I create a PowerShell function that updates the permission of a Group Policy only for DenyApply rights. 
You can use this function at your own risk.

function Set-GPPermissionDeny {

    $Domain = (Get-ADDomain).NetbiosName
    $DomainDN = (Get-ADDomain).DistinguishedName
    $Account = ('{0}\{1}' -f $Domain, $GroupName)
    $GPO = Get-GPO -Name $GpoName

    if (![STRING]::IsNullOrWhiteSpace($Domain) -and ![STRING]::IsNullOrWhiteSpace($Account) -and ![STRING]::IsNullOrWhiteSpace($GpoName))
        Write-Host ('Permissions set for GPO: {0} => ' -f $GPO.DisplayName) -NoNewline

        $ADGpo = [ADSI]"LDAP://CN=`{$($GPO.Id.guid)`},CN=Policies,CN=System,$($DomainDN)"

        $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(

        $acl = $ADGpo.ObjectSecurity
        try {
            Write-Host 'successfull' -ForegroundColor Green
        } catch {
            Write-Host 'failed' -ForegroundColor Red
    } else {
        'Something went wrong...'

Have fun

One Reply to “The missing Set-GPPermission PowerShell function”

Leave a Reply

Your email address will not be published. Required fields are marked *