
1 ADM421 Scripting Group Policy Operations BJ Whalen Program Manager Windows Server Microsoft Corporation

2 Agenda Introduction Object model overview Searching Managing permissions Backup and restore Import and copy Migration tables Scenario: creating a staging environment Resources

3 Overview Group Policy is now scriptable! Via COM objects Provided by the Group Policy Management Console (GPMC) Scriptability was a key design goal of the GPMC The GPMC interfaces Serve as backend to GPMC UI Are accessible via scripts and C++ Can manage Windows 2000 and Windows Server 2003 domains

4 What Is Scriptable? Creating/deleting/renaming GPOs Linking GPOs and WMI filters Delegation Security on GPOs and WMI filters GP-related security on sites, domains, OUs Creation rights for GPOs and WMI filters Generating reports of GPO settings Generating reports of RSOP data Backup/Restore of GPOs Import/Export, Copy/Paste Search for GPOs

5 What Is Not Scriptable? Settings within a GPO. Examples: “Remove Run command from Start Menu”; Redirect “My Documents” to \\server\foo. Workaround for many cases: script the creation of the GPO and import settings from an exported GPO.

6 Scripting System Requirements In order to script GP operations, GPMC must be installed on the machine where you execute scripts. GPMC runs on Windows Server 2003 or Windows XP with SP1, and requires the .NET Framework and a post-SP1 QFE (included with GPMC) which updates GPEdit.dll.

7 Windows 2000 domains GPMC can manage Windows ® 2000 domains GPMC itself must run on XP or Server 2003 Some capabilities only available in Windows Server 2003 forests or domains WMI Filters Group Policy Modeling Delegation of Group Policy Results

8 GPMC Scripting Examples (demo)

9 Agenda Introduction Object model overview Searching Managing permissions Backup and restore Import and copy Migration tables Scenario: creating a staging environment Resources

10 Object Model Intro Central object is “GPM”; all other objects are accessible through GPM. Creating GPM:
  Set GPM = CreateObject("gpmgmt.GPM")

11 Scope Of Management (SOM) SOM = A DS container where GPOs can be linked A GPO link is a property of the SOM, not the GPO Same GPO can have multiple links to different SOMs Types of SOMs Sites Domains OUs

12 Object Model Overview GPM; GPMSitesContainer; GPMDomain; GPMGPO; GPMWMIFilter; GPMSOM; GPMGPOLink; GPMSecurityInfo; GPMPermission; GPMSearchCriteria; GPMConstants; GPMBackupDir; GPMMigrationTable

13 GPMDomain Object Purpose: access and search for GPOs and WMI Filters Create, search, get, restore SOMs: (Domain and OU only) Get and search SOMs Key methods GetGPO(), SearchGPOs() CreateGPO(), RestoreGPO() GetSOM(), SearchSOMs() GetWMIFilter(), SearchWMIFilters() Properties Domain, DomainController

14 Creating GPMDomain Accessed from GPM.GetDomain(). Specify Domain and DC (optional) when created. Domain name must be the full DNS name. If no DC is specified, the PDC is used by default unless using the “UseAnyDC” flag. Example:
  Set GPMDomain = GPM.GetDomain("corp.mycompany.com", "CORP-DC-01", 0)

15 GPMSitesContainer Object Purpose: access and search sites Key Methods GetSite() SearchSites() Properties Domain DomainController Forest

16 Using GPMSitesContainer Accessed from GPM.GetSitesContainer(). Specify Forest, Domain, DC when created. Naming format: Forest and Domain in DNS; DC can be either DNS or NetBIOS. If no DC is specified, the PDC is used by default unless using the “UseAnyDC” flag. Example:
  Set GPMSitesContainer = GPM.GetSitesContainer("corp.mycompany.com", "europe.corp.mycompany.com", "EUR-DC-01", 0)

17 DC Selection DCs can only be specified at GPMDomain and GPMSitesContainer PDC is default choice Can optionally specify Choose any DC Choose a particular DC Once chosen, same DC is used by all child objects

18 GPMGPO Object Purpose: manage an individual GPO Key Methods Backup() Import() CopyTo() Get/SetSecurityInfo() Delete() GenerateReportToFile() Key properties DisplayName ID Status Version info

19 Using GPMGPO Accessed from GPMDomain.CreateGPO(), GPMDomain.GetGPO(), GPMDomain.SearchGPOs(). Examples:
  Set MyGPO1 = GPMDomain.CreateGPO
  MyGPO1.DisplayName = "My New GPO"
  strGUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
  Set MyGPO2 = GPMDomain.GetGPO(strGUID)

20 GPMSOM Object Purpose Create/Delete/Manage links on a SOM Get/Set policy-related security on SOM Key methods CreateGPOLink() GetGPOLinks() GetInheritedGPOLinks() GetSecurityInfo(), SetSecurityInfo() Key properties Path Type (e.g., Site, Domain, OU) Name

21 Using GPMSOM Accessed from GPMSitesContainer.GetSite() and GPMDomain.GetSOM(). Name format: Sites: specify the friendly site name; Domain and OUs: specify the distinguished name. Tip: use ADSI to retrieve the distinguished name based on the friendly name. Example:
  strSOMPath = "ou=Mktg,dc=corp,dc=mycompany,dc=com"
  Set MySOM = GPMDomain.GetSOM(strSOMPath)

22 Creating A Link To link a GPO to a SOM, use GPMSOM.CreateGPOLink(). CreateGPOLink() takes two parameters: the link position (use -1 to add to the end) and a GPMGPO object representing the GPO to link. Example:
  Set MyGPOLink = MySOM.CreateGPOLink(-1, MyGPO)

23 Getting All Links For A SOM Use GPMSOM.GetGPOLinks(). Returns a collection of GPMGPOLink objects. Note: all GPMC collections are 1-based. Example:
  Set Links = GPMSOM.GetGPOLinks()

24 Agenda Introduction Object model overview Searching Managing permissions Backup and restore Import and copy Migration tables Scenario: creating a staging environment Resources

25 Search Overview GPMC allows you to search for GPOs, WMI Filters, SOMs, Backups Based on friendly name and other attributes Examples Find objects without knowing GUIDs Where is the ‘Managed Desktops’ GPO linked? E.g.: find all SOMs that are linked to ‘Managed Desktops’ GPO

26 Search Methods GPMDomain.SearchGPOs() GPMDomain.SearchSOMs() GPMDomain.SearchWMIFilters() GPMSitesContainer.SearchSites() GPMBackupDir.SearchBackups() Each Search Method takes a GPMSearchCriteria object

27 Search Results Results are returned as collections of GPMC objects GPMGPOCollection GPMWMIFilterCollection GPMSOMCollection GPMBackupCollection Can enumerate the collections using normal scripting methods ‘For Each’ in Visual Basic ® Scripting Edition ‘Enumerator’ object in JScript ®

28 GPMSearchCriteria Object Can hold multiple criteria Each criteria consists of Property being searched (e.g., GPO Name) Comparison Operator: Equals, NotEquals, Contains, NotContains Value being searched for (e.g., “TestGPO”) All criteria are then AND’ed together

29 GPO Searches Can search for GPOs based on Display Name Permissions Effective Permissions WMI Filter Policy Extensions set in the GPOs Example Find all GPOs that “Policy Admins” group has rights to edit and that have Folder Redirection policy set Use GPMDomain.SearchGPOs() Use an empty GPMSearchCriteria to enumerate all GPOs in the domain

30 GPO Search Example To get the “Managed Desktops” GPO without needing to know its GUID:
  ' GPMConstants holds the enumeration values used in the criteria
  Set GPMConstants = GPM.GetConstants()
  Set GPMSearchCriteria = GPM.CreateSearchCriteria()
  strGPOName = "Managed Desktops"
  GPMSearchCriteria.Add GPMConstants.SearchPropertyGPODisplayName, GPMConstants.SearchOpEquals, strGPOName
  Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria)
  Set MyGPO = GPOList.Item(1)

31 SOM Searches Used to find all SOMs where a given GPO is linked Two methods GPMDomain.SearchSOMs() GPMSitesContainer.SearchSites() Use ADSI for other SOM-based searches

32 SOM Search Example To find all OUs that are linked to the “Managed Desktops” GPO (assume MyGPO is the “Managed Desktops” GPO from the previous example):
  Set GPMSearchCriteria = GPM.CreateSearchCriteria()
  GPMSearchCriteria.Add GPMConstants.SearchPropertySOMLinks, GPMConstants.SearchOpContains, MyGPO
  Set SOMList = GPMDomain.SearchSOMs(GPMSearchCriteria)
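The two searches above combine into a delegation audit: find every GPO a given group can edit (the slide 29 example, using a GPMPermission as the search value) and then list every site, domain and OU where each one is linked, with the link state. This is an added example, not code from the presentation; the domain corp.mycompany.com and the group "Policy Admins" are placeholders, and the calls follow the GPMC SDK as documented.

```vbscript
' Added audit script (not from the presentation); run with cscript on a
' machine that has GPMC installed. Domain and group names are placeholders.
Option Explicit
Dim GPM, GPMConstants, GPMDomain, GPMSites
Set GPM = CreateObject("GPMgmt.GPM")
Set GPMConstants = GPM.GetConstants()
' Empty DC string plus UsePDC = talk to the PDC emulator (the GPMC default)
Set GPMDomain = GPM.GetDomain("corp.mycompany.com", "", GPMConstants.UsePDC)
Set GPMSites = GPM.GetSitesContainer("corp.mycompany.com", "corp.mycompany.com", "", GPMConstants.UsePDC)

' A GPMPermission doubles as a search value: "ACL contains an Edit ACE for this trustee"
Dim EditPerm, Criteria, GPOList, GPO
Set EditPerm = GPM.CreatePermission("Policy Admins", GPMConstants.PermGPOEdit, False)
Set Criteria = GPM.CreateSearchCriteria()
Criteria.Add GPMConstants.SearchPropertyGPOPermissions, GPMConstants.SearchOpContains, EditPerm
Set GPOList = GPMDomain.SearchGPOs(Criteria)

WScript.Echo GPOList.Count & " GPO(s) editable by Policy Admins"
For Each GPO In GPOList
    WScript.Echo GPO.DisplayName & "  " & GPO.ID
    ReportLinks GPO
Next

' Every domain/OU (SearchSOMs) and site (SearchSites) that links the GPO
Sub ReportLinks(GPO)
    Dim SOMCriteria, SOM
    Set SOMCriteria = GPM.CreateSearchCriteria()
    SOMCriteria.Add GPMConstants.SearchPropertySOMLinks, GPMConstants.SearchOpContains, GPO
    For Each SOM In GPMDomain.SearchSOMs(SOMCriteria)
        PrintLink SOM, GPO
    Next
    For Each SOM In GPMSites.SearchSites(SOMCriteria)
        PrintLink SOM, GPO
    Next
End Sub

' Show order, enabled and enforced state of the link(s) to this GPO on the SOM
Sub PrintLink(SOM, GPO)
    Dim Link
    For Each Link In SOM.GetGPOLinks()
        If UCase(Link.GPOID) = UCase(GPO.ID) Then
            WScript.Echo "    linked at " & SOM.Path & _
                " order=" & Link.SOMLinkOrder & _
                " enabled=" & Link.Enabled & " enforced=" & Link.Enforced
        End If
    Next
End Sub
```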

33 Agenda Introduction Object Model Overview Searching Managing Permissions Backup and Restore Import and Copy Migration Tables Scenario: Creating a staging environment Resources

34 Permissions Overview Goal: simplify handling of GP permissions GPMC manages permissions using predefined levels Each level in GPMC corresponds to a specific set of Windows NT permissions (read, write, create child objects, etc.) Example Editing a GPO requires four individual NT permissions GPMC manages this as a single permission For ACEs that don’t match predefined levels, GPMC returns “custom”

35 Understanding Permissions GPMSecurityInfo object Represents set of GP-related permissions for a given object Can apply to GPOs, WMI filters, SOMs GPMPermission object Represents the permission level for a given security principal Each GPMSecurityInfo is a collection of GPMPermission objects

36 GPO Permissions GPMPermission levels for GPOs Apply the GPO Read the GPO Edit the GPO Edit, modify security, delete the GPO Custom Apply is “special” It includes Read, but is independent from other permission levels Can be combined with Edit or Edit/Security “Custom” can only be read, not set Can be deleted

37 Example: GPO Permissions Task: grant edit permissions on a GPO to the “Policy Admins” group. Note: get the GPMGPO object using the search methods.
  ' Create a Permission object with Edit perms (third argument: inheritable flag)
  Set GPMPerm = GPM.CreatePermission("Policy Admins", GPMConstants.PermGPOEdit, False)
  ' Set the permission on the GPO
  Set GPMSecInfo = MyGPO.GetSecurityInfo
  GPMSecInfo.Add GPMPerm
  MyGPO.SetSecurityInfo GPMSecInfo

38 GPO Security (demo)

39 SOM Permissions GPMPermission levels for SOMs Linking GPOs Performing RSoP planning analysis Remotely access RSoP logging data RSOP delegation not applicable for sites

40 Domain-specific permissions Creating GPOs By default, “Group Policy Creator Owners” group has this permission Can create GPOs in the domain, but cannot edit other GPOs they didn’t create Creating WMI filters By default, “Group Policy Creator Owners” group has this permission Can create WMI filters in the domain, but cannot edit filters they didn’t create Full control for all WMI filters Can create WMI filters in the domain Members have full control over all WMI filters in the domain These are accessed from the domain SOM
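The slide 37 example grants a permission; the reverse review is what an administrator runs before trusting a GPO: walk its GPMSecurityInfo, translate each level back to the console name, flag the "Custom" ACEs that GPMC can report but not set, and remove a trustee that should not hold edit rights. This is an added example, not from the presentation; the domain, the GPO "Managed Desktops" and the trustee "Help Desk" are placeholders.

```vbscript
' Added ACL review script (not from the presentation); names are placeholders.
Option Explicit
Dim GPM, GPMConstants, GPMDomain
Set GPM = CreateObject("GPMgmt.GPM")
Set GPMConstants = GPM.GetConstants()
Set GPMDomain = GPM.GetDomain("corp.mycompany.com", "", GPMConstants.UsePDC)

' Map a GPMC permission level back to the name shown in the console
Function PermName(Level)
    Select Case Level
        Case GPMConstants.PermGPOApply: PermName = "Apply (includes Read)"
        Case GPMConstants.PermGPORead: PermName = "Read"
        Case GPMConstants.PermGPOEdit: PermName = "Edit"
        Case GPMConstants.PermGPOEditSecurityAndDelete: PermName = "Edit/Security/Delete"
        Case GPMConstants.PermGPOCustom: PermName = "CUSTOM - review the raw ACL"
        Case Else: PermName = "Unknown level " & Level
    End Select
End Function

' Look the GPO up by display name so the script never hard-codes a GUID
Function FindGPO(Name)
    Dim Criteria, List
    Set Criteria = GPM.CreateSearchCriteria()
    Criteria.Add GPMConstants.SearchPropertyGPODisplayName, GPMConstants.SearchOpEquals, Name
    Set List = GPMDomain.SearchGPOs(Criteria)
    If List.Count <> 1 Then Err.Raise vbObjectError + 1, "FindGPO", List.Count & " GPOs named " & Name
    Set FindGPO = List.Item(1)
End Function

Dim GPO, SecInfo, Perm, Flags
Set GPO = FindGPO("Managed Desktops")
Set SecInfo = GPO.GetSecurityInfo()
For Each Perm In SecInfo
    Flags = ""
    If Perm.Denied Then Flags = Flags & " DENY"
    If Perm.Inherited Then Flags = Flags & " inherited"
    WScript.Echo Perm.Trustee.TrusteeName & vbTab & PermName(Perm.Permission) & Flags
Next

' Remove every ACE for the trustee (Custom levels can be deleted but not set),
' then write the ACL back: nothing changes until SetSecurityInfo is called
SecInfo.RemoveTrustee "Help Desk"
GPO.SetSecurityInfo SecInfo
WScript.Echo "Help Desk removed from " & GPO.DisplayName
```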

41 Agenda Introduction Object model overview Searching Managing permissions Backup and restore Import and copy Migration tables Scenario: creating a staging environment Resources

42 Backing Up A GPO A backup transfers to the file system: policy settings in the GPO, ACLs on the GPO, the link to the WMI filter, and a report of the settings. NOTE: does NOT back up links to the GPO. To create a backup, use GPMGPO.Backup(). Backup() takes two parameters: the file system folder and a comment. Example:
  Set MyBackup = MyGPO.Backup("\\svr\GPOs", "Test")

43 Managing Backups Each backup instance Represented by GPMBackup object Has a unique Backup ID (GUID) Can be identified by GPO Name, Description, Domain, Timestamp, GPO GUID Multiple backups can be stored in the same location Multiple GPOs Multiple versions of the same GPO GPMBackupDir object Represents set of backups stored in the file system at a given location Query for GPMBackups using GPMBackupDir.SearchBackups()

44 Backup Searches Can search for backups based on Domain GPO ID GPO Display Name Most Recent Backup Example Find the most recent backup in backup folder z:\GPOBackups for GPO ‘Default Domain Policy’ Use GPMBackupDir.SearchBackups()

45 Example: Finding GPMBackup To get the most recent GPO backup for MyGPO in CORP:
  Set GPMBackupDir = GPM.GetBackupDir("z:\GPOBackups")
  Set GPMSearchCriteria = GPM.CreateSearchCriteria()
  strDomain = "corp.mycompany.com"
  strGPO_ID = MyGPO.ID
  GPMSearchCriteria.Add GPMConstants.SearchPropertyGPODomain, GPMConstants.SearchOpEquals, strDomain
  GPMSearchCriteria.Add GPMConstants.SearchPropertyGPOID, GPMConstants.SearchOpEquals, strGPO_ID
  GPMSearchCriteria.Add GPMConstants.SearchPropertyBackupMostRecent, GPMConstants.SearchOpEquals, True
  Set BackupList = GPMBackupDir.SearchBackups(GPMSearchCriteria)

46 Restore Definition Restores all attributes of the GPO Policy settings in the GPO ACLs on the GPO Links to the WMI Filter Does NOT modify links to the GPO This is an attribute of the SOM Permission required to restore Existing GPO: edit/delete/modify security on the GPO Deleted GPO: GPO Creation rights

47 Restoring A GPO To restore a GPO, use GPMDomain.RestoreGPO(). RestoreGPO() takes two parameters: the GPMBackup object containing the GPO to restore, and a flag to specify whether to validate that the DC is a Windows Server 2003 DC (only relevant if the GPO contains Software Settings). Note: need to get the GPMBackup from a GPMBackupDir. Restore is same domain only. Example:
  strBackupID = "{73330457-FEDD-4779-B9FD-5D9D69A585A4}"
  Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
  Set MyBackup = BackupDir.GetBackup(strBackupID)
  Set GPMResult = GPMDomain.RestoreGPO(MyBackup, 0)

48 Backing Up All GPOs In The Domain (demo)
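The backup, GPMResult and backup-search pieces from slides 42 to 45 fit together into a scheduled job: back up every GPO in the domain, surface the per-extension status messages a GPMResult carries even on success, and confirm that the backup directory now reports the new backup as the most recent one for that GPO. This is an added example, not code from the presentation; the domain name and the share \\svr\GPOs (taken from slide 42) are placeholders. Because a backup contains the GPO's settings and ACL, the share should be writable only by the account that runs the job.

```vbscript
' Added backup job (not from the presentation); domain and share are placeholders.
Option Explicit
Const BackupPath = "\\svr\GPOs"
Dim GPM, GPMConstants, GPMDomain, BackupDir, GPOList, GPO, Failures
Set GPM = CreateObject("GPMgmt.GPM")
Set GPMConstants = GPM.GetConstants()
Set GPMDomain = GPM.GetDomain("corp.mycompany.com", "", GPMConstants.UsePDC)
Set BackupDir = GPM.GetBackupDir(BackupPath)
' An empty GPMSearchCriteria matches every GPO in the domain
Set GPOList = GPMDomain.SearchGPOs(GPM.CreateSearchCriteria())

Failures = 0
For Each GPO In GPOList
    If Not BackupOne(GPO) Then Failures = Failures + 1
Next
WScript.Echo GPOList.Count & " GPO(s) processed, " & Failures & " failure(s)"
If Failures > 0 Then WScript.Quit 1

Function BackupOne(GPO)
    Dim Result, i
    BackupOne = False
    On Error Resume Next
    Set Result = GPO.Backup(BackupPath, "Scheduled backup " & Now)
    ' OverallStatus raises an error if the backup did not fully succeed
    If Err.Number = 0 Then Call Result.OverallStatus()
    If Err.Number <> 0 Then
        WScript.Echo "FAILED " & GPO.DisplayName & ": " & Err.Description
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    ' Status messages hold warnings from individual extensions even on success
    For i = 1 To Result.Status.Count
        WScript.Echo "  " & GPO.DisplayName & ": " & Result.Status.Item(i).Message
    Next
    ' Result.Result is the new GPMBackup; check the directory agrees it is the latest
    BackupOne = IsMostRecent(GPO.ID, Result.Result.ID)
End Function

Function IsMostRecent(GPOID, ExpectedBackupID)
    Dim Criteria, List
    Set Criteria = GPM.CreateSearchCriteria()
    Criteria.Add GPMConstants.SearchPropertyGPOID, GPMConstants.SearchOpEquals, GPOID
    Criteria.Add GPMConstants.SearchPropertyBackupMostRecent, GPMConstants.SearchOpEquals, True
    Set List = BackupDir.SearchBackups(Criteria)
    IsMostRecent = (List.Count = 1)
    If IsMostRecent Then IsMostRecent = (UCase(List.Item(1).ID) = UCase(ExpectedBackupID))
End Function
```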

49 Agenda Introduction Object model overview Searching Managing permissions Backup and restore Import and copy Migration tables Scenario: creating a staging environment Resources

50 Import And Copy Transfers policy settings only Does not modify links to GPO Can be used same domain, cross domain, cross forest Cross domain/forest operations facilitated by Migration Tables Enables “templatization” of managed configurations Key difference is source/destination behavior Import: from file system to existing GPO Copy: from live GPO to new GPO

51 Cross Domain/Forest Migration overview Key challenge - some settings are domain/forest specific References to users, groups, and computers References to UNC paths Solution: migration table Maps a reference in source GPO to a new reference in destination GPO

52 Scenario: Test To Production [diagram: test forest with domains A, B, C; production forest with domains D, E, F] GPO X user rights in the test forest reference B\PilotUsersGroup, \\TestServer\%username%, A\PilotUserRemoteGroup and \\TestServer\STD. The copy of GPO X in the production forest references E\RedmondUsers, \\CPITGFS01\%username%, D\RemoteUsersGroup and \\CPITGSD05\STD.

53 Scenario: Production To Production [diagram: production forest with domains A, B, C] GPO X user rights reference B\JapanUsers, \\CPITGFSD01\STD and \\CPITGFS01\%username%. The copy of GPO X references C\JapanUsers, \\CPITGFSD01\STD and \\CPITGFS02\%UserName%.

54 Import Settings Into A GPO To import settings, use GPMGPO.Import(). Import() takes three parameters: a flag to indicate whether to use the migration table exclusively, the GPMBackup object containing the settings to import, and an optional instance of a GPMMigrationTable object. Example:
  strBackupID = "{73330457-FEDD-4779-B9FD-5D9D69A585A4}"
  Set MyMigrationTable = GPM.GetMigrationTable("MyTable.xml")
  Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
  Set MyBackup = BackupDir.GetBackup(strBackupID)
  Set GPMResult = MyGPO.Import(0, MyBackup, MyMigrationTable)

55 Copying A GPO To copy a live GPO, use GPMGPO.CopyTo(). CopyTo() creates a new GPO containing the same policy settings as the source GPO. CopyTo() takes four parameters: a flag indicating whether to copy the ACL on the GPO (if not specified, the default ACL for new GPOs is used) and whether to use the migration table exclusively; the GPMDomain object for the target domain; an optional display name to use for the copied GPO (if not specified, the default name for new GPOs is used); and an optional instance of a GPMMigrationTable object. Example:
  CopyFlags = GPMConstants.ProcessSecurity
  Set NewGPMGPO = MyGPO.CopyTo(CopyFlags, GPMTargetDomain, "Copy of MyGPO")

56 Sample Migration Table
  <MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
    <Mapping>
      <Type>GlobalGroup</Type>
      <Source>TESTDOMAIN1\GroupXYZ</Source>
      <Destination>TESTDOMAIN2\GroupABC</Destination>
    </Mapping>
    <Mapping>
      <Type>User</Type>
      <Source>user1@test2.nttest.microsoft.com</Source>
      <DestinationNone/>
    </Mapping>
    <Mapping>
      <Type>UNCPath</Type>
      <Source>\\Server01\share</Source>
      <Destination>\\server02\share\folder</Destination>
    </Mapping>
  </MigrationTable>
A sample is installed to %programfiles%\gpmc\scripts when you install GPMC.

57 Using Migration Tables To create a migration table GPM.CreateMigrationTable() To open an existing migration table GPM.GetMigrationTable() To edit a migration table, use GPMMigrationTable object You can auto-populate the migration table based on the contents of an existing GPO or backup Pass either GPMGPO or GPMBackup to GPMMigrationTable.Add() You can create and delete individual entries in the migration table using GPMMigrationTable.AddEntry() GPMMigrationTable.GetEntry() GPMMigrationTable.DeleteEntry() See sample script: “CreateMigrationTable.wsf” in %programfiles%\gpmc\scripts directory.
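The migration-table workflow from slides 51 to 57 end to end: seed a table from a backup (including the ACL trustees), rewrite the UNC paths to the production file server, drop individual test users and computers, map groups by relative name, validate and save the table, then import into a new production GPO with the migration table used exclusively so that any reference the table does not cover fails the import rather than crossing forests silently. This is an added example, not from the presentation or the GPMC sample scripts; the domain names, the folder z:\GPOBackups, the "\\TestServer" to "\\CPITGFS01" rewrite and the GPO names are placeholders.

```vbscript
' Added migration example (not from the presentation); names and paths are placeholders.
Option Explicit
Dim GPM, GPMConstants, ProdDomain, BackupDir, Backup, MigTable, Entry, NewDest
Set GPM = CreateObject("GPMgmt.GPM")
Set GPMConstants = GPM.GetConstants()
Set ProdDomain = GPM.GetDomain("prod.mycompany.com", "", GPMConstants.UsePDC)
Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
Set Backup = LatestBackup("Managed Desktops")

' Seed the table with every principal and UNC path the backup references,
' including the trustees in its ACL (ProcessSecurity)
Set MigTable = GPM.CreateMigrationTable()
MigTable.Add GPMConstants.ProcessSecurity, Backup

For Each Entry In MigTable.GetEntries()
    Select Case Entry.EntryType
        Case GPMConstants.EntryTypeUNCPath
            ' Point test-server paths at the production file server (assumed names)
            NewDest = Replace(Entry.Source, "\\TestServer\", "\\CPITGFS01\", 1, -1, vbTextCompare)
            MigTable.UpdateDestination Entry.Source, NewDest, GPMConstants.DestinationOptionSet
        Case GPMConstants.EntryTypeUser, GPMConstants.EntryTypeComputer
            ' Individual test accounts never map into production: drop the reference
            MigTable.UpdateDestination Entry.Source, "", GPMConstants.DestinationOptionNone
        Case Else
            ' Groups keep their name but resolve in the destination domain
            MigTable.UpdateDestination Entry.Source, "", GPMConstants.DestinationOptionByRelativeName
    End Select
Next

' Validate() returns a GPMResult; OverallStatus raises if the table is unusable
Dim Check
Set Check = MigTable.Validate()
Call Check.OverallStatus()
MigTable.Save "z:\GPOBackups\ManagedDesktops.migtable"

' Import into a fresh production GPO. MigrationTableOnly makes the import fail
' rather than silently copying a reference the table does not cover.
Dim NewGPO, Result
Set NewGPO = ProdDomain.CreateGPO()
NewGPO.DisplayName = "Managed Desktops (prod)"
Set Result = NewGPO.Import(GPMConstants.MigrationTableOnly, Backup, MigTable)
Call Result.OverallStatus()
WScript.Echo "Imported into " & NewGPO.DisplayName & " " & NewGPO.ID

' Most recent backup of the named GPO in the backup folder (slide 44 search)
Function LatestBackup(GPOName)
    Dim Criteria, List
    Set Criteria = GPM.CreateSearchCriteria()
    Criteria.Add GPMConstants.SearchPropertyGPODisplayName, GPMConstants.SearchOpEquals, GPOName
    Criteria.Add GPMConstants.SearchPropertyBackupMostRecent, GPMConstants.SearchOpEquals, True
    Set List = BackupDir.SearchBackups(Criteria)
    If List.Count = 0 Then Err.Raise vbObjectError + 2, "LatestBackup", "no backup of " & GPOName
    Set LatestBackup = List.Item(1)
End Function
```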

58 Creating A Staging Environment Background: deployment from test to production. Configure policy in a sandbox environment; once tested, replicate to production efficiently and error free. Issue: how to create the staging environment? GPMC enables this…

59 Create A Staging Environment Details GPMC provides two sample scripts for this CreateXMLFromEnvironment.wsf Allows you to represent DS structure in XML GPOs and OUs GPO security GPO links Users and security groups Exports all GPOs to file system CreateEnvironmentFromXML.wsf Recreates DS structure in target domain Imports GPOs from file system

60 Resources GPMC Web site www.microsoft.com/windowsserver2003/gpmc/ Link to download site GPMC White Paper Migrating GPOs Technical article Scripting resources 32 sample scripts included with the product %programfiles%\gpmc\scripts GPMC SDK Installed to %programfiles%\gpmc\scripts\gpmc.chm Also in Platform SDK Group Policy Web sites www.microsoft.com/grouppolicy www.microsoft.com/technet/grouppolicy Newsgroup Microsoft.public.windows.group_policy

61 Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.mvp.support.microsoft.com/ Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://www.microsoft.com/communities/newsgroups/default.mspx User Groups Meet and learn with your peers http://www.microsoft.com/communities/usergroups/default.mspx

62 The tools you need to put technology to work! Suggested Reading And Resources TITLE Available Today Active Directory® for Microsoft® Windows® Server 2003 Technical Reference: 0-7356-1577-2 Microsoft® Windows® Server 2003 Administrator's Companion: 0-7356-1367-2 Today Microsoft Press books are 20% off at the TechEd Bookstore Also buy any TWO Microsoft Press books and get a FREE T-Shirt


64 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

