
November 29, 2007

PowerShell Script for Backing up and editing a GPO

This is the 2nd in an irregular series of discussions about using SDM Software PowerShell cmdlets for managing Group Policy. In this post, I've written a fairly simple PowerShell script that uses two of our free GPMC cmdlets to first back up a GPO, and then launch the GP Editor on that GPO. This can be a useful way to edit GPOs because it guarantees that you have a backup copy before you make any changes to that GPO. The script uses two of our GPMC cmdlets, namely export-sdmgpo and get-sdmgpo. The Export cmdlet backs up the GPO that you specify, and then get-sdmgpo grabs the GUID for that GPO, which needs to be passed to the gpedit.msc command in order to launch the GP Editor. Well, let's look at the script now. I named the script backupAndEdit.ps1 (I know, very original). When I call the script from PowerShell, I pass it 3 parameters, like this:

PS> .\backupandedit.ps1 "ADM Test" "\\sdm1\gpbackups" "Backup and Edit Test"

The first param is the name of the GPO; in this case, it's called "ADM Test". The 2nd parameter is the path to my GPO backups. The 3rd param is a comment that is associated with the backup. Obviously you could get more creative here! Now here's the script:

***** 

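# Parameters: GPO display name, backup folder, backup comment
param($GPOName,$backupLocation,$comment)
write-host "Backing up GPO: $GPOName"
# If the backup throws, report the error and stop before the editor is launched
trap {
'Backup Failed!'
$_
exit
}
# -ea 1 (ErrorAction Stop) turns any backup error into a terminating error for the trap
export-sdmGPO $GPOName -Location $backupLocation -Description $comment -ea 1
write-host "Backup Completed"
write-host "Launching GP Editor"
# The GPO's GUID (ID property) is needed to build its DN
$GPO= get-sdmGPO $GPOName
# The domain DN is hard-coded here; change it for your own domain
$extcmd = " /gpobject:`"LDAP://CN=" + $GPO.ID + ",CN=Policies,CN=System,DC=cpandl,DC=com`""
gpedit.msc $extcmd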

*******

This script is pretty simple. I declare my parameter names at the beginning of the script. Then I set up a trap to catch any errors during backup, because I don't want to edit the GPO if the backup fails. Then I call export-SDMgpo using the params I passed in. Assuming the backup completes and the script continues, I use get-sdmgpo to get a reference to the GPO, because from that object I can get the GPO's GUID (the ID property). Then I assign the full argument string I want to pass, including the DN of the GPO, to $extcmd. Finally, I call the external MMC tool gpedit.msc and pass it the arguments in $extcmd. Now, you'll notice that my domain name is hard-coded into the path here. I could just as easily have passed this in as a parameter as well, or used some AD code to grab my current DN. Just know that if you use this script, you'll need to modify the command for your own domain name.
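The post notes that the domain is hard-coded and could instead be read from AD. The following is an added example, not part of the original post or SDM Software's code, that reads the domain DN from RootDSE and checks the GPO ID before building the LDAP path; the helper names Get-DomainDN and Get-GpoLdapPath, the parameter defaults, and the use of try/catch and Start-Process (PowerShell 2.0 or later) are assumptions of this example.

```powershell
# Added example (not SDM Software's code). Export-SDMgpo, Get-SDMgpo and the
# .ID property are used as in the post; helper names below are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$GPOName,
    [Parameter(Mandatory = $true)][string]$BackupLocation,
    [string]$Comment = "Pre-edit backup"
)

function Get-DomainDN {
    # RootDSE exposes the current domain's DN, e.g. DC=cpandl,DC=com
    $dn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    if (-not $dn) { throw "Could not read defaultNamingContext from RootDSE" }
    return $dn
}

function Get-GpoLdapPath {
    param([string]$GpoId, [string]$DomainDN)
    # Refuse anything that is not a plain GUID before it goes into an LDAP path
    if ($GpoId -notmatch '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$') {
        throw "Unexpected GPO ID format: $GpoId"
    }
    return "LDAP://CN=$GpoId,CN=Policies,CN=System,$DomainDN"
}

if (-not (Test-Path -LiteralPath $BackupLocation -PathType Container)) {
    throw "Backup folder not found: $BackupLocation"
}

# Resolve the GPO first so a mistyped or ambiguous name fails before any backup is written
$gpo = @(Get-SDMgpo $GPOName)
if ($gpo.Count -ne 1) { throw "Expected exactly one GPO named '$GPOName', found $($gpo.Count)" }

try {
    Export-SDMgpo $GPOName -Location $BackupLocation -Description $Comment -ErrorAction Stop
    Write-Host "Backup completed for $GPOName"
}
catch {
    # Same rule as the post: no backup, no editing
    Write-Host "Backup failed, editor not launched: $_"
    exit 1
}

$ldapPath = Get-GpoLdapPath -GpoId $gpo[0].ID -DomainDN (Get-DomainDN)
Start-Process -FilePath "gpedit.msc" -ArgumentList "/gpobject:`"$ldapPath`""
```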
Enjoy!

Tags:

Group Policy, PowerShell, GPMC

GPExpert Troubleshooting Pak review

Windows IT Pro Magazine has a good review of SDM Software's GPExpert Troubleshooting Pak in the December issue. The reviewer did a pretty good job of covering the product, and while there were a few technical inaccuracies, I think we did pretty well! Check it out at

http://www.windowsitpro.com/Windows/Article/ArticleID/97313/97313.html

Tags

Group Policy, Group Policy Troubleshooting, SDM Software, Windows IT Pro

November 14, 2007

SDM Software GPMC cmdlets updated

Well, I suppose I couldn't help myself. I had planned on updating our cmdlets released last week to correct an omission that Richard Siddaway had kindly pointed out, namely that I didn't have a remove-sdmgplink to go along with add-sdmgplink. So I went ahead and corrected that. I also committed a small sin by renaming one of the cmdlets, but I swear I had to. Microsoft's current naming standards for common verbs have a few gaps, as far as I'm concerned. Namely, they have a verb called export, which is supposed to encompass backups. Well, they also have a verb called import, which is the pair to export, of course. Problem is, GPMC considers imports as distinctly different from a restore of a backup. So, my use of import-sdmgpo as a way of restoring a backup would become problematic down the line, when I add support for true GPMC imports. So I opted for changing import-sdmgpo to restore-sdmgpo. Restore is supposed to be paired with "Checkpoint" but that didn't make a whole lot of sense in my case, so I chose to ignore that.

And of course, along the way I found at least 3 other cmdlets that I could add, so I did. At this point it's probably worthwhile to summarize what is currently in the Snap-in. We now have 12 cmdlets, as follows:

Add-SDMgplink: Links a GPO to a particular AD container (site, domain or OU)
*Get-SDMgplink: Retrieves a list of linked GPOs from a particular AD container
*Remove-SDMgplink: Removes a GPO link from a given AD container
Export-SDMgpo: Backs up a GPO to a given folder path
Get-SDMgpo: Retrieves information about one or all GPOs in a domain
New-SDMgpo: Creates a new GPO in a domain
Remove-SDMgpo: Deletes an existing GPO from a domain
Restore-SDMgpo: Restores a GPO from backup
*Get-SDMgpoBackups: Retrieves the list of all backed-up GPOs (or a given GPO) from a given folder path
Add-SDMgpoSecurity: Adds a GP permission (ACE) for a given group to a given GPO
Get-SDMgpoSecurity: Retrieves a list of GP permissions from a given GPO
Remove-SDMgpoSecurity: Removes a particular permission for a given group from a given GPO.

* new cmdlet for this release

Ok, so if you've already installed the first version of this, go ahead and remove that from Add/Remove Programs and reinstall the new version that's out on www.sdmsoftware.com/freeware.php. Everything should be the same except what I've noted above.

Thanks and as always, feedback is good. Email Support (at) sdmsoftware (dot) com if you have questions or issues.

 

Tags:

PowerShell, Group Policy, GPMC

November 13, 2007

Significant Group Policy Announcement by MS

Yesterday at TechEd in Barcelona, Microsoft made a slew of announcements. And buried in those announcements was the note about Group Policy Preferences. This is the name Microsoft has given to the DesktopStandard PolicyMaker extensions that they acquired last year. The good news is that these extensions are finally going to see the light of day as a free part of the OS when Server 2008 ships!!! This is HUGE because these extensions greatly add to what you can configure via Group Policy. And my understanding is that they will work on XP and above, which means that you get some of these great features without having to upgrade to Vista. In addition to adding support for new policy areas such as mapped drives, mapped printers, ini files, environment variables, shortcut distribution, local users and groups, scheduled tasks, power options, network options and IE settings, they also support much more granular filtering than you could ever get from WMI filters or security groups. This is huge because it means that there will be few things that you can't configure on a Windows desktop using Group Policy!

Microsoft has created a whitepaper that you can download to get more detail on this new feature. This is great news!!! Kudos to the Group Policy team for making this happen!

Tags:

Group Policy

November 09, 2007

New free Group Policy PowerShell cmdlets

Well, many of you know that we released the GPExpert Scripting Toolkit for PowerShell back at the end of July. The Toolkit lets you modify the settings within Group Policy objects using PowerShell. I also had a couple of cmdlets out on my GPOGUY.COM site that wrapped up some GPMC functionality for creating new GPOs and getting information on existing ones. More recently, I decided to flesh out that GPMC functionality even more, and I'm happy to announce that I just posted a new PowerShell snap-in for GPMC last night on our Freeware Page. The new snap-in contains 9 cmdlets, as follows:

Add-SDMgplink
Add-SDMgpoSecurity
Export-SDMgpo
Get-SDMgpo
Get-SDMgpoSecurity
Import-SDMgpo
New-SDMgpo
Remove-SDMgpo
Remove-SDMgpoSecurity

These new cmdlets let you use PowerShell to easily get at GPMC functionality such as linking GPOs to AD containers, modifying and retrieving security permissions on GPOs, backing up and restoring GPOs and creating and deleting GPOs. Give them a spin and let me know what you think!

 

Tags

Group Policy, PowerShell, GPMC, SDM Software

November 07, 2007

Retrieving Admin Template settings using Powershell

This is the first in a series of blog postings I plan to do showing how you can use Microsoft's very cool PowerShell scripting environment and SDM Software's GPExpert Scripting Toolkit for PowerShell to manage Group Policy settings. One of the strengths of the Scripting Toolkit is the ability to modify the settings within a local or domain GPO. But another great thing that the Toolkit can do is read settings out of GPOs. In the scenario I'm showing today, I want to feed my script a list of GPO names, and then for each GPO, I want to check whether or not a particular Admin. Template setting is enabled. If it is, then I want to report that out. I could also just as easily use this script to modify the setting if it wasn't what I wanted. I could also use the Toolkit to check other settings, like security settings. One scenario that comes to mind is a script that ensures that Password policy is set the same across all of my domains (assuming I have multiple domains), but that's an example for another day.

So, let's look at the full script and then I'll break it down:

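# gpos.txt is a CSV with a single "Name" column listing the GPOs to check
$gpos = import-csv gpos.txt
foreach ($mygpo in $gpos)
{
  # Open the GPO by name using the Toolkit's gpo:// path syntax
  $path = "gpo://cpandl.com/" + $mygpo.Name
  $gpo = Get-SDMgpobject -gpoName $path -openbyname $true;
  # Navigate to the Admin. Template container and pick the setting by its display name
  $container = $gpo.getObject("Computer Configuration/Administrative Templates/System/Logon");
  $settingName = "Always wait for the network at computer startup and logon";
  $setting = $container.Settings.ItemByName($settingName);

  # A state of -1 means the setting is not configured in this GPO
  if ($setting.Get("State") -eq -1)
  {
    $mygpo.Name + " does not have setting configured";
  }
  else
  {
    $mygpo.Name + " has setting set to state of: " + $setting.Get("State");
  }
}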

The first line simply uses the import-csv cmdlet that is provided within PSH to grab GPO names out of a text file called gpos.txt. That file has a list of GPO names, one on each line, with a header line called Name, as follows:

Name
"My GPO"
"Wireless Test"

I could also have included a column for domain name if I wanted to get at GPOs in multiple domains.

The foreach is going to loop through my list of GPOs so that I can read the setting I'm interested in out of each GPO. The real action starts with this line:

$gpo = Get-SDMgpobject -gpoName $path -openbyname $true;

The cmdlet get-sdmgpobject is part of the Scripting Toolkit, and lets us get a reference to a local or AD-based GPO. In this case, I'm referencing the GPO passed from the text file. Next, I want to "connect" to the path within the GPO whose setting I want to query. I do that with these 3 lines:

$container = $gpo.getObject("Computer Configuration/Administrative Templates/System/Logon");
$settingName = "Always wait for the network at computer startup and logon";
$setting = $container.Settings.ItemByName($settingName);

These three lines essentially connect to the Admin. Template path of interest, and then get the particular policy setting (in this case it's "Always wait for the network...") I want to query.

Then it's a simple matter of finding the state of that setting using this command:

$setting.Get("State")

Based on the value of that state, I return information about whether it's Not Configured, Enabled or Disabled. Of course, if this was a policy that was more complex, i.e. it had values other than these three simple ones, I could also get those values from the script.

This is just a small example of how the Toolkit can read, as well as write values from your GPOs! Next time I'll blog on a scenario for setting policies where the Toolkit really shines.
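The loop above extended into a small audit report, as an added example that is not part of the original post or the Toolkit: it uses the Domain column the post mentions as an option, compares each GPO's state against a value you supply, and records failures per GPO instead of stopping. The Domain column, the $ExpectedState, $ListFile and $ReportFile parameters and the report file name are assumptions of this example.

```powershell
# Added example (not SDM Software's code). Get-SDMgpobject, getObject,
# Settings.ItemByName and Get("State") are used as in the post; the Domain
# column, parameters and report file name are assumptions.
param(
    # -1 means "not configured" per the post; for other states pass the value
    # that Get("State") returns for a GPO you know is set the way you want
    [Parameter(Mandatory = $true)][int]$ExpectedState,
    [string]$ListFile = "gpos.txt",               # CSV with columns: Name,Domain
    [string]$ReportFile = "gpo-setting-audit.csv"
)

$containerPath = "Computer Configuration/Administrative Templates/System/Logon"
$settingName   = "Always wait for the network at computer startup and logon"

$report = foreach ($row in Import-Csv $ListFile) {
    $result = New-Object PSObject -Property @{
        Domain = $row.Domain; GPO = $row.Name; State = $null
        AsExpected = $false; Problem = $null
    }
    try {
        if (-not $row.Domain -or -not $row.Name) { throw "Row is missing Name or Domain" }
        $path = "gpo://" + $row.Domain + "/" + $row.Name
        $gpo = Get-SDMgpobject -gpoName $path -openbyname $true -ErrorAction Stop
        $setting = $gpo.getObject($containerPath).Settings.ItemByName($settingName)
        if ($null -eq $setting) { throw "Setting not found in container" }
        $result.State = $setting.Get("State")
        $result.AsExpected = ($result.State -eq $ExpectedState)
    }
    catch {
        # Record the failure so an unreadable GPO is never mistaken for a compliant one
        $result.Problem = $_.Exception.Message
    }
    $result
}

# Full results go to CSV; only deviations and failures are shown on screen
$report | Select-Object Domain, GPO, State, AsExpected, Problem |
    Export-Csv $ReportFile -NoTypeInformation
$report | Where-Object { -not $_.AsExpected } |
    Format-Table Domain, GPO, State, Problem -AutoSize
```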
 

Tags:

Powershell, Group Policy, GPExpert Scripting Toolkit

