Mr. Roboto

Power Up Your GPO Management

With the release of PowerShell, you now have a few more options when it comes to Group Policy. Here are two of them.

Group Policy management can be a full-time job. Group Policy Management Console (GPMC) no doubt made your life much easier, especially if you had a scripting background. You could create scripts to leverage the GPMC object model. "Advanced VBScript for Windows Administrators" (which I co-wrote with Mr. Roboto emeritus Don Jones) has a chapter devoted to that topic.

While GPMC is great, the release of PowerShell gives a few more options. The "GPO Guy," Darren Mar-Elia, has just released two free PowerShell cmdlets: Get-SDMGpo and New-SDMGpo. You can download these cmdlets from Be sure to read the online instructions carefully. The first cmdlet lets you retrieve a Group Policy Object (GPO):

PS C:\> get-sdmgpo "default domain policy"
DisplayName : Default Domain Policy
Path : cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=
ID : {31B2F340-016D-11D2-945F-00C04FB984F9}
DomainName :
CreationTime : 7/28/2006 10:11:18 PM
ModificationTime : 7/29/2006 11:17:24 AM
UserDSVersionNumber : 1
ComputerDSVersionNumber : 3
UserSysvolVersionNumber : 1
ComputerSysvolVersionNumber : 3

As you can see, there's some useful information here. You just can't do much in terms of configuring individual Group Policy settings with this cmdlet.

This cmdlet also requires that you install the GPMC so it can take advantage of the GPMC object model. This means you can use it for tasks like backing up, copying, enabling or disabling user or computer nodes, and creating reports:

PS C:\> new-variable -name html -value 1 -option Constant
PS C:\> $gpo= get-sdmgpo "Default Domain Policy"
PS C:\> $gpo.GenerateReportToFile($html,"c:\DefaultDomain.htm")

In this example, I first define a constant -- $html. I'll use this in the GenerateReportToFile() method on the third line. The method requires a report type and destination file.

Because the cmdlet returns objects, I can take advantage of the pipeline. For example, suppose I want to find all my GPOs where the user node is disabled. I would use an expression like this:

PS C:\> get-sdmgpo * | Where {$_.IsUserEnabled() -eq $false } | select 

Or here's how I might find all GPOs modified since Aug. 1, 2007:

PS C:\> get-sdmgpo * | Where {$_.ModificationTime -ge '08/01/2007' } | 
    select DisplayName,ModificationTime
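
The version numbers and ModificationTime in the output above can drive a simple change-review check: a GPO whose DS and Sysvol versions disagree, or that changed after a cutoff date, deserves a look. This is an added example, not code from the original column or from SDM Software; Test-GpoDrift, New-SampleGpo and the second sample GPO are hypothetical and constructed.

```powershell
# Added example. Property names match the Get-SDMGpo output shown above;
# Test-GpoDrift is a hypothetical helper, not part of the SDM cmdlets.
function Test-GpoDrift {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Gpo,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    process {
        $findings = @()
        # Each node's version is recorded in AD (DS) and in SYSVOL; they should agree.
        if ($Gpo.UserDSVersionNumber -ne $Gpo.UserSysvolVersionNumber) {
            $findings += 'User node: DS/SYSVOL version mismatch'
        }
        if ($Gpo.ComputerDSVersionNumber -ne $Gpo.ComputerSysvolVersionNumber) {
            $findings += 'Computer node: DS/SYSVOL version mismatch'
        }
        if ([datetime]$Gpo.ModificationTime -ge $Since) {
            $findings += 'Modified since {0:yyyy-MM-dd}' -f $Since
        }
        # Emit a row only for GPOs that need review.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                DisplayName      = $Gpo.DisplayName
                ID               = $Gpo.ID
                ModificationTime = $Gpo.ModificationTime
                Findings         = $findings -join '; '
            }
        }
    }
}

# Constructed sample data (the first entry mirrors the output above).
function New-SampleGpo($Name, $Id, $Modified, $UDs, $USys, $CDs, $CSys) {
    [pscustomobject]@{
        DisplayName = $Name; ID = $Id; ModificationTime = [datetime]$Modified
        UserDSVersionNumber = $UDs; UserSysvolVersionNumber = $USys
        ComputerDSVersionNumber = $CDs; ComputerSysvolVersionNumber = $CSys
    }
}
$sample = @(
    New-SampleGpo 'Default Domain Policy' '{31B2F340-016D-11D2-945F-00C04FB984F9}' '2006-07-29T11:17:24' 1 1 3 3
    New-SampleGpo 'Workstation Lockdown (constructed)' '{00000000-0000-0000-0000-000000000001}' '2007-08-14T09:30:00' 2 2 7 6
)
$sample | Test-GpoDrift -Since '2007-08-01' | Format-List

# Live use (needs the SDM snap-in and GPMC, as described above):
#   get-sdmgpo * | Test-GpoDrift -Since '2007-08-01'
```

With the sample data, only the constructed second GPO is reported: its computer node versions differ (7 in DS, 6 in SYSVOL) and it was modified after the cutoff.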

The New-SDMGpo cmdlet creates a GPO "shell." You can do basic GPO tasks like disabling the computer configuration node or setting security. To really manage GPOs in PowerShell though, you'll need a copy of the GPExpert Scripting Toolkit. This toolkit consists of a rather complex cmdlet called Get-SDMgpobject.

The Get-SDMgpobject cmdlet lets you automate individual setting management within Group Policy. You can use Get-SDMgpobject to get access to any setting within a GPO in Active Directory or a local GPO on any network computer. Even if you don't have AD, you can use this tool to manage local Group Policy settings.

I don't have space to show you everything you might accomplish with this cmdlet. The Scripting Toolkit has a great help file with many examples. The more you work with it, the more you'll find it a valuable addition to your toolbox, especially if you spend a lot of time creating, modifying and managing GPOs.

The GPExpert Scripting Toolkit is a commercial product, developed by Darren Mar-Elia and offered through SDM Software Inc. You can register for a demo at The software is licensed per user at what I think is an extremely reasonable price, so even a small-to-midsize shop will find it affordable.

Using this product in conjunction with free Group Policy cmdlets will add some real power to your Group Policy management.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

