WEBVTT

00:03.050 --> 00:07.820
In this module, I'm going to talk about and introduce the concept of group policy scripting.

00:08.660 --> 00:13.550
Now, primarily, this is going to be a PowerShell discussion, but I will touch on some capabilities

00:13.550 --> 00:18.410
that are still available via VBScript that provides some neat functions and neat capabilities within

00:18.410 --> 00:19.580
group policy management.

00:20.480 --> 00:26.300
So Microsoft, since Windows 7, has provided this PowerShell module for group policy as a function

00:26.300 --> 00:27.220
of GPMC.

00:28.160 --> 00:34.640
So when you install GPMC on Windows 7 or as it comes installed by default in Server 2012 and Server

00:34.640 --> 00:40.670
2016 or Server 2022, you will get the cmdlets, the PowerShell cmdlets that come with the group

00:40.670 --> 00:42.680
policy module installed by default.

00:43.580 --> 00:46.580
So once GPMC is installed, you're all good to go.

00:47.420 --> 00:51.950
And I'll talk a little bit more about what that limit is and what you can and can't do with the

00:51.950 --> 00:52.280
cmdlets.

00:53.180 --> 00:54.950
So this is just a screenshot.

00:54.950 --> 01:00.080
If I type Get-Command -Module GroupPolicy, it lists out all the cmdlets and a couple aliases

01:00.080 --> 01:02.420
within the group policy module on Windows Server.

01:03.290 --> 01:08.510
And these cmdlets really provide capabilities over a range of management tasks.

01:09.410 --> 01:12.540
So if you recall, PowerShell has this kind of verb-noun structure.

01:12.560 --> 01:14.600
Get-GPO, Backup-GPO.

01:15.410 --> 01:23.300
These are all the verbs available under the GPO noun: backup, copy, get, import, new, remove, rename and

01:23.300 --> 01:23.870
restore.

01:24.730 --> 01:30.370
In terms of GP permissions, you can get and set permissions and these are permissions on the GPO itself.

01:31.260 --> 01:33.090
You can get or set inheritance.

01:33.240 --> 01:38.100
And this is really just a matter of getting or setting that flag that you can stick on OUs and domains

01:38.100 --> 01:39.110
to block inheritance.

01:39.990 --> 01:46.520
So you can either get the value of that OU or domain or set the value. For GPLink, which is the

01:46.520 --> 01:47.760
a link on a site, domain

01:47.760 --> 01:53.910
or OU, you can create a new link, you can remove a link and you can set the link so you can change

01:53.910 --> 01:58.170
the properties on a link using the set verb. With GPOReport,

01:58.230 --> 02:02.880
this is simply a group policy settings report in either HTML or XML format.

02:03.780 --> 02:10.740
You can get that and you can get or create new starter GPOs, so you can create a new starter GPO using

02:10.740 --> 02:12.660
the new starter GPO cmdlet.

02:12.660 --> 02:15.330
Invoke-GPUpdate.

02:16.210 --> 02:18.970
It was actually added in Windows 8 and beyond.

02:19.840 --> 02:23.410
And it is basically a remote group policy update or gpupdate.

02:24.250 --> 02:30.550
So you can literally invoke a remote update just like you can from the UI in GPMC, you can do it from

02:30.550 --> 02:31.180
PowerShell.

02:32.050 --> 02:39.160
The Get-GPResultantSetOfPolicy essentially lets you run an RSoP report against a remote system so you

02:39.160 --> 02:46.270
can get RSoP data from that cmdlet. And the final two verb-noun combinations are get, remove and set

02:46.600 --> 02:52.630
GPPrefRegistryValue and get, remove, set GPRegistryValue, and they respectively let you set or get GP

02:52.630 --> 02:55.540
preference registry settings and admin template settings.

02:56.440 --> 03:00.010
That GPRegistryValue lets you set admin template settings.

03:00.910 --> 03:02.890
So I'm not going to go into that.

03:03.810 --> 03:09.510
I sort of consider those to be a little bit more advanced cmdlets, but those are the limitations

03:09.510 --> 03:11.790
right now for being able to modify settings.

03:12.720 --> 03:16.050
So let's kind of look overall at the limitations in the current cmdlet

03:16.050 --> 03:19.590
set so that you know what you can and cannot do with the PowerShell cmdlets.

03:19.590 --> 03:24.630
So today there is really no support outside of the two areas that I just mentioned,

03:24.630 --> 03:27.090
admin templates and GP Preferences registry.

03:27.090 --> 03:32.940
No support for reading or modifying settings in PowerShell from Microsoft. There's no support for

03:32.940 --> 03:34.470
retrieving GPO links.

03:35.340 --> 03:37.980
So for example, there's no Get-GPLink.

03:38.870 --> 03:42.560
You can set links, you can create new links, but you can't get links.

03:43.430 --> 03:47.990
You can't get information about existing links, which is, I think, a big oversight.

03:48.830 --> 03:56.300
And by the way, my GMC complete GMC module does include a get link function. No support at all for

03:56.300 --> 03:59.780
creating, linking, editing or deleting WMI filters.

03:59.810 --> 04:04.310
So you can't really do anything in PowerShell with respect to managing WMI filters.

04:05.180 --> 04:07.520
No support for setting the GPO status.

04:08.410 --> 04:10.840
It can be done, but it's an indirect thing.

04:11.710 --> 04:18.370
So there's no cmdlet that says set GPO status, for example. No support for managing the delegation

04:18.370 --> 04:22.330
other than the actual GPO delegation or the permissions on the GPO.

04:23.170 --> 04:28.570
So if you remember from my module on GPO delegation, we could set delegation for things like who can

04:28.570 --> 04:32.560
link to which OUs. That's not supported in the cmdlets.

04:33.460 --> 04:38.470
I will say that a lot of the functionality that Microsoft provides in GPMC is available through a COM

04:38.560 --> 04:43.480
API that's used indirectly by these PowerShell cmdlets and you can use PowerShell to interact with

04:43.480 --> 04:48.490
the COM APIs directly to get access to functionality that's not available in the Microsoft

04:48.490 --> 04:48.820
cmdlets.

04:49.660 --> 04:54.070
Now I'm not going to cover that again because it's a little bit more of an advanced topic.

04:54.920 --> 05:00.680
But there's lots of information out on the Internet about using the COM APIs in GPMC directly from

05:00.680 --> 05:01.310
PowerShell.

05:02.180 --> 05:06.740
So let's kind of dig in and look at just sort of take a tour around the group policy module and see

05:06.740 --> 05:07.370
how it works.
