Add-GphGpoDefaultPermissions.ps1

#Requires -RunAsAdministrator
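function Add-GphGpoDefaultPermissions
{
  <#
      .SYNOPSIS
      Adds additional default permissions to the Group-Policy-Container schema class.

      .DESCRIPTION
      When a new GPO is created, its container object receives the default permissions stored in the
      defaultSecurityDescriptor attribute of the Group-Policy-Container class in the AD schema. This function
      appends an ACE (in SDDL form) to that attribute. By default it adds Read permissions for the
      "Domain Computers" group (SDDL alias DC); any other ACE can be supplied with -SDDLStringToAdd.

      Notes for operators:
      - This is a forest-wide schema change. It is written to the schema master (schema changes are only
        accepted there) and needs Schema Admins rights. This function offers no way to undo it.
      - Only GPOs created after the change are affected; existing GPOs keep their current ACLs.
      - The combined descriptor is parsed before it is written. An unparsable default descriptor would be
        inherited by every new GPO and break GPO creation forest-wide.
      - Supports -WhatIf / -Confirm.

      .PARAMETER SDDLStringToAdd
      One or more ACEs in SDDL form to append to the class default security descriptor. The ACE is appended
      only if the current descriptor does not already contain it verbatim (case-sensitive text comparison).

      .EXAMPLE
      Add-GphGpoDefaultPermissions
      Adds the group "Domain Computers" with Read permissions to the Group Policy Container default permissions.

      .EXAMPLE
      Add-GphGpoDefaultPermissions -SDDLStringToAdd '(A;CI;LCRPLORC;;;DU)'
      Adds the group "Domain Users" with Read permissions to the Group Policy Container default permissions.

      .EXAMPLE
      Add-GphGpoDefaultPermissions -WhatIf
      Shows the DefaultSecurityDescriptor that would be written without changing the schema.

      .NOTES
      Meaning of the SDDL flags in the default ACE:
      Access type: A = Access Allowed
      ACE flag: CI = Container Inherit
      Permissions:
      LC = List Contents
      RP = Read All Properties
      LO = List Object
      RC = Read Permissions
      Access subject: DC = Domain Computers (DU = Domain Users)
      More Infos:
      https://msdn.microsoft.com/de-de/library/windows/desktop/aa379602(v=vs.85).aspx
      http://woshub.com/how-to-change-default-permissions-for-new-gpos/

      Author: Holger Voges
      Date: 2018-11-16
      Version: 1.0
  #>

  [CmdletBinding( SupportsShouldProcess = $true, ConfirmImpact = 'Medium' )]
  param (
    # The ACE(s) to append to the Group-Policy-Container default security descriptor.
    # Default: Read permissions for "Domain Computers".
    [ValidateNotNullOrEmpty()]
    [String]
    $SDDLStringToAdd = '(A;CI;LCRPLORC;;;DC)'
  )

  # Schema writes are only accepted by the schema master FSMO role holder; target it explicitly
  # instead of whichever DC the AD module happens to pick.
  $schemaMaster = ( Get-ADForest ).SchemaMaster
  $ADschemaDn = ( Get-ADRootDSE -Server $schemaMaster ).schemaNamingContext
  $GPCClass = Get-ADObject -Server $schemaMaster -Filter { name -eq 'Group-Policy-Container' } -SearchBase $ADschemaDn -Properties DefaultSecurityDescriptor
  if ( -not $GPCClass )
  {
    throw "Schema class 'Group-Policy-Container' was not found in '$ADschemaDn'."
  }

  if ( $GPCClass.DefaultSecurityDescriptor.Contains( $SDDLStringToAdd ))
  {
    Write-Verbose "DefaultSecurityDescriptor already contains '$SDDLStringToAdd'; nothing to add."
  }
  else
  {
    $NewGPCClassDescriptor = $GPCClass.DefaultSecurityDescriptor + $SDDLStringToAdd

    # Validate the combined SDDL before touching the schema. A descriptor that does not parse would be
    # stamped on every GPO created afterwards and break GPO creation forest-wide.
    try
    {
      $null = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $NewGPCClassDescriptor
    }
    catch
    {
      throw "The resulting security descriptor '$NewGPCClassDescriptor' is not valid SDDL: $($_.Exception.Message)"
    }

    if ( $PSCmdlet.ShouldProcess( "Group-Policy-Container on $schemaMaster", "Set DefaultSecurityDescriptor to '$NewGPCClassDescriptor'" ))
    {
      Set-ADObject -Server $schemaMaster -Identity $GPCClass -Partition $ADschemaDn -Replace @{ DefaultSecurityDescriptor = $NewGPCClassDescriptor }
    }
  }

  # Helper defined elsewhere in this module. NOTE(review): it takes no server argument here, so it
  # presumably refreshes the cache on the default DC; confirm it reaches the schema master.
  Update-SchemaCache
}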