Since these permissions are native to Microsoft AD, we recommend that you configure the permissions using scripts from the Microsoft GPMC site.
|
Task |
GPMC Script URL |
Example |
|---|---|---|
|
Create GPOs in the domain |
Setting Permissions to Create GPOs: https://msdn.microsoft.com/en-us/library/aa814151(v=vs.85).aspx#_win32_setting_gpo_permission |
SetGPOCreationPermissions.wsf "Export Only Account" |
|
Modify GPO Link |
Setting Policy-related Permissions on a SOM: https://msdn.microsoft.com/en-us/library/aa814151(v=vs.85).aspx#_win32_setting_policy_related_permissions_on_a_som |
SetSOMPermission.wsf MyOU "Export Only Account" /Permission:LinkGPOs |
|
Modify GP Option |
No script available. You need to use GP Explorer or the GPMC user interface. Note that it is only required if someone wants to modify the “Block Inheritance” status of an OU when a GPO is exported. |
|
|
Full Edit permission in the GPO (for existing GPOs in AD) |
Setting GPO Permissions: https://msdn.microsoft.com/en-us/library/aa814151(v=vs.85).aspx#_win32_setting_gpo_permissions |
SetGPOPermission.wsf {73624CC9-E8F2-4F05-88D2-193FAE8773CE} "Export Only Account" /Permission:FullEdit /Replace /Domain:example.microsoft.com |