
Windows Server 2008 R2 PowerShell Cmdlets (part 4) - Group Policy cmdlets

2/27/2014 2:15:27 AM

4. Group Policy cmdlets

The Group Policy cmdlets in PowerShell follow in the footsteps of all the other cmdlets in raw power. They let you do almost anything you could normally do with the Group Policy Management Console (GPMC). But just like many of the other new features in PowerShell 2.0, the cmdlets are not available from the start. To use the Group Policy cmdlets, you will have to import the corresponding module. First, make sure you are running Windows Server 2008 R2 on a domain controller or on a member server that has the GPMC installed. Start up PowerShell and type Import-Module GroupPolicy. Once the cmdlet completes, you can make sure it worked by typing Get-Help *GPO*. If the import worked, you should see a list with some of the Group Policy cmdlets (see Figure 15).

Figure 15. Some of the Group Policy cmdlets.

Once you know that the import cmdlet worked, you can move on. Tables 11 to 15 list cmdlets used for creating, getting, setting, and deleting things, as well as various utility cmdlets.

Table 11. Group Policy cmdlets That Create Things, the Constructors

| cmdlet Name | Description |
|---|---|
| New-GPO | This cmdlet creates a new Group Policy Object (GPO) |
| New-GPStarterGPO | This cmdlet creates a new Starter GPO |
| New-GPLink | This cmdlet creates a new link between the GPO and a valid specified target with the specified values |

Table 12. Group Policy cmdlets That Get Things, the Getters

| cmdlet Name | Description |
|---|---|
| Get-GPInheritance | This cmdlet gets the inheritance information for a specified target |
| Get-GPO | This cmdlet gets a target GPO or all the GPOs in a domain with the -All flag |
| Get-GPOReport | This cmdlet gets a report for a specified GPO(s) |
| Get-GPPermissions | This cmdlet gets the specified permissions for a specific GPO |
| Get-GPPrefRegistryValue | This cmdlet gets a registry preference item for a specific GPO |
| Get-GPRegistryValue | This cmdlet gets a registry-based policy setting for a specific GPO |
| Get-GPResultantSetofPolicy | This cmdlet gets the ResultantSetofPolicy (RSoP) for a specified target. Target can be a computer, a user, or both |
| Get-GPStarterGPO | This cmdlet gets the specified starter GPO in the domain or all the starter GPOs in the domain |

Table 13. Group Policy cmdlets That Set Things, the Setters

| cmdlet Name | Description |
|---|---|
| Set-GPInheritance | This cmdlet sets the inheritance for a target domain or OU by setting the -IsBlocked flag to Yes or No |
| Set-GPLink | This cmdlet sets the properties of a GPO link by setting the -Enforced, -LinkEnabled, and/or -Order flags |
| Set-GPPermissions | This cmdlet sets the permissions level for a security principal for one target GPO or all the GPOs in the domain. Permission levels must be set to a higher level or they will not be changed unless the -Replace flag is used. |
| Set-GPPrefRegistryValue | This cmdlet sets a registry preference item under a computer or user configuration in a GPO |
| Set-GPRegistryValue | This cmdlet sets one or more registry-based settings under a computer or user configuration in a GPO |

Table 14. Group Policy cmdlets That Remove Things, the Deleters

| cmdlet Name | Description |
|---|---|
| Remove-GPLink | This cmdlet removes the link from a specific GPO to a specified target |
| Remove-GPO | This cmdlet removes a GPO |
| Remove-GPPrefRegistryValue | This cmdlet removes one or more registry preference items from either the computer or user configuration in a GPO |
| Remove-GPRegistryValue | This cmdlet removes one or more registry-based policy settings from either the computer or user configuration in a GPO |

Table 15. Miscellaneous Group Policy cmdlets, the Utility cmdlets

| cmdlet Name | Description |
|---|---|
| Backup-GPO | This cmdlet backs up a GPO or all the GPOs in the domain to a specified location that must already exist |
| Copy-GPO | This cmdlet copies a GPO. Will not create a GPO copy with the same name in a domain |
| Import-GPO | This cmdlet imports the GPO settings from a GPO backup to a specified GPO. The specified GPO does not have to exist and will be created from the backup if the -CreateIfNeeded flag is used |
| Rename-GPO | This cmdlet renames a GPO, changing only its display name |
| Restore-GPO | This cmdlet restores a GPO or all the GPOs in the domain from backup files. The GPO(s) must exist for them to be restored |

There are a large number of PowerShell cmdlets that exist simply to support Group Policy. The purpose behind them is to let you automate many of the tasks that are normally performed with the GPMC by giving you cmdlets that duplicate the features of the console. The Group Policy cmdlets are divided into four kinds according to their purpose. The first group is used for GPO maintenance; the second group is used to associate GPOs with targeted AD sites, domains, or organizational units (OUs); the third group is used to set permissions and inheritance; and the final set is used for registry operations involving GPOs.

The GPO maintenance cmdlets are typically used for the backup, creation, removal, and import of GPOs. The first thing you will do is create a test GPO so that you can familiarize yourself with the cmdlets. Start up PowerShell and make sure you have imported the Group Policy module. Type New-GPO myPSGPO -Comment "My First Official PowerShell GPO". When the cmdlet has finished executing, you will see a list with all the attributes of your newly created GPO. Now you have a disposable GPO that you can use the rest of the cmdlets on without having to worry about it.

You can now try to create a backup of this GPO with the Backup-GPO cmdlet. Type Backup-GPO -Name myPSGPO -Path C:\windows\GPOBackups. Keep in mind that the path has to point to a directory that already exists; the cmdlet will not create it for you. You might want to substitute that path with one of your own or create a directory to make that path valid. You should also be aware that, as an alternative to the -Name flag to specify the GPO, you can use the -GUID flag and give it the globally unique identifier. This is used when there is a possibility of more than one GPO with the same name. Once the cmdlet completes, you will once again see a status screen.

Now, let us say that the prized GPO that you created gets zapped one day. You remember that you backed it up when you were preparing for a day just like this. All you have to do now is restore it. There is a cmdlet for that as well. You will now restore from the backup you created using the Import-GPO cmdlet. At the PowerShell prompt, you type Import-GPO -BackupGpoName myPSGPO -TargetName myPSGPO -CreateIfNeeded -Path c:\Windows\System32\GPOBackups and hit enter (the -Path value must be the directory that holds the backup). When the cmdlet runs, you will see that the GPO is back. The -CreateIfNeeded flag is what makes it a true restore, because without this flag, a new GPO would not be created from the old one and the cmdlet would just serve to restore the old settings from the backup GPO to the target GPO.

You could also use the Restore-GPO cmdlet to accomplish the same thing. The main difference is that Restore-GPO allows a mass restore by using the -All flag, but for the restore cmdlet to work, the target GPOs must still exist, while Import-GPO does not care as long as you use the -CreateIfNeeded flag. Now, assume that a lot of time goes by and you outgrow the GPO you created. Since then, you have grown much and created much better GPOs and no longer need myPSGPO. This is where the Remove-GPO cmdlet comes in. It allows you to quite simply remove or delete a GPO. When you are ready to delete myPSGPO, you type Remove-GPO -Name myPSGPO.
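The maintenance steps above as one script, added here as an example and not taken from the original article. The backup directory C:\GPOBackups is an assumed path, and the script addresses the GPO and the backup by GUID rather than by name.

```powershell
# Added example: back up the test GPO, lose it, and recover it with Import-GPO.
Import-Module GroupPolicy

$GpoName   = 'myPSGPO'
$BackupDir = 'C:\GPOBackups'    # assumed path; substitute your own

# Backup-GPO does not create the directory, so create it up front.
if (-not (Test-Path -Path $BackupDir -PathType Container)) {
    New-Item -Path $BackupDir -ItemType Directory | Out-Null
}

# Create the disposable GPO unless it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'My First Official PowerShell GPO'
}

# Back up by GUID so a second GPO with the same display name cannot be
# picked up by mistake.
$backup = Backup-GPO -Guid $gpo.Id -Path $BackupDir -Comment "Backup of $GpoName"
'Backup {0} written to {1}' -f $backup.Id, $backup.BackupDirectory

# Simulate the loss of the GPO (this is the disposable test GPO only).
Remove-GPO -Guid $gpo.Id -Confirm:$false

# Import by backup ID from the same directory the backup was written to.
# -CreateIfNeeded recreates the GPO because the target no longer exists.
$restored = Import-GPO -BackupId $backup.Id -Path $BackupDir `
                       -TargetName $GpoName -CreateIfNeeded

# Import brings back the settings only. The recreated GPO has a new GUID,
# and links and permissions that were set on the old GPO must be reapplied.
'Old GUID: {0}  New GUID: {1}' -f $gpo.Id, $restored.Id
```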

The second group of Group Policy cmdlets is used for Group Policy link maintenance. They allow the administrator to create links, remove links, and change the properties on existing links. The link maintenance Group Policy cmdlets are very powerful and straightforward. It should come as no surprise that to create a new link, you use the New-GPLink cmdlet. You will need the LDAP name of the target site, domain, or OU you are linking to. If you wanted to link the GPO myPSGPO you created earlier to one of your OUs, you would type New-GPLink -Name myPSGPO -Target "LDAP name of the target" -LinkEnabled Yes. When you hit enter, a new link from your GPO would be created to the desired OU. Just as when you create links with the GPMC, you can specify whether you want the link enforced, whether you want it enabled, and the link order with the -Enforced, -LinkEnabled, and -Order flags. The -Enforced and -LinkEnabled flags take a Yes or No, while -Order takes an integer. Once you create a link, you might eventually decide to remove it. If this does happen, then you will need the Remove-GPLink cmdlet. To remove the link from myPSGPO, you type Remove-GPLink -Name "myPSGPO" -Target "LDAP name of the target" and hit enter. The link has now been removed. Let us say that instead of removing it, though, you wanted to change its properties. You decided that you wanted to make the link enforced, something that you did not do when you originally created the link. This is where the Set-GPLink cmdlet comes in handy. Assuming you wanted to change the link you had set up earlier instead of removing it, you would type Set-GPLink -Name myPSGPO -Target "LDAP name of the target" -Enforced Yes.

The next set of Group Policy cmdlets you will find useful are the ones that deal with permissions and inheritance. Let us say you want to check the permissions on a GPO. The Get-GPPermissions cmdlet is the answer. To illustrate how this works, you will use it on the GPO myPSGPO you created earlier. At the PowerShell prompt, type in Get-GPPermissions -Name myPSGPO -All and hit enter. When the command executes, you will see a list of all the permissions for the GPO (see Figure 16).

Figure 16. Permissions list for PSGPO.

Now, assume that you want to change some of the permissions for the GPO. You will need to use the Set-GPPermissions cmdlet to accomplish this. The Set-GPPermissions cmdlet is your all-purpose cmdlet for setting and tweaking permissions. By default, it will not replace an existing permission with a lower permission level unless you use the -Replace flag. You notice that in your GPO, any "Authenticated User" can apply the GPO. You want to change that so that the only thing they can do is read it. You type Set-GPPermissions -Name myPSGPO -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace and hit enter. You need to use the -Replace flag since you are actually lowering the permission level. You can now check your GPO again with Get-GPPermissions -Name myPSGPO -TargetName "Authenticated Users" -TargetType Group and see that the permission level has been changed from GpoApply to GpoRead (see Figure 17).

Figure 17. Permissions have been changed.
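A read-only delegation audit built on Get-GPPermissions, added here as an example and not part of the original article. It goes beyond the single-GPO check in the text by walking every GPO in the domain; the $ExpectedEditors allow-list and the New-Finding helper are assumptions made for illustration.

```powershell
# Added example: audit GPO delegation across the domain (changes nothing).
Import-Module GroupPolicy

# Assumed allow-list of trustees that may edit GPOs; adjust for your domain.
$ExpectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM',
                   'ENTERPRISE DOMAIN CONTROLLERS'

# Hypothetical helper that builds one report row (PowerShell 2.0 compatible).
function New-Finding($Gpo, $Trustee, $Permission, $Issue) {
    New-Object PSObject -Property @{
        Gpo = $Gpo; Trustee = $Trustee; Permission = $Permission; Issue = $Issue
    }
}

$findings = foreach ($gpo in Get-GPO -All) {
    $perms = @(Get-GPPermissions -Guid $gpo.Id -All)

    foreach ($p in $perms) {
        # Matches both GpoEdit and GpoEditDeleteModifySecurity.
        $canEdit = "$($p.Permission)" -like 'GpoEdit*'
        if ($canEdit -and ($ExpectedEditors -notcontains $p.Trustee.Name)) {
            New-Finding $gpo.DisplayName $p.Trustee.Name $p.Permission `
                        'Unexpected edit rights'
        }
    }

    # Lowering Authenticated Users to GpoRead, as in the text, leaves the GPO
    # with no GpoApply entry unless another trustee was granted it. Treat this
    # row as a prompt to review the GPO's security filtering.
    if (-not ($perms | Where-Object { "$($_.Permission)" -eq 'GpoApply' })) {
        New-Finding $gpo.DisplayName '(none)' 'GpoApply' `
                    'No trustee listed with GpoApply'
    }
}

$findings | Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee, Permission, Issue -AutoSize
```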

The inheritance cmdlets, like the permissions cmdlets, accomplish all they need with just two cmdlets. The Get-GPInheritance cmdlet is used to get the Group Policy inheritance information for a domain or OU, while Set-GPInheritance is used to modify the existing inheritance rule and either stop or allow inheritance in a domain or OU. Let us say you wanted to find out the Group Policy inheritance information for a specific OU. At the PowerShell prompt, you would type Get-GPInheritance -Target "LDAP name of the OU" and hit enter. The cmdlet would execute and return information, letting you know whether inheritance is blocked, as well as the number of GPO links and inherited GPO links. If you decided you wanted to change the inheritance rule for an existing OU and block inheritance, then at the PowerShell prompt, you would type Set-GPInheritance -Target "LDAP name of the OU" -IsBlocked Yes and hit enter. This would then block inheritance for that OU, except for enforced links.
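A read-only report over the link and inheritance settings described in the two passages above, added here as an example and not part of the original article. It assumes the ActiveDirectory module is available to enumerate OUs, and it shows which enforced links still reach an OU that blocks inheritance.

```powershell
# Added example: list OUs that block inheritance or carry disabled links.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # assumption: the AD module is installed

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $som = Get-GPInheritance -Target $ou.DistinguishedName

    # GPOs linked directly on this OU.
    $direct = @($som.GpoLinks | ForEach-Object { $_.DisplayName })

    # Directly linked GPOs whose link is currently disabled.
    $disabled = @($som.GpoLinks | Where-Object { -not $_.Enabled } |
                  ForEach-Object { $_.DisplayName })

    # Enforced links in the effective list; these apply even when the OU
    # blocks inheritance.
    $enforced = @($som.InheritedGpoLinks | Where-Object { $_.Enforced } |
                  ForEach-Object { $_.DisplayName })

    New-Object PSObject -Property @{
        OU            = $ou.DistinguishedName
        Blocked       = $som.GpoInheritanceBlocked
        DirectLinks   = $direct   -join '; '
        DisabledLinks = $disabled -join '; '
        EnforcedLinks = $enforced -join '; '
    }
}

# Show only the OUs that deviate from plain top-down inheritance.
$report | Where-Object { $_.Blocked -or $_.DisabledLinks } |
    Format-List OU, Blocked, DirectLinks, DisabledLinks, EnforcedLinks
```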

The final set of Group Policy cmdlets is used to perform registry operations. Get-GPRegistryValue and Get-GPPrefRegistryValue are the information getters, Set-GPRegistryValue and Set-GPPrefRegistryValue are the modifiers, and Remove-GPRegistryValue and Remove-GPPrefRegistryValue are the deletion cmdlets. Their use and syntax are very straightforward.
