Group Policy cmdlets
The Group Policy cmdlets in PowerShell follow in the footsteps of all the other cmdlets in raw power. They let you do almost anything you could normally do with the Group Policy Management Console (GPMC) using cmdlets. But just like many of the other new features in PowerShell 2.0, the cmdlets are not available from the start. To use the Group Policy cmdlets, you will have to import the corresponding module. First, make sure you are running Windows 2008 Server R2 on a domain controller or on a member server that has the GPMC installed. Startup PowerShell and type Import-Module GroupPolicy. Once the cmdlet completes, you can make sure it worked by typing Get-Help *GPO*. If the import worked, you should see a list with some of the Group Policy cmdlets.
Once you know that the import cmdlet worked, you can move on. Tables-12-16 list cmdlets used for creating, getting, setting, and deleting things, as well as various utility cmdlets.
Table-12 Group Policy cmdlets That Create Things, the Constructorscmdlet Name | Description |
---|---|
New-GPO | This cmdlet creates a new Group Policy Object (GPO) |
New-GPStarterGPO | This cmdlet creates a new Starter GPO |
New-GPLink | This cmdlet creates a new link between the GPO and a valid specified target with the specified values |
Table-13 Group Policy cmdlets That Get Things, the Getters
cmdlet Name | Description |
---|---|
Get-GPInheritance | This cmdlet gets the inheritance information for a specified target |
Get-GPO | This cmdlet gets a target GPO or all the GPOs in a domain with the -All flag |
Get-GPOReport | This cmdlet gets a report for a specified GPO(s) |
Get-GPPermissions | This cmdlet gets the specified permissions for a specific GPO |
Get-GPPrefRegistryValue | This cmdlet gets a registry preference item for a specific GPO |
Get-GPRegistryValue | This cmdlet gets a registry-based policy setting for a specific GPO |
Get-GPResultantSetofPolicy | This cmdlet gets the ResultantSetofPolicy (RSoP) for a specified target. Target can be a computer, a user, or both |
Get-GPStarterGPO | This cmdlet gets the specified starter GPO in the domain or all the starter GPOs in the domain |
There are a large number of PowerShell cmdlets that are there simply to support Group Policies. The purpose behind them is to let you automate many of the tasks that are normally performed with the GPMC by giving you the cmdlets that duplicate the features of the console. The large number of cmdlets for Group Policies are divided into four kinds of cmdlets dictated by what their purpose is. The first group of cmdlets is used for GPO maintenance; the second group of cmdlets is used to associate GPOs with targeted AD sites, domains, or organizational Units (OUs) the third; group is used to set permissions and inheritance; and the final set of cmdlets is used for registry operations involving GPOs.
Table-14 Group Policy cmdlets That Set Things, the Setters
cmdlet Name | Description |
---|---|
Set-GPInheritance | This cmdlet sets the inheritance for a target domain or OU by setting it the -IsBlocked flag to Yes or No |
Set-GPLink | This cmdlet sets the properties of a GPO link by setting the -Enforced, -LinkEnabled, and/or -Order flags |
Set-GPPermissions | This cmdlet sets the permissions level for a security principal for one target GPO or all the GPOs in the domain. Permission levels must be set to a higher level or they will not be changed unless the -Replace flag is used. |
Set-GPPrefRegistryValue | This cmdlet sets a registry preference item under a computer or user configuration in a GPO |
Set-GPRegistryValue | This cmdlet sets one or more registry-based settings under a computer or user configuration in a GPO |
Table-15 Group Policy cmdlets That Remove Things, the Deleters
cmdlet Name | Description |
---|---|
Remove-GPLink | This cmdlet removes the link from a specific GPO to a specified target |
Remove-GPO | This cmdlet removes a GPO |
Remove-GPPrefRegistryValue | This cmdlet removes one or more registry preference items from either the computer or user configuration in a GPO |
Remove-GPRegistryValue | This cmdlet removes one or more registry-based policy settings from either the computer or user configuration in a GPO |
Table-16 Miscellaneous Group Policy cmdlets, the Utility cmdlets
cmdlet Name | Description |
---|---|
Backup-GPO | This cmdlet backs up a GPO or all the GPOs in the domain to a specified location that must already exist |
Copy-GPO | This cmdlet copies a GPO. Will not create a GPO copy with the same name in a domain |
Import-GPO | This cmdlet imports the GPO settings from a GPO backup to a specified GPO. The specified GPO does not have to exist and will be created from the backup if the -CreateIfNeeded flag is used |
Rename-GPO | This cmdlet renames a GPO only changing its display name |
Restore-GPO | This cmdlet restores a GPO or all the GPOs in the domain from backup files. The GPO(s) must exist for them to be restored |
The group of GPO maintenance cmdlets are typically used for the backup, creation, removal, and import of GPOs. The first thing you will do is create a test GPO so that you can familiarize yourself with the cmdlets. Startup PowerShell and make sure you imported the Group Policy module. Type New-GPO myPSGPO -Comment "My First Official PowerShell GPO." When the cmdlet has finished executing, you will have a list with all the attributes for your newly created GPO. Now, you have a disposable GPO, you can use the rest of the cmdlets on if you please and not have to worry about. You can now try to create a backup of this GPO with the Backup-GPO cmdlet. Type Backup-GPO -Name myPSGPO -Path C:\windows\GPOBackups. Keep in mind that the path has to point to a directory that already exists, it will not create it for you. You might want to substitute that path with one of your own or create a directory to make that path valid. You should also be aware that as an alternative to the -name flag to specify the GPO, you can use the -GUID flag and give it the globally unique identifier. This is used when there is a possibility of more than one GPO with the same name. Once the cmdlet completes, you will once again see a status screen. Now, let us say that the prized GPO that you created gets zapped one day. You remember that you backed it up one day when you were preparing for a day just like this. All you have to do now is restore it. There is a cmdlet for that as well. You will now restore from the backup you created using the Import-GPO cmdlet. At the PowerShell prompt, you type Import-GPO -BackUpGPOName myPSGPO -TargetName myPSGPO -createifneeded -path c:\Windows\System32\GPOBackups and hit enter. When the cmdlet runs, you will see that the GPO will be back. The -createifneeded flag is what makes it a true restore, because without this flag, a new GPO would not be created from the old one and the cmdlet would just serve to restore the old settings from the backup GPO to the target GPO. You could also use the Restore-GPO cmdlet to accomplish the same thing, the main difference is that Restore-GPO allows a mass restore by using the -all flag, but for the restore cmdlet to work, the target GPOs must still exist, while the Import-GPO does not care as long as you use the -createifneeded flag. Now, assume that a lot of time goes by and you outgrow the GPO you created. Since then, you have grown much and created much better GPOs and no longer need myPSGPO. This is where the Remove-GPO cmdlet comes in. It allows you to quite simply remove or delete a GPO. When you are ready to delete myPSGPO, you type Remove-GPO -Name myPSGPO.
The second group of Group Policy cmdlets is used for Group Policy link maintenance. They allow the administrator to create links, remove links, and change the properties on existing links. The link maintenance Group Policy cmdlets are very powerful and straightforward. It should come as no surprise that to create a new link, you use the New-GPLink cmdlet. You will need the LDAP name of the target site, domain, or OU you are linking to. If you wanted to link the GPO myPSGPO you created earlier to one of your OUs, you would type New-GPLink -name myPSGPO -Target "LDAP name of the target" -LinkEnabled Yes. When you hit enter, a new link from your GPO would be created to the desired OU. Just as when you create links with the GPMC, you can specify the link order if you want it enforced and if you want the link enabled with the -Enforced -LinkEnabled and -Order flags. The -Enforced and -LinkEnabled flags takes a Yes or No, while the -Order takes an integer. Once you create a link, you might eventually decide to remove it. If this does happen, then you will need the Remove-GPLink cmdlet. To remove the link from myPSGPO, you type Remove-GPLink -Name "myPSGPO" -Target "LDAP name of the target" and hit enter. The link has now been removed. Let us say that instead of removing it, though, you wanted to change its properties. You decided that you wanted to make the link enforced, something that you did not do when you originally created the link. This is where the Set-GPLink cmdlet comes in handy. Assuming you wanted to change the link you had set up earlier instead of removing it, you would type Set-GPLink -Name myPSGPO -Target "LDAP name of the target" -Enforced Yes.
The next set of Group Policy cmdlets you will find useful are the ones that deal with permissions and inheritance. Let us say you want to check the permissions on a GPO. The Get-GPPermissions cmdlet is the answer. To illustrate how this works, you will use it on the GPO myPSGPO you created earlier. At the PowerShell prompt, type in get-GPPermissions -Name myPSGPO -ALL and hit enter. When the command executes, you will see a list of all the permissions for the GPO.
Now, assume that you want to change some of the permissions for the GPO. You will need to use the Set-GPPermissions cmdlet to accomplish this. The Set-GPPermissions cmdlet is your all-purpose permission tweak and permission set cmdlet. By default, it will not replace an existing permission with a lower permission level unless you use the -Replace flag. You notice that in your GPO, any "Authenticated User" can apply a GPO. You want to change that so that the only thing they can do is read it. You type Set-GPPermissions -Name myPSGPO -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace and hit enter. You need to use the -Replace flag since you are actually lowering the permission level. You can now check your GPO again with Get-GPPermissions -name myPSGPO -TargetName "Authenticated Users" -TargetType Group and see that the permission level has been changed from GpoApply to GpoRead.
The Inheritance cmdlets, like the Permissions cmdlets, accomplish all they need with just two cmdlets. The Get-GPInheritance cmdlet is used to get the GP Inheritance information for a domain or OU, while the Set- GPInheritance is used to modify the existing Inheritance rule and either stop or allow inheritance in a domain or OU. Let us say you wanted to find out the GP Inheritance information for a specific OU. At the PowerShell prompt, you would type Get-GpInheritance -Target "LDAP name of the OU" and hit enter. The cmdlet would execute and return information, letting you know if inheritance is blocked or not as well as the number of GPO links and Inherited GPO links. If you decided you wanted to change the inheritance rule for an existing OU and block inheritance, then at the PowerShell prompt, you would type Set-GPInheritance -Target "LDAP name of the OU" -IsBlocked Yes and hit enter. This would then block inheritance for that OU, except for Enforced rules.
The final set of Group Policy cmdlets is used to make registry operations. The Get-GPRegistryValue and Get-GPPrefRegistryValue are the information getters, Set-GPRegistryValue and Set-GPPrefRegistry-Value are the modifiers, and RemoveGPRegistryValue and Remove- GPPrefRegistryValue are deletion cmdlets. Their use and syntax are very straightforward.