I need to automate the creation of several security groups, then create and apply a GPO that includes OU / Security group specific file permissions and auditing.
I have the OU and group creation done. I can do the permission / auditing as ACLs but need to apply these as a GPO. I can link to the OUs/Groups and I can copy existing GPOs, but I still need to replace certain security groups. I do have the creation of registry keys per security group, but I cannot find any documentation on creating file permission / auditing.
Ex Case:
We roll out Virtual web servers that are assigned to specific clients. We've got a PS script that creates the new OUs and security groups for the new server. Rather than have to re-apply a PS script with ACLs if we need to re-deploy the VM, we'd like to automate the GPO creation that contains the ACLs for the default folders so we don't have to touch anything on a re-deploy once the VM is back up.
I have the ACL script, and that works fine, but it's not good for automation in this case.
Best Answer
So, there is no way to directly set up file permissions in a GPO using PowerShell. (Computer/Policies/Windows Settings/Security Settings/File System)
However, I was able to work around this by creating a GPO and manually backing it up (a one-time thing). With respect to the specific answer I was looking for, there are 3 files that need to be edited in the GPO backup.
You will need to replace the User Group Name(s) and SIDs with placeholders [GROUP_NAME] and [GROUP_SID] (could be USER as well) in all three files. You will also need to update the {Name} tag in gpreport.xml and the {DisplayName} in backup.XML to the new name of the GPO. I did this with another placeholder [GPO_NAME].
Now, this was the tricky part that took a while to figure out. You can't just Import-GPO this new object. You actually have to create a new blank GPO, back it up, and output the files that you update from the template into this backup.
Here's the code I used. There are a few placeholders in here. Replace these as needed for your environment. It looks like Stack formatting on PowerShell scripts is a little off. It works as pasted.
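
One way to script the procedure described in the answer above, as an added example that is not the answerer's code. Assumptions: the function name `New-GpoFromTemplate`, its parameters, the template folder layout, the third file being `GptTmpl.inf`, and the final `Import-GPO` step are not from the post.

```powershell
# Added example. Assumptions: $TemplateDir holds the hand-edited template backup
# files, and the third file is the security template GptTmpl.inf.
Import-Module GroupPolicy, ActiveDirectory

function New-GpoFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $TemplateDir,  # edited template backup folder
        [Parameter(Mandatory)] [string] $WorkDir       # existing scratch folder
    )
    # Relative paths inside a GPO backup folder (third entry is an assumption).
    $files = 'Backup.xml', 'gpreport.xml',
             'DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf'

    # Resolve the SID from AD so the name and SID always match.
    $group  = Get-ADGroup -Identity $GroupName
    $tokens = @{
        '[GROUP_NAME]' = $group.Name
        '[GROUP_SID]'  = $group.SID.Value
        '[GPO_NAME]'   = $GpoName
    }

    # Create a blank GPO and back it up; the template files go into this backup.
    $WorkDir   = (Resolve-Path $WorkDir).Path
    $gpo       = New-GPO -Name $GpoName
    $backup    = Backup-GPO -Guid $gpo.Id -Path $WorkDir
    $backupDir = Join-Path $WorkDir $backup.Id.ToString('B')

    foreach ($rel in $files) {
        $src = (Resolve-Path (Join-Path $TemplateDir $rel)).Path
        $dst = Join-Path $backupDir $rel
        # Read with BOM detection and write back in the same encoding.
        $reader = [System.IO.StreamReader]::new($src, $true)
        try { $text = $reader.ReadToEnd(); $enc = $reader.CurrentEncoding }
        finally { $reader.Dispose() }
        foreach ($t in $tokens.Keys) { $text = $text.Replace($t, $tokens[$t]) }
        # Stop before import if any placeholder survived the substitution.
        if ($text -match '\[(GROUP_NAME|GROUP_SID|GPO_NAME)\]') {
            throw "Unreplaced placeholder in $rel"
        }
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        [System.IO.File]::WriteAllText($dst, $text, $enc)
    }

    # Import the patched backup into the GPO created above.
    Import-GPO -BackupId $backup.Id -Path $WorkDir -TargetName $GpoName
}
```

After the import, open the GPO's File System node or generate a report with `Get-GPOReport` and confirm the permission and audit entries name the intended group before linking it to an OU.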