
Creating and Managing GPOs Using Windows PowerShell

Beginning with Windows 7 and Windows Server 2008 R2, you can also use 25 new Windows PowerShell cmdlets to create and manage GPOs from the PowerShell command line or by using PowerShell scripts. This new capability builds upon the earlier Component Object Model (COM)-based Group Policy scripting capabilities found in Windows Vista and Windows Server 2008. This feature enables administrators to manage the full life cycle of GPOs, including creating, deleting, copying, configuring, linking, backing up and restoring, generating Resultant Set of Policy (RSoP) reports, configuring permissions, and migrating (importing and exporting) GPOs across domains and forests and from test to production environments.

This new functionality is implemented using the GPMC application programming interfaces (APIs) and is available as a module that you can import from the Windows PowerShell command line. This means that the GPMC must be installed on the computer from which you run your Windows PowerShell commands. These new cmdlets provide functionality both for performing GPMC operations and for reading and writing registry settings to GPOs (including both policy settings and preference items).

You can also use Group Policy to configure policy settings that specify whether Windows PowerShell scripts run before non-PowerShell scripts during computer startup and shutdown and during user logon and logoff. By default, Windows PowerShell scripts run after non-PowerShell scripts.

As shown in the table below, the Windows PowerShell cmdlets for Group Policy can be organized into five categories according to their verb.

Windows PowerShell cmdlets for Group Policy in Windows 7 and Windows Server 2008 R2

| Verb | Cmdlets |
|------|---------|
| Get | Get-GPInheritance, Get-GPO, Get-GPOReport, Get-GPPermissions, Get-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPResultantSetofPolicy, Get-GPStarterGPO |
| New | New-GPLink, New-GPO, New-GPStarterGPO |
| Set | Set-GPInheritance, Set-GPLink, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPRegistryValue |
| Remove | Remove-GPLink, Remove-GPO, Remove-GPPrefRegistryValue, Remove-GPRegistryValue |
| Misc | Backup-GPO, Copy-GPO, Import-GPO, Rename-GPO, Restore-GPO |

As an example of using these new cmdlets, the procedure described here creates a new Seattle Users GPO and links it to the Seattle Users OU beneath the Seattle OU in the contoso.com domain to complement the Seattle Computers GPO created using the GPMC in the previous section.

  1. Log on to your domain controller and click the Administrator: Windows PowerShell icon pinned to the taskbar. This opens the Windows PowerShell command-prompt window.
  2. Type import-module GroupPolicy to import the Group Policy module into Windows PowerShell. This step is required at the beginning of each Windows PowerShell script or series of PowerShell commands that you execute to manage Group Policy.
  3. Type $gpo = New-GPO "Seattle Users GPO" to create a new GPO named Seattle Users GPO and assign the GPO to the Windows PowerShell variable named $gpo.
  4. Type Get-GPO $gpo.DisplayName to retrieve the properties of the newly created GPO and verify its creation.
  5. Type New-GPLink $gpo.DisplayName -target "ou=Seattle Users,ou=Seattle,dc=contoso,dc=com" -order 1 to link the new GPO to the Seattle Users OU beneath the Seattle OU in the contoso.com domain and assign the GPO a link order of 1.

If you refresh the GPMC view, you should now see the newly created GPO linked to the OU you specified.
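
The same procedure as a script that can be re-run safely, followed by a check of which trustees can edit the new GPO. This is an added example, not part of the original text; the GPO comment string is an assumption, and the GPO name and OU path are the ones used in the steps above.

```powershell
# Added example: idempotent version of steps 2-5, plus a permissions review.
# Run from an elevated session on a computer that has the GPMC installed.
Import-Module GroupPolicy -ErrorAction Stop

$gpoName  = 'Seattle Users GPO'                              # from the procedure
$targetOu = 'ou=Seattle Users,ou=Seattle,dc=contoso,dc=com'  # from the procedure

# Steps 3-4: create the GPO only if it does not already exist.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = $null }
if (-not $gpo) {
    # Comment text is an assumption; record whatever your change process requires.
    $gpo = New-GPO -Name $gpoName -Comment 'Created by script'
}

# Step 5: link the GPO, or only correct the order if the link is already there.
# Working by GUID avoids acting on a different GPO that shares the display name.
$som      = Get-GPInheritance -Target $targetOu
$existing = $som.GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if ($existing) {
    Set-GPLink -Guid $gpo.Id -Target $targetOu -Order 1 | Out-Null
} else {
    New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes -Order 1 | Out-Null
}

# Verify the link from the OU's side instead of refreshing the GPMC view.
(Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# List every trustee holding more than read/apply rights on the GPO.
# Anyone shown here can change what the policy pushes to the linked OU.
Get-GPPermissions -Guid $gpo.Id -All |
    Where-Object { $_.Permission -ne 'GpoApply' -and $_.Permission -ne 'GpoRead' } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited -AutoSize
```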

For more examples on how to use these new Group Policy cmdlets to create and manage Group Policy, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft TechNet at http://blogs.technet.com/grouppolicy/archive/tags/PowerShell/default.aspx.
