

PowerShell Script with GP cmdlets: Registry setting, Link

The following is a sample script that sets a Preference registry value in a GPO, then compares that same value against all of the GPOs linked in the same domain. If the value is not already set in a linked GPO, the new GPO is linked to that domain as well.

You can copy and paste the following text into a .ps1 file and run it, given a few modifications (the comments denote where you should replace my example names with your own GPO and domain names). Lines that begin with # are comments in the .ps1 file, so you don't need to worry about them being run or printed out.

Hope this helps!

 LiliaG, Group Policy PM

 

## The following script sets a Preference registry value in a GPO, then compares that same value to all of the GPO's linked in the same domain
## it depends on being opened from the Active Directory provider shortcut to the PowerShell console, or navigating to that AD provider first

# necessary for any work with group policy cmdlets
import-module grouppolicy

# necessary for get-ADDomain and get-ADObject, used below
import-module activedirectory

# create new GPO. Replace "GPDEMO" with the name of your choice

new-GPO GPDEMO

# set the variable $key to the string value of the registry key to be set

$key = 'HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath'

# set GP Pref Registry Value

# '(Default)' must be quoted, otherwise PowerShell tries to run it as a command
Set-GPPrefRegistryValue -Name GPDEMO -Context User -Key $key -ValueName '(Default)' -Value "C:\Program Files (x86)\Adobe\Reader 8.0\Reader" -Type String -Action Create

#get all GPO's linked in the domain you choose
#first step is to get the domain object you want

#Replace <your domain here> with the NetBIOS, DNS, SID, or Distinguished Name of the domain

$domain = get-ADDomain -Identity '<your domain here>'

# enter "get-ADDomain -?" for help

# the next step gets all the GPO's currently linked to that domain and extends the attributes to include the GUID of those GPO's

# the second portion of this line is important for parsing the resulting list of GPOs, do not skip it! You must get the " -properties Name " in order to refer to the GPO's by their GUID.

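# release versions of the ActiveDirectory module expose the linked GPOs as LinkedGroupPolicyObjects (this script originally used AppliedGroupPolicies)
$GPOList = $domain.LinkedGroupPolicyObjects | %{Get-ADObject $_ -Properties Name}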

# sets up the variable to be compared against the other GPO's in the domain

$preference = get-GPPrefRegistryValue -Name GPDEMO -Context User -Key $key -ValueName '(Default)'

# warning: this does not check to see if there are other GPO's linked to the domain, this loop will break if there is only one GPO linked in the domain

# loop through

$i = 0
$redundantSetting = 0

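while ($i -lt $GPOList.count) {

$CompareGPO = get-GPO -GUID $GPOList[$i].Name

# read the same preference value from the GPO being compared
# if that GPO does not set the value, $comparePref keeps its reset value and the comparison reports "Not Equal!"
$comparePref = get-GPPrefRegistryValue -GUID $CompareGPO.Id -Context User -Key $key -ValueName '(Default)' -ErrorAction SilentlyContinue

# report out equality

if (($preference.Value).equals($comparePref.Value))
  {
    "Equal!"
     $redundantSetting++
  } else {
     "Not Equal!"
  }

# reset the loop

$comparePref = 0
$i++
}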

# if none of the GPO's linked to the domain have the setting, link this new GPO. Otherwise, do not link it.

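# $redundantSetting counts the linked GPO's that already have the setting, so link only when it is still 0
if ($redundantSetting -eq 0)
  {
     new-GPLink -Name GPDEMO -Target $domain.DistinguishedName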
  } else {
    "Not linking a redundant GPO"
  }

Now, when I detect a redundant setting, I just print something out to the screen. You can do something more interesting, like write to a file, trigger another script, send an email, etc. In fact, I hope you do! Let me know what you do with this script, how you improve it, if/how you use it, or if it causes you any trouble.
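
As an added example (not part of the original post or the Group Policy team's code), the comparison can be wrapped in a function that emits one row per linked GPO, so the result can be written to a file before deciding whether to link. The function name, the domain corp.example.com and the output file name are assumptions; it also covers a domain with a single linked GPO and GPOs that do not carry the value.

```powershell
# Added example, not from the original post. Requires the GroupPolicy and
# ActiveDirectory modules. Function name and sample domain are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

function Get-LinkedGPPrefRegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$Key,
        [string]$ValueName = '(Default)',
        [ValidateSet('User', 'Computer')][string]$Context = 'User'
    )

    $adDomain = Get-ADDomain -Identity $Domain

    # @( ) keeps the result an array even when only one GPO is linked,
    # the case the original loop warns about.
    $linked = @($adDomain.LinkedGroupPolicyObjects |
        ForEach-Object { Get-ADObject $_ -Properties Name })

    foreach ($entry in $linked) {
        $gpo = Get-GPO -Guid $entry.Name -Domain $adDomain.DNSRoot
        $found = $null
        try {
            $found = Get-GPPrefRegistryValue -Guid $gpo.Id -Context $Context `
                -Key $Key -ValueName $ValueName -Domain $adDomain.DNSRoot `
                -ErrorAction Stop
        } catch {
            # This GPO has no preference item for the key/value; report it as absent.
        }

        # One row per linked GPO; a GPO can hold several items for the same value.
        New-Object PSObject -Property @{
            GpoName  = $gpo.DisplayName
            GpoId    = $gpo.Id
            HasValue = [bool]$found
            Value    = (@($found | ForEach-Object { $_.Value }) -join '; ')
        } | Select-Object GpoName, GpoId, HasValue, Value
    }
}

# Constructed usage: write the audit to a file, then link only if no linked GPO
# already sets the same value.
$key    = 'HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath'
$wanted = 'C:\Program Files (x86)\Adobe\Reader 8.0\Reader'
$rows   = @(Get-LinkedGPPrefRegistryValue -Domain 'corp.example.com' -Key $key)
$rows | Export-Csv -Path .\gppref-audit.csv -NoTypeInformation
if (-not ($rows | Where-Object { $_.Value -eq $wanted })) {
    New-GPLink -Name GPDEMO -Target (Get-ADDomain -Identity 'corp.example.com').DistinguishedName
}
```

The CSV gives a record of which linked GPOs already carried the value at the time the link decision was made.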

Comments

  • Anonymous
    January 01, 2003
    Hey Matt - Thanks for stopping by! I hope you find something useful here. Have you gotten a chance to use the GP cmdlets or GPPreferences? -LiliaG

  • Anonymous
    January 01, 2003
    Great to see that more GP stuff can be scripted with Powershell. Modifying the content of a GPO was not possible so far... But of course, if there is a "Set-GPPrefRegistryValue" function there is the question about others, e.g. "Set-GPPrefDriveMap" or "Set-GPPrefFilesAction"? Will there be support for more (or even all) types of settings?

  • Anonymous
    May 01, 2009
    Lilia, Thanks for presenting today at MMS.  I just wanted to let you know that I came and checked out the blog like you wanted.

  • Anonymous
    May 05, 2009
    Hi Lilia, I was also at MMS and I must say... You're pulling me back into PowerShell to manage our GPs! I'm glad I attended your session and had a chance to chat afterwards.

  • Anonymous
    July 23, 2009
    Hi guys, I'm trying to find a way to edit (with a powershell script) the GPPs of a GPO so that it automatically creates shortcuts in users' start menu. Basically I would like to know how I can script what can be done manually using the Group Policy Management Editor in the "User Configuration/Preferences/Windows Settings/Shortcuts" section. Any insights? Thanks! I'm using the Powershell 2.0 embedded in Windows Server 2008 R2 RC

  • Anonymous
    September 25, 2009
    I'm curious why the GPO DN (as returned by the .linkedGroupPolicyObjects attribute) is not usable as an -Identity for Get-GPO? I guess I could always create an alias to simulate that, but most other AD/GP cmdlets seem to use the DN as a valid -Identity... (or perhaps that's just my assumption - I've only been using them for a few hours now.) And related to that, it seems a shame that GPMC is still easier to use to find all links for a GPO in a forest. I have inherited a large number of dodgy GPOs named "New Group Policy Object" - it would be lovely to be able to quickly find the ones that are not linked anywhere in my forest. Combined with the version numbers and enabled properties, it would be reasonably easy to back up, and purge the empty/useless GPOs.