Tuesday, February 12, 2008

Group Policy Objects and Powershell - 2 Creating the GPOs

As was quickly pointed out to me, SDM Software has some excellent freeware cmdlets available. If you don't know, this is the company of Darren Mar-Elia (the GPO Guy), so they are no doubt well written and will do the job for you. Having said that, it wasn't an option for me, as the company I work for would never have accepted me using them, and I would have felt bad using someone else's work in large AD implementations. More importantly, this gave me a chance to play around with Powershell and achieve something useful with it. So I would say that if Darren's cmdlets do the job for you and you are happy using them, then make use of them; if not, then read on.

If you are familiar with the wsf scripts you get with GPMC, then once you look at the completed scripts you will begin to see the similarities, and it will be easier to come up with your own Powershell scripts.

As previously mentioned, the TechNet article - Simplify Group Policy Administration with Windows PowerShell - is a good introduction. It explains that the wsf GPMC scripts actually call the GPMgmt.GPM COM object, and as COM objects can be called directly from Powershell, we can work with this to do most of, if not all, we need to do with Group Policy objects (with the exception of amending contents of the GPO itself).

So the first thing we need to do in this script is define the domain we are going to work with and the name of the GPO we want to create, then instantiate the COM object, connect to the domain, and create the GPO with the display name defined earlier.

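# Domain to work with and display name of the GPO to create
$domainName = "Philtest.PRI"
$gpmName = "GPO 1"
# Instantiate the GPMC COM object (requires GPMC to be installed) and get its constants
$gpm = New-Object -ComObject GPMgmt.GPM
$gpmConstants = $gpm.GetConstants()
# Connect to the domain, using any available domain controller
$gpmDomain = $gpm.GetDomain("$domainName", "", $gpmConstants.UseAnyDC)
# Create an empty GPO, then give it its display name
$gpmGpo = $gpmDomain.CreateGPO()
$gpmGpo.DisplayName = "$gpmName"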


So this is a useful way of starting the script, but what if you want to create a number of GPOs defined in a text file? Actually it is pretty straightforward: you can create a text file that lists the GPOs on separate lines:-

GPO 1
GPO 2
GPO 3
GPO 4

So from here you need to add some elements to the script to connect to this text file and retrieve the GPO names:-


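$domainName = "Philtest.PRI"
# Read the GPO display names, one per line
$aryText = Get-Content -Path "c:\PSScripts\GPOs.txt"
# Instantiate the COM object and connect to the domain once, outside the loop
$gpm = New-Object -ComObject GPMgmt.GPM
$gpmConstants = $gpm.GetConstants()
$gpmDomain = $gpm.GetDomain("$domainName", "", $gpmConstants.UseAnyDC)
foreach ($aryElement in $aryText)
{
    # Create an empty GPO and name it after the current line of the file
    $gpmGpo = $gpmDomain.CreateGPO()
    $gpmGpo.DisplayName = $aryElement
}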


This script gets the contents of the text file and loops through it, creating GPOs with the display names of whatever is on each line of the text file (in this case GPO 1, GPO 2, GPO 3, GPO 4).
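
An added example, not part of the original post: a re-runnable version of the bulk-creation loop. GPOs are identified by GUID, so CreateGPO() followed by setting DisplayName will create a second GPO with a name that already exists; this version searches by display name first, skips blank lines, and reports the GUID of everything it created or found. The domain and file path are the sample values from the post, and the output property names are illustrative.

```powershell
# Added example. Requires GPMC on the machine running the script.
# Domain name and file path are the sample values used in the post.
$domainName = "Philtest.PRI"
$listPath   = "c:\PSScripts\GPOs.txt"

$gpm          = New-Object -ComObject GPMgmt.GPM
$gpmConstants = $gpm.GetConstants()
$gpmDomain    = $gpm.GetDomain($domainName, "", $gpmConstants.UseAnyDC)

# Normalise the list: trim whitespace, drop blank lines, drop repeated names.
$names = Get-Content -Path $listPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne "" } |
    Select-Object -Unique

$results = foreach ($name in $names) {
    # Look for existing GPOs with exactly this display name.
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($gpmConstants.SearchPropertyGPODisplayName, $gpmConstants.SearchOpEquals, $name)
    $existing = $gpmDomain.SearchGPOs($criteria)

    if ($existing.Count -gt 0) {
        # Report every match: more than one GUID means duplicates already exist.
        $ids    = @($existing | ForEach-Object { $_.ID })
        $action = "Skipped (exists)"
    } else {
        $gpo = $gpmDomain.CreateGPO()
        $gpo.DisplayName = $name
        $ids    = @($gpo.ID)
        $action = "Created"
    }

    # One record per name, so the run leaves a trail of what was touched.
    New-Object PSObject -Property @{
        Name   = $name
        Id     = ($ids -join ", ")
        Action = $action
    }
}

$results | Format-Table Name, Id, Action -AutoSize
```

Keeping the printed GUIDs alongside the build log gives a record of which objects the run created, which is what later linking or clean-up steps should key on rather than the display name.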

Monday, February 11, 2008

Group Policy Objects and Powershell - 1 Introduction

I haven't posted anything in a long time, mainly due to work pressures and not having too much to say. I have started a few posts then not got around to finishing them, however some work I have been doing recently has prompted this post as I figured this could be useful for some people.

Anyway, from my earlier posts you probably won't realise that I actually specialise in Active Directory, and more specifically in design. So when building test networks for various clients I did have a long commissioning document that I run through undisturbed in about 5 or 6 hours for a 2 domain model (2 Domain Controllers in each) with basic Certificate Services installed and configured. However, what if you wanted to automate this? On one large project that is what our build team did - a fully automated AD build using VB Scripts and ADS (Automated Deployment Services). This allows for someone less knowledgeable to install the AD, but more importantly it allows for consistency in the deployments with much of the possible human error removed. These scripts are all well and good, however they are not supportable due to a lack of documentation and lack of commenting in the scripts, and the ownership of the automated build process has shifted to the team I work in, so we decided to rewrite it all - in Powershell.

I had played around with powershell in its earlier guise as MONAD, but not really in anger and was interested in learning about it. At this point we had decided to modularise our standard AD design into a base build and a number of extra AD modules that could be implemented depending on what was to be installed into the environment (Exchange, OCS, Sharepoint, etc).

The base build would initially contain a number of things that it would be useful to use powershell to build, the two I was concentrating on initially were GPOs and DCPromo answer file creation (from a config file).

I will concentrate on the GPO problem here though, as it was the most interesting. Googling for GPO management with Powershell (or similar) does not retrieve a lot of terribly useful stuff, but it does return a number of useful starting points, the most useful of which initially I found to be this article from TechNet Magazine (extra useful as you can download a file with the script source) - Simplify Group Policy Administration with Windows PowerShell

The main problem I saw straight away was that there are no cmdlets built into powershell to manage GPOs so I had two main options:-

  • Creating my own in C#
  • Interacting with the COM objects used in the scripts you get with the Group Policy Management Console (GPMC) directly from Powershell.

I am not a programmer, so realistically that left me with the second option. I got stuck into the examples provided in the TechNet article, however they didn't cover all of what I needed to do, which was the following:-

  • Create a number of GPOs
  • Import GPOs from a backup taken from a different domain
  • Link the GPOs to the relevant OUs

Over the course of the next few posts I will go through how you do this, then from there go into how to pass arguments into the scripts from text files or XML files.