1
00:00:03,050 --> 00:00:07,820
In this module, I'm going to talk about and introduce the concept of group policy scripting.

2
00:00:08,660 --> 00:00:13,550
Now, primarily, this is going to be a PowerShell discussion, but I will touch on some capabilities

3
00:00:13,550 --> 00:00:18,410
that are still available via VBScript that provides some neat functions and neat capabilities within

4
00:00:18,410 --> 00:00:19,580
group policy management.

5
00:00:20,480 --> 00:00:26,300
So Microsoft, since Windows seven, has provided this PowerShell module for group policy as a function

6
00:00:26,300 --> 00:00:27,220
of EMC.

7
00:00:28,160 --> 00:00:34,640
So when you install PMC on Windows seven or as it comes installed by default in Server 2012 and server

8
00:00:34,640 --> 00:00:40,670
2016 or server 2022, you will get the command lets the PowerShell command lets the come with the group

9
00:00:40,670 --> 00:00:42,680
policy module installed by default.

10
00:00:43,580 --> 00:00:46,580
So once PMC is installed, you're all good to go.

11
00:00:47,420 --> 00:00:51,950
And I'll talk a little bit more about what that limit is and what you can and can't do with the command

12
00:00:51,950 --> 00:00:52,280
lets.

13
00:00:53,180 --> 00:00:54,950
So this is just a screenshot.

14
00:00:54,950 --> 00:01:00,080
If I type get command dash modal space group policy lists out all the command lets and a couple aliases

15
00:01:00,080 --> 00:01:02,420
within the group policy model on Windows Server.

16
00:01:03,290 --> 00:01:08,510
And these command, let's really provide capabilities over a range of management tasks.

17
00:01:09,410 --> 00:01:12,540
So if you call that, PowerShell has this kind of verb noun structure.

18
00:01:12,560 --> 00:01:14,600
Get GPO, backup GPO.

19
00:01:15,410 --> 00:01:23,300
These are all the verbs available under the GPO noun backup copy get import new remove, rename and

20
00:01:23,300 --> 00:01:23,870
restore.

21
00:01:24,730 --> 00:01:30,370
In terms of GPL permissions you can get in set permissions and these are permissions on the GPO itself.

22
00:01:31,260 --> 00:01:33,090
You can get her said inheritance.

23
00:01:33,240 --> 00:01:38,100
And this is really just a matter of getting or setting that flag that you can stick on or use and domains

24
00:01:38,100 --> 00:01:39,110
to block inheritance.

25
00:01:39,990 --> 00:01:46,520
So you can either get the value of that or you or domain or set the value for GB link, which is the

26
00:01:46,520 --> 00:01:47,760
a link on a site domain.

27
00:01:47,760 --> 00:01:53,910
Or you you can create a new link, you can remove a link and you can set the link so you can change

28
00:01:53,910 --> 00:01:58,170
the properties on a link using the set verb with GPO report.

29
00:01:58,230 --> 00:02:02,880
This is simply a group policy settings report in either HTML or XAML format.

30
00:02:03,780 --> 00:02:10,740
You can get that and you can get or create new starter GPOs, so you can create a new starter GPO using

31
00:02:10,740 --> 00:02:12,660
the new starter GPO Command.

32
00:02:12,660 --> 00:02:15,330
Let invoke update.

33
00:02:16,210 --> 00:02:18,970
It was actually added in Windows eight and beyond.

34
00:02:19,840 --> 00:02:23,410
And it is basically a remote group policy update or update.

35
00:02:24,250 --> 00:02:30,550
So you can literally invoke a remote update just like you can from the UI and PMC, you can do it from

36
00:02:30,550 --> 00:02:31,180
PowerShell.

37
00:02:32,050 --> 00:02:39,160
The get result instead of policy essentially lets you run an RSP report against a remote system so you

38
00:02:39,160 --> 00:02:46,270
can get RSP data from that command one and the final two verb noun combinations are get remove and set

39
00:02:46,600 --> 00:02:52,630
pref registry value and get remove set GP registry value and they respectively let you set or get GP

40
00:02:52,630 --> 00:02:55,540
preference registry settings and admin template settings.

41
00:02:56,440 --> 00:03:00,010
That GP registry value lets you set admin template settings.

42
00:03:00,910 --> 00:03:02,890
So I'm not going to go into that.

43
00:03:03,810 --> 00:03:09,510
I sort of consider those to be a little bit more advanced commandments, but those are the limitations

44
00:03:09,510 --> 00:03:11,790
right now for being able to modify settings.

45
00:03:12,720 --> 00:03:16,050
So let's kind of look overall at the limitations in the current command.

46
00:03:16,050 --> 00:03:19,590
Let's set so that you know what you can and cannot do with the PowerShell command.

47
00:03:19,590 --> 00:03:24,630
Let's so today there is really no support outside of the two areas that I just mentioned.

48
00:03:24,630 --> 00:03:27,090
Admin templates in GP Preferences Registry.

49
00:03:27,090 --> 00:03:32,940
If no support for readying or modifying settings in PowerShell from Microsoft, there's no support for

50
00:03:32,940 --> 00:03:34,470
retrieving GPO links.

51
00:03:35,340 --> 00:03:37,980
So for example, there's no get GP link.

52
00:03:38,870 --> 00:03:42,560
You can set links, you can create new links, but you can't get links.

53
00:03:43,430 --> 00:03:47,990
You can't get information about existing links, which is, I think, a big oversight.

54
00:03:48,830 --> 00:03:56,300
And by the way, my GMC complete GMC module does include a get link function, no support at all for

55
00:03:56,300 --> 00:03:59,780
creating, linking, editing or deleting WMI filter.

56
00:03:59,810 --> 00:04:04,310
So you can't really do anything in PowerShell with respect to managing WMI filters.

57
00:04:05,180 --> 00:04:07,520
No support for setting the GPO status.

58
00:04:08,410 --> 00:04:10,840
It can be done, but it's an indirect thing.

59
00:04:11,710 --> 00:04:18,370
So there's no blood set that says said GPIO status, for example, no support for managing the delegation

60
00:04:18,370 --> 00:04:22,330
other than the actual GPIO delegation or the permissions on the GPIO.

61
00:04:23,170 --> 00:04:28,570
So if you remember from my module on GPIO delegation, we could set delegation for things like who can

62
00:04:28,570 --> 00:04:32,560
link to which I'll use that's not supported in the command links.

63
00:04:33,460 --> 00:04:38,470
I will say that a lot of the functionality that Microsoft provides in PMC is available through a call

64
00:04:38,560 --> 00:04:43,480
API that's used indirectly by these PowerShell command lets and you can use PowerShell to interact with

65
00:04:43,480 --> 00:04:48,490
the com APIs directly to get access to funds, a tonality that's not available in the Microsoft Command

66
00:04:48,490 --> 00:04:48,820
lets.

67
00:04:49,660 --> 00:04:54,070
Now I'm not going to cover that again because it's a little bit more of an advanced topic.

68
00:04:54,920 --> 00:05:00,680
But there's lots of information out on the Internet about using the COM APIs and GM PC directly from

69
00:05:00,680 --> 00:05:01,310
PowerShell.

70
00:05:02,180 --> 00:05:06,740
So let's kind of dig in and look at just sort of take a tour around the group policy module and see

71
00:05:06,740 --> 00:05:07,370
how it works.