Creating and linking GPOs
To show how you can create and link GPOs using Windows
PowerShell, you will create a new GPO named “BO-1-Desktops” based on
the Starter GPO named “Computers-Desktop”.
You will then link the new GPO to the OU named “BO-1-SEA”, which
represents the Branch Office #1 in Seattle in the corp.fabrikam.com
domain.
You can start by using the Get-GPStarterGPO cmdlet to confirm that
your Starter GPO exists:
PS C:\> Get-GPStarterGPO -Name "Computers-Desktop"
DisplayName : Computers-Desktop
Id : 260220b0-d73e-40f1-b293-9477dd697977
Owner : BUILTIN\Administrators
CreationTime : 8/30/2012 11:00:36 AM
ModificationTime : 8/30/2012 11:05:10 AM
UserVersion : 0
ComputerVersion : 1
StarterGpoVersion :
StarterGpoType : Custom
Author :
Description : This Starter GPO will be used to create GPOs for desktop computers
for all locations
Next, you can use the New-GPO cmdlet to create the new GPO from
your Starter GPO as follows:
PS C:\> New-GPO -Name "BO-1-Desktops" -StarterGpoName "Computers-Desktop"
DisplayName : BO-1-Desktops
DomainName : corp.fabrikam.com
Owner : CORP\Domain Admins
Id : a2b711b4-ea20-4a42-9cd2-cba11b07b7ea
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 8/30/2012 7:57:35 PM
ModificationTime : 8/30/2012 7:57:36 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
Finally, you can link the new GPO to the targeted OU as
follows:
PS C:\> New-GPLink -Name "BO-1-Desktops" `
-Target "ou=BO-1-SEA,dc=corp,dc=fabrikam,dc=com"
GpoId : a2b711b4-ea20-4a42-9cd2-cba11b07b7ea
DisplayName : BO-1-Desktops
Enabled : True
Enforced : False
Target : OU=BO-1-SEA,DC=corp,DC=fabrikam,DC=com
Order : 1
Alternatively, by using the Windows PowerShell pipeline feature,
you can create and link the GPO using a single command like
this:
Get-GPStarterGPO -Name "Computers-Desktop" | New-GPO -Name "BO-1-Desktops" | `
New-GPLink -Target "ou=BO-1-SEA,dc=corp,dc=fabrikam,dc=com"
Remotely refreshing Group Policy
You can use the Invoke-GPUpdate cmdlet to refresh Group Policy
settings on remote computers. This cmdlet works by scheduling the
running of the Gpupdate.exe command on the remote computers. Before
you can do this, however, you need to open the necessary firewall
ports on the computers you will be targeting. You can perform this preliminary step
by using Windows PowerShell. For example, the following command
creates and links a GPO that will open the necessary firewall ports
for all computers in the corp.fabrikam.com domain:
New-GPO -Name "EnableRemoteRefresh" `
-StarterGPOName "Group Policy Remote Update Firewall Ports" | `
New-GPLink -Target "dc=corp,dc=fabrikam,dc=com"
Once this GPO has been processed, you can then perform a remote
refresh of Group Policy for computers in a specific OU:
Get-ADComputer -Filter * `
-SearchBase "ou=Desktops,ou=Computers,ou=HQ-NYC,dc=corp,dc=fabrikam,dc=com" | `
foreach{Invoke-GPUpdate -Computer $_.Name -force -RandomDelayInMinutes 0}
The preceding command uses the Get-ADComputer cmdlet to obtain a
list of the computers in the targeted OU. The output from this
command is then piped into foreach (an alias for the ForEach-Object
cmdlet), which initiates an immediate refresh of Group Policy on each
computer.
Backing up and restoring GPOs
You can use the Backup-GPO and Restore-GPO cmdlets to back up
GPOs and restore them. For example, the following command backs up the
GPO named “BO-1-Desktops” to the local folder named
C:\GPOBackups:
PS C:\> Get-GPO -Name "BO-1-Desktops" | Backup-GPO -Path "C:\GPOBackups" `
-Comment "Today's backup"
DisplayName : BO-1-Desktops
GpoId : aec4900f-f450-4ea6-8187-13cfb014ab2f
Id : 54937d03-5cb6-49c8-9069-dcdc9aece0d0
BackupDirectory : C:\GPOBackups
CreationTime : 8/30/2012 8:41:59 PM
DomainName : corp.fabrikam.com
Comment : Today's backup
You can then use the Get-ChildItem cmdlet to verify the result
as follows:
PS C:\> Get-ChildItem "C:\GPOBackups" -Recurse
Directory: C:\GPOBackups
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM {54937D03-5CB6-49C8-9069-DCDC9AECE0D0}
Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM DomainSysvol
-a--- 8/30/2012 8:41 PM 3707 Backup.xml
-a--- 8/30/2012 8:42 PM 16700 gpreport.xml
Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}\DomainSysvol
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM GPO
Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}\DomainSysvol\GPO
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM Machine
d---- 8/30/2012 8:41 PM User
Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}\DomainSysvol\GPO\Machine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 8/30/2012 11:05 AM 558 comment.cmtx
-a--- 8/30/2012 11:05 AM 196 registry.pol
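Because Restore-GPO applies whatever files are in the backup folder, it is worth recording hashes of those files at backup time and checking them before a restore. The following is an added example, not part of the original text: the function names, the per-backup manifest file, and the D:\GPOManifests folder are assumptions made for illustration, and Get-FileHash requires Windows PowerShell 4.0 or later.

```powershell
# Added example (not from the original text). Function names and the manifest
# layout are hypothetical; requires the GroupPolicy module and PowerShell 4.0+.
Import-Module GroupPolicy

function Get-GpoBackupHash {
    param([Parameter(Mandatory)][string]$BackupFolder)
    $root = (Resolve-Path -LiteralPath $BackupFolder -ErrorAction Stop).Path
    # One record per file: path relative to the backup folder plus its SHA-256 hash.
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Backup-GpoWithManifest {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ManifestDir)  # keep ACLs here tighter than on $Path
    $ErrorActionPreference = 'Stop'
    $backup = Backup-GPO -Name $Name -Path $Path -Comment "Hashed backup $(Get-Date -Format s)"
    # Backup-GPO writes into a subfolder named after the backup Id, in braces.
    $folder = Join-Path $Path "{$($backup.Id)}"
    Get-GpoBackupHash $folder |
        Export-Csv -LiteralPath (Join-Path $ManifestDir "$($backup.Id).csv") -NoTypeInformation
    $backup
}

function Restore-GpoIfUnchanged {
    param([Parameter(Mandatory)][guid]$BackupId,
          [Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ManifestDir)
    $ErrorActionPreference = 'Stop'   # fail closed: any error aborts before Restore-GPO
    $expected = @(Import-Csv -LiteralPath (Join-Path $ManifestDir "$BackupId.csv"))
    $actual   = @(Get-GpoBackupHash (Join-Path $Path "{$BackupId}"))
    if (-not $expected -or -not $actual) { throw "Manifest or backup $BackupId is empty." }
    # Any added, removed, or modified file shows up as a difference.
    $diff = Compare-Object $expected $actual -Property RelativePath, SHA256
    if ($diff) {
        $diff | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Backup $BackupId does not match its manifest; restore aborted."
    }
    Restore-GPO -BackupId $BackupId -Path $Path
}
# Usage (D:\GPOManifests is a constructed path):
# $b = Backup-GpoWithManifest -Name "BO-1-Desktops" -Path "C:\GPOBackups" -ManifestDir "D:\GPOManifests"
# Restore-GpoIfUnchanged -BackupId $b.Id -Path "C:\GPOBackups" -ManifestDir "D:\GPOManifests"
```

The manifest only adds assurance if it is stored where accounts that can write to the backup folder cannot also modify it.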