Lead, Follow, or Move » Group Policy

Presentation – Managing Group Policy using PowerShell

Adam Bell — Thu, 22 Nov 2007 18:27:09 +0000

So. I gave the presentation to the UG on Tuesday night. It was the first real time I’ve done that sort of thing. I tend to be very self critical so I believe it could have gone better, but I’m happy that the fundamental message got across.

I’ll write up the meeting soon.

[Updated 27 Nov 2007]

I’ve put the presentation inside a zip file. This should resolve any issues. Please let me know ..

Any comments on either the night, or the attached PowerPoint are welcome ….
Group Policy Management with PowerShell

Nine. No. Twelve

Adam Bell — Thu, 15 Nov 2007 10:32:26 +0000

..and he has given unto you these these nine …. twelve! twelve cmdlets for GPO management!

Apologies for the poor homage. I couldn’t help myself ;)

CTP’s, Beta’s and Releases

Adam Bell — Fri, 09 Nov 2007 10:55:01 +0000

It looks like everyone is busy this week:

The PowerShell Team have released a CTP of 2.0.

Skype have released Beta 2.0 for Linux (finally bringing video!)

SDM Software have released a set of free cmdlets full of GPO goodness!

And even though it wasn’t technically this week, Microsoft’s Deployment4, was officially named Microsoft Deployment, and went to RC1.

SpecOps Command

Adam Bell — Thu, 01 Nov 2007 23:32:40 +0000

PowerShell is gaining in popularity, and more companies are announcing products that provide access to interfaces to PowerShell for automation and administration.

This situation is very similar to when the Windows Installer (MSI) technology first came on to the scene around 2000-2001, and anyone authoring setup software was dealing with how to get it out into their environments. Everyone was including the redistributable with their software in case the machine it was going to be installed on didn’t have it in place already.

The complexity with PowerShell however is that there are two questions that need to be dealt with:1) Like MSI, how do you deploy PowerShell out in your environment? and 2) How do you manage your PowerShell landscape of Snappins?

I was lucky enough see an online demo from Magnus and Thorbjorn from Special Operations Software today. They have a new product expected to be announced at TechEd later this month, called SpecOps Command which I believe will deal with these questions, for starters.

SpecOps Command, seems to be a tightly integrated product between Group Policy and PowerShell. This combination has the ability to provide it with the best of both products: the ease and flexibility of PowerShell, and the centralised environment management of Group Policy.

The tool has loads of cool features including the ability to run PoSH scripts assigned in GPO’s, Undo scripts for when things fall out of scope, reporting, and the ability to target clients in a very granular manner e.g. Only apply to Dell machines running Windows XP.

Thorbjorn advised that SpecOps intend to release a couple of versions of Command, including a free version that should provide the core functionality including the abilty to distribute PowerShell out into your environment.

I think it’s great that ISV’s like Quest and SpecOps are adding value to the PowerShell community with free offerings, as well as their commercial products. It give them exposure to their intended market, and provides us with some cool tools to make life easier :)

Like Quest’s AD Cmdlet’s I think SpecOps Command is likely to have a big impact on the way we use PowerShell going forwards.

[Update 2 Nov]
Magnus just gave me the link to the SpecOps website for Command. This will be the product page when it releases.

GPO Settings with PowerShell and GPExpert Scripting Toolkit

Adam Bell — Tue, 14 Aug 2007 20:33:07 +0000

In this post we’re going to take a look at changing some basic Group Policy Settings through the GPexpert Scripting Toolkit.

The toolkit is accessed as a PowerShell Snapin, and can make changes to the following GPO branches:

In this example, we’re going to make a change to the Max password age located within the Account Policies / Password Policy branch.

This is a shot of the Default Domain Policy with the default Password Policy settings. We’re going to change the Max password age setting from 24 to 7 because we like to make users lives difficult ;)

[Note] The blank spaces in the following pictures are where I’ve had to remove the domain name. This should be in FQDN format: MyDomain.tld

A quick check in GPMC, confirms that the setting has changed.

Walking through the code, we can see how easy it is.



Add-PSSnapin GetGPOObjectPSSnapin

$gpo = Get-SDMgpobject -gpoName "gpo://example.com/Default Domain Policy" -openByName $true;

We add the snapin to the Shell so that we can use the GPO cmdlets.
The second line binds to the GPO we are going to change.

If we perform a Get-Method on the $gpo object we get an insight into some of the methods we have access to:

Here we create the $setting object to the setting we wish to change.



$setting = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age");

Using the Put() method we change the attributes to what’s required. This is a similar way that certain AD attributes are modified too.



$setting.Put("Defined", $true);

$setting.Put("Value", 7);

$setting.Save();

We’ll be having a look at other settings and methods that can be changed through these cmdlets soon. In the mean time here’s the completed code snippet:
Set-MaxPwdAge



Add-PSSnapin GetGPOObjectPSSnapin

 

$gpo = Get-SDMgpobject -gpoName "gpo://example.com/Default Domain Policy" -openByName $true;

$setting = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age");

$setting.Put("Defined", $true);

$setting.Put("Value", 7);

$setting.Save();

Change Group Policy Settings through PowerShell

Adam Bell — Mon, 30 Jul 2007 21:29:08 +0000

If you’ve done any kind of GPO management before, you’ll be aware that the one thing you can’t do (that I’ve ever been able to find) is actually change explicit settings.

Well today I stumbled across GPExpert™ Scripting Toolkit for PowerShell. This product apparently exposes GPO settings to PowerShell, allowing specific changes to be made, rather than importing backed up GP objects.

I’ve not had the opportunity to take it for a test drive yet, but I do have an eval version and will be having a closer look later this week.I’ll let you know how it shapes up.

Linking a GPO using GPMC and PowerShell

Adam Bell — Tue, 29 May 2007 10:42:50 +0000

Previously we have gone through the process of creating a Group Policy Object, and importing a backed up GPO into the directory. In this post we’ll take a look at linking our GPO to an OU.

We will use the GPO from the previous examples: “New GPO Test”, and we will link it to the Domain Controllers OU.

As usual, we start by creating a reference to the domain ($root), instantiating the GPMC COM object ($gpm), and by binding to the domain through GPMC ($domain).

After searching AD for a policy called New GPO Test, we check to see if we have found a match by looking at $GPOlist.count. We have only found one here so we have no problems to proceed.

The $SOM object refers to the Scope of Management, which is where we specify our target for the link. The -1 refers to the link order, which in this example will append our GPO to the end of the list.

Here we have the available methods on the GPMlink object, in particular we can set the enforcement of the policy. In the example above we can see that the newly linked policy has a link order of 3 showing us that there are 2 other policies linked to the Domain Controllers OU.

There’s a lot of automated administration that we can apply to Group Policies through the GPMC COM object and PowerShell. For more ideas I’d recommend checking out the scripts provided with GPMC, and the GPMC object model

create-gpolink



#----------------------------------------------------------------------------------------------------------

function Create-GPOLink

#----------------------------------------------------------------------------------------------------------

# Depends on Convert-DNtoFQDN function from Code Samples Page

{

Param (

  $GPOname,

  [int]$GPOlinkPos,

  $DSlocation

  )

  # Make the connection to the domain through GPMC COM

  $domain = $gpm.GetDomain( (Convert-DNtoFQDN $root.distinguishedName[0]), $null, $gpm.GetConstants().UseAnyDC )

 

  # Build a GPMC search object to locate the GPO (in both the backup directory and AD)

  $searcher = $gpm.CreateSearchCriteria()

  $searcher.Add( $gpm.GetConstants().SearchPropertyGPODisplayName, `

    $gpm.GetConstants().SearchOpEquals, $GPOname )

 

  $GPOlist = $domain.SearchGPOs( $searcher )

  # This would be a good place to check that our GPOlist.count is as desired!

  

  #Define our Scope Of Management (SoM)

  $SOM = $domain.GetSOM( $DSlocation ","+$root.distinguishedName)

  

  # Create the actual link

  $GPMlink = $SOM.CreateGPOLink( $GPOlinkPos, $GPOlist.Item(1) )

}

# Sample calling:

Create-GPOlink "New GPO Test" -1 "ou=domain controllers"

Microsoft TechNet article on GPO management with PowerShell

Adam Bell — Thu, 10 May 2007 08:49:49 +0000

There’s a good article on the Microsoft TechNet website on Group Policy using GPMC and PowerShell.

There’s also some nice code examples included! Well worth a look!

Importing a GPO using GPMC and PowerShell

Adam Bell — Fri, 04 May 2007 21:07:16 +0000

Previously we discussed how to create a GPO using the COM object exposed by using GPMC.

This time I thought we’d take a look at the next step of importing a GPO into our newly created policy.

The general principle behind this is that you import a policy that has been backed up using GPMC previously. If the policy is not from the same domain as the one you’re importing into, then any domain specific data such as SID’s will need to be dealt with using a Migration Table.

In our example though, we will simply be importing a GPO that was exported through right-clicking the Group Policy Objects container and stepping through the back up wizard.

Just like when we created a new GPO, we search the AD to see if we can find a GPO matching our displayName. This time a match is what we are looking for. We also use the same $searcher object to search the backup directory for a matching policy.

Important to note here that we have exactly one match returned in each of the two searches.

Selecting $GPOlist.Item(1) gives you an idea how you can reference different policies located in the previous search. The list of methods (gm) available also gives you an idea of the type of things you can do with it. We are interested in the Import() method.

As you can see with the $Result object, we can verify that the policy was successful. And checking with GPMC:

Creating a GPO with GPMC and PowerShell

Adam Bell — Thu, 19 Apr 2007 10:14:33 +0000

If you have GPMC installed then you have the ability to manage your Group Policy objects via the COM object that the software exposes.

Microsoft provide a good set of example scripts located in the Scripts folder in the GPMC install directory. There is also a pretty decent help file (CHM format). Both the help and samples are well worth a look.

Through the COM object we can perform any of the management tasks in PowerShell that can be done in VBScript or JScript etc.

We instantiate the object, and after binding to the Directory, search for any GPO’s that match our displayName of “New GPO Test”. Receiving a count of 0 shows us that no conflict will occur. You can actually have two GPO’s with the same displayName, but this would just add a level of confusion in your environment that you just don’t need!

You might notice that I have a function dot sourced in my profile here: ConvertDNtoFQDN. This allows me to dynamically lookup data and change the format as needed.

GPMC shows what a new GPO looks like.At this stage it is just an empty GPO, with no attributes set.

The commands to create the object. We can also see the methods and property’s available to the GPO object. And then finally we set the displayName.

GPMC shows our updated object with the displayName configured.

For the GPO to become useful, at a minimum, we would need to actually import settings and link it to the directory.

I am not aware of any programmatic method of actually configuring settings at the moment. What I have personally seen is people exporting backup of the GPO’s from a reference system, and then importing them into the target environment using a Migration Table to handle any domain specific references.

Below is a sample function to create a new GPO.
Create-NewGPO.ps1



# Globals and Constants

$gpm  = New-Object -com gpmgmt.gpm

 

#----------------------------------------------------------------------------------------------------------

function Create-NewGPO

#----------------------------------------------------------------------------------------------------------

{

Param (

  $GPOname,

  $FQDName

  )

  $domain = $gpm.GetDomain( $FQDName), $null, $gpm.GetConstants().UseAnyDC )

  $searcher = $gpm.CreateSearchCriteria()

  $searcher.Add( $gpm.GetConstants().SearchPropertyGPODisplayName, `

    $gpm.GetConstants().SearchOpEquals, $GPOname )

  

  $GPOlist = $domain.SearchGPOs( $Searcher )

  

  If ($GPOlist.count -eq 0)

  {  

    $GPO = $domain.CreateGPO()

    $GPO.DisplayName = $GPOname

  }

}

#----------------------------------------------------------------------------------------------------------

Create-NewGPO "New Test GPO" "dc=rig1, dc=testlab,dc=tld"