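# Re-delegates permissions on site GPOs.
#
# For every GPO whose display name starts with $gpoprefix, check whether
# $siteadmgrp already holds a "delete" right through inherited / schema-default
# permissions. If it does not, locate the domain account that currently holds a
# "delete" right on the GPO and, after interactive confirmation, substitute its
# SID with the site admin group's SID in the SDDL of both the AD object (GPC)
# and the SYSVOL policy folder (GPT).
#
# Requires the Quest ActiveRoles AD cmdlets (Get-QADObject, Get-QADPermission,
# Get-QADObjectSecurity) and write access to the GPC objects and SYSVOL.
#
# NOTE: the substitution is a plain string replace on the SDDL, so EVERY ACE
# that references the old SID is re-pointed at the group, not only the ACE
# carrying the delete right.
$domain = 'LDAP389'
$domainfqdn = 'ldap389.info'
$siteadmgrp = 'SITE1-ADM'
$gpoprefix = 'SITE1-'

# GPOs to inspect, fetched with their DACL so Get-QADPermission can read it.
$gpos = Get-QADObject -SearchAttributes @{objectclass = 'groupPolicyContainer'; Displayname = $gpoprefix + '*'} -SecurityMask Dacl

foreach ($gpo in $gpos) {
    # Reset per GPO: in the original loop $AdminAccount was never cleared, so a
    # GPO with no matching ACE silently reused the account found on the
    # previous GPO.
    $gpook = $false
    $AdminAccount = $null

    # Does the site admin group already have a delete right on this GPO?
    Get-QADPermission $gpo -Inherited -SchemaDefault | ForEach-Object {
        if (($_.Account.Name -eq $siteadmgrp) -and ($_.Rights -like '*delete*')) {
            $gpook = $true
        }
    }
    if ($gpook) { continue }

    # Find the domain account currently holding a delete right on this GPO.
    Get-QADPermission $gpo | ForEach-Object {
        if (($_.AccountName -like $domain + '\*') -and ($_.Rights -like '*delete*')) {
            $AdminAccount = $_.AccountName
        }
    }

    $gpodisplay = $gpo.DisplayName
    $gpodn = $gpo.DN

    if (-not $AdminAccount) {
        Write-Warning "No '$domain\' account with a delete right found on GPO '$gpodisplay'; skipping."
        continue
    }

    # Single prompt string: the original passed several adjacent string
    # fragments to Read-Host, which does not accept more than one prompt value.
    $Proceed = Read-Host "Replace $AdminAccount permissions with $siteadmgrp on $gpodisplay GPO (Y/N)"
    if ($Proceed -ne 'Y') { continue }

    $oldsid = (Get-QADObject -Identity $AdminAccount).SID.Value
    $groupname = $domain + '\' + $siteadmgrp
    $newsid = (Get-QADObject -Identity $groupname).SID.Value
    # String.Replace throws on an empty search value and an unresolved group
    # would wipe the SID out of the ACE, so refuse to touch the ACLs unless
    # both SIDs resolved.
    if (-not $oldsid -or -not $newsid) {
        Write-Warning "Could not resolve the SID of '$AdminAccount' or '$groupname'; skipping GPO '$gpodisplay'."
        continue
    }

    # Permissions on the AD object (GPC)
    $sddlgpc = Get-QADObjectSecurity $gpodn -SDDL
    $sddlgpc2 = $sddlgpc.Replace($oldsid, $newsid)
    $DE = [ADSI]"LDAP://$gpodn"
    $DE.psbase.ObjectSecurity.SetSecurityDescriptorSddlForm($sddlgpc2)
    $DE.psbase.CommitChanges()

    # Permissions on SYSVOL (GPT)
    $gpopath = '\\' + $domain + '\SYSVOL\' + $domainfqdn + '\Policies\' + $gpo.Name
    $acl = Get-Acl $gpopath
    $sddlgpt2 = $acl.Sddl.Replace($oldsid, $newsid)
    $acl.SetSecurityDescriptorSddlForm($sddlgpt2)
    Set-Acl $gpopath $acl
}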