The GPOGUY-- Group Policy Blog

New Version of GPMC PowerShell Cmdlets Released!

2008-07-02T22:37:17Z

Well, we've released a new version of our GPMC PowerShell cmdlets--version 1.2. This new version represents a significant updgrade to the existing cmdlets. The biggest change is that we incorporated new functionality that became available in the version of GPMC that shipped with Vista, SP1 and Windows Server 2008. As a result of those significant GPMC changes, we had to break the cmdlets into two separate download packages--one package for Vista, SP1 and Server 2008 users and the other for earlier platforms. In general, the main differences between the two downloads is that the package for Vista, SP1 and 2008 supports some features like managing "Starter GPOs" and some other new capabilities that the older version of GPMC does not support. But both packages have added some cool new features, such as better pipelining support between cmdlets and support for creating GP Settings and RSOP reports. The pipelining support is especially interesting for those of you out there looking to fully automate your GP Management tasks. In earlier versions of the cmdlets, whenever you got a reference to a GPO or created a new GPO, you could not easily pipe the output of that to another cmdlet. The reason for this is that the objects that the cmdlets emitted were COM Interop types that did not appear as useful objects to the PowerShell pipeline. As a result, we have modified the default output of many of these Get- cmdlets to emit custom objects that are more easily piped to other cmdlets. For example, now you can create a GPO and link it in one fell swoop, like this:

new-sdmGPO "Marketing Stuff" | add-sdmgplink -Scope "OU=Marketing,DC=Cpandl,DC=com" -Location -1

If you do still need access to the COM interop types, then there is now a -Native parameter on cmdlets that emit these custom objects so that you can revert to the old 1.1 behavior if needed.

The following are the rest of the release notes on the new 1.2 version. Check them out and let us know what you think!

*******************************************************************

Release Notes for SDM Software's GPMC PowerShell Cmdlets, v1.2

July 2, 2008
-------------
#Added -Native parameter to a number of the get- cmdlets, including get-SDMGPO. In version 1.1, these cmdlets emitted native GPMC COM Interop types, which could not be sent to the pipeline successfully. As a result, all of the cmdlets in this release that support the -Native parameter now, by default, emit custom object types to work better with the pipeline. If you need the native GPMC object types, then use the -Native parameter.

#Add 9 new Cmdlets, including:

Add-WMIFilterLink: Links an existing WMI filter to a GPO
Copy-SDMStarterGPO: Copies an existing Starter GPO to a new Starter GPO (Server 2008 and Vista, Sp1 only)
Get-SDMStarterGPO: Retrieves a reference to and information on a named Starter GPO (Server 2008 and Vista, Sp1 only)

Get-SDMWMIFilter: Retrieves a reference to and information on one or all WMI Filters in a domain
New-SDMStarterGPO: Creates a new Starter GPO (Server 2008 and Vista, Sp1 only)
Out-SDMGPSettingsReport: Creates an xML or HTML GPO Settings report
Out-SDMRSOPLoggingReport: Creates and XML or HTML Group Policy Results report
Remove-SDMStarterGPO: Deletes a Starter GPO (Server 2008 and Vista, Sp1 only)
Remove-SDMWMIFilterLink: Removes any WMI Filter linked to a particular GPO

#Added a Name parameter to Get-SDMGPLink. This new parameter lets you search for links by GPO name in addition to SOM. So, you can provide a GPO name and get a list of all the places its linked.

#Added a GPOID parameter to Get-SDMGPO. This new parameter lets you search for a GPO by GUID instead of by name. With this new parameter, you can use this cmdlet to effectively translate from GUID to Name and Name to GUID.

***********************************************************************

Tags:

Group Policy, PowerShell, GPMC, SDM Software

GP Change Auditing

2008-07-01T00:39:18Z

The folks at NetWrix have just announced their newest product--Group Policy Change Reporter. The product comes in both a freeware and commercial version and can provide detailed change reporting on who made changes to GPOs, what settings were changed and when. It comes with a number of out-of-the-box reports as well.

Check it out!

Opportunity for providing Microsoft feedback on Server Management

2008-06-24T23:48:02Z

Hey Folks. The Group Policy Team at Microsoft is looking for feedback on managing Windows Servers. They've put a survey up online. If you want to get your feedback and experiences heard, and incorporated into future products, this is an ideal opportunity to do it! The survey is up until July 15th so get in there!

New PowerShell-based Product for Group Policy Health

2008-06-19T19:21:21Z

Well, in keeping with our current tradition of delivering PowerShell-based solutions for Group Policy Management, SDM Software has released its latest product--the Group Policy Health Cmdlet. This cmdlet basically lets you get quick and detailed Group Policy processing status across one or more machines within your enterprise. Its pretty cool in that you can feed it either a machine name, an OU name or a domain name and it will resolve all computer objects in those containers, and query each one, returning results either as an object (shown in the screenshot below) or as an XML document that you can save or manipulate using PowerShell's built-in XML capabilities. You can take a video tour of the product here, which shows off some of its features.

And while the product is not free, you can download a trial copy and use it for up to 10 queries. After that, to buy a copy is, well, cheap if you ask me :). Anyway, check it out and let us know what you think!

Tags:

Group Policy, PowerShell, SDM Software, Group Policy Health

Scripting/SysAdmin Meme

2008-06-18T21:24:16Z

I noticed that Jeff Hicks called me out on his blog for the Scripting/SysAdmin Meme, so I figured I would follow through with the chain and answer the questions here:

How old were you when you started using computers?

I was about 15.

What was your first machine?

The first computer that I used was probably a Cromemco multi-user system in High School or the original Apple computer. The first computer I owned was an Atari 800 that I got for Christmas in 1978 :).

What was the first real script you wrote?

Hmm. Well, my first language was BASIC--not sure that is really a scripting language but it approximated that on the Atari. But in terms of real scripting languages it was probably DOS batch.

What scripting languages have you used?

DOS batch, Fastlane FINAL, Perl, VBScript, JScript, PowerShell. Probably missing a couple in there.

What was your first professional sysadmin gig?

My first job out of college, as I struggled to be a bike racer, was part-time warehouse guy and part-time computer guy for a small computer leasing company. I did some basic maintenance and Paradox development. My first real sys admin. job was for an environmental consulting company. When I started, they had a Sun TOPS network based on Appletalk!!

If you knew then what you know now, would have started in IT?

Excellent question. Not sure. IT has changed a lot, there is a lot of things I don't like about it. I think I might have spent more time in dev. if I knew then what I know now.

If there is one thing you learned along the way that you would tell new sysadmins, what would it be?

What worked for me may not work for others, but I made a conscious decision to reach out and help people. This started with the early winnt-bhs mailing list on Compuserve in the mid-90s and continues today. I think this business is all about spreading the knowledge, because there is so much to learn. So, if you want to advance your own career, help others as you learn. It brings many side benefits, including gaining a reputation that might lead to more interesting things than just fixing broken printers :).

What’s the most fun you’ve ever had scripting?

Scripting is one of those things that I did out of necessity, but I can remember a perl script that I had to write to change thousands of machines from static IP to dynamic. I was particularly proud of that at the time. I think now I get the most kick out of developing PowerShell cmdlets. Fun stuff.

Who am I calling out?

Whitepaper on Group Policy Management using PowerShell

2008-06-17T21:03:24Z

I created a whitepaper a while back that describes how you can use SDM Software's free GPMC cmdlets along with our commercial GPExpert(tm) Scripting Toolkit product to automate Group Policy management using PowerShell. That whitepaper, entitled "Automating Group Policy Management" is now up on our website for download. You do have to register for it but it goes through a bunch of different scenarios, including performing basic GPO management tasks as well as using the Toolkit to audit or modify Group Policy settings across a group of GPOs.

PowerShell Script to leverage AD Tombstone cmdlets

2008-06-10T19:33:41Z

Well, Active Directory MVP and well-known speaker Guido Grillenmeier from HP has taken my AD tombstone reanimation cmdlets and fashioned a very cool PowerShell script that uses the cmdlets and the new AD snapshot mounting feature in Server 2008 to not only restore deleted objects but also restore their attributes that are lost when the object is deleted. Guido is presenting an AD recovery talk at TechEd in Orlando tomorrow and the script will be featured in that talk. If you are at TechEd, I highly recommend you check out his talk.

Guido has also provided some great feedback on my tombstone reanimation cmdlets so look for a 1.1 version of them very soon!

You can download Guido's PowerShell script here !

Thanks Guido!

"I installed RSAT...where is GPMC?"

2008-06-07T22:52:44Z

I've heard this question often enough since the Remote Server Administration Tools shipped that I thought it was worth blogging about it. After you install RSAT on your Vista, SP1 machine, you won't find GPMC installed right away. You'll need to go into the Control Panel, Programs and Features applet to enable it. Once in Programs and Features, select the link on the left that says Turn Windows Features on and off. Whent the list of features comes up, navigate to Remote Server Administration Tools, Feature Administration Tools, Group Policy Management Tools and check that box to select the GPMC, as shown below

Then click OK and once the install completes, you will have GPMC!

Tags:

GPMC, RSAT, Group Policy

PowerShell hits the morgue

2008-06-03T21:27:56Z

Well, despite the morbid title, this is not about dead things. Well, not quite. And amazingly its not about Group Policy either.

In my ever increasing thirst for PowerShell knowledge, I thought I would experiment a bit with some Active Directory-based cmdlets this time. The result is two free PowerShell Cmdlets that retrieve and reanimate AD Tombstones (for an excellent backgrounder article on Tombstone Reanimation, check out Gil Kirkpatrick's piece in TechNet Magazine from last September).

You can optionally register for and download these new AD tombstone cmdlets at www.sdmsoftware.com/freeware. Once you download and install the setup, and launch the console file that comes with it, you'll have two new cmdlets at your disposal*:

get-SDMADTombstone

restore-SDMADTombstone

The first cmdlet, most obviously retrieves a listing of all deleted objects in a given domain. You can filter the results using the -Filter parameter to search for a given text string within the DN of the deleted object. The 2nd cmdlet, which does the actual restoral work, is meant to be used with the first one. So, for example, if I have a user "Dick Evans" who was deleted, and I want to restore him, I can issue the following command:

get-SDMADTombstone -Filter Evans | restore-SDMADTombstone

The restore- cmdlet also implements the -whatif parameter, so that you can see what objects will be restored prior to pulling the trigger.

So, I encourage everyone to download and check it out and provide feedback. I look forward to hearing your input.

Have fun!

Tags:

Active Directory, PowerShell, Tombstone Reanimation

* Note: This blog post was edited after the initial posting. Thanks to feedback from Dmitry, I renamed the cmdlets to be singular, in keeping with PowerShell convention, and also changed the output format of the date fields. Otherwise, everything is the same!

On Demand version of the "Securing Desktops..." Webinar available

2008-05-30T22:43:54Z

For those of you who missed the webinar I did yesterday on "Securing Desktops with Group Policy", you can register to view the on-demand version here. If you did attend, thanks for listening! We had a good crowd and lots of good questions!

XMLLite and Group Policy Preferences

2008-05-30T19:09:16Z

I have heard a lot of questions about the need to install the pre-requisite XMLLite package on XP and Server 2003 prior to installing the Group Policy Preferences Client Side Extensions to those versions of Windows. The fact is that XMLLite is currently not deployable via WSUS, which has made it hard for folks to mass deploy Group Policy Preferences. What I've come to learn is that while this deployment challenge for XMLLite is true, there are some mitigating factors that might help certain shops. Namely:

Windows Server 2003, SP2 and Windows XP SP3 already include XMLLite, and thus its not required as a separate install before you install Group Policy Preferences on those versions of the OS
Windows Server 2003, SP1 and Windows XP, SP2 with Internet Explorer 7 installed also do not need XMLLite, as it is included with IE 7.

So, bottom line is that if you are running 2003, SP1 or XP, SP2 without IE7, you will still struggle to deploy XMLLite through means other than "sneaker-net" but the good news is that, with these above exceptions, the number of those machines should get smaller and smaller over time.

And just a note that XMLLite is not required at all for GP Preferences on Vista.

Tags:

Group Policy, Group Policy Preferences, XMLLite

Don't Like How they broke GP-based Deployment of Office 2007?

2008-05-22T14:06:58Z

If you are one of the many IT administrators I've talked to that doesn't like how Microsoft essentially broke Group Policy Software Installation-based deployment of Office when they released Office 2007, here's how you can provide feedback to Microsoft. I just noticed a blog posting from someone on the Office Resource Kit team with the title, "Deploying Office 2007 with GPSI is not for the faint of heart ". For someone from the Office Resource Kit team to use that kind of title is what I would call irony. I encourage everyone that finds what they did with Office deployment in the latest version just plain non-responsive to customer needs, to submit a comment to that blog posting. I think if they knew how many people were adversely affected by this decision, they would perhaps get around to providing some better deployment solutions than recommending yet another deployment product for folks to install!

Updated Group Policy Book Now Available!

2008-05-21T20:52:10Z

I just wanted to let everyone know that Microsoft Press has released a new version of the popular "Goup Policy Guide" book that fellow GP MVP Derek Melber and I contributed to a couple of years ago. This time Derek took the project on himself and the result is a great companion for navigating the new features within Group Policy in Server 2008 and Vista! Everyone who is doing anything with Group Policy should have this book on their desk!

Tags:

Group Policy, Derek Melber

"Securing Windows Desktops with Group Policy" Webinar

2008-05-19T21:44:04Z

Hey folks. I just wanted to let you all know that I will be giving a webinar about using Group Policy to create secure desktop configurations next week. The webinar is all about looking at the technology within Group Policy related to creating secure configurations. I'll also talk a little about how SDM Software's new Desktop Policy Manager product can help make the process of creating secure desktops using Group Policy much simpler. You can register for the webinar at http://www.bi101.com/go/secure_desktop/index.php. Its on May 29th at 11am Pacific Time (GMT-8). Hope to see you there!

Tags:

Group Policy, Desktop Policy Manager, Creating Secure Desktops

Group Policy Delegation

2008-05-08T15:47:33Z

The other day I got a question about one of our free GPMC PowerShell cmdlets--namely, the Add-SDMgpoSecurity that lets you modify GPO security. One of the permissions that you can grant using the cmdlet is the GPO creation permission--which controls who can create GPOs in the domain. This particular questioner was wondering why they were getting an error when trying to set GPO creation permissions on a particular OU. The question made me think that a blog entry on Group Policy delegation was in order. So, for this particular issue I just described, the answer is relatively straightforward. You can only delegate creation of GPOs at the domain level. That is why, in GPMC, you will notice that when you click on the Delegation tab for a particular OU, you don't have the option to delegate GPO creation.

In fact, the only place you will see that delegation, is when you click on the "Group Policy Objects" node within a particular domain, and view the Delegation tab. So, the right to create GPOs in a domain is domain-wide. Now of course, if you delegate to someone the right to create a GPO, it does not necessarily give them the ability to make it "live". That ability requires a different kind of delegation--the delegation of linking. Remember that a GPO can be linked to an AD site, domain or OU. Each of these AD containers has a set of permissions associated with it. One of those permissions is the ability to write to the gpLink attribute on the container, and it is that permission that controls who can link a GPO to that particular site, domain or OU. You can, of course, delegate that permission without having to dig into the bowels of the AD ACL Editor, by using the GPMC--simply by clicking the Delegation tab while focused on a container object and then choosing "Link GPOs" as the permission you want to manage.

The final type of delegation I will mention is the ability to edit GPOs. Regardless of who creates a GPO, there is the separate ability to be able to edit that GPO once its created. When a GPO is created, it gets a set of permissions that are controlled by the defaultSecurityDescriptor attribute on the AD schema groupPolicyContainer object class. That default security descriptor controls which groups have which permissions on newly created GPOs. You can, of course, modify that attribute in your AD environment so that you can control which groups get what rights on all newly GPOs (see KB article http://support.microsoft.com/kb/321476/en-us for more information), but you may also want to modify the ability to edit GPOs after they are created. For that GPMC again provides the answer. You simply need to highlight a particular GPO, choose the Delegation tab and from there you can set permissions for who can edit a GPO or who can edit, delete and modify the security on a GPO. Its also important to note that these permissions are stored on the GPO object itself, not the link or container object. So, while you can link a GPO to any number of AD containers, keep in mind that the permissions on that GPO in terms of who can read and write it remain constant, regardless of where its linked.

Finally, I will mention a slight variation on the GPO delegation I just described. The ability for a computer or user to process a GPO is just a different kind of delegation on that GPO. Namely, by granting a user or computer (or a group to which they belong) the Read and "Apply Group Policy" rights on a GPO, that user or computer is allowed to process that GPO, assuming its properly linked to them within the AD hierarchy. Strangely, this particular delegation is listed in two places within GPMC. If you're highlight a GPO, you will see it under the Scope tab, in the "Security Filtering" listview, and you will also see that same delegation listed on the Delegation tab for that GPO, except that it will say "Read(from Security Filtering)", next to the security principal name to indicate that the permission being granted is really the ability to process the GPO. Confused yet?

Of course, all of these delegation operations are supported in our free PowerShell GPMC cmdlets as well!

Tags:

Group Policy, PowerShell, GPMC