..and he has given unto you these these nine …. twelve! twelve cmdlets for GPO management!
Apologies for the poor homage. I couldn’t help myself ;)
Nine. No. Twelve
Reply
Category Archives: Group Policy
SpecOps Command
PowerShell is gaining in popularity, and more companies are announcing products that provide access to interfaces to PowerShell for automation and administration.
This situation is very similar to when the Windows Installer (MSI) technology first came on to the scene around 2000-2001, and anyone authoring setup software was dealing with how to get it out into their environments. Everyone was including the redistributable with their software in case the machine it was going to be installed on didn’t have it in place already.
The complexity with PowerShell however is that there are two questions that need to be dealt with:1) Like MSI, how do you deploy PowerShell out in your environment? and 2) How do you manage your PowerShell landscape of Snappins?
I was lucky enough see an online demo from Magnus and Thorbjorn from Special Operations Software today. They have a new product expected to be announced at TechEd later this month, called SpecOps Command which I believe will deal with these questions, for starters.
SpecOps Command, seems to be a tightly integrated product between Group Policy and PowerShell. This combination has the ability to provide it with the best of both products: the ease and flexibility of PowerShell, and the centralised environment management of Group Policy.
The tool has loads of cool features including the ability to run PoSH scripts assigned in GPO’s, Undo scripts for when things fall out of scope, reporting, and the ability to target clients in a very granular manner e.g. Only apply to Dell machines running Windows XP.
Thorbjorn advised that SpecOps intend to release a couple of versions of Command, including a free version that should provide the core functionality including the abilty to distribute PowerShell out into your environment.
I think it’s great that ISV’s like Quest and SpecOps are adding value to the PowerShell community with free offerings, as well as their commercial products. It give them exposure to their intended market, and provides us with some cool tools to make life easier :)
Like Quest’s AD Cmdlet’s I think SpecOps Command is likely to have a big impact on the way we use PowerShell going forwards.
[Update 2 Nov]
Magnus just gave me the link to the SpecOps website for Command. This will be the product page when it releases.
GPO Settings with PowerShell and GPExpert Scripting Toolkit
In this post we’re going to take a look at changing some basic Group Policy Settings through the GPexpert Scripting Toolkit.
The toolkit is accessed as a PowerShell Snapin, and can make changes to the following GPO branches:
In this example, we’re going to make a change to the Max password age located within the Account Policies / Password Policy branch.
This is a shot of the Default Domain Policy with the default Password Policy settings. We’re going to change the Max password age setting from 24 to 7 because we like to make users lives difficult ;)
[Note] The blank spaces in the following pictures are where I’ve had to remove the domain name. This should be in FQDN format: MyDomain.tld
A quick check in GPMC, confirms that the setting has changed.
Walking through the code, we can see how easy it is.
Add-PSSnapin GetGPOObjectPSSnapin
$gpo = Get-SDMgpobject -gpoName “gpo://example.com/Default Domain Policy” -openByName $true;
We add the snapin to the Shell so that we can use the GPO cmdlets.
The second line binds to the GPO we are going to change.
If we perform a Get-Method on the $gpo object we get an insight into some of the methods we have access to:
Here we create the $setting object to the setting we wish to change.
$setting = $gpo.GetObject(“Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age”);
Using the Put() method we change the attributes to what’s required. This is a similar way that certain AD attributes are modified too.
$setting.Put(“Defined”, $true);
$setting.Put(“Value”, 7);
$setting.Save();
We’ll be having a look at other settings and methods that can be changed through these cmdlets soon. In the mean time here’s the completed code snippet:
Add-PSSnapin GetGPOObjectPSSnapin
$gpo = Get-SDMgpobject -gpoName “gpo://example.com/Default Domain Policy” -openByName $true;
$setting = $gpo.GetObject(“Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age”);
$setting.Put(“Defined”, $true);
$setting.Put(“Value”, 7);
$setting.Save();