Description
There seems to be some undocumented behaviour in the way that Group Policy permissions are Get and Set.
If you use Get-GPPermissions with the -All parameter, you might get two permission objects for the same trustee. For example, a trustee might have both a "GpoApply" permission object, and a "GpoEdit". The difference seems to relate to "Apply" permissions and "Delegation" permissions. "Apply" is Apply or Deny, while Delegation is Read, Edit, or EditDeleteModifySecurity. This corresponds to Security Filtering, and Delegation, in the GUI.
When you use Set-GPPermission, you need to specify the trustee (both the "targetName" and the "targetType", e.g. "Domain Admins", Group). But if permissions are already set, which of the two permissions would it target? If you set -PermissionLevel to be GpoRead, would this overwrite the Apply permission or the GpoEdit permission?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 4bd298c8-2295-4e08-1eb8-9bdd8ee3638a
- Version Independent ID: 5975ed60-c9af-e80a-5289-a904fc5ec2aa
- Content: Set-GPPermission (GroupPolicy)
- Content Source: docset/winserver2022-ps/grouppolicy/Set-GPPermission.md
- Product: w10
- GitHub Login: @JasonGerend
- Microsoft Alias: jgerend
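
One way to observe the behaviour asked about above on a non-production GPO, as an added example that is not part of the original issue or of Microsoft's documentation: snapshot the permission objects per trustee, apply the Set-GPPermission call, and diff the result. The function names and the GPO name `Test-GPO` are hypothetical placeholders; the script assumes the GroupPolicy module is installed and the caller may modify that GPO.

```powershell
# Added example, not from the issue or the Microsoft docs.
# Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

function Get-GpoTrusteePermission {
    # Returns one row per trustee, listing every permission object found for it.
    param(
        [Parameter(Mandatory)] [string] $GpoName
    )
    Get-GPPermission -Name $GpoName -All |
        Group-Object { $_.Trustee.Sid.Value } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Trustee     = $first.Trustee.Name
                Sid         = $_.Name
                Type        = $first.Trustee.SidType
                Permissions = @($_.Group.Permission | Sort-Object) -join ','
                Count       = $_.Count
            }
        }
}

function Compare-GpoTrusteePermission {
    # Diffs two snapshots taken with Get-GpoTrusteePermission.
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After
    )
    Compare-Object $Before $After -Property Sid, Trustee, Permissions |
        Sort-Object Sid, SideIndicator
}

# 'Test-GPO' is a placeholder for a non-production GPO (assumption).
$gpo    = 'Test-GPO'
$before = Get-GpoTrusteePermission -GpoName $gpo

# Trustees that currently hold more than one permission object.
$before | Where-Object Count -gt 1 | Format-Table -AutoSize

# Apply the change in question, then see which object(s) actually changed.
Set-GPPermission -Name $gpo -TargetName 'Domain Admins' -TargetType Group -PermissionLevel GpoRead
$after = Get-GpoTrusteePermission -GpoName $gpo
Compare-GpoTrusteePermission -Before $before -After $after | Format-Table -AutoSize
```

Rows marked `<=` show a trustee's permissions before the call and rows marked `=>` show them after; an empty diff means the call left the stored permissions unchanged.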