Setting GPO security filter with powershell Set-GPPermissions cmdlet
According to Microsoft the cmdlet Set-GPPermissions accepts the option "-replace":
"This ensures that the existing permission level is replaced by the new permission level."
I import a GPO from PowerShell. After that I want to set the security filters. After importing, before setting the security filter, the Security Filtering of the GPO is "Authenticated Users". Now I want to remove that filter option and replace it with "myGroup". To do so I use the following command:
Set-GPPermissions -Name "myGPO" -PermissionLevel GpoApply -TargetName "myGroup" -TargetType Group -replace
The results are that there is a new security filter added which references "myGroup", but the Group "Authenticated Users" is not being removed. The Powershell cmdlet is not replacing the filter, it's adding it.
Hints?
Thanks in advance!
Answer
As documented on the page you referenced, the command would replace already existing permissions of a group "myGroup". It won't replace permissions for a group "Authenticated Users" with permissions for a group "myGroup". Quoting from Technet:
-Replace < SwitchParameter >
Specifies that the existing permission level for the group or user is removed before the new permission level is set.
You'll have to use Set-GPPermissions to grant permissions to "myGroup" and Set-GPPermissions -TargetName "Authenticated Users -PermissionLevel None to remove permissions for "Authenticated Users".