VBScript Scripting
If you use VBScript, you may find it difficult to create custom scripts beyond the GPMC scripts for Group Policy management. Although you can create VBScript scripts to control and manage Group Policy, it is not a simple task.
If you want to manage the GPOs, link to GPOs, set permissions on the GPOs, set permissions on the Active Directory nodes, and so on, you would be better off just using the GPMC scripts covered earlier. Those scripts are fully functional and already proven. You can use those scripts in other scripts; just send a function call to them.
If you want to manage the GPO settings, however, the GPMC provides no programming interfaces into the Group Policy settings. To manage those settings with the GPMC, you have to understand how the Group Policy settings for each policy area are configured, stored, and tracked, because each policy uses a different format when being stored.
Solutions are available that apply this level of investigation. These solutions include scripting interfaces that you use to make, change, and delete settings from GPOs.
The most prevalent solution is an SDM Software product for making changes to GPO settings using Windows PowerShell. The GPExpert Scripting Toolkit for PowerShell allows you to automate the modification of Group Policy settings across all GPOs in a domain, not just one at a time manually. It also supports modification of local GPOs. You can register and download an evaluation version of the product at http://www.sdmsoftware.com/products2.php.
Windows PowerShell
Windows PowerShell is one of the hottest topics and technologies for management of Windows today. This new technology was created from the ground up for Microsoft operating systems and it is proving to be a powerful, easy-to-follow, and widely used solution for Windows command-line automation.
Unfortunately, Windows PowerShell does not currently include native support for Group Policy. Although this is a limitation at first glance, it is quickly fixed with some of the other capabilities that it provides for Group Policy management. Windows PowerShell can call on COM objects directly, allowing you to manage Group Policy.
Windows PowerShell allows you to manage the settings in a GPO, as well as leverage better control over the GPOs compared with the GPMC scripts. Windows PowerShell derives its power from the pipeline, or the ability to “pipe” objects between Windows PowerShell cmdlets. This pipeline or piping is the ability of Windows PowerShell to carry out instructions to objects through a sequence of stages between cmdlets. For example, Windows PowerShell allows you to get a list of GPOs, determine which has a certain parameter (for example, the HRAdmins that have Edit permission delegated to them), and then pipe that list to a cmdlet that lets you alter just the GPOs that have this permission with a new set of permissions for the group. You can usually do this with one line of script by using Windows PowerShell.
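The first half of that scenario, finding every GPO on which HRAdmins holds an edit-level delegation, is sketched below by calling the GPMC COM interfaces directly. This is an added example, not code from the original text or from any product it mentions; it assumes the GPMC is installed, Windows PowerShell 3.0 or later, and a domain name taken from `$env:USERDNSDOMAIN`, and the function name `Get-GpoEditDelegation` is hypothetical.

```powershell
# Added example: read-only audit of GPO edit delegation through the GPMC COM object.
# Assumes GPMC is installed and the caller can read every GPO in the domain.
function Get-GpoEditDelegation {        # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $TrusteeName,
        [string] $Domain = $env:USERDNSDOMAIN   # assumption: audit the logon domain
    )

    $gpm       = New-Object -ComObject GPMgmt.GPM
    $constants = $gpm.GetConstants()
    $gpmDomain = $gpm.GetDomain($Domain, '', $constants.UseAnyDC)

    # Permission levels that allow a trustee to change a GPO's contents
    $editLevels = @{}
    $editLevels[$constants.PermGPOEdit]                  = 'Edit settings'
    $editLevels[$constants.PermGPOEditSecurityAndDelete] = 'Edit settings, delete, modify security'

    # An empty search criteria object matches every GPO in the domain
    foreach ($gpo in $gpmDomain.SearchGPOs($gpm.CreateSearchCriteria())) {
        foreach ($ace in $gpo.GetSecurityInfo()) {
            $isMatch = $ace.Trustee.TrusteeName -eq $TrusteeName -and
                       -not $ace.Denied -and
                       $editLevels.ContainsKey($ace.Permission)
            if ($isMatch) {
                # Emit one object per matching delegation so later stages can filter or sort
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Id         = $gpo.ID
                    Trustee    = '{0}\{1}' -f $ace.Trustee.TrusteeDomain, $ace.Trustee.TrusteeName
                    Permission = $editLevels[$ace.Permission]
                    Inherited  = $ace.Inherited
                    Modified   = $gpo.ModificationTime
                }
            }
        }
    }
}

# The objects flow down the pipeline like any cmdlet output
Get-GpoEditDelegation -TrusteeName 'HRAdmins' |
    Sort-Object GPO |
    Format-Table GPO, Trustee, Permission, Modified -AutoSize
```

The function only reads security descriptors, so it can be run as a periodic review of who is able to edit GPOs before any delegation is changed.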
The foundation has already been laid for you as well. Many example scripts and cmdlets have been generated for Windows PowerShell to control Group Policy. These cmdlets allow you to perform tasks on Group Policy and GPOs in a more efficient automated manner. For a list of Windows PowerShell–enabled scripts and cmdlets, visit the following links:
http://www.microsoft.com/technet/technetmag/issues/2007/05/GroupPolicy/default.aspx
http://www.sdmsoftware.com/freeware.php
As an example of the capabilities and simplicity offered by Windows PowerShell, Figure 1 shows you a Windows PowerShell cmdlet that reports on significant information from a GPO within the domain.
In another example, shown in Figure 2, Windows PowerShell is used to control not only the GPO, but also the settings within the GPO. This is a very difficult task using a script, but Figure 2 illustrates how the GPExpert Scripting Toolkit for PowerShell can alter a GPO setting.