/temp/frd-scope-zachary.ps1
Howard Enos bc984d9c78 sync: auto-sync from HOWARD-HOME at 2026-05-20 17:08:25
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 17:08:25
2026-05-20 17:08:29 -07:00


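# Target domain and the GPO whose scope this script narrows.
$domain = 'cascades.local'
$gpoName = 'CSC - Folder Redirection'

# Security filter: remove Authenticated Users, add zachary.nelson
# -ErrorAction Stop: if the GPO cannot be resolved (wrong name, no rights,
# domain unreachable) the script halts here instead of continuing into the
# permission and link changes below with an unresolved GPO.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction Stop

# Name and GUID are separated so the GUID can be read (and grepped) from the log.
Write-Output "GPO: $($gpo.DisplayName) [$($gpo.Id)]"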
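# Remove Authenticated Users from Security Filtering.
#
# -Replace is required: without it Set-GPPermission leaves the ACL unchanged
# when the trustee already holds a higher level than the one requested, so a
# trustee that currently has GpoApply would keep it and the "[OK]" line below
# would be reported for a change that never happened.
#
# The level is GpoRead rather than None: this drops the Apply right (which is
# what security filtering keys on) but keeps Read. Current Windows clients
# retrieve user policy in the computer account's security context, so a GPO
# that computers cannot read is silently skipped even for a user who holds
# GpoApply. NOTE(review): if Read is granted to computers some other way
# (e.g. Domain Computers), None would also work - confirm before tightening.
try {
    Set-GPPermission -Name $gpoName -Domain $domain -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Replace -EA Stop
    Write-Output "[OK] Removed Authenticated Users from security filter"
} catch {
    # Logged as a warning and the script continues, as before; until this
    # step succeeds the GPO is still scoped to every authenticated principal.
    Write-Output "[WARN] Remove Authenticated Users: $($_.Exception.Message)"
}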
# Grant zachary.nelson the Apply Group Policy permission so that this user is
# in the GPO's security filter.
$applyArgs = @{
    Name            = $gpoName
    Domain          = $domain
    PermissionLevel = 'GpoApply'
    TargetName      = 'zachary.nelson'
    TargetType      = 'User'
    ErrorAction     = 'Stop'   # turn a failure into an exception for the catch below
}
try {
    Set-GPPermission @applyArgs
    Write-Output "[OK] Added zachary.nelson with GpoApply"
}
catch {
    # Reported but not fatal: the script goes on to the remaining steps.
    Write-Output "[ERROR] Add zachary.nelson: $($_.Exception.Message)"
}
# Also ensure Domain Admins can still read/edit the GPO, so that narrowing
# the security filter does not leave the object without an administrative
# trustee.
$adminArgs = @{
    Name            = $gpoName
    Domain          = $domain
    PermissionLevel = 'GpoEditDeleteModifySecurity'
    TargetName      = 'Domain Admins'
    TargetType      = 'Group'
    ErrorAction     = 'Stop'   # turn a failure into an exception for the catch below
}
try {
    Set-GPPermission @adminArgs
    Write-Output "[OK] Domain Admins GpoEditDeleteModifySecurity confirmed"
}
catch {
    # Treated as a warning only; execution continues.
    Write-Output "[WARN] Domain Admins: $($_.Exception.Message)"
}
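# Link GPO to OU=Administrative
$ouDN = 'OU=Administrative,OU=Departments,DC=cascades,DC=local'
try {
    # The returned link object is not needed; discard it so it does not end
    # up in the script's output stream.
    $null = New-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes -EA Stop
    Write-Output "[OK] Linked to $ouDN"
} catch {
    # NOTE(review): this matches on the English error text; on a localized
    # system the "already exists" case would fall through to [ERROR].
    if ($_.Exception.Message -like '*already exists*') {
        Write-Output "[INFO] Link already exists — enabling it"
        try {
            # -EA Stop instead of SilentlyContinue: "[OK] Link enabled" must
            # only be printed when Set-GPLink actually succeeded, otherwise a
            # disabled link is reported as enabled.
            Set-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes -EA Stop
            Write-Output "[OK] Link enabled"
        } catch {
            Write-Output "[ERROR] Enable link: $($_.Exception.Message)"
        }
    } else {
        Write-Output "[ERROR] Link: $($_.Exception.Message)"
    }
}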
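# Post-change verification: list every trustee on the GPO with its permission
# level so the resulting security filter can be reviewed in the log.
Write-Output ""
Write-Output "=== GPO Scope after changes ==="
Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
    # Trustee and permission are separated; run together they are ambiguous
    # for trustee names that end in a word resembling a permission level.
    Write-Output " $($_.Trustee.Name): $($_.Permission)"
}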
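# Post-change verification: list where the GPO is linked and whether each
# link is enabled.
#
# The links are read from the GPO's XML report (GPO/LinksTo elements, which
# carry SOMName and Enabled). NOTE(review): the object returned by Get-GPO is
# not documented as exposing a GpoLinks property, so reading it there would
# print a single blank entry rather than the real links - confirm on a
# domain-joined host.
Write-Output ""
Write-Output "=== GPO Links ==="
try {
    [xml]$gpoReport = Get-GPOReport -Name $gpoName -Domain $domain -ReportType Xml -ErrorAction Stop
    # Where-Object drops the $null produced when the GPO has no links at all.
    $gpoLinks = @($gpoReport.GPO.LinksTo | Where-Object { $_ })
    if ($gpoLinks.Count -eq 0) {
        Write-Output " (no links found)"
    }
    foreach ($gpoLink in $gpoLinks) {
        Write-Output " $($gpoLink.SOMName) — Enabled: $($gpoLink.Enabled)"
    }
} catch {
    Write-Output "[ERROR] List links: $($_.Exception.Message)"
}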