Badger

Reputation: 45

VBScript GPO permissions - set group to deny "Apply Group Policy"

Background (these facts are all set in stone and cannot be changed):

Therefore, to apply SettingA I need to set TestGPO (which has SettingA) with the following permissions:

I have looked at Microsoft's provided SetGPOPermissions.wsf (available here - https://gallery.technet.microsoft.com/group-policy-management-17a5f840), but this only covers the basic permissions (note that while the PermGPORead permission does not include "Apply Group Policy", all users are in "Authenticated Users" and so would get the Apply Group Policy permission from there, so this does not equate to a deny).

I have customised the script here for my purposes (but kept the same variable names, etc.), and it works as the script describes, but I can't work out how to get it to work with custom permissions. (https://books.google.co.uk/books?id=Ga1nLk_xqcUC&pg=PA430&dq=objGPOlist+item+1+getsecurityinfor&hl=en&sa=X&ved=0ahUKEwj67qq56-baAhUU3YMKHURTA1kQ6AEILTAA#v=onepage&q=objGPOlist%20item%201%20getsecurityinfor&f=false)

When it comes to the following line, I can see that I can change the method/property at the end from "PermGPOApply" to "PermGPOCustom", but I can't find examples of what I could put in here.

Set objGPMPerm = objGPM.CreatePermissions(strGroupAdd, objGPMConstants.PermGPOApply, False)

Following this line from the script:

Set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo()

I added the following, adapted from DumpGPOInfo.wsf (https://gallery.technet.microsoft.com/group-policy-management-17a5f840):

' Enumerate the GPMPermission objects in the GPO's security descriptor
For Each GPOPermission In objSecurityInfo
    WScript.Echo "GPO trustee is: " & GPOPermission.Trustee.TrusteeName
    WScript.Echo "GPO permission is: " & GPOPermission.Permission   ' numeric GPMPermissionType value
Next

And from this I can see that the "Custom" permission shows as 65795. However, this does not denote a specific custom permission, but rather any permission which does not fall into the bracket of "read" or "edit" - so Read, Execute, Edit and Deny "Apply Group Policy" would show as 65795, as would simply Deny "Apply Group Policy". In other words it is of no use to me.

I did find a tantalising reference to how to set permissions on the following website, but then could not find any more useful information from this link.

"To set Deny or Custom permissions on these objects, you still need to use Active Directory Service Interfaces—ADSI—tools such as IADsSecurityDescriptor or Microsoft's adssecurity.dll." (http://www.itprotoday.com/management-mobility/scripting-group-policy-permissions)

So in summary: Please can someone advise how to use vbscript to set a GPO to deny "Apply Group Policy" for a specified group. Thanks!

Upvotes: 1

Views: 669

Answers (1)

Badger

Reputation: 45

Could not find a way using the GPMgmt.GPM COM object as used in the Microsoft scripts, so I used DSA.exe to work out the name of the permission and dsacls to set the permissions (as the GPO is, of course, an object in AD). I set read permissions, and then the deny, and I required the Distinguished Name (DN) of the GPO.

' strGPO_DN (DN of the GPO's groupPolicyContainer object) and strGroupAdd
' (the group, in DOMAIN\GroupName form as dsacls expects) are set earlier in the script
Set objShell = CreateObject("WScript.Shell")

' Allow Generic Read on the GPO and its sub-objects (/I:T = this object and sub-objects)
strCMDLineRead = "dsacls " & Chr(34) & strGPO_DN & Chr(34) & " /I:T /G " & strGroupAdd & ":GR"
' Deny the "Apply Group Policy" control access right (CA;<right name>) to the group
strCMDLineDeny = "dsacls " & Chr(34) & strGPO_DN & Chr(34) & " /I:T /D " & strGroupAdd & ":CA;" & Chr(34) & "Apply Group Policy" & Chr(34)

' Run hidden (window style 0) and wait for each command to finish
objShell.Run strCMDLineRead, 0, True
objShell.Run strCMDLineDeny, 0, True

Unsure of the etiquette of answering my own question. I didn't want to just close it, as someone may come across this and find it useful.

Upvotes: 0
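The same two steps as the dsacls answer above (allow Read, deny the Apply Group Policy right), done natively with the RSAT GroupPolicy and ActiveDirectory modules, as an added example that is not part of the original post. It assumes RSAT is installed, that the GPO is the TestGPO from the question, and a hypothetical group name; the Apply-Group-Policy extended right GUID is the one published in the AD schema. Set-GPPermission cannot express a Deny, which is why the ACL is edited directly on the GPO's AD object:

```powershell
# Added example, not from the original post. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules; TestGPO is from the question, the group name is hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'TestGPO'             # GPO from the question
$GroupName = 'GPO-Deny-SettingA'   # hypothetical group that must NOT receive the GPO

# rightsGuid of the Apply-Group-Policy extended right (AD schema, Extended-Rights container)
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Set-GpoDenyApply {
    param([string]$Gpo, [string]$Group)

    # The GPO's AD object is a groupPolicyContainer; Get-GPO exposes its DN as .Path
    $adPath = 'AD:\' + (Get-GPO -Name $Gpo).Path
    $sid    = (Get-ADGroup -Identity $Group).SID

    $acl = Get-Acl -Path $adPath

    # 1. Allow Read so the client can still read the container (dsacls /G group:GR /I:T)
    $readRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # 2. Deny the Apply-Group-Policy extended right (dsacls /D group:CA;"Apply Group Policy")
    $denyRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # ActiveDirectorySecurity keeps the DACL canonical (deny ACEs ahead of allow ACEs),
    # so this deny wins over the Apply right the group's members get via Authenticated Users.
    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($denyRule)
    Set-Acl -Path $adPath -AclObject $acl
}

# Check: list every ACE on the GPO that targets the Apply-Group-Policy right
function Get-ApplyGroupPolicyAces {
    param([string]$Gpo)
    $adPath = 'AD:\' + (Get-GPO -Name $Gpo).Path
    (Get-Acl -Path $adPath).Access |
        Where-Object { $_.ObjectType -eq $ApplyGroupPolicyGuid } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Set-GpoDenyApply -Gpo $GpoName -Group $GroupName
Get-ApplyGroupPolicyAces -Gpo $GpoName | Format-Table -AutoSize
```

After this runs, the check function should list the group with AccessControlType Deny next to the usual Authenticated Users Allow entry, and GPMC reports the group's permission as Custom (the 65795 value the question saw, which is why the GPM enumeration cannot distinguish it). On a member of the group, gpresult shows the GPO as filtered out by security. Like the dsacls approach, this touches only the AD object, not the SYSVOL folder ACL; that is sufficient because the Apply right is evaluated on the groupPolicyContainer.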
