Mr. Roboto

Power Up Your GPO Management

With the release of PowerShell, you now have a few more options when it comes to Group Policy. Here are two of them.

Group Policy management can be a full-time job. Group Policy Management Console (GPMC) no doubt made your life much easier, especially if you had a scripting background. You could create scripts to leverage the GPMC object model. "Advanced VBScript for Windows Administrators" (which I co-wrote with Mr. Roboto emeritus Don Jones) has a chapter devoted to that topic.

While GPMC is great, the release of PowerShell gives a few more options. The "GPO Guy," Darren Mar-Elia, has just released two free PowerShell cmdlets: Get-SDMGpo and New-SDMGpo. You can download these cmdlets from Be sure to read the online instructions carefully. The first cmdlet lets you retrieve a Group Policy Object (GPO):

PS C:\> get-sdmgpo "default domain policy"
DisplayName : Default Domain Policy
Path : cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=
ID : {31B2F340-016D-11D2-945F-00C04FB984F9}
DomainName :
CreationTime : 7/28/2006 10:11:18 PM
ModificationTime : 7/29/2006 11:17:24 AM
UserDSVersionNumber : 1
ComputerDSVersionNumber : 3
UserSysvolVersionNumber : 1
ComputerSysvolVersionNumber : 3

As you can see, there's some useful information here. You just can't do much in terms of configuring individual Group Policy settings with this cmdlet.

This cmdlet also requires that you install the GPMC so it can take advantage of the GPMC object model. This means you can use it for tasks like backing up, copying, enabling or disabling user or computer nodes, and creating reports:

PS C:\> new-variable -name html -value 1 -option Constant
PS C:\> $gpo= get-sdmgpo "Default Domain Policy"
PS C:\> $gpo.GenerateReportToFile($html,"c:\DefaultDomain.htm")

In this example, I first define a constant -- $html. I'll use this in the GenerateReportToFile() method on the third line. The method requires a report type and destination file.

Because the cmdlet returns objects, I can take advantage of the pipeline. For example, suppose I want to find all my GPOs where the user node is disabled. I would use an expression like this:

PS C:\> get-sdmgpo * | Where {$_.IsUserEnabled() -eq $false } | select 

Or here's how I might find all GPOs modified since Aug. 1, 2007:

PS C:\> get-sdmgpo * | Where {$_.ModificationTime -ge '08/01/2007' } | 
    select DisplayName,ModificationTime
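
The same pipeline approach extends to a simple change-and-consistency audit. The following is an added example, not code from the original column or from SDM Software: it flags GPOs whose directory (DS) and SYSVOL version numbers disagree, which means the two halves of the GPO are out of sync, and GPOs modified on or after a given date. The property names are the ones in the Get-SDMGpo output shown earlier; the function name Get-GpoAuditFinding and the sample objects are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: flag GPOs whose DS and SYSVOL copies disagree, or that
# changed recently. Property names come from the Get-SDMGpo output above;
# the function name and the sample data are hypothetical.
function Get-GpoAuditFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Gpo,
        [datetime]$Since = [datetime]::MinValue
    )
    process {
        $reasons = @()
        if ($Gpo.UserDSVersionNumber -ne $Gpo.UserSysvolVersionNumber) {
            $reasons += 'User DS/SYSVOL version mismatch'
        }
        if ($Gpo.ComputerDSVersionNumber -ne $Gpo.ComputerSysvolVersionNumber) {
            $reasons += 'Computer DS/SYSVOL version mismatch'
        }
        if ($Since -gt [datetime]::MinValue -and $Gpo.ModificationTime -ge $Since) {
            $reasons += "Modified on or after $($Since.ToString('yyyy-MM-dd'))"
        }
        # Emit one finding per GPO, only when something was flagged.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DisplayName      = $Gpo.DisplayName
                ID               = $Gpo.ID
                ModificationTime = $Gpo.ModificationTime
                Reasons          = $reasons -join '; '
            }
        }
    }
}

# Constructed sample objects so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy'
        ID = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
        ModificationTime = [datetime]'2006-07-29T11:17:24'
        UserDSVersionNumber = 1; UserSysvolVersionNumber = 1
        ComputerDSVersionNumber = 3; ComputerSysvolVersionNumber = 3 }
    [pscustomobject]@{ DisplayName = 'Constructed Test GPO'
        ID = '{00000000-0000-0000-0000-000000000000}'
        ModificationTime = [datetime]'2007-08-15T09:00:00'
        UserDSVersionNumber = 2; UserSysvolVersionNumber = 2
        ComputerDSVersionNumber = 5; ComputerSysvolVersionNumber = 4 }
)
$sample | Get-GpoAuditFinding -Since '2007-08-01' | Format-List
```

Against a live domain, with the cmdlets and GPMC installed, the input would instead be get-sdmgpo * piped into Get-GpoAuditFinding.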

The New-SDMGpo cmdlet creates a GPO "shell." You can do basic GPO tasks like disabling the computer configuration node or setting security. To really manage GPOs in PowerShell though, you'll need a copy of the GPExpert Scripting Toolkit. This toolkit consists of a rather complex cmdlet called Get-SDMgpobject.

The Get-SDMgpobject cmdlet lets you automate individual setting management within Group Policy. You can use Get-SDMgpobject to get access to any setting within a GPO in Active Directory or a local GPO on any network computer. Even if you don't have AD, you can use this tool to manage local Group Policy settings.

I don't have space to show you everything you might accomplish with this cmdlet. The Scripting Toolkit has a great help file with many examples. The more you work with it, the more you'll find it a valuable addition to your toolbox, especially if you spend a lot of time creating, modifying and managing GPOs.

The GPExpert Scripting Toolkit is a commercial product, developed by Darren Mar-Elia and offered through SDM Software Inc. You can register for a demo at The software is licensed per user at what I think is an extremely reasonable price, so even a small-to-midsize shop will find it affordable.

Using this product in conjunction with free Group Policy cmdlets will add some real power to your Group Policy management.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

