Mr. Roboto
Power Up Your GPO Management
With the release of PowerShell, you now have a few more options when it comes to Group Policy. Here are two of them.
- By Jeffery Hicks
- 11/01/2007
Group Policy management can be a full-time job. Group Policy Management Console
(GPMC) no doubt made your life much easier, especially if you had a scripting
background. You could create scripts to leverage the GPMC object model. "Advanced
VBScript for Windows Administrators" (which I co-wrote with Mr. Roboto
emeritus Don Jones) has a chapter devoted to that topic.
While GPMC is great, the release of PowerShell gives a few more options. The
"GPO Guy," Darren Mar-Elia, has just released two free PowerShell
cmdlets: Get-SDMGpo and New-SDMGpo. You can download these cmdlets from GPOGuy.com.
Be sure to read the online instructions carefully. The first cmdlet lets you
retrieve a Group Policy Object (GPO):
PS C:\> get-sdmgpo "default domain policy"
DisplayName                 : Default Domain Policy
Path                        : cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system...
ID                          : {31B2F340-016D-11D2-945F-00C04FB984F9}
DomainName                  : company.local
CreationTime                : 7/28/2006 10:11:18 PM
ModificationTime            : 7/29/2006 11:17:24 AM
UserDSVersionNumber         : 1
ComputerDSVersionNumber     : 3
UserSysvolVersionNumber     : 1
ComputerSysvolVersionNumber : 3
As you can see, there's some useful information here. You just can't do much
in terms of configuring individual Group Policy settings with this cmdlet.
This cmdlet also requires that you install the GPMC so it can take advantage
of the GPMC object model. This means you can use it for tasks like backing up,
copying, enabling or disabling user or computer nodes, and creating reports:
PS C:\> new-variable -name html -value 1 -option Constant
PS C:\> $gpo= get-sdmgpo "Default Domain Policy"
PS C:\> $gpo.GenerateReportToFile($html,"c:\DefaultDomain.htm")
In this example, I first define a constant -- $html.
I'll use this in the GenerateReportToFile() method
on the third line. The method requires a report type and destination file.
Because the cmdlet returns objects, I can take advantage of the pipeline. For
example, suppose I want to find all my GPOs where the user node is disabled. I
would use an expression like this:
PS C:\> get-sdmgpo * | Where {$_.IsUserEnabled() -eq $false } | select Displayname
Or here's how I might find all GPOs modified since Aug. 1, 2007:
PS C:\> get-sdmgpo * | Where {$_.ModificationTime -ge '08/01/2007' } | select DisplayName,ModificationTime
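The modification-date filter above can be turned into a reusable change-review check. The following is an added example, not code from the author or SDM Software: the function name Get-GpoChangeAudit and the sample GPOs are hypothetical, and it reads only the properties shown in the Get-SDMGpo output earlier. It goes one step beyond the article by also comparing the DS and Sysvol version numbers, which differ when the Active Directory and SYSVOL copies of a GPO are out of sync.

```powershell
# Added example (hypothetical helper): flag GPOs that changed recently or whose
# Active Directory and SYSVOL version counters disagree.
function Get-GpoChangeAudit {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Gpo,
        # Review window; defaults to the last 30 days.
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    process {
        # Each node (user, computer) has one counter in AD and one in SYSVOL.
        $userSynced     = $Gpo.UserDSVersionNumber -eq $Gpo.UserSysvolVersionNumber
        $computerSynced = $Gpo.ComputerDSVersionNumber -eq $Gpo.ComputerSysvolVersionNumber
        $recent         = $Gpo.ModificationTime -ge $Since

        # Emit a row only when there is something for a reviewer to look at.
        if ($recent -or -not ($userSynced -and $computerSynced)) {
            [pscustomobject]@{
                DisplayName      = $Gpo.DisplayName
                ModificationTime = $Gpo.ModificationTime
                ChangedInWindow  = $recent
                UserInSync       = $userSynced
                ComputerInSync   = $computerSynced
            }
        }
    }
}

# Constructed sample objects that mimic the Get-SDMGpo output shape, so the
# function can be tried without a domain. Names and values are made up.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy'
        ModificationTime = [datetime]'2006-07-29T11:17:24'
        UserDSVersionNumber = 1; UserSysvolVersionNumber = 1
        ComputerDSVersionNumber = 3; ComputerSysvolVersionNumber = 3 },
    [pscustomobject]@{ DisplayName = 'Workstation Lockdown (sample)'
        ModificationTime = [datetime]'2007-09-14T08:02:00'
        UserDSVersionNumber = 4; UserSysvolVersionNumber = 4
        ComputerDSVersionNumber = 9; ComputerSysvolVersionNumber = 9 },
    [pscustomobject]@{ DisplayName = 'Kiosk Users (sample)'
        ModificationTime = [datetime]'2007-03-02T16:40:00'
        UserDSVersionNumber = 6; UserSysvolVersionNumber = 5
        ComputerDSVersionNumber = 2; ComputerSysvolVersionNumber = 2 }
)

$sample | Get-GpoChangeAudit -Since ([datetime]'2007-08-01') | Format-Table -AutoSize

# Against a live domain (requires the SDM cmdlets and GPMC):
#   Get-SDMGpo * | Get-GpoChangeAudit -Since ([datetime]'2007-08-01')
```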
The New-SDMGpo cmdlet creates a GPO "shell." You can do basic GPO
tasks like disabling the computer configuration node or setting security. To
really manage GPOs in PowerShell though, you'll need a copy of the GPExpert
Scripting Toolkit. This toolkit consists of a rather complex cmdlet called Get-SDMgpobject.
The Get-SDMgpobject cmdlet lets you automate individual setting management
within Group Policy. You can use Get-SDMgpobject to get access to any setting
within a GPO in Active Directory or a local GPO on any network computer. Even if
you don't have AD, you can use this tool to manage local Group Policy settings.
I don't have space to show you everything you might accomplish with this cmdlet.
The Scripting Toolkit has a great help file with many examples. The more you
work with it, the more you'll find it a valuable addition to your toolbox, especially
if you spend a lot of time creating, modifying and managing GPOs.
The GPExpert Scripting Toolkit is a commercial product, developed by Darren
Mar-Elia and offered through SDM Software Inc. You can register for a demo at
www.sdmsoftware.com. The software is licensed per user at what I think is an
extremely reasonable price, so even a small-to-midsize shop will find it affordable.
Using this product in conjunction with free Group Policy cmdlets will add some
real power to your Group Policy management.
About the Author
Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.