Scripting Group Policy settings!

I spent this weekend playing with a beta copy of SDM Software's GPExpert Scripting Toolkit, kindly advanced to a colleague of mine and me by Darren Mar-Elia, the CTO of SDMS.

Darren is one of the better-known GPO gurus out there, and when he sniffed out on the ActiveDir.org newsgroup, during one of our rants, that I worked in an environment with over 2,500 Group Policy objects in AD, he offered to let us play with a beta copy.

Essentially, it is a PowerShell cmdlet that allows you to manage the individual settings within a Group Policy Object.

Already, with PoSH and GPMC installed on an admin workstation, you could use the APIs exposed by GPMC to create GPOs and even script the production of reports that display the settings within GPOs.

See below for an example of creating a GP object in the domain example.com.

-------------example1-----------------

# Connect to the GPMC COM interface
$gpobj = New-Object -ComObject GPMgmt.GPM
$gpConstants = $gpobj.GetConstants()

# Bind to the domain using any available domain controller
$myDomain = $gpobj.GetDomain("example.com", "", $gpConstants.UseAnyDC)

# Create an empty GPO and give it a display name
$myNewGpo = $myDomain.CreateGPO()
$myNewGpo.DisplayName = "PoSH Group Policy"

-------------/example1-----------------

What could not be done with the GPMC APIs was configuring the individual settings within the GPO.

The SDM GPExpert Scripting Toolkit fills this gap the PoSH way! You can now extend your powers to scripting the individual settings within the GPO you just created. The example below sets the "rename Guest account" setting in the policy we created earlier, called "PoSH Group Policy".

-------------example2-----------------

# Open the GPO by display name
$gpo = Get-SDMgpobject -gpoName "gpo://example.com/Posh Group Policy" -openByName $true;

# Navigate to the individual setting by its path in the GPO editor tree
$stng = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename guest account");

# Enable the setting, assign its value, and write the change back to the GPO
$stng.Put("Defined", $true);
$stng.Put("Value", "62150138"); #all accounts in the Domain use 8 digit usernames.
$stng.Save();

-------------/example2-----------------

I think this is awesome stuff! This will not only ensure some extra degree of reliability in the configuration of the settings of GPOs, it will also save time if these settings need to be changed in large numbers of policies. Anything that increases the automation of group policy creation and configuration, in very predictable ways, is always a good thing. And the learning curve with this is not in any way steep.
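
The bulk change mentioned above, as an added example (not code from the original post or from SDM Software): it enumerates GPOs with the GPMC COM API and applies the post's rename-guest setting to each GPO whose name matches a filter. The parameter names, the `$NameFilter` wildcard and the report-only default (nothing is written without `-Apply`) are assumptions made for illustration.

```powershell
# Added example: apply one security setting to every GPO matching a name filter.
# Assumes GPMC and the SDM GPExpert Scripting Toolkit are installed and loaded.
param(
    [string]$DomainName   = "example.com",   # domain used in the post's examples
    [string]$NameFilter   = "PoSH*",         # hypothetical wildcard; adjust to your naming scheme
    [string]$NewGuestName = "62150138",      # value used in the post
    [switch]$Apply                           # without -Apply the script only reports
)

$settingPath = "Computer Configuration/Windows Settings/Security Settings/" +
               "Local Policies/Security Options/Accounts: Rename guest account"

# Enumerate every GPO in the domain through the GPMC COM API.
$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)
$allGpos   = $domain.SearchGPOs($gpm.CreateSearchCriteria())   # empty criteria = all GPOs

$results = foreach ($g in $allGpos) {
    if ($g.DisplayName -notlike $NameFilter) { continue }
    $status = "would change"
    if ($Apply) {
        try {
            # Same calls as example2, run once per matching GPO.
            $gpo  = Get-SDMgpobject -gpoName "gpo://$DomainName/$($g.DisplayName)" `
                        -openByName $true -ErrorAction Stop
            $stng = $gpo.GetObject($settingPath)
            $stng.Put("Defined", $true)
            $stng.Put("Value", $NewGuestName)
            $stng.Save()
            $status = "changed"
        } catch {
            # Record the failure and keep going so one bad GPO does not stop the run.
            $status = "failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{ Gpo = $g.DisplayName; Id = $g.ID; Status = $status }
}

# One row per matching GPO: a record of what was (or would be) touched.
$results | Format-Table Gpo, Id, Status -AutoSize
```

Running it first without `-Apply` lists the GPOs the filter selects, which is worth reviewing before any setting is written in a domain with thousands of policies.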

I am sure the GPExpert toolkit will be an essential part of every group policy admin's "bag o' tricks" when it's released. Excellent stuff!

Published 22 July 2007 07:31 PM by Austin
