Powershell and Group Policies

I’ve been playing with PowerShell and Group Policy recently, so here’s a little walkthrough.

Firstly, let’s create a new Group Policy Object:

   New-GPO -Name "COMPUTER - Power Settings for Laptops"


Before we go any further, a brief talk about Group Policy; everyone has their own methods with group policies, but here is how I do mine.
Firstly, don’t have Computer settings and User settings in the same GPO – it’s bad practice.  When I create a GPO I always think about its target first: is it a computer or a user?  I then prefix the GPO as such, for example…

“COMPUTER – Laptop Power Settings”
“USER – Desktop Shortcut for Business Application”. 

Naming GPOs the way I do helps me link them correctly.  A ‘COMPUTER’ prefixed GPO, for instance, needs to be linked to an OU that contains computers or targeted to computer objects (or groups of computers) so it can process as you intend.  Simple but effective.

In addition, if it’s prefixed with ‘COMPUTER’, I will turn off the user settings so there is less to process on the client, and vice versa.  This is done on the Details tab for the GPO under the GPO Status setting:


Even if that time is nanoseconds I still think it’s worth saving, and it’s a habit I’ve developed over time.  Make sure this part is changed before you export the GPO, and it will follow the GPO when you import it.

The last thing you then need to worry about is your security filtering settings.  If a ‘COMPUTER’ prefixed GPO is security filtered to a user group, it’s probably not going to work as you’d expect.  So ideally you need to ensure that the GPOs are named correctly, the settings are configured as per the name, the settings not being used are turned off and they are security filtered properly; then you’re good to go.  It’s a little bit of good practice I follow on the domains I manage, and I would advise you to do the same.

Let’s have a play with PowerShell now and see what we can come up with.

Firstly, we’ll edit the power settings on the computer GPO I created above, then try and export/import it; afterwards we’ll have a play with linking it and changing security filtering.

So I navigate through Computer Configuration > Preferences > Control Panel Settings > Power Options, right click and choose New > Power Plan (At least Windows 7).  Under Display let’s set On Battery to 10 mins and Plugged In to 0 mins; under Power buttons and lid let’s set On Battery to Do Nothing.

Now let’s export the GPO using this command:

   Backup-GPO -Name "COMPUTER - Power Settings for Laptops" -Path C:\GPOs


We can see that it completed successfully and if we look in the folder:


We can see that we have a sub folder, named by the Id property given to us in the PowerShell output (we’ll need this later).  Going back into Group Policy, I am now going to delete the GPO and try to import it from the backup.

   Get-Command *GPO*

I see from this that we have Import-GPO, which sounds promising, so let’s explore that.  Looking at the examples, the code looks straightforward, so I try this command:

   Import-GPO -BackupId "40FAB3E0-2F7F-45F9-A1CE-4EAE8F5D3320" -Path C:\GPOs -TargetName "COMPUTER - Power Settings for laptops" -CreateIfNeeded


Actually, I tell a lie: it wasn’t as straightforward as I thought.  At first I tried -Name “COMPUTER – Power Settings for laptops” instead of -BackupId “40FAB3E0-2F7F-45F9-A1CE-4EAE8F5D3320”, because this made logical sense to me, but I kept receiving an error stating that no GPO with that name could be found.  Using the GUID (told you we’d need it later!), however, worked right out of the box.  The -CreateIfNeeded switch I used will create the GPO if it doesn’t already exist; without it, the command expects a GPO with the target name to already exist and errors when it doesn’t.

Now let’s try linking the GPO.  Under my Computers OU I have two OUs, one for Desktops and one for Laptops.  I’m going to attempt to link the Power Settings for Laptops GPO to the Laptops OU.  First I’ll declare the OU in a variable so I can reference it in the command.  Secondly, I’m going to explore the command New-GPLink.  I previously ran Get-Command -Module GroupPolicy, which provided me a few commands to try.  In there I have New-GPLink and Set-GPLink, which caught my eye.  Exploring the help, I discovered:

Set-GPLink – Sets the properties of a GPO Link (Enabled, Enforced and Order)
New-GPLink – Links a GPO to a Site, Domain or OU

Looking at the examples in the help, it looks rather easy, so I’ll attempt a couple of lines of code:

   $LaptopsOU = "ou=LAPTOPS,ou=HOME NETWORK COMPUTERS,dc=HOME,dc=local"
   New-GPLink -Name "COMPUTER - Power Settings for Laptops" -Target $LaptopsOU -LinkEnabled Yes


SUCCESS!

OK, so that’s export, import and linking it to the correct place. 

Now let’s tackle security filtering.  Suppose I needed to target my power settings only to a specific group of computers.  I could link my GPO at the top-most level and then security filter it down to a group of computers; even though we’ve linked the GPO to the Laptops OU, filtering is still possible, so let’s attempt it!  I have a group called “Sales Laptops”, so let’s explore that.  From my Get-Command -Module GroupPolicy results I can see we have Get-GPPermissions:

Get-GPPermissions – Synopsis: Gets the permission level for one or more security principals on a specified GPO.

After examining the help, it looks like we can string a fairly simple command together, so let’s try:

   Set-GPPermissions -Name "COMPUTER - Power Settings for Laptops" -PermissionLevel GpoApply -TargetName "Sales Laptops" -TargetType Group


Excellent!  Now looking at the GPO I can see the following:


One thing I don’t see, though, is a Remove-GPPermissions cmdlet so I can remove Authenticated Users.  Strange.  Perhaps I can set the ‘Authenticated Users’ permissions to null. (*quick search on TechNet*)… Yes I can, to ‘None’ rather than ‘Null’… let’s try that…

   Set-GPPermissions -Name "COMPUTER - Power Settings for Laptops" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group


SUCCESS!…  Covering all bases here, right?  Import, export, linking, permissions… that gives us a great toolset for a script to save us a lot of the hassle of doing GPOs manually.  We could even build some sort of tool and then delegate.
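The whole sequence above stitched together as one script.  This is an added example, not code from the original post; it reuses the GPO, OU and group names from the post and assumes the GroupPolicy module is available on a domain-joined admin host.

```powershell
# Added example: back up, restore, link and security-filter one GPO end to end.
Import-Module GroupPolicy

$GpoName    = "COMPUTER - Power Settings for Laptops"
$BackupPath = "C:\GPOs"
$LaptopsOU  = "OU=LAPTOPS,OU=HOME NETWORK COMPUTERS,DC=HOME,DC=local"
$TargetGrp  = "Sales Laptops"

# 1. Back up and keep the backup Id from the returned object instead of copying the GUID by hand.
$backup = Backup-GPO -Name $GpoName -Path $BackupPath
Write-Host "Backup Id: $($backup.Id)"

# 2. Restore into a GPO of the same name, creating it if it is missing.
#    A backup is selected with -BackupId (or -BackupGpoName); Import-GPO has no -Name parameter.
Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $GpoName -CreateIfNeeded | Out-Null

# 3. A COMPUTER-prefixed GPO: switch off the unused User Configuration half.
$gpo = Get-GPO -Name $GpoName
$gpo.GpoStatus = "UserSettingsDisabled"

# 4. Link to the Laptops OU, skipping if the link already exists (New-GPLink errors on a duplicate).
$linked = (Get-GPInheritance -Target $LaptopsOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $LaptopsOU -LinkEnabled Yes | Out-Null
}

# 5. Security filtering: the computer group gets Apply, Authenticated Users is taken out of the filter.
#    Caveat for USER-targeted GPOs on domains with MS16-072 installed: give Authenticated Users (or
#    Domain Computers) GpoRead rather than None, otherwise the computer cannot read the GPO and it
#    silently fails to apply.  For this COMPUTER GPO the group's Apply right already includes Read.
Set-GPPermission -Name $GpoName -PermissionLevel GpoApply -TargetName $TargetGrp -TargetType Group | Out-Null
Set-GPPermission -Name $GpoName -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group | Out-Null

# 6. Verify the result: list every trustee that can now apply the GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission
```

Step 6 is the check worth keeping in any GPO script: if the only trustee with GpoApply is the intended group, the filtering matches the name on the GPO.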

But what about migration tables (I hear you cry)?  Well, you can specify a migration table when you use Import-GPO by using the -MigrationTable parameter.  Migration tables are a whole subject unto themselves, and although some elements work just fine if you sort your table correctly, I’ve found some parts don’t transfer so well.  It is worth checking in a test environment first and then examining any parts of the GPO where you specify domain data such as user or computer groups, where you specify an application to run from a certain path, or indeed any paths whatsoever.  Further reading can be found here:

https://technet.microsoft.com/en-us/library/cc739066(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc737567(v=ws.10).aspx

For those unaware of what migration tables are, they are the tools we use to change any domain-specific data, such as UNC paths or groups, inside a GPO when we apply it elsewhere.  I handle these slightly differently to most: I create a migration table from the GPOs I wish to export/import by using the ‘Populate from GPO’ tool within the migration table editor in my lab environment.  Once I’ve got it going through testing, I change the data to searchable strings, so for the server name I might use AAAAA, for a specific user group I might use BBBBB, etc.  Then my deployment script dynamically edits the migration table during a deployment, using a ForEach loop to replace the strings.  The edited migration table is saved under a different name and then used during imports.  This allows me to delete the edited migration table after a deployment, resetting everything back to normal.  It works for me and it saves me a lot of time, which is what automation is all about.  I’ll be glad to answer any questions on this if anyone has any, please get in touch.
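The placeholder-swap step described above, as an added example (not the author’s own deployment script).  The master .migtable with the AAAAA/BBBBB placeholders, the server and group values, and the backup location are assumptions; the table is edited as plain text so the script needs no knowledge of its XML schema.

```powershell
# Added example: make a deployment copy of a placeholder migration table, import with it, clean up.
Import-Module GroupPolicy

$MasterTable = "C:\GPOs\Laptops-Master.migtable"   # assumption: table saved from the lab with placeholders
$DeployTable = "C:\GPOs\Laptops-Deploy.migtable"   # the edited copy, deleted again afterwards
$BackupPath  = "C:\GPOs"
$GpoName     = "COMPUTER - Power Settings for Laptops"

# Placeholder -> value for this deployment (constructed values).  Groups use the name@domain form.
$Replacements = [ordered]@{
    "AAAAA" = "filesrv01.HOME.local"
    "BBBBB" = "Sales Laptops@HOME.local"
}

function New-DeployTable {
    param([string]$Source, [string]$Destination, [System.Collections.IDictionary]$Map)
    $content = Get-Content -Path $Source -Raw
    foreach ($key in $Map.Keys) {
        if ($content -cnotmatch [regex]::Escape($key)) {
            Write-Warning "Placeholder '$key' not found in $Source; table and script may be out of sync"
        }
        $content = $content.Replace($key, $Map[$key])
    }
    # Refuse to write a table that still carries a placeholder (the post's convention: five repeated
    # capitals), so a stray AAAAA can never land in a live GPO.
    if ($content -cmatch '\b([A-Z])\1{4}\b') {
        throw "Unreplaced placeholder '$($Matches[0])' left in migration table"
    }
    Set-Content -Path $Destination -Value $content -Encoding Unicode   # the editor saves .migtable as UTF-16
}

try {
    New-DeployTable -Source $MasterTable -Destination $DeployTable -Map $Replacements
    # -BackupGpoName selects the backup by the GPO's display name, so the backup GUID is not needed here.
    Import-GPO -BackupGpoName $GpoName -Path $BackupPath -TargetName $GpoName `
               -MigrationTable $DeployTable -CreateIfNeeded | Out-Null
}
finally {
    # Remove the edited copy so the next deployment starts again from the untouched master table.
    if (Test-Path $DeployTable) { Remove-Item -Path $DeployTable }
}
```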

I hope this helps you, thanks for reading.

Jonathan.