@@ -48,9 +48,9 @@ Get-GPPermission -Name "TestGpo" -TargetName "Domain Users" -TargetType Group
4848```
4949
5050``` Output
51- Trustee : Domain Users
52- TrusteeType : Group
53- PermissionLevel : GpoRead
51+ Trustee : Domain Users
52+ TrusteeType : Group
53+ PermissionLevel : GpoRead
5454Inherited : False
5555```
5656
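Review bot: The Example 1 output labels the field `PermissionLevel` (line 53), while the Example 3 output later in this file labels the same field `Permission` (lines 89 to 109). Since these lines are already being touched, confirm which label the cmdlet prints and use it in both output blocks.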
@@ -73,50 +73,50 @@ This command gets the permission level for the Domain Admins group on the GPO wi
7373` fa4a9473-6e2a-4b78-175e68d97bde ` in the ` Sales.Contoso.com ` domain. The ` DC1.sales.contoso.com `
7474domain controller is contacted to complete the operation.
7575
76- If the domain of the user that is running the session (or, for startup and shutdown scripts, the
77- computer) is different from the sales.contoso.com domain, a trust must exist between the two
76+ If the domain of the user that's running the session (or, for startup and shutdown scripts, the
77+ computer) is different from the ` sales.contoso.com ` domain, a trust must exist between the two
7878domains, or the command fails.
7979
8080### Example 3: Get the permission level for all security principals on the specified GPO
8181
8282``` powershell
83- Get-GPPermission -Name "TestGPO" -All
83+ Get-GPPermission -Name "TestGPO" -All
8484```
8585
8686``` Output
87- Trustee : Authenticated Users
88- TrusteeType : WellKnownGroup
89- Permission : GpoApply
90- Inherited : False
91-
92- Trustee : Domain Admins
93- TrusteeType : Group
94- Permission : GpoEditDeleteModifySecurity
95- Inherited : False
96-
97- Trustee : Enterprise Admins
98- TrusteeType : Group
99- Permission : GpoEditDeleteModifySecurity
100- Inherited : False
101-
102- Trustee : ENTERPRISE DOMAIN CONTROLLERS
103- TrusteeType : WellKnownGroup
104- Permission : GpoRead
105- Inherited : False
106-
107- Trustee : SYSTEM
108- TrusteeType : WellKnownGroup
109- Permission : GpoEditDeleteModifySecurity
87+ Trustee : Authenticated Users
88+ TrusteeType : WellKnownGroup
89+ Permission : GpoApply
90+ Inherited : False
91+
92+ Trustee : Domain Admins
93+ TrusteeType : Group
94+ Permission : GpoEditDeleteModifySecurity
95+ Inherited : False
96+
97+ Trustee : Enterprise Admins
98+ TrusteeType : Group
99+ Permission : GpoEditDeleteModifySecurity
100+ Inherited : False
101+
102+ Trustee : ENTERPRISE DOMAIN CONTROLLERS
103+ TrusteeType : WellKnownGroup
104+ Permission : GpoRead
105+ Inherited : False
106+
107+ Trustee : SYSTEM
108+ TrusteeType : WellKnownGroup
109+ Permission : GpoEditDeleteModifySecurity
110110Inherited : False
111111```
112112
113113This command gets the permission level for each security principal that has permissions on the GPO
114- named TestGPO.
114+ named ` TestGPO ` .
115115
116116### Example 4: Get the display name of each GPO for a specific permissions
117117
118118``` powershell
119- Get-GPO -All | ForEach-Object {
119+ Get-GPO -All | ForEach-Object {
120120 if ( $_ |
121121 $params = @{
122122 TargetName = 'contoso\Domain Admins'
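Review bot: In the Example 2 description at line 73, the GUID `fa4a9473-6e2a-4b78-175e68d97bde` has only four groups, so it isn't a well-formed GUID; restore the missing group while this paragraph is being edited. In the same hunk, the Example 4 heading reads "for a specific permissions", and the `if ( $_ |` line at 120 is followed directly by `$params = @{`, which doesn't read as a valid pipeline; check that block against a working script.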
@@ -130,26 +130,27 @@ Get-GPO -All | ForEach-Object {
130130```
131131
132132``` Output
133- Default Domain Policy
134- TestGPO-1
135- TestGPO-2 Default Domain Controllers Policy
136- Internet Security
133+ Default Domain Policy
134+ TestGPO-1
135+ TestGPO-2 Default Domain Controllers Policy
136+ Internet Security
137137TestGPO
138138```
139139
140140This command lists the display name of each GPO (in the domain) on which the specified security
141141principal has permissions.
142142
143- First, ` Get-GPO ` is used to retrieve all the GPOs in the domain (** Get-GPO -All** ). Then, the
144- collection is piped into the ` Foreach-Object ` command. As each GPO is evaluated, it is piped into
145- ` Get-GPPermissions ` . If a permission level is returned, the DisplayName property of the GPO is
146- printed ($ _ .DisplayName) .
143+ First, ` Get-GPO ` is used to retrieve all the GPOs in the domain (` Get-GPO -All ` ). Then, the
144+ collection is piped into the ` Foreach-Object ` command. As each GPO is evaluated, it's piped into
145+ ` Get-GPPermissions ` . If a permission level is returned, the ** DisplayName** property of the GPO is
146+ printed.
147147
148- Note: The ErrorAction parameter is set to SilentlyContinue for Get-GPPermissions. This is because a
149- non-terminating error occurs if the specified security principal does not have permissions on the
150- GPO. Specifying the ErrorAction as SilentlyContinue prevents the error messages from being printed
151- for GPOS on which the security principal does not have permissions. For more information about the
152- ErrorAction parameter, see about_CommonParameters.
148+ The ** ErrorAction** parameter is set to ` SilentlyContinue ` . This is because a non-terminating error
149+ occurs if the specified security principal doesn't have permissions on the GPO. Specifying the
150+ ** ErrorAction** as ` SilentlyContinue ` prevents the error messages from being printed for GPOS on
151+ which the security principal doesn't have permissions. For more information about the
152+ ** ErrorAction** parameter, see
153+ [ about_CommonParameters] ( https://go.microsoft.com/fwlink/?LinkID=113216 ) .
153154
154155## PARAMETERS
155156
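Review bot: The Example 4 output at line 135 still has two GPO names on one line (`TestGPO-2 Default Domain Controllers Policy`); the whitespace cleanup is a good moment to split them so each display name is on its own line. In the rewritten explanation, `Get-GPPermissions` (line 145) and `Foreach-Object` (line 144) differ from the `Get-GPPermission` and `ForEach-Object` spellings used elsewhere in the file, "GPOS" at line 150 should be "GPOs", and the new sentence at line 148 no longer says which command the **ErrorAction** parameter is set on.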
@@ -161,7 +162,7 @@ permissions on the GPO.
161162``` yaml
162163Type : System.Management.Automation.SwitchParameter
163164Parameter Sets : (All)
164- Aliases :
165+ Aliases :
165166
166167Required : False
167168Position : Named
@@ -172,17 +173,14 @@ Accept wildcard characters: False
172173
173174### -DomainName
174175
175- Specifies the domain for this cmdlet.
176- You must specify the fully qualified domain name (FQDN) of the domain.
176+ Specifies the domain for this cmdlet. You must specify the fully qualified domain name (FQDN) of the
177+ domain. The GPO specified must exist in this domain.
177178
178- For the ` Get-GPPermission` cmdlet, the GPO for which to get the permission level must exist in
179- this domain.
180-
181- If you do not specify the **Domain** parameter, the domain of the user that is running the current
179+ If you don't specify the **Domain** parameter, the domain of the user that's running the current
182180session is used. If the cmdlet is being run from a computer startup or shutdown script, the domain
183181of the computer is used. For more information, see the Notes section in the full Help.
184182
185- If you specify a domain that is different from the domain of the user that is running the current
183+ If you specify a domain that's different from the domain of the user that's running the current
186184session (or, for a startup or shutdown script, the computer), a trust must exist between that domain
187185and the domain of the user or the computer.
188186
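Review bot: Line 179 still refers to the **Domain** parameter, but the section heading and the NOTES text call it **DomainName**; rename it here so the reference matches the parameter being documented. The shortened sentence at line 177, "The GPO specified must exist in this domain", would also read more clearly as "The specified GPO must exist in this domain".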
@@ -204,7 +202,7 @@ Accept wildcard characters: False
204202### -Guid
205203
206204Specifies the GPO from which to retrieve the permission level by its globally unique identifier
207- (GUID). The GUID uniquely identifies the GPO.
205+ (GUID). The ` GUID` uniquely identifies the GPO.
208206
209207You can also refer to the **Guid** parameter by its built-in alias, **Id**. For more information,
210208see [about_Aliases](/powershell/module/microsoft.powershell.core/about/about_aliases).
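Review bot: On line 205, putting `GUID` in code formatting marks an abbreviation as if it were a literal value or parameter name, and it's inconsistent with the plain "(GUID)" at the start of the same line. Leave it as plain text and keep bold **Guid** for the parameter, as line 207 does.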
@@ -225,7 +223,7 @@ Accept wildcard characters: False
225223
226224Specifies the GPO from which to retrieve the permission level by its display name.
227225
228- The display name is not guaranteed to be unique in the domain. If another GPO with the same display
226+ The display name isn't guaranteed to be unique in the domain. If another GPO with the same display
229227name exists in the domain an error occurs. You can use the **Guid** parameter to uniquely identify a
230228GPO.
231229
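Review bot: Line 227 is missing a comma after the conditional clause; it should read "If another GPO with the same display name exists in the domain, an error occurs." Fix it while the paragraph is being touched.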
@@ -249,7 +247,7 @@ Accept wildcard characters: False
249247Specifies the name of the domain controller that this cmdlet contacts to complete the operation. You
250248can specify either the fully qualified domain name (FQDN) or the host name.
251249
252- If you do not specify the name by using the **Server** parameter, the PDC emulator is contacted.
250+ If you don't specify the name using the **Server** parameter, the PDC emulator is contacted.
253251
254252You can also refer to the **Server** parameter by its built-in alias, **DC**. For more information,
255253see [about_Aliases](/powershell/module/microsoft.powershell.core/about/about_aliases).
@@ -274,16 +272,14 @@ security principal (domain\account) or just its name.
274272
275273For instance, in the `contoso.com` domain, to specify :
276274
277- - The user someuser, use `contoso\someuser` or `someuser`.
278-
275+ - The username, use `contoso\someuser` or `someuser`.
279276- The Domain Admins security group, use `contoso\Domain Admins` or `Domain Admins`.
280-
281- - The computer computer-01, use `contoso\computer-01` or `computer-01`.
277+ - The computer name, use `contoso\computer-01` or `computer-01`.
282278
283279` ` ` yaml
284280Type: System.String
285281Parameter Sets: (All)
286- Aliases:
282+ Aliases:
287283
288284Required: False
289285Position: Named
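Review bot: The new bullets at lines 275 and 277 drop the example principals, so "The username, use `contoso\someuser`" and "The computer name, use `contoso\computer-01`" no longer say what `someuser` and `computer-01` stand for, and they don't parallel the Domain Admins bullet between them. Suggest keeping the original form with code formatting, for example "The user `someuser`, use ..." and "The computer `computer-01`, use ...".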
@@ -294,20 +290,17 @@ Accept wildcard characters: False
294290
295291# ## -TargetType
296292
297- The type of security principal for which to get the permission level.
298-
299- The acceptable values for this parameter are :
293+ The type of security principal for which to get the permission level. The acceptable values for this
294+ parameter are :
300295
301296- Computer
302-
303297- User
304-
305298- Group
306299
307300` ` ` yaml
308301Type: PermissionTrusteeType
309302Parameter Sets: (All)
310- Aliases:
303+ Aliases:
311304Accepted values: Computer, User, Group
312305
313306Required: False
@@ -333,26 +326,26 @@ GPOs from different domains are not supported.
333326
334327# # OUTPUTS
335328
336- # ##
329+ # ## Microsoft.GroupPolicy.GPPermissionCollection
330+
331+ # ## Microsoft.GroupPolicy.GPPermission
337332
338333This cmdlet returns an object that represents permissions for the specified security principal
339334(user, group, or computer) on the GPO.
340335
341336# # NOTES
342337
343- * You can use the *DomainName* parameter to explicitly specify the domain for this cmdlet.
344-
345- If you do not explicitly specify the domain, the cmdlet uses the default domain. The default
346- domain is the domain that is used to access network resources by the security context under which
347- the current session is running. This domain is typically the domain of the user that is running
348- the session. For example, the domain of the user who started the session by opening Windows
349- PowerShell or the domain of a user that is specified in a runas command. However, computer startup
350- and shutdown scripts run under the context of the LocalSystem account. The LocalSystem account is
351- a built-in local account, and it accesses network resources under the context of the computer
352- account. Therefore, when this cmdlet is run from a startup or shutdown script, the default domain
353- is the domain to which the computer is joined.
338+ You can use the **DomainName** parameter to explicitly specify the domain for this cmdlet. If you do
339+ not explicitly specify the domain, the cmdlet uses the default domain. The default domain is the
340+ domain that is used to access network resources by the security context under which the current
341+ session is running. This domain is typically the domain of the user that is running the session. For
342+ example, the domain of the user who started the session by opening Windows PowerShell or the domain
343+ of a user that is specified in a runas command. However, computer startup and shutdown scripts run
344+ under the context of the LocalSystem account. The LocalSystem account is a built-in local account,
345+ and it accesses network resources under the context of the computer account. Therefore, when this
346+ cmdlet is run from a startup or shutdown script, the default domain is the domain to which the
347+ computer is joined.
354348
355349# # RELATED LINKS
356350
357351[Set-GPPermission](./Set-GPPermission.md)
358-
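Review bot: The OUTPUTS section now lists two types (lines 329 and 331), but the single description under the second heading doesn't say when each one is returned, and the `GPPermissionCollection` heading has no text of its own; add a sentence under each heading. In NOTES, the merged paragraph keeps "do not" and "that is" while the other hunks switch to contractions, and the sentence beginning "For example, the domain of the user who started the session" is a fragment.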