Active Directory Cookbook for windows server 2003- P29 pptx


strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
strOU = "<OrgUnitDN>"           ' e.g. ou=Sales,dc=rallencorp,dc=com
boolBlock = TRUE                ' e.g. set to FALSE to not block inheritance
' END CONFIGURATION

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

' Trap errors so the check below can report them instead of aborting
on error resume next
objSOM.GPOInheritanceBlocked = boolBlock
if Err.Number <> 0 then
   WScript.Echo "There was an error blocking inheritance."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Successfully set inheritance blocking on OU to " & boolBlock
end if

9.13.3 Discussion

By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects within the child OUs. Sometimes that may not be what you want, and you can disable inheritance as described in the solutions.

Try to avoid blocking inheritance when possible, because it can make it difficult to determine which settings should be applied to a user or computer. If someone sees that a GPO is applied at a top-level OU, they may think it applies to every object under it. Using the Resultant Set of Policies (RSoP) snap-in can help identify which settings are applied to a user or computer (see Recipe 9.20).

9.13.3.1 Using VBScript

To block inheritance, I first have to get a GPMSOM object for the OU by calling the GPMDomain.GetSOM method. The only parameter to this method is the DN of the OU (or leave it blank to reference the domain itself). Next, I set GPMSOM.GPOInheritanceBlocked to either TRUE or FALSE, depending on whether you want inheritance blocked or not.
9.13.4 See Also

MSDN: GPMDomain.GetSOM and MSDN: GPMSOM.GPOInheritanceBlocked

Recipe 9.14 Applying a Security Filter to a GPO

9.14.1 Problem

You want to configure a GPO so that it applies only to members of a particular security group.

9.14.2 Solution

9.14.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.
3. Click on the GPO you want to modify.
4. In the right pane under Security Filtering, click the Add button.
5. Use the Object Picker to select a group and click OK.
6. Highlight Authenticated Users and click the Remove button.
7. Click OK to confirm.

9.14.2.2 Using a command-line interface

> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply
> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

9.14.2.3 Using VBScript

' This code adds a security group filter permission to a GPO
' and removes the Authenticated Users filter permission.
' SCRIPT CONFIGURATION
strGPO = "<GPOName>"            ' e.g. Sales GPO
strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
strGroupAdd = "<GroupName>"     ' e.g. SalesUsers
strGroupRemove = "Authenticated Users"
' END CONFIGURATION

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Get permission objects to Apply GPO
set objGPMPerm1 = objGPM.CreatePermission(strGroupAdd, _
                                          objGPMConstants.PermGPOApply, False)
set objGPMPerm2 = objGPM.CreatePermission(strGroupRemove, _
                                          objGPMConstants.PermGPOApply, False)

' Get the existing set of permissions on the GPO
set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo( )

' Add the new permission
objSecurityInfo.Add objGPMPerm1

' Remove Authenticated Users
objSecurityInfo.Remove objGPMPerm2

on error resume next

' Apply the permission to the GPO
objGPOList.Item(1).SetSecurityInfo objSecurityInfo

if Err.Number <> 0 then
   WScript.Echo "There was an error setting the security filter."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Added Apply permission for group " & strGroupAdd
   WScript.Echo "Removed Apply permission for group " & strGroupRemove
end if

9.14.3 Discussion

Creating a security filter for a GPO consists of granting a specific group the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO so that it applies only to members of another group.

Avoid using "Deny" as part of the security filter, because it can lead to confusion with accounts that are members of groups with conflicting filter settings. For example, if a user is a member of a group that has "Deny" set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot.

Be very careful when changing permissions on GPOs. If you create a very restrictive GPO and apply a security filter to it, put tight controls on who can modify the GPO and how. If for some reason that security filter were removed (leaving no security filters), the restrictive GPO could be applied to every user or computer in the domain.

9.14.3.1 Using VBScript

First, I have to find the target GPO. I use a GPMSearchCriteria object to find the GPO whose display name equals the one specified in the configuration section. I use an if-elseif-else conditional statement to ensure that only one GPO is returned. If none or more than one is returned, I abort the script. If only one GPO is returned, I create two permission objects with GPM.CreatePermission: one for the group I want to add as a security filter and one for the Authenticated Users group. Next, I use GPMGPO.GetSecurityInfo to retrieve the current ACL on the GPO. Finally, I add the permission for the group I want as the new security filter to the ACL, and I remove the permission for Authenticated Users.

9.14.4 See Also

MSDN: GPM.CreatePermission and MSDN: GPMGPO.GetSecurityInfo

Recipe 9.15 Creating a WMI Filter

WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003- and Windows XP-based clients.

9.15.1 Problem

You want to create a WMI filter.

9.15.2 Solution

9.15.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and click the WMI Filters container.
3. Right-click on the WMI Filters container and select New.
4. Enter a name and description for the filter.
5. Click the Add button.
6. Select the appropriate namespace, enter a WQL query, and click OK.
7. Repeat steps 5 and 6 for as many queries as you need to add.
8. Click the Save button.

9.15.2.2 Using VBScript

At the time of publication of this book, there were no GPM methods available for creating WMI filters.

9.15.3 Discussion

WMI filters are new in Windows Server 2003 and provide another way to filter how GPOs are applied to clients.
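Before going into WMI filters, here is an added check (PowerShell, not code from the book) covering the two settings the last two recipes change, through the same GPMgmt.GPM COM object the VBScript uses: it lists every OU that blocks inheritance (Recipe 9.13) and, for every GPO, who can apply it (Recipe 9.14), flagging Deny entries, GPOs that still apply to Authenticated Users, and GPOs with no Apply entry at all. It assumes GPMC is installed on the machine running it and that the domain name is replaced; the only constructed value is that placeholder.

```powershell
# Added example, not from the book. Assumes GPMC is installed; the domain
# name below is a placeholder to replace before running.
$domainName = "<DomainDNSName>"   # e.g. rallencorp.com

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($domainName, "", $constants.UseAnyDC)

# 1. OUs that block inheritance (Recipe 9.13). Each one is a place where a
#    GPO linked higher up silently stops applying, which the discussion
#    above warns is hard to see from the GPO link alone.
$searcher = [adsisearcher]"(objectClass=organizationalUnit)"
$searcher.PageSize = 1000
foreach ($result in $searcher.FindAll()) {
    $ouDN = $result.Properties["distinguishedname"][0]
    $som  = $domain.GetSOM($ouDN)          # same call as the VBScript
    if ($som.GPOInheritanceBlocked) {
        Write-Output "Inheritance BLOCKED at: $ouDN"
    }
}

# 2. Security filtering on every GPO (Recipe 9.14). An empty search
#    criteria object returns all GPOs in the domain.
$allGpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())
for ($i = 1; $i -le $allGpos.Count; $i++) {
    $gpo   = $allGpos.Item($i)
    $acl   = $gpo.GetSecurityInfo()        # GPMSecurityInfo, 1-based
    $apply = @()                           # trustees with Allow Apply
    for ($j = 1; $j -le $acl.Count; $j++) {
        $perm = $acl.Item($j)
        if ($perm.Permission -ne $constants.PermGPOApply) { continue }
        $name = $perm.Trustee.TrusteeName
        if ($perm.Denied) {
            # The discussion advises against Deny: it always wins over Allow
            Write-Output "$($gpo.DisplayName): DENY Apply for $name"
        } else {
            # S-1-5-11 is the well-known SID of Authenticated Users
            if ($perm.Trustee.TrusteeSid -eq "S-1-5-11") { $name = "Authenticated Users" }
            $apply += $name
        }
    }
    if ($apply.Count -eq 0) {
        Write-Output "$($gpo.DisplayName): no Allow Apply entry (applies to nobody)"
    } elseif ($apply -contains "Authenticated Users") {
        Write-Output "$($gpo.DisplayName): still applies to Authenticated Users"
    } else {
        Write-Output "$($gpo.DisplayName): filtered to $($apply -join ', ')"
    }
}
```

Run it from an account that can read GPO security descriptors; it changes nothing, so it is safe to run on a schedule and diff the output to catch a restrictive GPO whose filter was removed.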
WMI filters live in Active Directory as objects under the WMIPolicy container within the System container for a domain. A WMI filter consists of a WMI Query Language (WQL) query that, when linked to a GPO, will be run against all clients that the GPO applies to. If the WQL query returns true (that is, the query returns a nonempty result set), the GPO will continue to process. If the WQL query returns false (nothing is returned from the query), the GPO will not be processed.

The great thing about WMI filters is that the vast amount of information available in WMI on a client becomes available for filtering GPOs. You can query against CPU, memory, disk space, hotfixes installed, service packs installed, applications installed, running processes, and the list goes on and on. For example, creating a GPO that applies only to computers running Windows XP Professional would have been really difficult under Windows 2000. You would have needed either to create a security group that contained all of those computers as members (and apply a security filter), or to move all of those workstations to a particular OU. With a WMI filter, this becomes trivial. Here is an example WQL query that would return true when run on a Windows XP Professional workstation:

select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

9.15.4 See Also

Recipe 9.16 for applying a WMI filter to a GPO and MSDN: Querying with WQL

Recipe 9.16 Applying a WMI Filter to a GPO

WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003- and Windows XP-based clients.

9.16.1 Problem

You want to apply a WMI filter to a GPO.

9.16.2 Solution

9.16.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to target, and expand the Group Policy Objects container.
3. Single-click on the target GPO.
4. In the right pane, at the bottom of the window, you can select from the list of WMI filters.
5. After you've selected the WMI filter, click Yes to confirm.

9.16.2.2 Using VBScript

' This code links an existing WMI filter with a GPO
' SCRIPT CONFIGURATION
strGPO = "<GPOName>"            ' e.g. Sales GPO
strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
' e.g. {D715559A-7965-45A6-864D-AEBDD9934415}
strWMIFilterID = "<WMIFilterID>"
' END CONFIGURATION

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, _
                         cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

on error resume next

' Retrieve the WMI filter
strWMIFilter = "MSFT_SomFilter.Domain=""" & _
               strDomain & """,ID=""" & _
               strWMIFilterID & """"
set objWMIFilter = objGPMDomain.GetWMIFilter(strWMIFilter)
if Err.Number <> 0 then
   WScript.Echo "Did not find WMI Filter: " & strWMIFilterID
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found WMI Filter: " & objWMIFilter.Name
end if

' Link the filter and print the result
objGPOList.Item(1).SetWMIFilter(objWMIFilter)
if Err.Number <> 0 then
   WScript.Echo "Failed to set WMI filter."
   WScript.Echo "Error: " & err.description
else
   WScript.Echo "Set WMI filter successfully."
end if

9.16.3 Discussion

You can link only one WMI filter to a GPO. This is not necessarily a limitation, because you can still link more than one GPO to a site, domain, or OU. If you need multiple WMI filters to apply to a GPO, copy the GPO and apply a new WMI filter to the copy. See Recipe 9.15 for more information on WMI filters.

9.16.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO whose display name equals the one specified in the configuration section. I use an if-elseif-else conditional statement to ensure that only one GPO is returned. If none or more than one is returned, I abort the script. If only one GPO is returned, I call GPMDomain.GetWMIFilter to instantiate a GPMWMIFilter object based on the WMI filter GUID specified in the configuration section. If you need to programmatically search for the WMI filter ID, you can use the GPMDomain.SearchWMIFilters method. After I retrieve the GPMWMIFilter object, I call the GPMGPO.SetWMIFilter method to set the filter for the GPO.

9.16.4 See Also

MSDN: GPMDomain.GetWMIFilter and MSDN: GPMGPO.SetWMIFilter

Recipe 9.17 Backing Up a GPO

9.17.1 Problem

You want to back up a GPO.

9.17.2 Solution

9.17.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to back up, and expand the Group Policy Objects container.
3. Right-click on the GPO you want to back up, and select Back Up.
4. For Location, enter the folder path to store the backup files.
5. For Description, enter a descriptive name for the backup.
6. Click the Back Up button.
7. You will see a progress bar and a status message that indicates whether the backup was successful.
8. Click OK to exit.
9.17.2.2 Using a command-line interface

> backupgpo.wsf "<GPOName>" "<BackupFolder>" /comment:"<BackupComment>"

9.17.2.3 Using VBScript

' This code backs up a GPO to the specified backup location.
' SCRIPT CONFIGURATION
strGPO = "<GPOName>"            ' e.g. Default Domain Policy
strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
strLocation = "<BackupFolder>"  ' e.g. c:\GPMC Backups
strComment = "<BackupComment>"  ' e.g. Default Domain Policy Weekly
' END CONFIGURATION

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO you want to back up
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
End if

' Kick off the backup
On Error Resume Next
set objGPMResult = objGPOList.Item(1).Backup(strLocation, strComment)

' Call the OverallStatus method on the GPMResult.
' This will throw an exception if there were any
' errors during the actual operation.
objGPMResult.OverallStatus( )
if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status messages:" & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Print the results
if Err.Number <> 0 then
   WScript.Echo "The backup failed."
   WScript.Echo "Attempted to backup GPO '" & strGPO & "' to location " & strLocation
   WScript.Echo "Error: " & err.description
else
   set objGPMBackup = objGPMResult.Result
   WScript.Echo "Backup completed successfully."
   WScript.Echo "GPO ID: " & objGPMBackup.GPOID
   WScript.Echo "Timestamp: " & objGPMBackup.TimeStamp
   WScript.Echo "Backup ID: " & objGPMBackup.ID
end if

9.17.3 Discussion

The GPMC provides a way to back up individual (or all) GPOs. A GPO backup consists of a set of folders and files that catalog the GPO settings, filters, and links, and it is created in the backup location you specify. You can back up a GPO to a local drive or over the network to a file server. Restoring a GPO is just as easy and is described in Recipe 9.18.

Prior to GPMC, the only way to back up GPOs was by backing up the System State on a domain controller. The System State includes Active Directory and SYSVOL (both components are needed to completely back up a GPO). To restore a GPO using this method, you'd have to boot into DS Restore mode and perform an authoritative restore of the GPO(s) you were interested in. Needless to say, the GPMC method is significantly easier.

A good practice is to back up your GPO backups. Since all the backup information is captured in a series of files, you can back up that information to media, which provides two levels of restore capability. You could restore the last backup taken, which could be stored on a domain controller or file server, or you could go to tape and restore a previous version.

In the folder you specify to store the GPO backups is a list of folders that have GUIDs for names. This does not make it very easy to distinguish which backups are for which GPOs. A quick way to find that out is to use the querybackuplocation.wsf script. This will list each of the folder GUID names and the corresponding GPO it is for:

> querybackuplocation.wsf "c:\gpmc backups"

9.17.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO whose display name equals the one specified in the configuration section. I use an if-elseif-else conditional statement to ensure that only one GPO is returned. If none or more than one is returned, I abort the script. If only one is returned, I call the GPMGPO.Backup method to back up the GPO. The first parameter is the directory in which to store the GPO backup files, and the second parameter is a comment that is stored with the backup. This comment may come in handy later for doing searches against the backups on a server, so you may want to think about what to put in it.

9.17.4 See Also

Recipe 9.18 for restoring a GPO and MSDN: GPMGPO.Backup

Recipe 9.18 Restoring a GPO

9.18.1 Problem

You want to restore a GPO.

9.18.2 Solution

9.18.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to back up, and expand the Group Policy Objects container.
3. Right-click on the GPO you want to restore, and select Restore from Backup.
4. Click Next.
5. Select the backup folder location and click Next.
6. Select the backup you want to restore and click Next.
7. Click Finish.
8. You will see the restore status window. After it completes, click OK to close the window.

9.18.2.2 Using a command-line interface

> restoregpo.wsf "<BackupFolder>" "<GPOName>"

9.18.2.3 Using VBScript

' This code restores a GPO from a backup.
' SCRIPT CONFIGURATION
strGPO = "<GPOName>"            ' e.g. Sales Users GPO
strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
strLocation = "<BackupFolder>"  ' e.g. c:\GPMC Backups
strBackupID = "<BackupGUID>"    ' e.g. {85CA37AC-0DB3-442B-98E8-537291D26ED3}
' END CONFIGURATION

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
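An added PowerShell example (not from the book) that does what querybackuplocation.wsf does for the GUID-named folders described in Recipe 9.17, through the same GPMgmt.GPM COM object the scripts use, and then picks the newest backup of one GPO, whose ID is what the restore script's strBackupID expects. It assumes GPMC is installed on the machine running it; the folder and GPO name are placeholders.

```powershell
# Added example, not from the book. Assumes GPMC is installed; the two
# values below are placeholders to replace before running.
$backupFolder = "<BackupFolder>"   # e.g. c:\GPMC Backups
$gpoName      = "<GPOName>"        # GPO whose latest backup you want

$gpm       = New-Object -ComObject GPMgmt.GPM
$backupDir = $gpm.GetBackupDir($backupFolder)   # GPMBackupDir

# An empty search criteria object returns every backup in the folder.
# Each GPMBackup records which GPO it came from, so the GUID folder
# names become readable.
$backups = $backupDir.SearchBackups($gpm.CreateSearchCriteria())
$index = @()
for ($i = 1; $i -le $backups.Count; $i++) {
    $b = $backups.Item($i)
    $index += [pscustomobject]@{
        GPOName   = $b.GPODisplayName
        GPOID     = $b.GPOID
        BackupID  = $b.ID          # also the name of the backup's folder
        TimeStamp = $b.TimeStamp
        Comment   = $b.Comment     # the comment given at backup time
    }
}
$index | Sort-Object GPOName, TimeStamp | Format-Table -AutoSize

# Newest backup of the requested GPO: this BackupID is the value the
# restore script's strBackupID needs.
$latest = $index | Where-Object { $_.GPOName -eq $gpoName } |
          Sort-Object TimeStamp -Descending | Select-Object -First 1
if ($null -eq $latest) {
    Write-Warning "No backup of '$gpoName' found in $backupFolder"
} else {
    Write-Output "Latest backup of '$gpoName': $($latest.BackupID) taken $($latest.TimeStamp)"
}
```

Because a restore silently overwrites the live GPO, check the Comment and TimeStamp of the backup this prints before passing its ID to the restore script.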

Posted: 05/07/2014, 08:20
