4. Group Policy cmdlets
The Group Policy cmdlets in PowerShell follow in the footsteps of all the other cmdlets in raw power. They let you do almost anything you could normally do with the Group Policy Management Console (GPMC), from cmdlets. But just like many of the other new features in PowerShell 2.0, the cmdlets are not available from the start. To use the Group Policy cmdlets, you have to import the corresponding module. First, make sure you are running Windows Server 2008 R2 on a domain controller or on a member server that has the GPMC installed. Start PowerShell and type Import-Module GroupPolicy. Once the cmdlet completes, you can make sure it worked by typing Get-Help *GPO*. If the import worked, you should see a list with some of the Group Policy cmdlets (see Figure 15).
Once you know that the import cmdlet worked, you can move on. Tables 11–15 list cmdlets used for creating, getting, setting, and deleting things, as well as various utility cmdlets.
Table 11. Group Policy cmdlets That Create Things, the Constructors

| Cmdlet Name | Description |
|---|---|
| New-GPO | Creates a new Group Policy Object (GPO) |
| New-GPStarterGPO | Creates a new Starter GPO |
| New-GPLink | Creates a new link between a GPO and a valid specified target, with the specified link properties |
Table 12. Group Policy cmdlets That Get Things, the Getters

| Cmdlet Name | Description |
|---|---|
| Get-GPInheritance | Gets the inheritance information for a specified target |
| Get-GPO | Gets a target GPO, or all the GPOs in a domain with the -All flag |
| Get-GPOReport | Gets a report for one or more specified GPOs |
| Get-GPPermissions | Gets the permissions for a specific GPO |
| Get-GPPrefRegistryValue | Gets a registry preference item from a specific GPO |
| Get-GPRegistryValue | Gets a registry-based policy setting from a specific GPO |
| Get-GPResultantSetofPolicy | Gets the Resultant Set of Policy (RSoP) for a specified target. The target can be a computer, a user, or both |
| Get-GPStarterGPO | Gets the specified Starter GPO in the domain, or all the Starter GPOs in the domain |
Table 13. Group Policy cmdlets That Set Things, the Setters

| Cmdlet Name | Description |
|---|---|
| Set-GPInheritance | Sets the inheritance for a target domain or OU by setting the -IsBlocked flag to Yes or No |
| Set-GPLink | Sets the properties of a GPO link with the -Enforced, -LinkEnabled, and/or -Order flags |
| Set-GPPermissions | Sets the permission level for a security principal on one target GPO or on all the GPOs in the domain. A permission level is only raised; it is not lowered unless the -Replace flag is used |
| Set-GPPrefRegistryValue | Sets a registry preference item under the computer or user configuration in a GPO |
| Set-GPRegistryValue | Sets one or more registry-based settings under the computer or user configuration in a GPO |
Table 14. Group Policy cmdlets That Remove Things, the Deleters

| Cmdlet Name | Description |
|---|---|
| Remove-GPLink | Removes the link from a specific GPO to a specified target |
| Remove-GPO | Removes a GPO |
| Remove-GPPrefRegistryValue | Removes one or more registry preference items from either the computer or user configuration in a GPO |
| Remove-GPRegistryValue | Removes one or more registry-based policy settings from either the computer or user configuration in a GPO |
Table 15. Miscellaneous Group Policy cmdlets, the Utility cmdlets

| Cmdlet Name | Description |
|---|---|
| Backup-GPO | Backs up a GPO, or all the GPOs in the domain, to a specified location that must already exist |
| Copy-GPO | Copies a GPO. It will not create a copy with the same name as an existing GPO in the domain |
| Import-GPO | Imports the settings from a GPO backup into a specified GPO. The target GPO does not have to exist; it is created from the backup if the -CreateIfNeeded flag is used |
| Rename-GPO | Renames a GPO, changing only its display name |
| Restore-GPO | Restores a GPO, or all the GPOs in the domain, from backup files. The GPO(s) must still exist to be restored |
A large number of PowerShell cmdlets exist simply to support Group Policy. Their purpose is to let you automate many of the tasks that are normally performed with the GPMC, by giving you cmdlets that duplicate the features of the console. These cmdlets are divided into four kinds, dictated by their purpose. The first group is used for GPO maintenance; the second group is used to associate GPOs with targeted AD sites, domains, or organizational units (OUs); the third group is used to set permissions and inheritance; and the final set is used for registry operations involving GPOs.
The GPO maintenance cmdlets are typically used for the backup, creation, removal, and import of GPOs. The first thing you will do is create a test GPO so that you can familiarize yourself with the cmdlets. Start PowerShell and make sure you have imported the Group Policy module. Type New-GPO myPSGPO -Comment "My First Official PowerShell GPO". When the cmdlet has finished executing, you will see a list of all the attributes of your newly created GPO. You now have a disposable GPO that you can use with the rest of the cmdlets as you please, without having to worry about breaking anything.

You can now try to create a backup of this GPO with the Backup-GPO cmdlet. Type Backup-GPO -Name myPSGPO -Path C:\windows\GPOBackups. Keep in mind that the path has to point to a directory that already exists; the cmdlet will not create it for you. You might want to substitute a path of your own, or create a directory to make that path valid. You should also be aware that, as an alternative to the -Name flag for specifying the GPO, you can use the -Guid flag and give it the GPO's globally unique identifier. This is used when there may be more than one GPO with the same name. Once the cmdlet completes, you will once again see a status screen.

Now, let us say that the prized GPO you created gets zapped one day. You remember that you backed it up one day when you were preparing for a day just like this. All you have to do now is restore it, and there is a cmdlet for that as well. You will now restore from the backup you created using the Import-GPO cmdlet. At the PowerShell prompt, type Import-GPO -BackupGpoName myPSGPO -TargetName myPSGPO -CreateIfNeeded -Path c:\Windows\System32\GPOBackups and hit Enter. When the cmdlet runs, you will see that the GPO is back. The -CreateIfNeeded flag is what makes this a true restore: without it, a new GPO would not be created from the backup, and the cmdlet would only copy the settings from the backup into an already existing target GPO. You could also use the Restore-GPO cmdlet to accomplish the same thing. The main difference is that Restore-GPO allows a mass restore with the -All flag, but for Restore-GPO to work the target GPOs must still exist, whereas Import-GPO does not care as long as you use the -CreateIfNeeded flag.

Now assume that a lot of time goes by and you outgrow the GPO you created. Since then you have created much better GPOs and no longer need myPSGPO. This is where the Remove-GPO cmdlet comes in. It allows you to quite simply remove, or delete, a GPO. When you are ready to delete myPSGPO, type Remove-GPO -Name myPSGPO.
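The create, back up, restore, and delete steps above as one re-runnable script. This is an added example, not code from the book; it assumes the GroupPolicy module is available, uses one constructed backup directory for both Backup-GPO and Import-GPO (the two must match), and backs up by GUID so the GPO is unambiguous even if another one shares its display name.

```powershell
# Added example: GPO maintenance round trip (create, back up, lose, restore, remove).
Import-Module GroupPolicy

$gpoName    = 'myPSGPO'
$backupRoot = 'C:\GPOBackups'   # constructed path; Backup-GPO needs it to exist already
if (-not (Test-Path $backupRoot)) { New-Item -ItemType Directory -Path $backupRoot | Out-Null }

# 1. Create the test GPO; look it up first so the script can be run more than once.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'My First Official PowerShell GPO' }

# 2. Back it up by GUID. Backup-GPO returns an object describing the backup it wrote.
$backup = Backup-GPO -Guid $gpo.Id -Path $backupRoot -Comment "pre-change backup $(Get-Date -Format s)"
'Backup {0} written to {1}' -f $backup.Id, $backup.BackupDirectory

# 3. Simulate the "zapped" GPO.
Remove-GPO -Guid $gpo.Id

# 4. Recreate it from the backup. Without -CreateIfNeeded, Import-GPO only copies
#    settings into an existing target GPO and fails when the target is missing.
Import-GPO -BackupGpoName $gpoName -TargetName $gpoName -Path $backupRoot -CreateIfNeeded | Out-Null

# 5. Verify. Import-GPO copies settings, not identity: the recreated GPO has a new GUID,
#    so anything that referenced the old GUID (links included) is not brought back.
$restored = Get-GPO -Name $gpoName
'Restored {0} as {1} (original GUID was {2})' -f $restored.DisplayName, $restored.Id, $gpo.Id

# 6. Restore-GPO is the alternative when the GPO still exists; it keeps the GUID and
#    can restore every GPO found in the backup directory at once:
#    Restore-GPO -All -Path $backupRoot

# 7. Clean up the disposable GPO.
Remove-GPO -Name $gpoName
```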
The second group of Group Policy cmdlets is used for Group Policy link maintenance. They allow the administrator to create links, remove links, and change the properties of existing links. The link maintenance cmdlets are very powerful and straightforward. It should come as no surprise that to create a new link you use the New-GPLink cmdlet. You will need the LDAP distinguished name of the target site, domain, or OU you are linking to. If you wanted to link the GPO myPSGPO you created earlier to one of your OUs, you would type New-GPLink -Name myPSGPO -Target "LDAP name of the target" -LinkEnabled Yes. When you hit Enter, a new link from your GPO to the desired OU is created. Just as when you create links with the GPMC, you can specify the link order, whether the link is enforced, and whether it is enabled, with the -Order, -Enforced, and -LinkEnabled flags. The -Enforced and -LinkEnabled flags take Yes or No, while -Order takes an integer. Once you create a link, you might eventually decide to remove it. If that happens, you will need the Remove-GPLink cmdlet. To remove the link from myPSGPO, type Remove-GPLink -Name "myPSGPO" -Target "LDAP name of the target" and hit Enter. The link has now been removed. Let us say that instead of removing it, though, you wanted to change its properties: you decided you wanted the link enforced, something you did not do when you originally created it. This is where the Set-GPLink cmdlet comes in handy. Assuming you wanted to change the link you set up earlier instead of removing it, you would type Set-GPLink -Name myPSGPO -Target "LDAP name of the target" -Enforced Yes.
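The link lifecycle described above, with each change read back through Get-GPInheritance so you can confirm what the OU actually has. This is an added example, not code from the book; the OU distinguished name is a constructed placeholder, and the GpoLinks collection returned by Get-GPInheritance is used to find the link by display name.

```powershell
# Added example: create, enforce, reorder, disable, and remove a GPO link, verifying each step.
Import-Module GroupPolicy

$gpoName  = 'myPSGPO'
$targetOu = 'OU=Workstations,DC=example,DC=test'   # constructed placeholder DN; use your own

# Return the link object for $gpoName on $targetOu, or $null if there is none.
function Get-LinkState {
    (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
}

# Create the link only if it is not already there (New-GPLink errors on a duplicate link).
if (-not (Get-LinkState)) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced No | Out-Null
}

# Enforce it: an enforced link wins precedence conflicts with lower-level GPOs and keeps
# applying to child OUs that block inheritance.
Set-GPLink -Name $gpoName -Target $targetOu -Enforced Yes | Out-Null
$link = Get-LinkState
'Link: {0} enabled={1} enforced={2} order={3}' -f $link.DisplayName, $link.Enabled, $link.Enforced, $link.Order

# Link order 1 is highest precedence on the container (it is processed last and wins).
Set-GPLink -Name $gpoName -Target $targetOu -Order 1 | Out-Null

# Disabling (rather than deleting) the link stops the settings from applying while keeping
# the link visible for review; this is the reversible option when troubleshooting.
Set-GPLink -Name $gpoName -Target $targetOu -LinkEnabled No | Out-Null
'Link still present but enabled={0}' -f (Get-LinkState).Enabled

# Finally remove the link entirely and confirm it is gone.
Remove-GPLink -Name $gpoName -Target $targetOu | Out-Null
if (-not (Get-LinkState)) { "Link to $gpoName removed from $targetOu" }
```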
The next set of Group Policy cmdlets you will find useful are the ones that deal with permissions and inheritance. Let us say you want to check the permissions on a GPO. The Get-GPPermissions cmdlet is the answer. To illustrate how this works, you will use it on the GPO myPSGPO you created earlier. At the PowerShell prompt, type Get-GPPermissions -Name myPSGPO -All and hit Enter. When the command executes, you will see a list of all the permissions for the GPO (see Figure 16).

Now, assume that you want to change some of the permissions for the GPO. You will need to use the Set-GPPermissions cmdlet to accomplish this. The Set-GPPermissions cmdlet is your all-purpose cmdlet for tweaking and setting permissions. By default, it will not replace an existing permission with a lower permission level unless you use the -Replace flag. You notice that in your GPO, the "Authenticated Users" group can apply the GPO. You want to change that so that the only thing they can do is read it. You type Set-GPPermissions -Name myPSGPO -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace and hit Enter. You need to use the -Replace flag because you are actually lowering the permission level. You can now check your GPO again with Get-GPPermissions -Name myPSGPO -TargetName "Authenticated Users" -TargetType Group and see that the permission level has been changed from GpoApply to GpoRead (see Figure 17).
The inheritance cmdlets, like the permissions cmdlets, accomplish all they need with just two cmdlets. The Get-GPInheritance cmdlet is used to get the Group Policy inheritance information for a domain or OU, while Set-GPInheritance is used to modify the existing inheritance rule and either block or allow inheritance in a domain or OU. Let us say you wanted to find out the inheritance information for a specific OU. At the PowerShell prompt, you would type Get-GPInheritance -Target "LDAP name of the OU" and hit Enter. The cmdlet would execute and return information letting you know whether inheritance is blocked, as well as the number of GPO links and inherited GPO links. If you decided you wanted to change the inheritance rule for an existing OU and block inheritance, then at the PowerShell prompt you would type Set-GPInheritance -Target "LDAP name of the OU" -IsBlocked Yes and hit Enter. This would then block inheritance for that OU, except for enforced links.
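The permissions walk-through and the inheritance walk-through above, combined into one script that audits the trustees on myPSGPO before lowering Authenticated Users to GpoRead, then blocks inheritance on an OU and reads the result back. This is an added example, not code from the book; the OU distinguished name is a constructed placeholder.

```powershell
# Added example: audit and adjust GPO permissions, then block and verify OU inheritance.
Import-Module GroupPolicy

$gpoName  = 'myPSGPO'
$targetOu = 'OU=Workstations,DC=example,DC=test'   # constructed placeholder DN; use your own

# Who can do what on the GPO? Anyone with edit rights can change settings that every
# linked computer and user will apply, so list those trustees explicitly.
$perms = Get-GPPermissions -Name $gpoName -All
$perms |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission, Inherited |
    Format-Table -AutoSize
$editors = $perms | Where-Object {
    $_.Permission -eq 'GpoEdit' -or $_.Permission -eq 'GpoEditDeleteModifySecurity'
}
'Trustees with edit rights: ' + (($editors | ForEach-Object { $_.Trustee.Name }) -join ', ')

# Lower Authenticated Users to read-only. -Replace is required because the new level is
# lower than the current one. Caveat: a GPO only applies to trustees holding GpoApply,
# so grant GpoApply to the intended narrower group before removing it here.
Set-GPPermissions -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
$after = Get-GPPermissions -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group
"Authenticated Users now holds: $($after.Permission)"

# Inheritance: block inherited GPOs on the OU and confirm. Links marked Enforced on
# parent containers keep applying regardless of the block.
Set-GPInheritance -Target $targetOu -IsBlocked Yes | Out-Null
$inh = Get-GPInheritance -Target $targetOu
'Blocked={0}; direct links={1}; inherited links={2}' -f `
    $inh.GpoInheritanceBlocked, @($inh.GpoLinks).Count, @($inh.InheritedGpoLinks).Count
$inh.InheritedGpoLinks | Where-Object { $_.Enforced } |
    ForEach-Object { "Still applied despite the block (enforced): $($_.DisplayName)" }
```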
The final set of Group Policy cmdlets is used to perform registry operations. Get-GPRegistryValue and Get-GPPrefRegistryValue are the information getters, Set-GPRegistryValue and Set-GPPrefRegistryValue are the modifiers, and Remove-GPRegistryValue and Remove-GPPrefRegistryValue are the deletion cmdlets. Their use and syntax are very straightforward.
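The registry-based policy cmdlets in use: set a value in myPSGPO, read it back, compare the GPO against a small expected baseline, and remove the value. This is an added example, not code from the book. The key and value name are the real Group Policy location for the "Allow users to connect remotely by using Remote Desktop Services" setting (fDenyTSConnections = 1 disables inbound Remote Desktop); the baseline table is constructed.

```powershell
# Added example: write, read, check, and remove a registry-based policy setting in a GPO.
Import-Module GroupPolicy

$gpoName = 'myPSGPO'
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$value   = 'fDenyTSConnections'

# An HKLM key is written under Computer Configuration; HKCU keys go under User Configuration.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -Type DWord -Value 1 | Out-Null

# Read the single value back exactly as clients will receive it.
$setting = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $value
'{0}\{1} = {2} ({3})' -f $setting.FullKeyPath, $setting.ValueName, $setting.Value, $setting.Type

# Compare every value under the key against an expected baseline (constructed table) and
# report drift; this is the check to run before and after anyone edits a hardening GPO.
$baseline = @{ 'fDenyTSConnections' = 1 }
$drift = Get-GPRegistryValue -Name $gpoName -Key $key | Where-Object {
    $_.HasValue -and $baseline.ContainsKey($_.ValueName) -and $_.Value -ne $baseline[$_.ValueName]
}
if ($drift) { $drift | ForEach-Object { "Drift: $($_.ValueName) is $($_.Value)" } }
else        { 'No drift from baseline' }

# Removing the setting returns it to Not Configured in the GPO; it does not write a 0,
# so the value already present on clients is left untouched until another policy sets it.
Remove-GPRegistryValue -Name $gpoName -Key $key -ValueName $value | Out-Null
```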