Script GPO operations using PowerShell

 
If you are like me – so you’re both a PowerShell enthusiast and you don’t like repetitive (boring!) work,
you try to automate stuff that you need to do more than a few times.
 
In this case I was working with GPOs.
I needed to add lots of computer objects to a GPO’s security filtering list, you know what I mean:
 
 
In this case I couldn’t use groups, so I had to add all the objects separately… (don’t ask)
Another challenge was, that it concerned a domain not trusted by my workstation’s domain.
 
I looked into the VBScripts that come with GPMC in Windows 2003 (in the ‘\Program Files\GPMC\Scripts’ folder),
the following command looks like it should work, but it doesn’t seem to work for user objects in a non-trusted domain,
and the script doesn’t seem to work for computer objects at all:
Cscript SetGPOPermissions.wsf "MyGPO" "MyServer" /Permission:Apply /Domain:wedonttrustyou.local
 
I also tried porting the script to PowerShell, using the same GPMgmt.GPM COM interface,
but that seems to have issues as well, so there might be inherent issues with this interface and using it for
non-trusted domains, as far as I can tell.
I did find a good starting point for that kind of scripting, in an old TechNet Magazine:
There is also some code for download there, including a ‘GPMC PowerShell Functions.txt’
If you load this in your Posh Profile or dot-source it in a session,
you have a lot of functions at your disposal, to do different Group Policy tasks.
 
 
 
But I had to look for an alternative…
I remembered I downloaded and installed the SDM GPMC Powershell CmdLets 1.3 once, but I hadn’t put much use in them yet.
Check out: http://www.sdmsoftware.com/freeware.php for these and other nice tools.
 
I even had The SDMSoftware.PowerShell.GPMC snap-in loaded already through my PoSh profile script, so I was ready to go!
I quickly discovered the Add-SDMgpoSecurity CmdLet, which looked right for the job.
After a few typos I had it working in a few minutes!
 
In a session, started with alternate credentials for the non-trusted domain,
I could use the following command to get the job done:
Add-SDMgpoSecurity -name "MyGPO" -Trustee "MyServer" -PermApply -Domain "wedonttrustyou.local"
 
After that I could pipe the entire list of computers to the command and relax,
and next time the command will be at my disposal at will (if I forget I can check this blog post I guess 😉)
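The bulk step described above, written out as an added example (not the author's own script): it feeds a list of computer names to Add-SDMgpoSecurity using only the parameters shown in this post, and writes a per-computer change record so the security filtering change can be reviewed afterwards. The file names computers.txt and gpo-filter-changes.csv are hypothetical, and the script assumes it runs in a session started with credentials for the target domain, using PowerShell 2.0 or later for try/catch.

```powershell
# Added example: bulk-add computers to a GPO's security filtering list and keep a change record.
# Assumption: computers.txt (hypothetical) holds one computer name per line, in the
# same form as the "MyServer" trustee used in the single command above.
Add-PSSnapin SDMSoftware.PowerShell.GPMC -ErrorAction SilentlyContinue

$gpoName  = 'MyGPO'
$domain   = 'wedonttrustyou.local'
$listPath = '.\computers.txt'            # hypothetical input file
$logPath  = '.\gpo-filter-changes.csv'   # hypothetical output file

# Normalise the input: trim whitespace, drop blank and comment lines, de-duplicate.
$computers = Get-Content $listPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^#' } |
    Sort-Object -Unique

$results = foreach ($computer in $computers) {
    $status = 'Added'
    $detail = ''
    try {
        # -ErrorAction Stop turns non-terminating errors into exceptions,
        # so a failed trustee lookup is recorded instead of scrolling past.
        Add-SDMgpoSecurity -name $gpoName -Trustee $computer -PermApply -Domain $domain -ErrorAction Stop |
            Out-Null
    }
    catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Time    = (Get-Date).ToString('s')
        GPO     = $gpoName
        Domain  = $domain
        Trustee = $computer
        Status  = $status
        Detail  = $detail
    }
}

# Write the change record and show anything that needs a second look.
$results | Select-Object Time, GPO, Domain, Trustee, Status, Detail |
    Export-Csv -Path $logPath -NoTypeInformation
$failed = @($results | Where-Object { $_.Status -eq 'Failed' })
"{0} trustee(s) processed, {1} failed; details in {2}" -f @($results).Count, $failed.Count, $logPath
$failed | Format-Table Trustee, Detail -AutoSize
```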
 
 
