ADM421 Scripting Group Policy Operations BJ Whalen Program Manager Windows Server Microsoft Corporation
Agenda Introduction Object model overview Searching Managing permissions Backup and restore Import and copy Migration tables Scenario: creating a staging environment Resources
Overview Group Policy is now scriptable! Via COM objects Provided by the Group Policy Management Console (GPMC) Scriptability was a key design goal of the GPMC The GPMC interfaces Serve as backend to GPMC UI Are accessible via scripts and C++ Can manage Windows 2000 and Windows Server 2003 domains
What Is Scriptable? Creating/deleting/renaming GPOs Linking GPOs and WMI filters Delegation Security on GPOs and WMI filters GP-related security on sites, domains, OUs Creation rights for GPOs and WMI filters Generating reports of GPO settings Generating reports of RSOP data Backup/Restore of GPOs Import/Export, Copy/Paste Search for GPOs
What Is Not Scriptable? Settings within a GPO. Examples: “Remove Run command from Start Menu”; Redirect “My Documents” to \\server\foo. Workaround for many cases: script the creation of the GPO and import its settings from an exported (backed-up) GPO.
Scripting System Requirements In order to script GP operations, GPMC must be installed on the machine where you execute scripts. GPMC runs on Windows ® Server 2003 or Windows ® XP with SP1, and requires the .NET Framework and a post-SP1 QFE (included with GPMC) that updates GPEdit.dll.
Windows 2000 domains GPMC can manage Windows ® 2000 domains GPMC itself must run on XP or Server 2003 Some capabilities only available in Windows Server 2003 forests or domains WMI Filters Group Policy Modeling Delegation of Group Policy Results
GPMC Scripting Examples (demo)
Object Model Intro Central Object is “GPM” All other objects are accessible through GPM Creating GPM Set GPM = CreateObject(“gpmgmt.GPM”)
Scope Of Management (SOM) SOM = A DS container where GPOs can be linked A GPO link is a property of the SOM, not the GPO Same GPO can have multiple links to different SOMs Types of SOMs Sites Domains OUs
Object Model Overview GPM GPMSitescontainerGPMDomain GPMGPO GPMWMIFilter GPMSOM GPMGPOLink GPMSecurityInfo GPMPermission GPMSearchCriteria GPMConstants GPMBackupDir GPMMigrationTable
GPMDomain Object Purpose: access and search for GPOs and WMI Filters Create, search, get, restore SOMs: (Domain and OU only) Get and search SOMs Key methods GetGPO(), SearchGPOs() CreateGPO(), RestoreGPO() GetSOM(), SearchSOMs() GetWMIFilter(), SearchWMIFilters() Properties Domain, DomainController
Creating GPMDomain Accessed from GPM.GetDomain(). Specify the domain and, optionally, a DC when created. The domain name must be the full DNS name. If no DC is specified, the PDC emulator is used by default unless the “UseAnyDC” flag is passed. Example:
Set GPMDomain = GPM.GetDomain("corp.mycompany.com", "CORP-DC-01", 0)
GPMSitesContainer Object Purpose: access and search sites Key Methods GetSite() SearchSites() Properties Domain DomainController Forest
Using GPMSitesContainer Accessed from GPM.GetSitesContainer(). Specify Forest, Domain and DC when created. Naming format: Forest and Domain in DNS; DC can be either DNS or NetBIOS. If no DC is specified, the PDC emulator is used by default unless the “UseAnyDC” flag is passed. Example:
Set GPMSitesContainer = GPM.GetSitesContainer("corp.mycompany.com", "europe.corp.mycompany.com", "EUR-DC-01", 0)
DC Selection DCs can only be specified at GPMDomain and GPMSitesContainer PDC is default choice Can optionally specify Choose any DC Choose a particular DC Once chosen, same DC is used by all child objects
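The object-model and DC-selection rules above, driven from PowerShell instead of the deck's VBScript. This is an added example, not code from the deck or from the GPMC sample scripts; it assumes the GPMC COM server (GPMgmt.GPM) is registered on the machine, and the domain name corp.mycompany.com and DC name CORP-DC-01 are placeholders.

```powershell
# Added example (PowerShell, not from the deck): create the GPM root object and bind to a
# domain and the sites container with the three DC-selection choices the deck describes.
# Domain and DC names are placeholders.
$gpm       = New-Object -ComObject "GPMgmt.GPM"
$constants = $gpm.GetConstants()   # every GPMConstants.* value used in the deck lives here

$domainName = "corp.mycompany.com"  # must be the full DNS name, not the NetBIOS name

# flags = 0 and no DC name: GPMC binds to the PDC emulator. Keep this for scripts that WRITE,
# so concurrent edits from several admins land on one DC instead of racing replication.
$domainPdc = $gpm.GetDomain($domainName, "", 0)

# UseAnyDC: let GPMC take whatever DC the locator returns. Fine for read-only reporting.
$domainAny = $gpm.GetDomain($domainName, "", $constants.UseAnyDC)

# Pin a DC explicitly, e.g. to read back a change you just wrote to that DC.
$domainPin = $gpm.GetDomain($domainName, "CORP-DC-01", 0)

# Sites live in the forest's configuration partition, so the container is bound by forest,
# domain and (optional) DC. Every child object (GPMSOM, GPMGPO, ...) reuses the DC chosen here.
$sites = $gpm.GetSitesContainer($domainName, $domainName, "", $constants.UseAnyDC)

function Get-GpmBindingSummary {
    # Reports which DC each binding actually resolved to.
    [pscustomobject]@{
        PdcBinding   = $domainPdc.DomainController
        AnyDcBinding = $domainAny.DomainController
        PinnedDc     = $domainPin.DomainController
        SitesDc      = $sites.DomainController
        Forest       = $sites.Forest
    }
}

Get-GpmBindingSummary | Format-List
```

The PDC-emulator default is not cosmetic: two scripts writing the same GPO through different DCs produce a replication conflict that AD resolves by last-writer-wins, so keep `UseAnyDC` for read-only queries.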
GPMGPO Object Purpose: manage an individual GPO Key Methods Backup() Import() CopyTo() Get/SetSecurityInfo() Delete() GenerateReportToFile() Key properties DisplayName ID Status Version info
Using GPMGPO Accessed from GPMDomain.CreateGPO(), GPMDomain.GetGPO(), GPMDomain.SearchGPOs(). Examples:
Set MyGPO1 = GPMDomain.CreateGPO()
MyGPO1.DisplayName = "My New GPO"
' GetGPO() takes the GPO GUID; this is the well-known GUID of the Default Domain Policy
strGUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
Set MyGPO2 = GPMDomain.GetGPO(strGUID)
GPMSOM Object Purpose Create/Delete/Manage links on a SOM Get/Set policy-related security on SOM Key methods CreateGPOLink() GetGPOLinks() GetInheritedGPOLinks() GetSecurityInfo(), SetSecurityInfo() Key properties Path Type (e.g., Site, Domain, OU) Name
Using GPMSOM Accessed from GPMSitesContainer.GetSite() GPMDomain.GetSOM() Name Format Sites: specify friendly site name Domain and OUs: specify distinguished name Tip: use ADSI to retrieve distinguished name based on friendly name Example strSOMPath = “ou=Mktg,dc=corp,dc=mycompany,dc=com” Set MySOM = GPMDomain.GetSOM(strSomPath)
Creating A Link To link a GPO to a SOM Use GPMSOM.CreateGPOLink() CreateGPOLink() takes two parameters Link position Use -1 to add to the end A GPMGPO object representing the GPO to link Example Set MyGPOLink = MySOM.CreateGPOLink(-1, MyGPO)
Getting All Links For A SOM Use GPMSOM.GetGPOLinks() Returns a collection of GPMGPOLink objects Note: all GPMC collections are 1-based Example Set Links = GPMSOM.GetGPOLinks()
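The GPO creation, SOM lookup, linking and link enumeration from the last four slides as one PowerShell run. This is an added example, not code from the deck; the domain, OU distinguished name and GPO display name are placeholders.

```powershell
# Added example (PowerShell, not from the deck): create a GPO, link it to an OU and list the
# OU's link order. Domain, OU and GPO names are placeholders.
$gpm       = New-Object -ComObject "GPMgmt.GPM"
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain("corp.mycompany.com", "", 0)   # PDC emulator for writes

# A new GPO is created unlinked; nothing applies it until some SOM links it.
$gpo = $domain.CreateGPO()
$gpo.DisplayName = "Managed Desktops"

# Domain and OU SOMs are addressed by distinguished name; sites by their friendly name.
$som = $domain.GetSOM("ou=Mktg,dc=corp,dc=mycompany,dc=com")

# Link order 1 is processed last and therefore wins conflicts; -1 appends at the end of the
# order (lowest precedence). Enabled/Enforced are properties of the link, not of the GPO.
$link = $som.CreateGPOLink(-1, $gpo)
$link.Enabled  = $true
$link.Enforced = $false

function Get-SomLinkOrder($som) {
    # GPMC collections are 1-based: Item(1) is the first (highest-precedence) link.
    $links = $som.GetGPOLinks()
    for ($i = 1; $i -le $links.Count; $i++) {
        $l = $links.Item($i)
        [pscustomobject]@{
            Order    = $l.SOMLinkOrder
            GPOID    = $l.GPOID
            Enabled  = $l.Enabled
            Enforced = $l.Enforced
        }
    }
}

# What the OU actually receives also includes links inherited from the domain and parent OUs
# (GetInheritedGPOLinks), unless inheritance is blocked, which is itself a SOM property.
Get-SomLinkOrder $som | Format-Table -AutoSize
"Inheritance blocked on {0}: {1}" -f $som.Name, $som.GPOInheritanceBlocked
```

When auditing delegation, remember that whoever can create links on a SOM controls which GPOs apply there, including GPOs they cannot edit, so link rights deserve the same scrutiny as edit rights.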
Search Overview GPMC allows you to search for GPOs, WMI Filters, SOMs, Backups Based on friendly name and other attributes Examples Find objects without knowing GUIDs Where is the ‘Managed Desktops’ GPO linked? E.g.: find all SOMs that are linked to ‘Managed Desktops’ GPO
Search Methods GPMDomain.SearchGPOs() GPMDomain.SearchSOMs() GPMDomain.SearchWMIFilters() GPMSitesContainer.SearchSites() GPMBackupDir.SearchBackups() Each Search Method takes a GPMSearchCriteria object
Search Results Results are returned as collections of GPMC objects GPMGPOCollection GPMWMIFilterCollection GPMSOMCollection GPMBackupCollection Can enumerate the collections using normal scripting methods ‘For Each’ in Visual Basic ® Scripting Edition ‘Enumerator’ object in JScript ®
GPMSearchCriteria Object Can hold multiple criteria Each criteria consists of Property being searched (e.g., GPO Name) Comparison Operator: Equals, NotEquals, Contains, NotContains Value being searched for (e.g., “TestGPO”) All criteria are then AND’ed together
GPO Searches Can search for GPOs based on Display Name Permissions Effective Permissions WMI Filter Policy Extensions set in the GPOs Example Find all GPOs that “Policy Admins” group has rights to edit and that have Folder Redirection policy set Use GPMDomain.SearchGPOs() Use an empty GPMSearchCriteria to enumerate all GPOs in the domain
GPO Search Example To get the “Managed Desktops” GPO without needing to know its GUID:
Set GPMConstants = GPM.GetConstants()
Set GPMSearchCriteria = GPM.CreateSearchCriteria()
strGPOName = "Managed Desktops"
GPMSearchCriteria.Add GPMConstants.SearchPropertyGPODisplayName, GPMConstants.SearchOpEquals, strGPOName
Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria)
Set MyGPO = GPOList.Item(1)
Note: display names are not unique in a domain, so check GPOList.Count before taking Item(1).
SOM Searches Used to find all SOMs where a given GPO is linked Two methods GPMDomain.SearchSOMs() GPMSitesContainer.SearchSites() Use ADSI for other SOM-based searches
SOM Search Example To find all OUs that are linked to the “Managed Desktops” GPO. Assume MyGPO is the “Managed Desktops” GPO from the previous example:
Set GPMSearchCriteria = GPM.CreateSearchCriteria()
GPMSearchCriteria.Add GPMConstants.SearchPropertySOMLinks, GPMConstants.SearchOpContains, MyGPO
Set SOMList = GPMDomain.SearchSOMs(GPMSearchCriteria)
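The GPO search, SOM-link search and permission-based GPO search described in this section, combined into one PowerShell run. This is an added example, not code from the deck; the domain name, the “Managed Desktops” GPO and the CORP\Policy Admins group are placeholders.

```powershell
# Added example (PowerShell, not from the deck): find a GPO by display name, find every SOM it
# is linked to, and list the GPOs a given group can edit. Names are placeholders.
$gpm       = New-Object -ComObject "GPMgmt.GPM"
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain("corp.mycompany.com", "", $constants.UseAnyDC)   # read-only: any DC
$sites     = $gpm.GetSitesContainer("corp.mycompany.com", "corp.mycompany.com", "", $constants.UseAnyDC)

function Find-GpoByName([string]$name) {
    $c = $gpm.CreateSearchCriteria()
    $c.Add($constants.SearchPropertyGPODisplayName, $constants.SearchOpEquals, $name)
    $hits = $domain.SearchGPOs($c)
    # Display names are not unique in AD. Refuse ambiguity instead of silently taking Item(1).
    if ($hits.Count -ne 1) { throw "Expected one GPO named '$name', found $($hits.Count)" }
    return $hits.Item(1)
}

function Find-GpoLinks($gpo) {
    # SearchPropertySOMLinks with SearchOpContains takes the GPMGPO object itself as the value.
    # Domain/OU SOMs and sites are searched separately: sites live in the configuration partition.
    $c = $gpm.CreateSearchCriteria()
    $c.Add($constants.SearchPropertySOMLinks, $constants.SearchOpContains, $gpo)
    foreach ($som in $domain.SearchSOMs($c)) {
        [pscustomobject]@{ Type = "Domain/OU"; SOM = $som.Path }
    }
    foreach ($site in $sites.SearchSites($c)) {
        [pscustomobject]@{ Type = "Site"; SOM = $site.Name }
    }
}

function Find-GposEditableBy([string]$trustee) {
    # Permission-based search: which GPOs could this group modify? The effective-permissions
    # property also counts rights gained through nested group membership.
    $perm = $gpm.CreatePermission($trustee, $constants.PermGPOEdit, $false)
    $c = $gpm.CreateSearchCriteria()
    $c.Add($constants.SearchPropertyGPOEffectivePermissions, $constants.SearchOpContains, $perm)
    foreach ($g in $domain.SearchGPOs($c)) { $g.DisplayName }
}

$gpo = Find-GpoByName "Managed Desktops"
Find-GpoLinks $gpo | Format-Table -AutoSize
Find-GposEditableBy "CORP\Policy Admins"
```

The last search is the one to run before trusting a delegation model: it answers “which GPOs can this group change?” directly, which the GPO-by-GPO view in the UI does not.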
Permissions Overview Goal: simplify handling of GP permissions GPMC manages permissions using predefined levels Each level in GPMC corresponds to a specific set of Windows NT permissions (read, write, create child objects, etc.) Example Editing a GPO requires four individual NT permissions GPMC manages this as a single permission For ACEs that don’t match predefined levels, GPMC returns “custom”
Understanding Permissions GPMSecurityInfo object Represents set of GP-related permissions for a given object Can apply to GPOs, WMI filters, SOMs GPMPermission object Represents the permission level for a given security principal Each GPMSecurityInfo is a collection of GPMPermission objects
GPO Permissions GPMPermission levels for GPOs Apply the GPO Read the GPO Edit the GPO Edit, modify security, delete the GPO Custom Apply is “special” It includes Read, but is independent from other permission levels Can be combined with Edit or Edit/Security “Custom” can only be read, not set Can be deleted
Example: GPO Permissions Task: grant edit permissions on a GPO to the “Policy Admins” group. Note: get the GPMGPO object using the search methods.
' Create a Permission object with Edit rights (third parameter: inheritable; False for a GPO)
Set GPMConstants = GPM.GetConstants()
Set GPMPerm = GPM.CreatePermission("Policy Admins", GPMConstants.PermGPOEdit, False)
' Set the permission on the GPO
Set GPMSecInfo = MyGPO.GetSecurityInfo()
GPMSecInfo.Add GPMPerm
MyGPO.SetSecurityInfo GPMSecInfo
GPO Security (demo)
SOM Permissions GPMPermission levels for SOMs Linking GPOs Performing RSoP planning analysis Remotely access RSoP logging data RSOP delegation not applicable for sites
Domain-specific permissions Creating GPOs By default, “Group Policy Creator Owners” group has this permission Can create GPOs in the domain, but cannot edit other GPOs they didn’t create Creating WMI filters By default, “Group Policy Creator Owners” group has this permission Can create WMI filters in the domain, but cannot edit filters they didn’t create Full control for all WMI filters Can create WMI filters in the domain Members have full control over all WMI filters in the domain These are accessed from the domain SOM
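The permission model of this section (GPMSecurityInfo as a collection of GPMPermission levels on GPOs and SOMs) as a PowerShell audit-and-delegate script. This is an added example, not code from the deck or the GPMC samples; the domain, OU, the CORP\Policy Admins and CORP\Mktg OU Admins groups are placeholders, and the GPO GUID is the well-known Default Domain Policy GUID.

```powershell
# Added example (PowerShell, not from the deck): report GPO permission levels, flag unexpected
# editors, grant Edit on a GPO and delegate link rights on an OU. Names are placeholders.
$gpm       = New-Object -ComObject "GPMgmt.GPM"
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain("corp.mycompany.com", "", 0)   # PDC emulator for writes

# Map the numeric GPMC levels back to names for reporting.
$levelName = @{
    ($constants.PermGPOApply)                 = "Apply"
    ($constants.PermGPORead)                  = "Read"
    ($constants.PermGPOEdit)                  = "Edit"
    ($constants.PermGPOEditSecurityAndDelete) = "EditSecurityAndDelete"
    ($constants.PermGPOCustom)                = "Custom"
}

function Get-GpoPermissions($gpo) {
    # GPMSecurityInfo enumerates as GPMPermission objects: one trustee, one level each.
    foreach ($p in $gpo.GetSecurityInfo()) {
        [pscustomobject]@{
            Trustee   = $p.Trustee.TrusteeName
            Sid       = $p.Trustee.TrusteeSid
            Level     = $levelName[[int]$p.Permission]
            Inherited = $p.Inherited
        }
    }
}

# Audit check: anyone outside this set holding Edit, Edit/Security/Delete or an opaque Custom
# level can push arbitrary settings (scripts, tasks, user rights) to every linked computer.
# SYSTEM, CREATOR OWNER, Domain Admins (RID 512) and Enterprise Admins (RID 519).
$expectedEditorSids = @("S-1-5-18", "S-1-3-0", "S-1-5-21-*-512", "S-1-5-21-*-519")
function Find-UnexpectedGpoEditors($gpo) {
    Get-GpoPermissions $gpo | Where-Object {
        $_.Level -in @("Edit", "EditSecurityAndDelete", "Custom") -and
        -not ($expectedEditorSids | Where-Object { $_ -ne $null -and $args.Count -ge 0 -and $_ } |
              ForEach-Object { $sid = $_; $false } ) -and
        -not [bool]($expectedEditorSids | Where-Object { $sidPattern = $_; $_ } | Where-Object { $sidPattern } | Out-Null) -and
        -not [bool]($expectedEditorSids | ForEach-Object { $_ } | Where-Object { $true } | Out-Null) -and
        -not ($expectedEditorSids | Where-Object { $_ } | ForEach-Object { $_ } | Out-Null) -and
        -not [bool](Test-SidExpected $_.Sid)
    }
}
function Test-SidExpected([string]$sid) {
    foreach ($pattern in $expectedEditorSids) { if ($sid -like $pattern) { return $true } }
    return $false
}

$gpo = $domain.GetGPO("{31B2F340-016D-11D2-945F-00C04FB984F9}")   # Default Domain Policy

# Grant Edit to a delegated group. Inheritable is False on a GPO: nothing inherits from it.
$perm = $gpm.CreatePermission("CORP\Policy Admins", $constants.PermGPOEdit, $false)
$sec  = $gpo.GetSecurityInfo()
$sec.Add($perm)
$gpo.SetSecurityInfo($sec)

# Delegate LINK rights on an OU (a SOM-level permission). Linking lets the holder apply any GPO
# they can read to that OU, so treat PermSOMLink holders as policy admins of that subtree.
$ou     = $domain.GetSOM("ou=Mktg,dc=corp,dc=mycompany,dc=com")
$ouPerm = $gpm.CreatePermission("CORP\Mktg OU Admins", $constants.PermSOMLink, $true)  # inherit to child OUs
$ouSec  = $ou.GetSecurityInfo()
$ouSec.Add($ouPerm)
$ou.SetSecurityInfo($ouSec)

Get-GpoPermissions $gpo | Format-Table -AutoSize
Find-UnexpectedGpoEditors $gpo | Format-Table -AutoSize
```

Matching on SIDs rather than display names keeps the check stable across renamed groups and localized well-known accounts; a “Custom” level is reported as suspicious on purpose, because GPMC cannot tell you what the underlying ACEs grant.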
Backing Up A GPO A backup transfers to the file system Policy Settings in the GPO ACLs on the GPO Link to the WMI Filter Report of the settings NOTE: Does NOT back up links to the GPO To create a backup Use GPMGPO.Backup() Backup() takes two parameters File system folder Comment Example Set MyBackup = MyGPO.Backup(“\\svr\GPOs”, “Test”)
Managing Backups Each backup instance Represented by GPMBackup object Has a unique Backup ID (GUID) Can be identified by GPO Name, Description, Domain, Timestamp, GPO GUID Multiple backups can be stored in the same location Multiple GPOs Multiple versions of the same GPO GPMBackupDir object Represents set of backups stored in the file system at a given location Query for GPMBackups using GPMBackupDir.SearchBackups()
Backup Searches Can search for backups based on Domain GPO ID GPO Display Name Most Recent Backup Example Find the most recent backup in backup folder z:\GPOBackups for GPO ‘Default Domain Policy’ Use GPMBackupDir.SearchBackups()
Example Finding GPMBackup To get the most recent GPO backup for MyGPO in CORP (backup folder z:\GPOBackups from the previous slide):
Set GPMConstants = GPM.GetConstants()
Set GPMBackupDir = GPM.GetBackupDir("z:\GPOBackups")
Set GPMSearchCriteria = GPM.CreateSearchCriteria()
strDomain = "corp.mycompany.com"
strGPO_ID = MyGPO.ID
GPMSearchCriteria.Add GPMConstants.SearchPropertyGPODomain, GPMConstants.SearchOpEquals, strDomain
GPMSearchCriteria.Add GPMConstants.SearchPropertyGPOID, GPMConstants.SearchOpEquals, strGPO_ID
GPMSearchCriteria.Add GPMConstants.SearchPropertyBackupMostRecent, GPMConstants.SearchOpEquals, True
Set BackupList = GPMBackupDir.SearchBackups(GPMSearchCriteria)
Restore Definition Restores all attributes of the GPO Policy settings in the GPO ACLs on the GPO Links to the WMI Filter Does NOT modify links to the GPO This is an attribute of the SOM Permission required to restore Existing GPO: edit/delete/modify security on the GPO Deleted GPO: GPO Creation rights
Restoring A GPO To restore a GPO, use GPMDomain.RestoreGPO(). RestoreGPO() takes two parameters: the GPMBackup object containing the GPO to restore, and a flag controlling whether to validate that the DC is Windows Server 2003 (pass 0 to validate, or GPMConstants.DoNotValidateDC to skip); the check is only relevant if the GPO contains Software Installation settings. Note: the GPMBackup must be obtained from a GPMBackupDir, and restore is same-domain only. Example:
strBackupID = "{ FEDD-4779-B9FD-5D9D69A585A4}"
Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
Set MyBackup = BackupDir.GetBackup(strBackupID)
Set GPMResult = GPMDomain.RestoreGPO(MyBackup, 0)
Backing Up All GPOs In The Domain (demo)
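The backup, backup-search and restore operations of this section, including the “back up all GPOs in the domain” demo, as one PowerShell script. This is an added example, not code from the deck or the GPMC sample scripts; the domain name and the \\svr\GPOs backup share are placeholders.

```powershell
# Added example (PowerShell, not from the deck): back up every GPO in the domain, then locate the
# most recent backup of one GPO and restore it. Domain name and backup share are placeholders.
$gpm        = New-Object -ComObject "GPMgmt.GPM"
$constants  = $gpm.GetConstants()
$domain     = $gpm.GetDomain("corp.mycompany.com", "", 0)   # PDC emulator for writes
$backupRoot = "\\svr\GPOs"   # a backup carries every setting plus the GPO ACL: restrict this share
$backupDir  = $gpm.GetBackupDir($backupRoot)

function Backup-AllGpos {
    # An empty GPMSearchCriteria matches every GPO in the domain.
    $all = $domain.SearchGPOs($gpm.CreateSearchCriteria())
    foreach ($gpo in $all) {
        $comment = "Scripted backup " + (Get-Date -Format s)
        $result  = $gpo.Backup($backupRoot, $comment)
        try {
            # OverallStatus() throws if any status message in the GPMResult is an error.
            $null   = $result.OverallStatus()
            $backup = $result.Result          # the GPMBackup just written
            [pscustomobject]@{ GPO = $gpo.DisplayName; BackupID = $backup.ID; Status = "ok" }
        } catch {
            # Report per-GPO failures instead of aborting the run; the detail is in Status.
            $msgs = foreach ($m in $result.Status) { $m.Message }
            [pscustomobject]@{ GPO = $gpo.DisplayName; BackupID = $null; Status = ($msgs -join "; ") }
        }
    }
}

function Get-LatestBackup([string]$gpoId) {
    # Search by domain + GPO ID + most-recent, as on the "Example Finding GPMBackup" slide.
    $c = $gpm.CreateSearchCriteria()
    $c.Add($constants.SearchPropertyGPODomain,        $constants.SearchOpEquals, $domain.Domain)
    $c.Add($constants.SearchPropertyGPOID,            $constants.SearchOpEquals, $gpoId)
    $c.Add($constants.SearchPropertyBackupMostRecent, $constants.SearchOpEquals, $true)
    $hits = $backupDir.SearchBackups($c)
    if ($hits.Count -lt 1) { throw "No backup of $gpoId under $backupRoot" }
    return $hits.Item(1)
}

function Restore-GpoFromLatest([string]$gpoId) {
    $backup = Get-LatestBackup $gpoId
    # Restore overwrites settings, ACL and WMI-filter link of the live GPO; links TO the GPO
    # are SOM attributes and are left alone. Log what is being restored before doing it.
    "Restoring {0} from backup {1} taken {2}" -f $backup.GPODisplayName, $backup.ID, $backup.Timestamp
    # Flags 0 keeps the Windows Server 2003 DC check that matters for Software Installation;
    # $constants.DoNotValidateDC would skip it.
    $result = $domain.RestoreGPO($backup, 0)
    $null   = $result.OverallStatus()
    return $result.Result      # the restored GPMGPO
}

Backup-AllGpos | Format-Table -AutoSize
# Restore-GpoFromLatest "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # Default Domain Policy
```

Because a restore of an existing GPO requires Edit/Delete/Modify-Security on it and a restore of a deleted GPO requires GPO creation rights, run the script under an account with exactly those rights and nothing more; the backup share itself should be writable only by the backup job, since anyone who can alter a backup controls what a later restore deploys.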
Import And Copy Transfers policy settings only Does not modify links to GPO Can be used same domain, cross domain, cross forest Cross domain/forest operations facilitated by Migration Tables Enables “templatization” of managed configurations Key difference is source/destination behavior Import: from file system to existing GPO Copy: from live GPO to new GPO
Cross Domain/Forest Migration overview Key challenge - some settings are domain/forest specific References to users, groups, and computers References to UNC paths Solution: migration table Maps a reference in source GPO to a new reference in destination GPO
Scenario: Test to production (figure: test forest with domains A, B, C; production forest with domains D, E, F). The user-rights references in GPO X are mapped to new references in the copy of GPO X:
B\PilotUsersGroup (domain B) → E\RedmondUsers (domain E)
\\TestServer\%username% (domain B) → \\CPITGFS01\%username% (domain E)
A\PilotUserRemoteGroup (domain A) → D\RemoteUsersGroup (domain D)
\\TestServer\STD (domain C) → \\CPITGSD05\STD (domain F)
Scenario: Production to production (figure: one production forest with domains A, B, C). The user-rights references in GPO X are mapped in the copy of GPO X:
B\JapanUsers (domain B) → C\JapanUsers (domain C)
\\CPITGFSD01\STD (domain B) → \\CPITGFSD01\STD (domain C)
\\CPITGFS01\%username% (domain A) → \\CPITGFS02\%UserName% (domain A)
Import Settings Into A GPO To import settings, use GPMGPO.Import(). Import() takes three parameters: a flag to indicate whether to use the migration table exclusively; the GPMBackup object containing the settings to import; an optional instance of a GPMMigrationTable object. Example:
strBackupID = "{ FEDD-4779-B9FD-5D9D69A585A4}"
Set MyMigrationTable = GPM.GetMigrationTable("MyTable.xml")
Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
Set MyBackup = BackupDir.GetBackup(strBackupID)
Set GPMResult = MyGPO.Import(0, MyBackup, MyMigrationTable)
Copying A GPO To copy a live GPO Use GPMGPO.CopyTo() CopyTo() creates a new GPO containing the same policy settings as the source GPO CopyTo() takes four parameters Flag indicating whether to Copy the ACL on the GPO (if not specified, use default ACL for new GPOs) Use migration table exclusively GPMDomain object (for target domain) Optional display name to use for the copied GPO If not specified, the default name for new GPOs is used Optional instance of a GPMMigrationTable object Example CopyFlags = GPMConstants.ProcessSecurity Set NewGPMGPO = MyGPO.CopyTo (CopyFlags,GPMTargetDomain,“Copy of MyGPO”)
Sample Migration Table
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>TESTDOMAIN1\GroupXYZ</Source>
    <Destination>TESTDOMAIN2\GroupABC</Destination>
  </Mapping>
</MigrationTable>
A sample is installed to %programfiles%\gpmc\scripts when you install GPMC.
Using Migration Tables To create a migration table GPM.CreateMigrationTable() To open an existing migration table GPM.GetMigrationTable() To edit a migration table, use GPMMigrationTable object You can auto-populate the migration table based on the contents of an existing GPO or backup Pass either GPMGPO or GPMBackup to GPMMigrationTable.Add() You can create and delete individual entries in the migration table using GPMMigrationTable.AddEntry() GPMMigrationTable.GetEntry() GPMMigrationTable.DeleteEntry() See sample script: “CreateMigrationTable.wsf” in %programfiles%\gpmc\scripts directory.
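The migration-table workflow of this section and the Import()/CopyTo() calls of the previous slides, carried through as one PowerShell script: auto-populate a table from a backup, set every destination, validate, save, then import with the table applied exclusively. This is an added example, not code from the deck or from CreateMigrationTable.wsf; the domain names, the \\svr\GPOs share, the C:\gpo\test-to-prod.migtable path and the “GPO X” name are placeholders, and the UNC mappings are the ones from the test-to-production scenario.

```powershell
# Added example (PowerShell, not from the deck): build a migration table from a backup taken in
# the test forest, map every principal and UNC path, validate, then import into a production GPO
# with the table applied exclusively. Names, share and file paths are placeholders.
$gpm       = New-Object -ComObject "GPMgmt.GPM"
$constants = $gpm.GetConstants()
$prod      = $gpm.GetDomain("corp.mycompany.com", "", 0)   # destination: PDC emulator for writes
$backupDir = $gpm.GetBackupDir("\\svr\GPOs")               # backups exported from the test forest

# Most recent backup of "GPO X" (search rather than hard-coding a backup GUID).
$c = $gpm.CreateSearchCriteria()
$c.Add($constants.SearchPropertyGPODisplayName,   $constants.SearchOpEquals, "GPO X")
$c.Add($constants.SearchPropertyBackupMostRecent, $constants.SearchOpEquals, $true)
$hits = $backupDir.SearchBackups($c)
if ($hits.Count -lt 1) { throw "no backup of GPO X found" }
$backup = $hits.Item(1)

# Explicit mappings for the UNC paths the test GPO references (from the deck's scenario).
$pathMap = @{
    "\\TestServer\%username%" = "\\CPITGFS01\%username%"
    "\\TestServer\STD"        = "\\CPITGSD05\STD"
}

function New-TestToProdTable($backup) {
    $table = $gpm.CreateMigrationTable()
    # Harvest every security principal and UNC path the backup references. ProcessSecurity also
    # pulls in the trustees of the GPO's own ACL, which must be mapped as well.
    $table.Add($constants.ProcessSecurity, $backup)

    foreach ($entry in $table.GetEntries()) {
        if ($entry.EntryType -eq $constants.EntryTypeUNCPath) {
            if (-not $pathMap.ContainsKey($entry.Source)) { throw "unmapped UNC path: $($entry.Source)" }
            $table.UpdateDestination($entry.Source, $pathMap[$entry.Source])
        } else {
            # TEST\Group -> CORP\Group, resolved against the destination domain at import time.
            $table.UpdateDestination($entry.Source, $constants.DestinationOptionByRelativeName)
        }
    }

    # Validate before use: unresolvable principals or bad syntax surface here, not in production.
    $v = $table.Validate()
    $null = $v.OverallStatus()
    $table.Save("C:\gpo\test-to-prod.migtable")
    return $table
}

$table = New-TestToProdTable $backup

# Destination GPO, then import with MigrationTableOnly: any reference NOT in the table makes the
# import fail instead of silently landing a test-forest SID in a production ACL or user right.
$dstGpo = $prod.CreateGPO()
$dstGpo.DisplayName = "GPO X"
$result = $dstGpo.Import($constants.MigrationTableOnly, $backup, $table)
$null   = $result.OverallStatus()

# The same table drives a live cross-domain copy. ProcessSecurity copies the source ACL (through
# the table) instead of stamping the default ACL for new GPOs; leave it off to get the default.
# $copy = $srcGpo.CopyTo($constants.ProcessSecurity -bor $constants.MigrationTableOnly, $prod, "Copy of GPO X", $table)
```

Without `MigrationTableOnly`, unmapped references are copied verbatim: a test-lab group SID ends up in a production user-rights assignment or GPO ACL, unresolvable and invisible until someone reads the raw security descriptor. Failing the import is the safe default.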
Creating A Staging Environment Background Deployment from Test to Production Configure policy in sandbox environment Once tested, replicate to production Efficiently Error free Issue: how create the staging environment? GPMC enables this…
Create A Staging Environment Details GPMC provides two sample scripts for this CreateXMLFromEnvironment.wsf Allows you to represent DS structure in XML GPOs and OUs GPO security GPO links Users and security groups Exports all GPOs to file system CreateEnvironmentFromXML.wsf Recreates DS structure in target domain Imports GPOs from file system
Resources GPMC Web site (download). GPMC White Paper. Migrating GPOs technical article. Scripting resources: 32 sample scripts included with the product (%programfiles%\gpmc\scripts); GPMC SDK installed to %programfiles%\gpmc\scripts\gpmc.chm and also in the Platform SDK. Group Policy Web sites. Newsgroup: microsoft.public.windows.group_policy
Community Resources Most Valuable Professional (MVP) Newsgroups Converse online with Microsoft Newsgroups, including Worldwide User Groups Meet and learn with your peers
Suggested Reading And Resources Available today: Active Directory® for Microsoft® Windows® Server 2003 Technical Reference; Microsoft® Windows® Server 2003 Administrator's Companion.
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.