
Windows Server 2008 and Windows Vista : GPO Security (part 2)

11/15/2013 6:39:10 PM

4. SetGPOPermissionsBySOM.wsf

This script grants the specified permission to the specified security principal on every GPO linked to the targeted SOM (site, domain, or organizational unit). The script and its switches give you complete control: the /Replace, None, and /Recursive options let you tailor both the permission and the scope over which it is applied.

Syntax

Usage: SetGPOPermissionsBySOM.wsf SOM Group /Permission:value [/Replace] [/Recursive]
[/Domain:value]
SOM: Name of the site, domain, or OU to process.
Group: Name of the group or user to grant permissions to.
Permission: Permission to grant. Can be "Read," "Apply," "Edit," "FullEdit," or "None."
Replace: Replaces any existing permissions for the specified trustee. Otherwise, the script
simply ensures that the trustee has at least the permission level specified.
Recursive: Applies the changes to all child OUs as well.
Domain: DNS name of domain.


Example & Output

This example contains an error. The /Recursive switch was used, but there was no GPO linked to the Test OU.

cscript SetGPOPermissionsBySOM.wsf Servers "Server Operators" /Permission:Read /Recursive
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Updating all GPOs linked to OU Servers to give Read rights to Server Operators

Updating all GPOs linked to OU Model Office to give Read rights to Server Operators

Updating permissions on linked GPO 'Hardened Server GPO'

Updating all GPOs linked to OU Production to give Read rights to Server Operators
Updating permissions on linked GPO 'Hardened Server GPO'

Updating all GPOs linked to OU Test to give Read rights to Server Operators
Error getting SOM CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com

5. SetSOMPermissions.wsf

This script sets the delegation on the Active Directory nodes (SOMs) to which GPOs can be linked. Because this function sets only the relevant permissions on the SOM, you need a domain controller running Windows Server 2003 or Windows Server 2008 to take advantage of the RSoP Planning permission.

Syntax

Usage: SetSOMPermissions.wsf SOM Group /Permission:value [/Inherit] [/Domain:value]
SOM: Name of the site, domain, or OU to process.
Group: Name of the group or user to grant permissions to.
Permission: Permission to grant. Can be "LinkGPOs," "RSoPLogging," "RSoPPlanning," "All,"
or "None."
Inherit: Specifies that the permission should be inherited by all child containers.
Domain: DNS name of domain.


Example #1 & Output

In Example #1, you add RSoPLogging to all of the GPOs for the Server Operators group. In Example #2, you add RSoPPlanning to all of the GPOs for the Server Operators group.

cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPLogging /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added the 'RSoP Logging Mode' permission for server operators.


Example #2 & Output

cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPPlanning /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added the 'RSoP Planning Mode' permission for server operators.


Direct from the Source: The Scripting Group Policy Landscape

GPMC provides an important interface into Group Policy management. You may be familiar with the GPMC GUI, but the GPMC scripts provide a great tool for automating management of Group Policy objects themselves. All of the tasks that you can perform with the GUI can also be automated by using the supplied GPMC scripts; you can also create custom scripts by using the scripting model that GPMC provides. Automation tasks also include management of GPOs as a whole. That is, you create and delete GPOs, link them to Active Directory containers, back them up and restore or import them, and even generate Group Policy Results reports—all from scripts.

If you are a Windows PowerShell scripter, you can also leverage the GPMC scripting interfaces from that scripting environment, because they are just COM objects that you can call directly from your Windows PowerShell scripts by using the New-Object cmdlet. In addition, a set of free Windows PowerShell cmdlets makes it easy to leverage much of the GPMC functionality from Windows PowerShell. You can find these at www.sdmsoftware.com/freeware.php.
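The following script is an added example, not the book's text or one of the supplied GPMC scripts: it reproduces what SetGPOPermissionsBySOM.wsf /Permission:Read /Recursive (section 4) and SetSOMPermissions.wsf /Permission:RSOPLogging /Inherit (section 5) do, by calling the GPMC COM objects from Windows PowerShell with New-Object as described above. The domain name, SOM path, and trustee are assumed values taken from the earlier sample output.

```powershell
# Added example: Read on every GPO linked to a SOM (and its child OUs), then
# RSoP Logging on the SOM itself, through the GPMgmt.GPM COM object.
# Assumed values: domain fabrikam.com, OU=Servers, trustee "Server Operators".
param(
    [string]$Domain  = 'fabrikam.com',
    [string]$SomPath = 'OU=Servers,DC=fabrikam,DC=com',
    [string]$Trustee = 'Server Operators'
)

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
# UseAnyDC lets GPMC pick a DC; $constants.UsePDC would pin the PDC emulator.
$gpmDomain = $gpm.GetDomain($Domain, '', $constants.UseAnyDC)

function Grant-GpoReadBySom([string]$Path) {
    $som = $gpmDomain.GetSOM($Path)
    "Updating all GPOs linked to $Path to give Read rights to $Trustee"
    foreach ($link in $som.GetGPOLinks()) {
        $gpo = $gpmDomain.GetGPO($link.GPOID)
        $sec = $gpo.GetSecurityInfo()
        # Add the ACE only if the trustee does not already hold this permission;
        # TrusteeName may carry a DOMAIN\ prefix, hence the wildcard match.
        $has = @($sec | Where-Object {
            $_.Trustee.TrusteeName -like "*$Trustee" -and
            $_.Permission -eq $constants.PermGPORead })
        if ($has.Count -eq 0) {
            $sec.Add($gpm.CreatePermission($Trustee, $constants.PermGPORead, $false))
            $gpo.SetSecurityInfo($sec)
            "  Updating permissions on linked GPO '$($gpo.DisplayName)'"
        }
    }
    # /Recursive equivalent: walk child OUs via ADSI and repeat for each one.
    foreach ($child in ([ADSI]"LDAP://$Path").Children) {
        if ($child.SchemaClassName -eq 'organizationalUnit') {
            Grant-GpoReadBySom $child.distinguishedName.Value
        }
    }
}

Grant-GpoReadBySom $SomPath

# SetSOMPermissions equivalent: RSoP Logging on the SOM, inheritable (/Inherit).
$som    = $gpmDomain.GetSOM($SomPath)
$somSec = $som.GetSecurityInfo()
$somSec.Add($gpm.CreatePermission($Trustee, $constants.PermSOMLogging, $true))
$som.SetSecurityInfo($somSec)
"Added the 'RSoP Logging Mode' permission for $Trustee on $SomPath"
```

A GPO linked at both a parent and a child OU is visited twice, as in the sample output above, but the existing-permission check means the ACE is written only once.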

The GPMC is lacking, however, when it comes to modifying the settings within GPOs via scripts or some other automated mechanism. There are no scripting interfaces into Group Policy settings. Microsoft does provide the IGroupPolicyObject C++ interface (for more details, you can search for that interface name on http://msdn.microsoft.com) for programmatically accessing some parts of Group Policy, namely registry policy, but this interface is not easily accessible via Microsoft Visual Basic, Scripting Edition (VBScript) or other COM-based scripting languages.

The SDM Software GPExpert™ Scripting Toolkit for PowerShell exposes Group Policy settings to scripting interfaces. It supports VBScript (although it is designed to work primarily with Windows PowerShell), and it provides a mechanism for reading, searching, and writing settings within most of the supported policy areas in Windows Vista, Windows XP, Windows Server 2003, and Windows Server 2008.
