
This is the first in a series of blog postings I plan to do showing how you can use Microsoft’s very cool PowerShell scripting environment and SDM Software’s Group Policy Automation Engine (GPAE) to manage Group Policy settings. One of the strengths of the GPAE is the ability to modify the settings within a local or domain GPO. But another great thing that the GPAE can do is read settings out of GPOs. In the scenario I’m showing today, I want to feed my script a list of GPO names, and then for each GPO, I want to check whether or not a particular Administrative Template setting is enabled. If it is, then I want to report that out. I could just as easily use this script to modify the setting if it wasn’t what I wanted. I could also use the GPAE to check other settings, like security settings. One scenario that comes to mind is a script that ensures that Password policy is set the same across all of my domains (assuming I have multiple domains), but that’s an example for another day.

So, let’s look at the full script and then I’ll break it down:

# Read the GPO names (one per line, under a "Name" header) from gpos.txt
$gpos = Import-Csv gpos.txt
foreach ($mygpo in $gpos)
{
    # Build the GPAE path to the GPO and open it by display name
    $path = "gpo://cpandl.com/" + $mygpo.Name
    $gpo = Get-SDMgpobject -gpoName $path -openbyname $true;

    # Connect to the Administrative Templates container and fetch the setting
    $container = $gpo.getObject("Computer Configuration/Administrative Templates/System/Logon");
    $settingName = "Always wait for the network at computer startup and logon";
    $setting = $container.Settings.ItemByName($settingName);

    # A state of -1 means the setting is not configured in this GPO
    if ($setting.Get("State") -eq -1)
    {
        $mygpo.Name + " does not have setting configured";
    }
    else
    {
        $mygpo.Name + " has setting set to state of: " + $setting.Get("State");
    }
}

The first line simply uses the import-csv cmdlet that is provided within PSH to grab GPO names out of a text file called gpos.txt. That file has a list of GPO names, one on each line, with a header line called Name, as follows:

Name
"My GPO"
"Wireless Test"

I could also have included a column for domain name if I wanted to get at GPOs in multiple domains.

The foreach is going to loop through my list of GPOs so that I can read the setting I’m interested in out of each GPO. The real action starts with this line:

$gpo = Get-SDMgpobject -gpoName $path -openbyname $true;

The cmdlet get-sdmgpobject is part of the GPAE, and lets us get a reference to a local or AD-based GPO. In this case, I’m referencing the GPO passed from the text file. Next, I want to “connect” to the path within the GPO whose setting I want to query. I do that with these 3 lines:

$container = $gpo.getObject("Computer Configuration/Administrative Templates/System/Logon");
$settingName = "Always wait for the network at computer startup and logon";
$setting = $container.Settings.ItemByName($settingName);

These three lines essentially connect to the Administrative Template path of interest, and then get the particular policy setting I want to query (in this case it’s “Always wait for the network…”).

Then it’s a simple matter of finding the state of that setting using this command:

$setting.Get("State")

Based on the value of that state, I return information about whether it’s Not Configured, Enabled or Disabled. Of course, if this were a more complex policy, i.e. one that had values other than these three simple ones, I could also get those values from the script.
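The multi-domain variation mentioned above, written as an audit report. This is an added example, not code from the original post or from SDM Software; it uses only the GPAE calls shown in the script. The Domain column, the child.cpandl.com domain, the "Branch Baseline" GPO, the helper name and the output file name are assumptions, as is the behaviour of a missing setting (null or an exception).

```powershell
# Added example: audit one Administrative Templates setting across GPOs in several domains.
# Requires the GPAE cmdlet Get-SDMgpobject used in the post.

# Constructed sample input; the Domain column and the second domain are assumptions.
$gpoList = @'
Name,Domain
"My GPO","cpandl.com"
"Wireless Test","cpandl.com"
"Branch Baseline","child.cpandl.com"
'@ | ConvertFrom-Csv

function Get-GpoSettingState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ContainerPath,
        [Parameter(Mandatory)] [string] $SettingName
    )
    # One row per GPO, so failures show up in the report instead of stopping the loop.
    $result = [pscustomobject]@{
        Domain = $Domain; Gpo = $GpoName; Setting = $SettingName
        State = $null; Configured = $false; Error = $null
    }
    try {
        $gpo = Get-SDMgpobject -gpoName "gpo://$Domain/$GpoName" -openbyname $true -ErrorAction Stop
        $container = $gpo.getObject($ContainerPath)
        $setting = $container.Settings.ItemByName($SettingName)
        # Assumption: a missing container or setting surfaces as $null or an exception.
        if ($null -eq $setting) { throw "Setting not found under $ContainerPath" }
        $result.State = $setting.Get("State")
        # -1 is the "not configured" value the post's script tests for.
        $result.Configured = ($result.State -ne -1)
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

$report = foreach ($row in $gpoList) {
    Get-GpoSettingState -Domain $row.Domain -GpoName $row.Name `
        -ContainerPath "Computer Configuration/Administrative Templates/System/Logon" `
        -SettingName "Always wait for the network at computer startup and logon"
}

$report | Format-Table -AutoSize
# GPOs that leave the setting unconfigured, or could not be read, need follow-up.
$report | Where-Object { -not $_.Configured } | Export-Csv gpo-setting-gaps.csv -NoTypeInformation
```

The State column carries the raw value returned by the GPAE; only the -1 "not configured" value is interpreted, since that is the one the post defines.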

This is just a small example of how the GPAE can read values from, as well as write values to, your GPOs! Next time I’ll blog on a scenario for setting policies where the Toolkit really shines.