If you use GPOs to enforce baselines, you may find that your enterprise is moving from version 1.1 to version 1.2 of a GPO. Unfortunately for you, version 1.1 linked in a dozen places. Wouldn’t you rather just you search for version 1.1 and replace it with version 1.2? Use Update-GPOLinks.ps1 to do just that. The script not only finds all the original links and updates them to the new version, it also keeps the link order.Script Text
Posts Tagged ‘GPO’
This script deletes the locally stored copies of GPOs and forces a GPUPdate on a computer. Reset-GPOCache.ps1 works by a remote connection to the registry provider to get the path to the Group Policy\History folder, then deletes the files beneath that path. This ensures a fresh application of group polices.Script Text
The Get-GPResultantSetOfPolicy cmdlet in the GroupPolicy module of PowerShell has a parameter for a user name. Often I have no idea who has logged onto the computer. Get-RSOP.ps1 uses WMI to give you a pick list of users on the remote computer and then passes that to the user parameter of Get-GPResultantSetOfPolicy.Script Text
Here is the unsupported method from Microsoft for editing the path for shares and printers inside a GPO.
From a server —
1) Backup the problem GPO to your desktop
2) Edit the gpreport.xml and backup.xml files
3) Import the edited GPO
The engineer said if you have to do both, update the path for the file shares first.
If we still had a lot to do, I’d write a script to automate this process
— but we don’t.
Our Active Directory lead recently complained to me that he didn’t have a good way to compare Group Policy Objects. I had already written the Group Policy Reporter, which exports GPOs to HTML files, and it occurred to me that comparing two HTML files would be pretty easy. But my experiments with Compare-Object led to some pretty ugly results. I frequently compare documents using MS Word, and I decided to use Word to do the comparison of the files.
The new script, GPOCompare.ps1, makes a list of your GPOs and displays that list using Out-GridView. After you select two GPOs, you are asked which is the “original” (earlier) GPO for Word to use as the original document. The HTML reports are created, then a comparison is made using Word. This script requires PowerShell 3, The Group Policy Management Console, and Word installed.
The Word COM object is not fun to work with in PowerShell. In particular, you cannot use $Null for some of the unused parameters, and note that many must be explicit references, example [REF]$True.Script Text
Over the past few months I have been spending more and more time working with PowerShell. I have gone to Windows 8 on my personal laptop, and am impressed by PowerShell 3.0. I have joined the Charlotte PowerShell User’s Group which meets monthly at the Charlotte Microsoft Campus. The Scripting Guy, Ed Wilson, together with his Teresa are regular attendees of the meetings, and at last month’s meeting I won a signed copy of Ed’s latest book, PowerShell 3.0 Step by Step. I shared some struggles I was having with PowerShell, and Ed gave me some practical advice about how to proceed. It was something I already knew — focus on a real world problem and don’t be concerned about writing elegant code.
For some time, I have been getting traffic for my GPO Reporter HTA. Unfortunately, this requires a component that was last available in Windows XP. I quit using XP (even VMs) last month, and the loss of the GPO Reporter soon became a problem. Fortunately, this month’s POSH meeting was led by Microsoft PFE Jason Walker who covered Active Directory and PowerShell. I decided to take another look at a PowerShell GPO Reporter.
I think I have done some interesting things in the coding of the new script, GPOReports.ps1, but it is hard to tell as I am still a PowerShell beginner. I have commented the code to make things easier to understand. This script requires PowerShell 3. Also note that you will need to install the Remote Server Administration Tools (RSAT) to get this to work, as it provides the ActiveDirectory PowerShell Module. It is available for Windows 7 and Windows 8. This is unsigned code, if you are a PowerShell noob, take a look at execution policy explanations about how to get it to run.
This HTA (gporeporter) allows you to export GPO settings into HTML files. This is a good way to document and to search GPO settings. Requires the Group Policy Management Console, you will be prompted to install it if necessary. Note: The GPMC does not work with Windows 7.
Update: 6/10/13: I have published a PowerShell version of the GPO Reporter.