Mr. Roboto

Power Up Your GPO Management

With the release of PowerShell, you now have a few more options when it comes to Group Policy. Here are two of them.

Group Policy management can be a full-time job. Group Policy Management Console (GPMC) no doubt made your life much easier, especially if you had a scripting background. You could create scripts to leverage the GPMC object model. "Advanced VBScript for Windows Administrators" (which I co-wrote with Mr. Roboto emeritus Don Jones) has a chapter devoted to that topic.

While GPMC is great, the release of PowerShell gives a few more options. The "GPO Guy," Darren Mar-Elia, has just released two free PowerShell cmdlets: Get-SDMGpo and New-SDMGpo. You can download these cmdlets from Be sure to read the online instructions carefully. The first cmdlet lets you retrieve a Group Policy Object (GPO):

PS C:\> get-sdmgpo "default domain policy"
DisplayName : Default Domain Policy
Path : cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=
ID : {31B2F340-016D-11D2-945F-00C04FB984F9}
DomainName :
CreationTime : 7/28/2006 10:11:18 PM
ModificationTime : 7/29/2006 11:17:24 AM
UserDSVersionNumber : 1
ComputerDSVersionNumber : 3
UserSysvolVersionNumber : 1
ComputerSysvolVersionNumber : 3

As you can see, there's some useful information here. You just can't do much in terms of configuring individual Group Policy settings with this cmdlet.

This cmdlet also requires that you install the GPMC so it can take advantage of the GPMC object model. This means you can use it for tasks like backing up, copying, enabling or disabling user or computer nodes, and creating reports:

PS C:\> new-variable -name html -value 1 -option Constant
PS C:\> $gpo= get-sdmgpo "Default Domain Policy"
PS C:\> $gpo.GenerateReportToFile($html,"c:\DefaultDomain.htm")

In this example, I first define a constant -- $html. I'll use this in the GenerateReportToFile() method on the third line. The method requires a report type and destination file.

Because the cmdlet returns objects, I can take advantage of the pipeline. For example, suppose I want to find all my GPOs where the user node is disabled. I would use an expression like this:

PS C:\> get-sdmgpo * | Where {$_.IsUserEnabled() -eq $false } | select 

Or here's how I might find all GPOs modified since Aug. 1, 2007:

PS C:\> get-sdmgpo * | Where {$_.ModificationTime -ge '08/01/2007' } | 
    select DisplayName,ModificationTime
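
The same pipeline approach can drive a change-review check. The following is an added example, not code from the column or from SDM Software: it flags GPOs whose Active Directory and Sysvol version numbers disagree, or that were modified after a cutoff date. Find-GpoDrift is a hypothetical function name and the sample objects are constructed; the property names are the ones shown in the Get-SDMGpo output above.

```powershell
# Added example. Find-GpoDrift is a hypothetical helper, not part of the SDM cmdlets.
function Find-GpoDrift {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Gpo,
        # Anything modified on or after this time is reported as a recent change.
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    process {
        $reasons = @()
        # The AD copy and the Sysvol copy of each node should carry the same version.
        if ($Gpo.UserDSVersionNumber -ne $Gpo.UserSysvolVersionNumber) {
            $reasons += 'User DS/Sysvol version mismatch'
        }
        if ($Gpo.ComputerDSVersionNumber -ne $Gpo.ComputerSysvolVersionNumber) {
            $reasons += 'Computer DS/Sysvol version mismatch'
        }
        if ($Gpo.ModificationTime -ge $Since) {
            $reasons += 'Modified since {0:d}' -f $Since
        }
        # Emit one row per GPO that needs review; clean GPOs produce no output.
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                DisplayName      = $Gpo.DisplayName
                ModificationTime = $Gpo.ModificationTime
                Reasons          = $reasons -join '; '
            }
        }
    }
}

# Constructed sample objects standing in for Get-SDMGpo output, so this runs offline.
$sample = @(
    New-Object PSObject -Property @{ DisplayName = 'Default Domain Policy'
        ModificationTime = [datetime]'2006-07-29T11:17:24'
        UserDSVersionNumber = 1; UserSysvolVersionNumber = 1
        ComputerDSVersionNumber = 3; ComputerSysvolVersionNumber = 3 }
    New-Object PSObject -Property @{ DisplayName = 'Sample Workstation Policy'
        ModificationTime = [datetime]'2007-03-02T09:00:00'
        UserDSVersionNumber = 2; UserSysvolVersionNumber = 2
        ComputerDSVersionNumber = 5; ComputerSysvolVersionNumber = 4 }
    New-Object PSObject -Property @{ DisplayName = 'Sample Server Policy'
        ModificationTime = [datetime]'2007-08-14T16:30:00'
        UserDSVersionNumber = 1; UserSysvolVersionNumber = 1
        ComputerDSVersionNumber = 7; ComputerSysvolVersionNumber = 7 }
)

# Against a live domain, replace $sample with: get-sdmgpo *
$sample | Find-GpoDrift -Since '2007-08-01' |
    Select-Object DisplayName, ModificationTime, Reasons
```

With the constructed data, the workstation policy is reported for the computer-node version mismatch and the server policy for its modification date; the Default Domain Policy entry passes both checks and is not listed.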

The New-SDMGpo cmdlet creates a GPO "shell." You can do basic GPO tasks like disabling the computer configuration node or setting security. To really manage GPOs in PowerShell though, you'll need a copy of the GPExpert Scripting Toolkit. This toolkit consists of a rather complex cmdlet called Get-SDMgpobject.

The Get-SDMgpobject cmdlet lets you automate individual setting management within Group Policy. You can use Get-SDMgpobject to get access to any setting within a GPO in Active Directory or a local GPO on any network computer. Even if you don't have AD, you can use this tool to manage local Group Policy settings.

I don't have space to show you everything you might accomplish with this cmdlet. The Scripting Toolkit has a great help file with many examples. The more you work with it, the more you'll find it a valuable addition to your toolbox, especially if you spend a lot of time creating, modifying and managing GPOs.

The GPExpert Scripting Toolkit is a commercial product, developed by Darren Mar-Elia and offered through SDM Software Inc. You can register for a demo at The software is licensed per user at what I think is an extremely reasonable price, so even a small-to-midsize shop will find it affordable.

Using this product in conjunction with free Group Policy cmdlets will add some real power to your Group Policy management.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

