ADM 421: Scripting Group Policy Operations. BJ Whalen, Program Manager, Windows Server, Microsoft Corporation

Agenda: Introduction; Object model overview; Searching; Managing permissions; Backup and restore; Import and copy; Migration tables; Scenario: creating a staging environment; Resources
Overview
- Group Policy is now scriptable, via COM objects provided by the Group Policy Management Console (GPMC). Scriptability was a key design goal of the GPMC.
- The GPMC interfaces serve as the back end of the GPMC UI, are accessible from scripts and C++, and can manage Windows 2000 and Windows Server 2003 domains.

What Is Scriptable?
- Creating, deleting and renaming GPOs
- Linking GPOs and WMI filters
- Delegation: security on GPOs and WMI filters; GP-related security on sites, domains and OUs; creation rights for GPOs and WMI filters
- Generating reports of GPO settings and of RSoP data
- Backup and restore of GPOs
- Import/export and copy/paste
- Searching for GPOs

What Is Not Scriptable?
- Settings within a GPO, for example "Remove Run command from Start Menu" or redirecting "My Documents" to \\server\foo
- Workaround for many cases: script the creation of the GPO and import the settings from an exported GPO

Scripting System Requirements
- To script GP operations, GPMC must be installed on the machine where you execute the scripts.
- GPMC runs on Windows Server 2003 or Windows XP with SP1, and requires the .NET Framework and the post-SP1 QFE (included with GPMC) that updates GPEdit.dll.

Windows 2000 Domains
- GPMC can manage Windows 2000 domains, but GPMC itself must run on Windows XP or Windows Server 2003.
- Some capabilities are only available in Windows Server 2003 forests or domains: WMI filters, Group Policy Modeling, and delegation of Group Policy Results.

Demo: GPMC scripting examples
Agenda (next section): Object model overview
Object Model Intro
- The central object is GPM; all other objects are reached through it.
- Creating GPM, together with the GPMConstants object that the examples below use for flags and enumeration values:
    Set GPM = CreateObject("GPMgmt.GPM")
    Set GPMConstants = GPM.GetConstants()

Scope of Management (SOM)
- A SOM is a directory container to which GPOs can be linked: a site, a domain or an OU.
- A GPO link is a property of the SOM, not of the GPO; the same GPO can have multiple links to different SOMs.

Object Model Overview: GPMSitesContainer, GPMDomain, GPMGPO, GPMWMIFilter, GPMSOM, GPMSearchCriteria, GPMBackupDir, GPMMigrationTable, GPMConstants, GPMGPOLink, GPMSecurityInfo, GPMPermission

GPMDomain Object
- Purpose: access and search for GPOs and WMI filters (create, search, get, restore) and for SOMs (domain and OUs only: get and search).
- Key methods: GetGPO(), SearchGPOs(), CreateGPO(), RestoreGPO(), GetSOM(), SearchSOMs(), GetWMIFilter(), SearchWMIFilters()
- Properties: Domain, DomainController

Creating GPMDomain
- Accessed from GPM.GetDomain(); specify the domain and, optionally, the DC when created.
- The domain name must be the full DNS name. If no DC is specified, the PDC is used by default unless the UseAnyDC flag is passed.
- Example:
    Set GPMDomain = GPM.GetDomain("corp.mycompany.com", "CORP-DC-01", 0)

GPMSitesContainer Object
- Purpose: access and search sites.
- Key methods: GetSite(), SearchSites()
- Properties: DomainController, Forest

Using GPMSitesContainer
- Accessed from GPM.GetSitesContainer(); specify forest, domain and DC when created.
- Naming format: forest and domain in DNS form; the DC can be either DNS or NetBIOS. If no DC is specified, the PDC is used by default unless the UseAnyDC flag is passed.
- Example:
    Set GPMSitesContainer = GPM.GetSitesContainer("corp.mycompany.com", "europe.corp.mycompany.com", "EUR-DC-01", 0)

DC Selection
- DCs can only be specified at GPMDomain and GPMSitesContainer. The PDC is the default choice; you can optionally choose any DC or a particular DC.
- Once chosen, the same DC is used by all child objects.

GPMGPO Object
- Purpose: manage an individual GPO.
- Key methods: Backup(), Import(), CopyTo(), GetSecurityInfo()/SetSecurityInfo(), Delete(), GenerateReportToFile()
- Key properties: DisplayName, ID, Status, version info

Using GPMGPO
- Accessed from GPMDomain.CreateGPO(), GPMDomain.GetGPO() and GPMDomain.SearchGPOs().
- Examples (the GUID shown is the well-known ID of the Default Domain Policy):
    Set MyGPO1 = GPMDomain.CreateGPO
    MyGPO1.DisplayName = "My New GPO"
    strGUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
    Set MyGPO2 = GPMDomain.GetGPO(strGUID)

GPMSOM Object
- Purpose: create, delete and manage links on a SOM; get and set policy-related security on a SOM.
- Key methods: CreateGPOLink(), GetGPOLinks(), GetInheritedGPOLinks(), GetSecurityInfo(), SetSecurityInfo()
- Key properties: Path, Type (Site, Domain or OU), Name

Using GPMSOM
- Accessed from GPMSitesContainer.GetSite() and GPMDomain.GetSOM().
- Name format: for sites, specify the friendly site name; for the domain and OUs, specify the distinguished name. Tip: use ADSI to retrieve the distinguished name from the friendly name.
- Example:
    strSOMPath = "ou=Mktg,dc=corp,dc=mycompany,dc=com"
    Set MySOM = GPMDomain.GetSOM(strSOMPath)

Creating a Link
- To link a GPO to a SOM, use GPMSOM.CreateGPOLink(), which takes two parameters: the link position (-1 adds the link at the end) and a GPMGPO object representing the GPO to link.
- Example:
    Set MyGPOLink = MySOM.CreateGPOLink(-1, MyGPO)

Getting All Links for a SOM
- Use GPMSOM.GetGPOLinks(); it returns a collection of GPMGPOLink objects. Note: all GPMC collections are 1-based.
- Example:
    Set Links = GPMSOM.GetGPOLinks()
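The object-model slides above, taken end to end, as an added example that is not from the deck or from the GPMC sample scripts: the same GPMgmt.GPM COM object driven from PowerShell instead of VBScript. It assumes GPMC is installed locally, that the caller holds GPO-creation rights in the hypothetical domain corp.mycompany.com, and that the OU ou=Mktg,dc=corp,dc=mycompany,dc=com exists (all names are assumptions).

```powershell
# Added example (not from the deck): the GPMC COM object model from PowerShell.
# Assumed names: corp.mycompany.com, OU "Mktg", GPO "Managed Desktops".

$gpm       = New-Object -ComObject 'GPMgmt.GPM'   # the central GPM object
$constants = $gpm.GetConstants()                 # GPMConstants: flags and enum values

# GPMDomain: full DNS name. An empty DC name plus UseAnyDC lets GPMC pick a DC
# instead of defaulting to the PDC emulator.
$domain = $gpm.GetDomain('corp.mycompany.com', '', $constants.UseAnyDC)
"Using DC {0} for {1}" -f $domain.DomainController, $domain.Domain

# Create the GPO; DisplayName is read/write, ID is the GUID assigned on creation
$gpo = $domain.CreateGPO()
$gpo.DisplayName = 'Managed Desktops'
"Created GPO '{0}' with ID {1}" -f $gpo.DisplayName, $gpo.ID

# Links live on the SOM, so fetch the OU (domain and OU SOMs are addressed by DN)
$som = $domain.GetSOM('ou=Mktg,dc=corp,dc=mycompany,dc=com')

# Position -1 appends the link at the end of the SOM's link order
$link = $som.CreateGPOLink(-1, $gpo)
"Linked at order {0} (Enabled={1}, Enforced={2})" -f $link.SOMLinkOrder, $link.Enabled, $link.Enforced

# Walk every link on the SOM. GPMC collections are 1-based when indexed with
# Item(); a link stores only the GPO's ID and domain, so resolve it for the name.
$links = $som.GetGPOLinks()
for ($i = 1; $i -le $links.Count; $i++) {
    $l = $links.Item($i)
    # A link may point at a GPO in another domain; resolve it through that domain
    $owner = if ($l.GPODomain -eq $domain.Domain) { $domain } else { $gpm.GetDomain($l.GPODomain, '', $constants.UseAnyDC) }
    $target = $owner.GetGPO($l.GPOID)
    '{0,2}  {1,-40}  {2}  enabled={3}' -f $l.SOMLinkOrder, $target.DisplayName, $l.GPOID, $l.Enabled
}
```

Run it from an elevated PowerShell session on a machine with GPMC installed; every call maps one-to-one onto the VBScript methods named on the slides, so the script can be read side by side with them.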
Agenda (next section): Searching
Search Overview
- GPMC allows you to search for GPOs, WMI filters, SOMs and backups, based on friendly name and other attributes.
- Examples: find objects without knowing their GUIDs; answer "where is the 'Managed Desktops' GPO linked?" by finding all SOMs that are linked to that GPO.

Search Methods: GPMDomain.SearchGPOs(), GPMDomain.SearchSOMs(), GPMDomain.SearchWMIFilters(), GPMSitesContainer.SearchSites(), GPMBackupDir.SearchBackups(). Each search method takes a GPMSearchCriteria object.

Search Results
- Results are returned as collections of GPMC objects: GPMGPOCollection, GPMWMIFilterCollection, GPMSOMCollection, GPMBackupCollection.
- The collections can be enumerated with the normal scripting constructs: For Each in Visual Basic Scripting Edition, the Enumerator object in JScript.

GPMSearchCriteria Object
- Can hold multiple criteria. Each criterion consists of the property being searched (e.g., GPO name), a comparison operator (Equals, NotEquals, Contains, NotContains) and the value being searched for (e.g., "TestGPO").
- All criteria are AND'ed together.

GPO Searches
- Can search for GPOs based on display name, permissions, effective permissions, WMI filter, and the policy extensions set in the GPO. Example: find all GPOs that the "Policy Admins" group has rights to edit and that have Folder Redirection policy set.
- Use GPMDomain.SearchGPOs(); pass an empty GPMSearchCriteria to enumerate all GPOs in the domain.

GPO Search Example
To get the "Managed Desktops" GPO without needing to know its GUID (display names are not unique, so check GPOList.Count before trusting Item(1)):
    Set GPMSearchCriteria = GPM.CreateSearchCriteria
    strGPOName = "Managed Desktops"
    GPMSearchCriteria.Add GPMConstants.SearchPropertyGPODisplayName, GPMConstants.SearchOpEquals, strGPOName
    Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria)
    Set MyGPO = GPOList.Item(1)

SOM Searches
- Used to find all SOMs where a given GPO is linked. Two methods: GPMDomain.SearchSOMs() for the domain and OUs, and GPMSitesContainer.SearchSites() for sites.
- Use ADSI for other SOM-based searches.

SOM Search Example
To find all OUs that are linked to the "Managed Desktops" GPO (assume MyGPO is the "Managed Desktops" GPO from the previous example):
    Set GPMSearchCriteria = GPM.CreateSearchCriteria
    GPMSearchCriteria.Add GPMConstants.SearchPropertySOMLinks, GPMConstants.SearchOpContains, MyGPO
    Set SOMList = GPMDomain.SearchSOMs(GPMSearchCriteria)
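The GPO and SOM searches from the two examples above, combined into one PowerShell script that also sweeps the domain for GPOs linked nowhere. This is an added example, not from the deck or the GPMC samples; it assumes corp.mycompany.com is both the domain and the forest root, and that a GPO named Managed Desktops exists (all assumptions).

```powershell
# Added example (not from the deck): GPO and SOM searches from PowerShell, plus
# an "unlinked GPO" sweep. Assumed: corp.mycompany.com is domain and forest root.

$gpm = New-Object -ComObject 'GPMgmt.GPM'
$c   = $gpm.GetConstants()
$dom = $gpm.GetDomain('corp.mycompany.com', '', $c.UseAnyDC)
# Sites are searched through the sites container, not through GPMDomain
$sites = $gpm.GetSitesContainer('corp.mycompany.com', 'corp.mycompany.com', '', $c.UseAnyDC)

function Find-GpoByName {
    param([string]$DisplayName)
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($c.SearchPropertyGPODisplayName, $c.SearchOpEquals, $DisplayName)
    $hits = $dom.SearchGPOs($crit)
    if ($hits.Count -eq 0) { throw "No GPO named '$DisplayName' in $($dom.Domain)" }
    # Display names are not unique in AD; only the GUID is. Refuse to guess.
    if ($hits.Count -gt 1) { throw "$($hits.Count) GPOs are named '$DisplayName'; select by ID instead" }
    return $hits.Item(1)
}

function Get-GpoLinkLocations {
    param($Gpo)
    # SearchPropertySOMLinks + SearchOpContains takes the GPMGPO object itself as the value
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($c.SearchPropertySOMLinks, $c.SearchOpContains, $Gpo)
    $found = @()
    foreach ($som in $dom.SearchSOMs($crit))    { $found += $som.Path }          # domain and OUs
    foreach ($site in $sites.SearchSites($crit)) { $found += 'site:' + $site.Name } # sites
    return $found
}

$gpo = Find-GpoByName 'Managed Desktops'
"'{0}' ({1}) is linked at:" -f $gpo.DisplayName, $gpo.ID
Get-GpoLinkLocations $gpo | ForEach-Object { "  $_" }

# Empty criteria = every GPO in the domain. GPOs linked nowhere still carry
# settings and ACLs, so listing them is the first step of a cleanup or a review.
foreach ($g in $dom.SearchGPOs($gpm.CreateSearchCriteria())) {
    if (@(Get-GpoLinkLocations $g).Count -eq 0) {
        "UNLINKED: {0} ({1})" -f $g.DisplayName, $g.ID
    }
}
```

The sweep issues two searches per GPO (SOMs and sites); in a large domain, run it once and keep the output rather than repeating it per task.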
Agenda (next section): Managing permissions
Permissions Overview
- Goal: simplify handling of GP permissions. GPMC manages permissions using predefined levels; each level corresponds to a specific set of Windows NT permissions (read, write, create child objects, etc.).
- Example: editing a GPO requires four individual NT permissions; GPMC manages this as a single permission.
- For ACEs that don't match a predefined level, GPMC returns "custom".

Understanding Permissions
- GPMSecurityInfo object: represents the set of GP-related permissions for a given object; can apply to GPOs, WMI filters and SOMs.
- GPMPermission object: represents the permission level for a given security principal. Each GPMSecurityInfo is a collection of GPMPermission objects.

GPO Permissions
- GPMPermission levels for GPOs: Apply the GPO; Read the GPO; Edit the GPO; Edit, modify security and delete the GPO; Custom.
- Apply is special: it includes Read, but is independent of the other permission levels and can be combined with Edit or Edit/Security.
- "Custom" can only be read, not set; a custom entry can, however, be deleted.

Example: GPO Permissions
Task: grant edit permissions on a GPO to the "Policy Admins" group (get the GPMGPO object using the search methods). CreatePermission takes the trustee, the permission level and an Inheritable flag:
    ' Create a Permission object with Edit permissions
    Set GPMPerm = GPM.CreatePermission("Policy Admins", GPMConstants.PermGPOEdit, False)
    ' Set the permission on the GPO
    Set GPMSecInfo = MyGPO.GetSecurityInfo
    GPMSecInfo.Add GPMPerm
    MyGPO.SetSecurityInfo GPMSecInfo
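The permission example above, extended into the check a reviewer actually wants: grant the Edit level to a group, then walk every GPO in the domain and report trustees that can edit but are not on an expected list, as well as any "custom" ACE, which GPMC cannot set and which therefore came from somewhere else. This is an added example, not from the deck or the GPMC samples; the domain, the group CORP\Policy Admins and the allow-list of expected editors are assumptions.

```powershell
# Added example (not from the deck): grant the Edit level and audit who can edit.
# Assumed names: corp.mycompany.com, CORP\Policy Admins, $expectedEditors below.

$gpm = New-Object -ComObject 'GPMgmt.GPM'
$c   = $gpm.GetConstants()
$dom = $gpm.GetDomain('corp.mycompany.com', '', $c.UseAnyDC)

# GPMPermission.Permission is an enum value; label the GPO levels via GPMConstants
$levelName = @{}
$levelName[[int]$c.PermGPOApply]                 = 'Apply'
$levelName[[int]$c.PermGPORead]                  = 'Read'
$levelName[[int]$c.PermGPOEdit]                  = 'Edit'
$levelName[[int]$c.PermGPOEditSecurityAndDelete] = 'Edit/Security/Delete'
$levelName[[int]$c.PermGPOCustom]                = 'Custom'

function Grant-GpoEdit {
    param($Gpo, [string]$Trustee)
    # Third argument is Inheritable (False here), which the slide's call omits
    $perm = $gpm.CreatePermission($Trustee, $c.PermGPOEdit, $false)
    $sec  = $Gpo.GetSecurityInfo()
    $sec.Add($perm)                 # adds the ACEs that make up the Edit level
    $Gpo.SetSecurityInfo($sec)      # nothing is written to AD until this call
}

function Get-GpoPermissionEntries {
    param($Gpo)
    foreach ($p in $Gpo.GetSecurityInfo()) {
        # Name resolution fails for orphaned SIDs; fall back to the raw SID
        try   { $name = '{0}\{1}' -f $p.Trustee.TrusteeDomain, $p.Trustee.TrusteeName }
        catch { $name = $p.Trustee.TrusteeSid }
        [pscustomobject]@{
            GPO       = $Gpo.DisplayName
            Trustee   = $name
            Level     = $levelName[[int]$p.Permission]
            Denied    = $p.Denied
            Inherited = $p.Inherited
        }
    }
}

# Grant: locate the GPO by display name (first match, as on the slide) and add Edit
$crit = $gpm.CreateSearchCriteria()
$crit.Add($c.SearchPropertyGPODisplayName, $c.SearchOpEquals, 'Managed Desktops')
$target = $dom.SearchGPOs($crit).Item(1)
Grant-GpoEdit -Gpo $target -Trustee 'CORP\Policy Admins'

# Audit: editors outside the expected set, and any Custom ACE (not settable via GPMC)
$expectedEditors = @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'NT AUTHORITY\SYSTEM', 'CORP\Policy Admins')
foreach ($g in $dom.SearchGPOs($gpm.CreateSearchCriteria())) {
    foreach ($e in Get-GpoPermissionEntries $g) {
        if ($e.Denied) { continue }
        $canEdit = @('Edit', 'Edit/Security/Delete') -contains $e.Level
        if (($canEdit -and -not ($expectedEditors -contains $e.Trustee)) -or $e.Level -eq 'Custom') {
            'REVIEW: {0,-30} {1,-35} {2}' -f $g.DisplayName, $e.Trustee, $e.Level
        }
    }
}
```

Anyone who can edit a GPO can change what every computer and user under its links executes, so the editor list is the part of this output worth a ticket; a "Custom" row means the ACL was changed outside GPMC and should be reconciled back to a defined level.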
Demo: GPO security

SOM Permissions
- GPMPermission levels for SOMs: linking GPOs; performing RSoP planning analysis; remotely accessing RSoP logging data.
- RSoP delegation is not applicable to sites.

Domain-Specific Permissions
- Creating GPOs: by default the "Group Policy Creator Owners" group has this permission. Members can create GPOs in the domain but cannot edit GPOs they didn't create.
- Creating WMI filters: by default the "Group Policy Creator Owners" group has this permission. Members can create WMI filters in the domain but cannot edit filters they didn't create.
- Full control for all WMI filters: members can create WMI filters in the domain and have full control over all WMI filters in the domain.
- These permissions are accessed from the domain SOM.
Agenda (next section): Backup and restore
Backing Up a GPO
- A backup transfers to the file system: the policy settings in the GPO, the ACLs on the GPO, the link to the WMI filter, and a report of the settings. NOTE: it does NOT back up links to the GPO.
- To create a backup, use GPMGPO.Backup(), which takes two parameters: the file system folder and a comment. Backup() returns a GPMResult; the GPMBackup object is in its Result property.
- Example:
    Set GPMResult = MyGPO.Backup("\\svr\GPOs", "Test")
    Set MyBackup = GPMResult.Result

Managing Backups
- Each backup instance is represented by a GPMBackup object, has a unique backup ID (GUID), and can be identified by GPO name, description, domain, timestamp and GPO GUID.
- Multiple backups can be stored in the same location: multiple GPOs, and multiple versions of the same GPO.
- The GPMBackupDir object represents the set of backups stored in the file system at a given location; query for GPMBackups using GPMBackupDir.SearchBackups().

Backup Searches
- Can search for backups based on domain, GPO ID, GPO display name, and most recent backup.
- Example: find the most recent backup in the backup folder z:\GPOBackups for the GPO 'Default Domain Policy', using GPMBackupDir.SearchBackups().

Example: Finding a GPMBackup
To get the most recent GPO backup for MyGPO in CORP:
    Set GPMSearchCriteria = GPM.CreateSearchCriteria
    strDomain = "corp.mycompany.com"
    strGPO_ID = MyGPO.ID
    GPMSearchCriteria.Add GPMConstants.SearchPropertyGPODomain, GPMConstants.SearchOpEquals, strDomain
    GPMSearchCriteria.Add GPMConstants.SearchPropertyGPOID, GPMConstants.SearchOpEquals, strGPO_ID
    GPMSearchCriteria.Add GPMConstants.SearchPropertyBackupMostRecent, GPMConstants.SearchOpEquals, True
    Set BackupList = GPMBackupDir.SearchBackups(GPMSearchCriteria)

Restore Definition
- Restores all attributes of the GPO: the policy settings in the GPO, the ACLs on the GPO, and the link to the WMI filter. It does NOT modify links to the GPO, because those are attributes of the SOM.
- Permission required to restore: for an existing GPO, edit/delete/modify security on the GPO; for a deleted GPO, GPO creation rights.

Restoring a GPO
- Use GPMDomain.RestoreGPO(), which takes two parameters: the GPMBackup object containing the GPO to restore, and a flag specifying whether to validate that the DC is a Windows Server 2003 DC (only relevant if the GPO contains Software Settings).
- Note: get the GPMBackup from a GPMBackupDir. Restore is same-domain only.
- Example:
    strBackupID = "{73330457-FEDD-4779-B9FD-5D9D69A585A4}"
    Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
    Set MyBackup = BackupDir.GetBackup(strBackupID)
    Set GPMResult = GPMDomain.RestoreGPO(MyBackup, 0)
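The backup, backup-search and restore slides above as one PowerShell script: back up every GPO in the domain, locate the most recent backup of a given GPO with the same three criteria as the VBScript example, and restore it after checking the backup's domain. This is an added example, not from the deck or the GPMC samples; it assumes corp.mycompany.com, an existing folder D:\GPOBackups and a GPO named Managed Desktops.

```powershell
# Added example (not from the deck): back up all GPOs, find the newest backup
# of one GPO, restore it. Assumed: corp.mycompany.com, D:\GPOBackups exists.

$gpm = New-Object -ComObject 'GPMgmt.GPM'
$c   = $gpm.GetConstants()
$dom = $gpm.GetDomain('corp.mycompany.com', '', $c.UseAnyDC)
$backupRoot = 'D:\GPOBackups'
$bd  = $gpm.GetBackupDir($backupRoot)      # GPMBackupDir: the folder seen as a set of backups

function Backup-AllGpos {
    param([string]$Comment)
    $done = @()
    foreach ($gpo in $dom.SearchGPOs($gpm.CreateSearchCriteria())) {   # empty criteria = all GPOs
        $r = $gpo.Backup($backupRoot, $Comment)   # returns GPMResult, not GPMBackup
        try { $r.OverallStatus() }                 # throws if any status message is an error
        catch {
            Write-Warning ("Backup of '{0}' failed: {1}" -f $gpo.DisplayName, $_.Exception.Message)
            foreach ($m in $r.Status) { Write-Warning ('  ' + $m.Message) }
            continue
        }
        $b = $r.Result                             # the GPMBackup that was written
        $done += [pscustomobject]@{ GPO = $b.GPODisplayName; GpoId = $b.GPOID; BackupId = $b.ID; When = $b.Timestamp }
    }
    return $done
}

function Get-LatestBackup {
    param([string]$GpoId)
    # Same three criteria as the deck's VBScript search, AND'ed together
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($c.SearchPropertyGPODomain,        $c.SearchOpEquals, $dom.Domain)
    $crit.Add($c.SearchPropertyGPOID,            $c.SearchOpEquals, $GpoId)
    $crit.Add($c.SearchPropertyBackupMostRecent, $c.SearchOpEquals, $true)
    $found = $bd.SearchBackups($crit)
    if ($found.Count -eq 0) { return $null }
    return $found.Item(1)
}

function Restore-GpoFromLatest {
    param([string]$GpoId)
    $b = Get-LatestBackup $GpoId
    if (-not $b) { throw "No backup of $GpoId under $backupRoot" }
    # Restore is same-domain only; refuse early instead of letting GPMC fail half-way
    if ($b.GPODomain -ne $dom.Domain) { throw "Backup is from $($b.GPODomain), not $($dom.Domain); use Import instead" }
    "Restoring '{0}' from backup {1} taken {2}" -f $b.GPODisplayName, $b.ID, $b.Timestamp
    $r = $dom.RestoreGPO($b, 0)   # 0 = validate the DC (matters when the GPO has Software Settings)
    $r.OverallStatus()
    return $r.Result               # the restored GPMGPO
}

$results = Backup-AllGpos -Comment ('Scripted backup ' + (Get-Date -Format s))
$results | Format-Table -AutoSize
# Roll 'Managed Desktops' back to its newest backup (here, the one just taken)
$md = $results | Where-Object { $_.GPO -eq 'Managed Desktops' }
if ($md) { Restore-GpoFromLatest $md.GpoId | Out-Null }
```

The backup folder holds each GPO's full settings and ACL, and whatever is in it is what a later restore or import writes back into the domain, so restrict the folder's NTFS permissions to the accounts that run these scripts and keep it off generally writable shares.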
Demo: backing up all GPOs in the domain
Agenda (next section): Import and copy; Migration tables
Import and Copy
- Both transfer policy settings only and do not modify links to the GPO.
- Can be used within the same domain or across domains and forests; cross-domain and cross-forest operations are facilitated by migration tables. This enables "templatization" of managed configurations.
- The key difference is the source/destination behavior. Import: from the file system into an existing GPO. Copy: from a live GPO to a new GPO.

Cross-Domain/Forest Migration Overview
- Key challenge: some settings are domain- or forest-specific, such as references to users, groups and computers, and references to UNC paths.
- Solution: a migration table, which maps a reference in the source GPO to a new reference in the destination GPO.

Scenario: Test to Production (diagram)
The test forest (domains A, B, C) holds GPO X; the production forest (domains D, E, F) receives a copy of GPO X. The diagram contrasts the references in the two: user rights granted to B\PilotUsersGroup and A\PilotUserRemoteGroup in the test forest become E\RedmondUsers and D\RemoteUsersGroup in production, and the UNC paths \\TestServer\%username% and \\TestServer\STD (servers in domains B and C) become \\CPITGFS01\%username% and \\CPITGSD05\STD (servers in domains E and F).

Scenario: Production to Production (diagram)
Within one production forest, GPO X in domain B is copied to domain C. User rights granted to B\JapanUsers become C\JapanUsers; the UNC path \\CPITGFSD01\STD is kept, and \\CPITGFS01\%username% (a server in domain A) becomes \\CPITGFS02\%UserName% (also in domain A).

Import Settings into a GPO
- Use GPMGPO.Import(), which takes three parameters: a flag indicating whether to use the migration table exclusively, the GPMBackup object containing the settings to import, and an optional GPMMigrationTable object.
- Example:
    strBackupID = "{73330457-FEDD-4779-B9FD-5D9D69A585A4}"
    Set MyMigrationTable = GPM.GetMigrationTable("MyTable.xml")
    Set BackupDir = GPM.GetBackupDir("z:\GPOBackups")
    Set MyBackup = BackupDir.GetBackup(strBackupID)
    Set GPMResult = MyGPO.Import(0, MyBackup, MyMigrationTable)

Copying a GPO
- Use GPMGPO.CopyTo(), which creates a new GPO containing the same policy settings as the source GPO. CopyTo() takes four parameters: flags (whether to copy the ACL on the GPO, otherwise the default ACL for new GPOs is used; and whether to use the migration table exclusively), the GPMDomain object for the target domain, an optional display name for the copied GPO (if not specified, the default name for new GPOs is used), and an optional GPMMigrationTable object. CopyTo() returns a GPMResult whose Result property is the new GPO.
- Example:
    CopyFlags = GPMConstants.ProcessSecurity
    Set GPMResult = MyGPO.CopyTo(CopyFlags, GPMTargetDomain, "Copy of MyGPO")
    Set NewGPMGPO = GPMResult.Result

Sample Migration Table
    <?xml version="1.0" encoding="utf-16"?>
    <MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
      <Mapping>
        <Type>GlobalGroup</Type>
        <Source>TESTDOMAIN1\GroupXYZ</Source>
        <Destination>TESTDOMAIN2\GroupABC</Destination>
      </Mapping>
      <Mapping>
        <Type>User</Type>
        <Source>user1@test2.nttest.microsoft.com</Source>
        <DestinationNone/>
      </Mapping>
      <Mapping>
        <Type>UNCPath</Type>
        <Source>\\Server01\share</Source>
        <Destination>\\server02\share\folder</Destination>
      </Mapping>
    </MigrationTable>
A sample is installed to %programfiles%\gpmc\scripts when you install GPMC.

Using Migration Tables
- To create a migration table: GPM.CreateMigrationTable(). To open an existing one: GPM.GetMigrationTable(). To edit one, use the GPMMigrationTable object.
- You can auto-populate the migration table from the contents of an existing GPO or backup by passing either a GPMGPO or a GPMBackup to GPMMigrationTable.Add().
- You can create, read and delete individual entries with GPMMigrationTable.AddEntry(), GPMMigrationTable.GetEntry() and GPMMigrationTable.DeleteEntry().
- See the sample script CreateMigrationTable.wsf in the %programfiles%\gpmc\scripts directory.
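The import, copy and migration-table slides above, carried through as one test-to-production migration in PowerShell: build the table from a backup, map the test-forest groups and UNC paths to their production equivalents, validate and save the table, then import into a new GPO and, alternatively, copy from the live source GPO. This is an added example, not from the deck or the GPMC samples; the domains test.mycompany.com and corp.mycompany.com, the folder D:\GPOBackups, the GPO name and every mapping in $map are assumptions modelled on the scenario diagram.

```powershell
# Added example (not from the deck): migrate a GPO from a test domain into a
# production domain with a migration table. Assumed names: test.mycompany.com,
# corp.mycompany.com, D:\GPOBackups, GPO 'Managed Desktops', the $map entries.

$gpm = New-Object -ComObject 'GPMgmt.GPM'
$c   = $gpm.GetConstants()
$src = $gpm.GetDomain('test.mycompany.com', '', $c.UseAnyDC)
$dst = $gpm.GetDomain('corp.mycompany.com', '', $c.UseAnyDC)
$bd  = $gpm.GetBackupDir('D:\GPOBackups')

# Newest backup of the source GPO, by display name (the deck's backup-search shape)
$crit = $gpm.CreateSearchCriteria()
$crit.Add($c.SearchPropertyGPODomain,        $c.SearchOpEquals, $src.Domain)
$crit.Add($c.SearchPropertyGPODisplayName,   $c.SearchOpEquals, 'Managed Desktops')
$crit.Add($c.SearchPropertyBackupMostRecent, $c.SearchOpEquals, $true)
$backup = $bd.SearchBackups($crit).Item(1)

# Auto-populate the table from the backup. ProcessSecurity also pulls in the
# trustees from the GPO's ACL, which matters when the copy carries the ACL.
$mt = $gpm.CreateMigrationTable()
$mt.Add($c.ProcessSecurity, $backup)

# Map every domain-specific reference. An entry left unmapped keeps its
# "same as source" default, i.e. a test-forest group or server name goes to
# production unchanged; built-in principals are the only ones that should.
$map = @{
    'TEST\PilotUsersGroup'      = 'CORP\RedmondUsers'
    'TEST\PilotUserRemoteGroup' = 'CORP\RemoteUsersGroup'
    '\\TestServer\%username%'   = '\\CPITGFS01\%username%'
    '\\TestServer\STD'          = '\\CPITGSD05\STD'
}
foreach ($e in $mt.GetEntries()) {
    if ($map.ContainsKey($e.Source)) {
        $mt.UpdateDestination($e.Source, $map[$e.Source], $c.DestinationOptionSet)
    } else {
        Write-Warning ("No mapping for {0} (entry type {1}); left as same-as-source" -f $e.Source, $e.EntryType)
    }
}

# Validate checks the destinations before anything touches the target domain
$v = $mt.Validate()
$v.OverallStatus()
$mt.Save('D:\GPOBackups\test-to-corp.migtable')

# Import into a new GPO. MigrationTableOnly makes the import fail if it meets a
# security principal or UNC path that is not in the table at all (for example
# one added to the GPO after the table was built) instead of copying it through.
$newGpo = $dst.CreateGPO()
$newGpo.DisplayName = 'Managed Desktops'
$r = $newGpo.Import($c.MigrationTableOnly, $backup, $mt)
$r.OverallStatus()
"Imported into {0} ({1})" -f $newGpo.DisplayName, $newGpo.ID

# The same transfer from the live source GPO with CopyTo. ProcessSecurity copies
# the ACL as well, so the table has to map the trustees, not only the settings.
$liveSrc = $src.GetGPO($backup.GPOID)
$r2 = $liveSrc.CopyTo(($c.ProcessSecurity -bor $c.MigrationTableOnly), $dst, 'Copy of Managed Desktops', $mt)
$r2.OverallStatus()
$copy = $r2.Result
"Copied to {0} ({1})" -f $copy.DisplayName, $copy.ID
```

Copying the ACL across forests is the part to think about twice: an Apply or Edit ACE granted to a test-forest group is only safe in production if the table maps that group to the production group that should hold the same right, so review the warnings before running the import.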
Creating a Staging Environment: Background
- Deployment from test to production: configure policy in a sandbox environment and, once tested, replicate it to production efficiently and error-free.
- Issue: how do you create the staging environment? GPMC enables this.

Creating a Staging Environment: Details
GPMC provides two sample scripts for this:
- CreateXMLFromEnvironment.wsf represents the DS structure in XML (GPOs and OUs, GPO security, GPO links, users and security groups) and exports all GPOs to the file system.
- CreateEnvironmentFromXML.wsf recreates the DS structure in the target domain and imports the GPOs from the file system.
Resources
- GPMC Web site: www.microsoft.com/windowsserver2003/gpmc/ (link to the download site, the GPMC white paper and the "Migrating GPOs" technical article)
- Scripting resources: 32 sample scripts included with the product in %programfiles%\gpmc\scripts; the GPMC SDK, installed to %programfiles%\gpmc\scripts\gpmc.chm and also part of the Platform SDK
- Group Policy Web sites: www.microsoft.com/grouppolicy and www.microsoft.com/technet/grouppolicy
- Newsgroup: microsoft.public.windows.group_policy

Community Resources
- http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups, to converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User groups, to meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Suggested Reading and Resources
- Active Directory for Microsoft Windows Server 2003 Technical Reference, ISBN 0-7356-1577-2 (available today)
- Microsoft Windows Server 2003 Administrator's Companion, ISBN 0-7356-1367-2 (available today)
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.