
GPO Settings with PowerShell and GPExpert Scripting Toolkit

By Adam Bell | August 14, 2007

In this post we’re going to take a look at changing some basic Group Policy Settings through the GPexpert Scripting Toolkit.

The toolkit is accessed as a PowerShell Snapin, and can make changes to the following GPO branches:
[Image: GPexpert Scripting Toolkit Documentation]

In this example, we’re going to make a change to the Max password age located within the Account Policies / Password Policy branch.

This is a shot of the Default Domain Policy with the default Password Policy settings. We’re going to change the Max password age setting from 24 to 7 because we like to make users’ lives difficult ;)
[Image: Default Domain Policy - Password Policy Settings]

[Note] The blank spaces in the following pictures are where I’ve had to remove the domain name. This should be in FQDN format: MyDomain.tld
[Image: Password Policy - Max password age]

A quick check in GPMC confirms that the setting has changed.
[Image: Default Domain Policy - Password Policy Settings #2]

Walking through the code, we can see how easy it is.


Add-PSSnapin GetGPOObjectPSSnapin
$gpo = Get-SDMgpobject -gpoName "gpo://example.com/Default Domain Policy" -openByName $true;

We add the snapin to the Shell so that we can use the GPO cmdlets.
The second line binds to the GPO we are going to change.

If we perform a Get-Method on the $gpo object we get an insight into some of the methods we have access to:
[Image: Displaying a Get-Method on the $gpo object]

Here we bind the $setting object to the setting we wish to change.


$setting = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age");

Using the Put() method we change the attributes to what’s required. This is similar to the way certain AD attributes are modified.


$setting.Put("Defined", $true);
$setting.Put("Value", 7);
$setting.Save();

We’ll be having a look at other settings and methods that can be changed through these cmdlets soon. In the meantime, here’s the completed code snippet:
Set-MaxPwdAge


Add-PSSnapin GetGPOObjectPSSnapin
 
$gpo = Get-SDMgpobject -gpoName "gpo://example.com/Default Domain Policy" -openByName $true;
$setting = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age");
$setting.Put("Defined", $true);
$setting.Put("Value", 7);
$setting.Save();
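
A scripted counterpart to the GPMC check above, added here as an example; it is not part of the original post or the toolkit. Group Policy keeps security settings such as the password policy in the GPO's GptTmpl.inf security template, so the value can be verified by parsing that file. The function names and the sample template text are assumptions constructed for illustration.

```powershell
# Added example: verify the password-policy value a GPO carries by parsing its
# security template (GptTmpl.inf) rather than checking GPMC by eye.

# Constructed sample template. In SYSVOL the real file sits inside the GPO's
# folder at: MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 7
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-InfSection {
    # Hypothetical helper: returns a hashtable of key/value pairs from one INF section.
    param([string]$Text, [string]$Section)
    $values = @{}
    $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # skip blanks and comments
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq $Section)                # section header
            continue
        }
        if ($inSection -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $values
}

function Test-MaxPasswordAge {
    # Hypothetical helper: $true only when the template defines the expected value.
    param([string]$InfText, [int]$ExpectedDays)
    $access = Get-InfSection -Text $InfText -Section 'System Access'
    if (-not $access.ContainsKey('MaximumPasswordAge')) {
        Write-Warning 'MaximumPasswordAge is not defined in this template'
        return $false
    }
    return ([int]$access['MaximumPasswordAge'] -eq $ExpectedDays)
}

Test-MaxPasswordAge -InfText $sampleInf -ExpectedDays 7
```

To check a live GPO, pass the output of `Get-Content -Raw` on its GptTmpl.inf as `-InfText` in place of the sample.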


One Response to “GPO Settings with PowerShell and GPExpert Scripting Toolkit”

  1. Tessa Says:
    August 19th, 2007 at 00:26

    hi nice post, i enjoyed it
