Group Policy. Jeremy Moskowitz
another way, if the clickety-clicks are straightforward and easy, why would you want to make it harder on yourself and typety-type your way through the same process?
The answer to that would be if you need to do anything that’s a repeatable process. For instance, in this chapter, you’re going to learn how to do things like this:
● Create a Group Policy Object and give it a name.
● Link a Group Policy Object to an OU.
● Order Group Policy Objects at a level, say, the OU level.
Yep, I’m definitely going to show you how to clickety-click your way to success here. But I’m also going to show you the typety-type way using PowerShell. So if you needed to do the same thing over and over again, you could recycle the typety-types and make it a repeatable script.
If you wanted to fully ignore all the PowerShell text, and focus just on the GPMC clickety-clicks, you could do that.
Also, that being said, I’m not going to be going deep into PowerShell, syntax rules, or actually making scripts. There are zillions of PowerShell tutorials and books that talk about how to do that. And, one of the appendices, entitled “Scripting Group Policy Operations with Windows PowerShell,” has a mini-section right at the top entitled “Preparing for Your PowerShell Experience.” There you’ll learn what I think are the three most important pieces of getting started with PowerShell:
● Getting PowerShell up and running
● Downloading the latest help from Microsoft
● Setting up to run actual scripts (which shouldn’t be needed for the one-liners in this chapter)
So, here’s my recommendation for using this chapter:
1. Read this chapter, and do the clickety-clicks.
2. If you’re already reasonably PowerShell savvy, then just go for the PowerShell examples in this chapter if you want to try them out.
3. If you’re warming up to PowerShell, jump to the appendix entitled “Scripting Group Policy Operations with Windows PowerShell” and read the section “Preparing for Your PowerShell Experience,” get set up, then come back to this chapter as a reference for most of what can be done with Group Policy and PowerShell.
Again, you should have already created your management station with the GPMC in the previous chapter. Remember, if you don’t use a Windows 10 machine (or Windows Server 2016) as your management station, you won’t have access to all the latest awesome powers in the Group Policy arsenal. In this chapter, you’re going to be working again with your WIN10MANAGEMENT machine where you’ve already loaded the updated GPMC.
With that in mind, let’s get to know the GPMC a bit better.
I’m going to assume you’ve already installed the GPMC on either your Windows 10 management station (WIN10MANAGEMENT) or your Windows Server 2016 Domain Controller (DC01). If you haven’t tackled those installation steps, go back to Chapter 1 and find the section “Implementing the GPMC on Your Management Station.”
Once you’re ready to get started, from the Start screen, type GPMC.MSC.
Common Procedures with the GPMC and PowerShell
In Chapter 1, we created and linked some GPOs, which we can see in the Group Policy Objects container, to determine how, at each level, we were affecting our users. In the following sections, we’ll continue by working with some advanced options for applying, manipulating, and using Group Policy.
Since we didn’t use PowerShell at all in the last chapter to create and link GPOs, let’s take 30 seconds to do the equivalent of what we did in the last chapter and do it right here, right now, using PowerShell. In short, let’s create a new, blank Group Policy Object, call it GPO123, then link it to the Human Resources Users OU (which is tucked within the Human Resources OU, which itself is within the domain Corp.com).
Before we get started, though, if you’re using an older version of Windows (and/or an older version of PowerShell), you might need to run the command to import the Group Policy cmdlets before you get anything useful to happen. So if nothing appears to be working in PowerShell, start out with the command import-module grouppolicy (which can be seen in Figure 2-1).
If you are not running as the Built-In Administrator account, you will need to launch a PowerShell command prompt with Administrator permissions, because you are doing something that requires elevated access. You can do this by right-clicking the PowerShell shortcut and then clicking the “Run as Administrator” option.
Now, here are the two PowerShell commands you could type to do the job.
Once you are running with Administrator permissions, you’re ready to continue on as follows. For instance, to create a new Group Policy Object, it’s as simple as:
or
Note how the domain name is preceded by dc= and the OUs (parent and child) are preceded by ou= in the PowerShell command.
The result can be seen in Figure 2-1.
Note that this didn’t do any real “work” inside the Group Policy Object; it just created it and linked it to our existing OU. If we go back to using the GPMC, you should be able to refresh the GPMC and then verify that the Group Policy Object is now linked to the right OU.
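The create, link, and order steps described above can be combined into one re-runnable script. This is an added example, not the book's own commands; it assumes the GroupPolicy module is available, uses the chapter's lab names (GPO123, the Human Resources Users OU, Corp.com), and the comment text is made up for illustration.

```powershell
# Added example (not from the book): create, link, order, and verify a GPO.
# Run from an elevated PowerShell prompt on the management station.
Import-Module GroupPolicy   # explicit import is needed on older Windows/PowerShell

$GpoName = 'GPO123'
# Distinguished name of the target: child OU first, then parent OU,
# then each label of the domain name as its own dc= component.
$Target  = 'ou=Human Resources Users,ou=Human Resources,dc=corp,dc=com'

# 1. Create the blank GPO only if it does not exist, so re-running is harmless.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    # The comment string is illustrative only.
    $gpo = New-GPO -Name $GpoName -Comment 'Created by script'
}

# 2. Link it to the OU unless a link to this GPO is already present there.
#    Matching on the GPO's GUID avoids confusion between similarly named GPOs.
$existing = (Get-GPInheritance -Target $Target).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
}

# 3. Order the link at this level. Link order 1 has the highest precedence
#    among the GPOs linked directly to this OU.
Set-GPLink -Guid $gpo.Id -Target $Target -Order 1 | Out-Null

# 4. Verify what is now linked at the OU, in link order, and flag whether
#    inheritance is blocked there, since that changes the effective result.
$som = Get-GPInheritance -Target $Target
$som.GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
"Inheritance blocked at this OU: $($som.GpoInheritanceBlocked)"
```

The final table is the scripted counterpart of refreshing the GPMC and checking the OU by eye.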
While still in the GPMC, clicking a GPO (or a link) lets you get more information about what it does. For now, feel free to click around, but I suggest that you don’t change anything until we get to the specific examples.
Figure 2-1: You can create and link GPOs using PowerShell. Be sure to put items with spaces in double quotes.
Various tabs are available to you once you click the GPO or a link. For instance, let’s locate the GPO that’s linked to the Human Resources Users OU. We’ll do this by drilling down to Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Human Resources ⇒ Human Resources Users and clicking the one GPO that’s linked there: “Hide Mouse Pointers Option/Restore Screen Saver Option.” With that in mind, let’s examine the various sections of a policy setting; you can flip through each of the tabs to get more information about the GPO you just found.
The Scope Tab
Clicking a GPO or a GPO link opens the Scope tab. The Scope tab gives you an at-a-glance view of where and when the GPO will apply. We’ll examine the Scope tab in the sections “Deleting and Unlinking Group Policy Objects” and “Filtering the Scope of Group Policy Objects with Security” later in this chapter and in the WMI section of Chapter 4. For now, you can see that the “Hide Mouse Pointers Option/Restore Screen Saver Option” GPO is linked to the Human Resources Users OU. But you already knew that.
Using Microsoft’s own Group Policy PowerShell cmdlets to detail what Group Policy Objects are linked where is possible, but actually a little tricky. So, we cover how to do that in the PowerShell appendix, in the section “Documenting GPO Links.”
That being said, there is another quick way to do this, if you’re willing to download a third-party (but free) PowerShell cmdlet set from my pal Darren Mar-Elia from SDM Software at:
http://sdmsoftware.com/group-policy-management-products/freeware-group-policy-tools-utilities/.
You’re looking for the SDM GPMC PowerShell cmdlets.
Once