
Active Directory Cookbook for Windows Server 2003 - P27


restore, and model GPOs from a single interface. Perhaps what is even better is the scriptable API that comes with the GPMC. Pretty much every function you can accomplish with the GPMC tool, you can do via a script. The only major feature that is still lacking is the ability to directly modify the settings of a GPO. That can be done only with the GPOE. However, the GPMC provides numerous options for migrating GPOs, which addresses the majority of the problems people face today.

You can download the GPMC from the following site: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx. It requires the .NET Framework on Windows Server 2003 or Windows XP SP 1 with hotfix Q326469, and cannot be run on Windows 2000. You can manage Windows 2000-based Active Directory GPOs with the GPMC as long as you run it from one of the previously mentioned platforms.

The majority of solutions presented in this chapter use GPMC. In fact, most of these recipes would not have had workable solutions were it not for the GPMC. It is for this reason that I highly recommend downloading it and becoming familiar with it.

Most of the command-line solutions I provide use one of the scripts provided in the GPMC install. A whole host of pre-canned scripts have already been written, in a mix of VBScript and JavaScript, that serve as great command-line tools and good examples to start scripting GPOs. These scripts are available, by default, in the %ProgramFiles%\GPMC\scripts directory. You can execute them in one of two ways. You can call a script using cscript:

    > cscript listallgpos.wsf

or, if you make cscript your default WSH interpreter, you can execute the file directly. To make cscript your default interpreter, run this command:

    > cscript //H:cscript

The complete documentation for the GPM API is available in the gpmc.chm file in the %ProgramFiles%\GPMC\scripts directory or from MSDN (http://msdn.microsoft.com/).

Recipe 9.1 Finding the GPOs in a Domain

9.1.1 Problem

You want to find all of the GPOs that have been created in a domain.

9.1.2 Solution

9.1.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container.
3. Expand the Domains container.
4. Browse to the domain of the target GPO.
5. Expand the Group Policy Objects container. All of the GPOs in the domain will be listed under that container.

9.1.2.2 Using a command-line interface

    > listallgpos.wsf [/domain:<DomainDNSName>] [/v]

You can also use the gpotool to display the GPOs:

    > gpotool [/domain:<DomainDNSName>] [/verbose]

9.1.2.3 Using VBScript

    ' This code displays all of the GPOs for a domain.
    ' SCRIPT CONFIGURATION
    strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
    ' END CONFIGURATION

    set objGPM = CreateObject("GPMgmt.GPM")
    set objGPMConstants = objGPM.GetConstants( )

    ' Initialize the Domain object
    set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

    ' Create an empty search criteria
    set objGPMSearchCriteria = objGPM.CreateSearchCriteria
    set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

    ' Print the GPOs.
    WScript.Echo "Found " & objGPOList.Count & " GPOs in " & strDomain & ":"
    for each objGPO in objGPOList
       WScript.Echo " " & objGPO.DisplayName
    next

9.1.3 Discussion

See the Introduction in Chapter 9 for more on how GPOs are stored in Active Directory.

9.1.3.1 Using VBScript

You can find the GPOs in a domain by using the GPMDomain.SearchGPOs method. The only parameter you need to pass to SearchGPOs is a GPMSearchCriteria object, which can be used to define criteria for your search. In this case, I created a GPMSearchCriteria object without additional criteria so that all GPOs are returned. The SearchGPOs method returns a GPMGPOCollection object, which is a collection of GPMGPO objects.

9.1.4 See Also

MS KB 216359 (HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL) and MSDN: GPMDomain.SearchGPOs

Recipe 9.2 Creating a GPO

9.2.1 Problem

You want to create a GPO to force users to have a particular desktop configuration or provision configuration settings on workstations or servers.

9.2.2 Solution

9.2.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, and browse to the domain of the target GPO.
3. Right-click on the Group Policy Objects container and select New.
4. Enter the name of the GPO and click OK.

9.2.2.2 Using a command-line interface

    > creategpo.wsf <GPOName> [/domain:<DomainDNSName>]

9.2.2.3 Using VBScript

    ' This code creates an empty GPO.
    ' SCRIPT CONFIGURATION
    strGPO    = "<GPOName>"       ' e.g. Sales GPO
    strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
    ' END CONFIGURATION

    set objGPM = CreateObject("GPMgmt.GPM")
    set objGPMConstants = objGPM.GetConstants( )

    ' Initialize the Domain object
    set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

    ' Create the GPO and print the results
    set objGPO = objGPMDomain.CreateGPO( )
    WScript.Echo "Successfully created GPO"
    objGPO.DisplayName = strGPO
    WScript.Echo "Set GPO name to " & strGPO

9.2.3 Discussion

When you create a GPO through the GPMC, it is initially empty with no settings or links configured. See Recipe 9.6 for more on modifying GPO settings, and Recipe 9.12 for creating a link.

9.2.3.1 Using VBScript

To create a GPO, I first instantiate a GPMDomain object for the domain to add the GPO to. This is accomplished with the GPM.GetDomain method. Then it is just a matter of calling the GPMDomain.CreateGPO method (with no parameters) to create an empty GPO. A GPM.GPO object is returned from this method, which I then use to set the display name of the GPO.

9.2.4 See Also

MS KB 216359 (HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL) and MSDN: GPMDomain.CreateGPO

Recipe 9.3 Copying a GPO

9.3.1 Problem

You want to copy the properties and settings of a GPO to another GPO.

9.3.2 Solution

9.3.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the source GPO, and expand the Group Policy Objects container.
3. Right-click on the source GPO and select Copy.
4. Right-click on the Group Policy Objects container and select Paste.
5. Select whether you want to use the default permissions or preserve the existing permissions, and click OK.
6. A status window will pop up that will indicate whether the copy was successful. Click OK to close.
7. Rename the new GPO by right-clicking it in the left pane and selecting Rename.

9.3.2.2 Using a command-line interface

    > copygpo.wsf <SourceGPOName> <TargetGPOName>

9.3.2.3 Using VBScript

    ' This code copies a source GPO to a new GPO
    ' SCRIPT CONFIGURATION
    strSourceGPO = "<SourceGPOName>" ' e.g. SalesGPO
    strNewGPO    = "<NewGPOName>"    ' e.g. Marketing GPO
    strDomain    = "<DomainDNSName>" ' e.g. rallencorp.com
    ' END CONFIGURATION

    set objGPM = CreateObject("GPMgmt.GPM")
    set objGPMConstants = objGPM.GetConstants( )

    ' Initialize the Domain object
    set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

    ' Find the source GPO
    set objGPMSearchCriteria = objGPM.CreateSearchCriteria
    objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                             objGPMConstants.SearchOpEquals, cstr(strSourceGPO)
    set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
    if objGPOList.Count = 0 then
       ' Report the name that was searched for (strSourceGPO)
       WScript.Echo "Did not find GPO: " & strSourceGPO
       WScript.Echo "Exiting."
       WScript.Quit
    elseif objGPOList.Count > 1 then
       WScript.Echo "Found more than one matching GPO. Count: " & _
                    objGPOList.Count
       WScript.Echo "Exiting."
       WScript.Quit
    else
       WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
    end if

    ' Copy from source GPO to target GPO
    set objGPMResult = objGPOList.Item(1).CopyTo(0, objGPMDomain, strNewGPO)

    ' This will throw an exception if there were any errors
    ' during the actual operation.
    on error resume next
    objGPMResult.OverallStatus( )

    if objGPMResult.Status.Count > 0 then
       WScript.Echo "Status message(s): " & objGPMResult.Status.Count
       for i = 1 to objGPMResult.Status.Count
          WScript.Echo objGPMResult.Status.Item(i).Message
       next
       WScript.Echo vbCrLf
    end if

    ' Display the results
    if Err.Number <> 0 then
       WScript.Echo "Error copying GPO."
       WScript.Echo "Error: " & Err.Description
    else
       WScript.Echo "Copy successful to " & strNewGPO & "."
    end if

9.3.3 Discussion

Prior to the GPMC tool, one of the big problems with managing GPOs in large environments was migrating them from one forest to another. It is common to have a test forest where GPOs are initially created, configured, and tested before moving them into production. The problem is that once you have the GPO the way you want it in the test forest, there is no easy way to move it to the production forest.

With the GPMC you can simply copy GPOs between domains and even forests. Copying GPOs between forests requires a trust to be in place between the two target domains (or a forest trust between the two forests). If this is not possible, you can import GPOs, which is similar to a copy except that a trust is not needed. A GPO import uses a backup of the source GPO in order to create the new GPO. See Recipe 9.7 for more information on importing a GPO.

Some properties of GPOs, such as security group filters or UNC paths, may vary slightly from domain to domain. In that case, you can use a GPMC migration table to help facilitate the transfer of those types of references to the target domain. For more information on migration tables, see the GPMC help file.

9.3.3.1 Using VBScript

To copy a GPO, I have to first find the source GPO.
To do this, I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I have to abort the script. Now that I have a GPMGPO object, I'm ready to copy the GPO using the GPMGPO.CopyTo method. The first parameter to CopyTo is a flag that indicates how permissions in the source GPO should be handled when copying them to the new GPO. I specified 0 to use the default setting (see the GPMC help file for the other values). The second parameter is a GPMDomain object of the domain the GPO should be copied to. The last parameter is the display name of the new GPO.

9.3.4 See Also

Recipe 9.7 for importing a GPO and MSDN: GPMGPO.CopyTo

Recipe 9.4 Deleting a GPO

9.4.1 Problem

You want to delete a GPO.

9.4.2 Solution

9.4.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
3. Right-click on the target GPO and select Delete.
4. Click OK to confirm.

9.4.2.2 Using a command-line interface

    > deletegpo.wsf <GPOName> [/domain:<DomainDNSName>]

9.4.2.3 Using VBScript

    ' This code deletes the specified GPO.
    ' SCRIPT CONFIGURATION
    strGPO    = "<GPOName>"       ' e.g. My New GPO
    strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
    ' END CONFIGURATION

    set objGPM = CreateObject("GPMgmt.GPM")
    set objGPMConstants = objGPM.GetConstants( )

    ' Initialize the Domain object
    set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

    ' Find the GPO
    set objGPMSearchCriteria = objGPM.CreateSearchCriteria
    objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                             objGPMConstants.SearchOpEquals, cstr(strGPO)
    set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
    if objGPOList.Count = 0 then
       WScript.Echo "Did not find GPO: " & strGPO
       WScript.Echo "Exiting."
       WScript.Quit
    elseif objGPOList.Count > 1 then
       WScript.Echo "Found more than one matching GPO. Count: " & _
                    objGPOList.Count
       WScript.Echo "Exiting."
       WScript.Quit
    else
       WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
    end if

    ' Delete the GPO
    objGPOList.Item(1).Delete
    WScript.Echo "Successfully deleted GPO: " & strGPO

9.4.3 Discussion

When you delete a GPO through the GPMC, it attempts to find all links to the GPO in the domain and will delete them if the user has permissions to delete the links. If the user does not have the necessary permissions to remove the links, the GPO will still get deleted, but the links will remain intact. Any links external to the domain the GPO is in are not automatically deleted. It is for this reason that it is a good practice to view the links to the GPO before you delete it. Links to deleted GPOs show up as "Not Found" in GPMC.

9.4.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I abort the script. If only one is returned, I use the GPMGPO.Delete method to delete the GPO.
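
The check recommended in the discussion above, viewing a GPO's links before deleting it, can be scripted with the same GPM API. The following is an added example, not code from the book: strForest is an added configuration variable, and SearchPropertySOMLinks, SearchOpContains, SearchSOMs, GetSitesContainer and SearchSites are GPM API members that are not shown elsewhere on this page.

```vbscript
' Added example (not from the book): delete a GPO only if nothing links to it.
' SCRIPT CONFIGURATION
strGPO    = "<GPOName>"        ' e.g. My New GPO
strDomain = "<DomainDNSName>"  ' e.g. rallencorp.com
strForest = "<ForestDNSName>"  ' added variable (assumption), e.g. rallencorp.com
' END CONFIGURATION

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO by display name and require exactly one match
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count <> 1 then
   WScript.Echo "Expected one GPO named " & strGPO & ", found " & _
                objGPOList.Count & ". Exiting."
   WScript.Quit 1
end if
set objGPO = objGPOList.Item(1)

' Search criteria: scopes of management (SOMs) whose links contain this GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertySOMLinks, _
                         objGPMConstants.SearchOpContains, objGPO

' Domain and OU links in this domain, then site links in the forest
set objSOMList = objGPMDomain.SearchSOMs(objGPMSearchCriteria)
set objGPMSites = objGPM.GetSitesContainer(strForest, strDomain, "", _
                                           objGPMConstants.UseAnyDC)
set objSiteList = objGPMSites.SearchSites(objGPMSearchCriteria)

intLinks = objSOMList.Count + objSiteList.Count
if intLinks > 0 then
   WScript.Echo objGPO.DisplayName & " " & objGPO.ID & " is linked to:"
   for each objSOM in objSOMList
      WScript.Echo "  " & objSOM.Path
   next
   for each objSite in objSiteList
      WScript.Echo "  site: " & objSite.Name
   next
   WScript.Echo "Review or remove these " & intLinks & " link(s) first. " & _
                "Nothing was deleted."
   WScript.Quit 2
end if

' Links from other domains are not covered by the searches above
WScript.Echo "No domain, OU or site links found for " & strGPO & "."
objGPO.Delete
WScript.Echo "Successfully deleted GPO: " & strGPO
```

The script exits with code 1 when the name does not match exactly one GPO and with code 2 when links remain, so a calling batch job can tell the two cases apart.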

9.4.4 See Also

Recipe 9.11 for viewing the links for a GPO and MSDN: GPMGPO.Delete

Recipe 9.5 Viewing the Settings of a GPO

9.5.1 Problem

You want to view the settings that have been defined on a GPO.

9.5.2 Solution

9.5.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
3. Click on the target GPO.
4. In the right pane, click on the Settings tab.
5. Click the Show All link to display all configured settings.

9.5.2.2 Using a command-line interface

    > getreportsforgpo.wsf "<GPOName>" <ReportLocation> [/domain:<DomainDNSName>]

9.5.2.3 Using VBScript

    ' This code generates an HTML report of all the properties
    ' and settings for a GPO.
    ' SCRIPT CONFIGURATION
    strGPO        = "<GPOName>"         ' e.g. Sales GPO
    strDomain     = "<DomainDNSName>"   ' e.g. rallencorp.com
    strReportFile = "<FileNameAndPath>" ' e.g. c:\gpo_report.html
    ' END CONFIGURATION

    set objGPM = CreateObject("GPMgmt.GPM")
    set objGPMConstants = objGPM.GetConstants( )

    ' Initialize the Domain object
    set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

    ' Find the GPO
    set objGPMSearchCriteria = objGPM.CreateSearchCriteria
    objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                             objGPMConstants.SearchOpEquals, cstr(strGPO)
    set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
    if objGPOList.Count = 0 then
       WScript.Echo "Did not find GPO: " & strGPO
       WScript.Echo "Exiting."
       WScript.Quit
    elseif objGPOList.Count > 1 then
       WScript.Echo "Found more than one matching GPO. Count: " & _
                    objGPOList.Count
       WScript.Echo "Exiting."
       WScript.Quit
    else
       WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
    end if

    ' Write the HTML report to the configured file
    set objGPMResult = objGPOList.Item(1).GenerateReportToFile( _
                                          objGPMConstants.ReportHTML, _
                                          strReportFile)

    ' This will throw an exception if there were any errors
    ' during the actual operation.
    on error resume next
    objGPMResult.OverallStatus( )

    if objGPMResult.Status.Count > 0 then
       WScript.Echo "Status message(s): " & objGPMResult.Status.Count
       for i = 1 to objGPMResult.Status.Count
          WScript.Echo objGPMResult.Status.Item(i).Message
       next
       WScript.Echo vbCrLf
    end if

    ' Display the result
    if Err.Number <> 0 then
       WScript.Echo "Error generating report."
       WScript.Echo "Error: " & Err.Description
    else
       WScript.Echo "Report saved to " & strReportFile
    end if

9.5.3 Discussion

The GPMC can generate an XML or HTML report that contains all of the settings in a GPO. See Recipe 9.6 for more on how to modify GPO settings.

9.5.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I abort the script. If only one is returned, I use the GPMGPO.GenerateReportToFile method to generate a report of all the settings in the GPO. The first parameter for GenerateReportToFile is a constant that determines the type of report to generate (i.e., HTML or XML). The second parameter is the path of the file to store the report.

9.5.4 See Also

MSDN: GPMGPO.GenerateReportToFile

Recipe 9.6 Modifying the Settings of a GPO

9.6.1 Problem

You want to modify the settings associated with a GPO.

9.6.2 Solution

9.6.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
3. Right-click on the target GPO and select Edit. This will bring up the Group Policy Object Editor.
4. Browse through the Computer Configuration or User Configuration settings and modify them as necessary.

9.6.2.2 Using a command-line interface or VBScript

You cannot modify the settings of a GPO with any of the command-line tools or APIs, but you can copy and import settings as described in Recipe 9.3 and Recipe 9.7.

9.6.3 Discussion

The one function that the GPMC tool and API cannot do is modify GPO settings. This still must be done from within the GPOE. You can, however, launch GPOE from within GPMC as described in the GUI solution. Not having a scriptable way to modify GPO settings has been a big roadblock with managing GPOs, especially across multiple forests. Copying or importing GPOs can help with migrating settings across forests.

9.6.4 See Also

Recipe 9.3 for copying a GPO, Recipe 9.5 for viewing the settings of a GPO, and Recipe 9.7 for importing a GPO

Recipe 9.7 Importing Settings into a GPO

9.7.1 Problem

You want to import settings from one GPO to another.

9.7.2 Solution

9.7.2.1 Using a graphical user interface

Date posted: 05/07/2014, 08:20
