SID-500

Configuring Group Policies using Windows PowerShell

In this blog post I am going to describe how to use PowerShell to administer Group Policies in your Active Directory environment. Group Policies control the environment of users and computers. But it's not just about control: Group Policies can also help you make your client and server systems more user-friendly.

The GroupPolicy Module

All cmdlets can be found in the GroupPolicy module. Simply run Get-Command on one of your Domain Controllers to list them all.

Get-Command -Module GroupPolicy

Create a GPO

First, we create a simple Group Policy Object without any configuration.

New-GPO -Name "ScreenSaverTimeOut" -Comment "Sets the time to 900 seconds"

Configure the GPO

And now the bad news: you have to enter the registry key and value yourself.

Set-GPRegistryValue -Name "ScreenSaverTimeOut" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 900

Link the GPO to an Organizational Unit / Domain / Site

Now we have configured a GPO. The last step is to link it to an Active Directory Object (OU, Domain, Site).

New-GPLink -Name "ScreenSaverTimeOut" -Target "ou=people,dc=pagr,dc=inet"

As you can see, the link is not enforced by default. Enforcing a GPO is a rare configuration. It can be useful when some of your Organizational Units are configured to block inherited GPOs from parent OUs; an enforced GPO overrides that block. More about it later.
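
The three steps above (create, configure, link) as one idempotent script, followed by a read-back check. This is an added example, not code from the original post; the GPO name, registry key and OU DN are the ones used in the post, and the script assumes it runs on a Domain Controller (or a machine with RSAT) where the GroupPolicy module is available.

```powershell
# Added example (not from the original post): create, configure, link and verify
# the ScreenSaverTimeOut GPO in one pass. OU DN and values are taken from the post.
Import-Module GroupPolicy

$gpoName   = 'ScreenSaverTimeOut'
$ouDn      = 'ou=people,dc=pagr,dc=inet'   # assumption: same OU as in the post
$regKey    = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$valueName = 'ScreenSaveTimeOut'
$timeout   = 900

# Reuse the GPO if it already exists, otherwise create it (New-GPO fails on a duplicate name)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Sets the screen saver timeout to $timeout seconds"
}

# Write the registry-based policy setting into the GPO
Set-GPRegistryValue -Name $gpoName -Key $regKey -ValueName $valueName `
    -Type DWord -Value $timeout | Out-Null

# Link it to the OU only if no link for this GPO exists yet (New-GPLink throws otherwise)
$existingLinks = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($existingLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Verify by reading the value back from the GPO instead of trusting the write
$setting = Get-GPRegistryValue -Name $gpoName -Key $regKey -ValueName $valueName
if ($setting.Value -ne $timeout) {
    throw "Expected $valueName = $timeout but the GPO contains $($setting.Value)"
}
"GPO '$gpoName' ($($gpo.Id)) sets $valueName=$($setting.Value) and is linked to $ouDn"
```

The read-back with Get-GPRegistryValue is the part worth keeping in any GPO automation: it confirms the setting actually landed in the GPO's registry.pol before anyone relies on the link.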

Review your GPO

You can check the GPO you just configured by using the graphical interface or PowerShell.

Get-GPO -Name "ScreenSaverTimeOut" | Get-GPOReport -ReportType HTML -Path $Home\report.html
Invoke-Item $Home\report.html

Or open gpmc.msc and navigate to the object.

Configure Advanced Settings

Inherited Group Policies

To find all inherited Group Policy Objects for an Organizational Unit, run

Get-GPInheritance -Target "ou=people,dc=pagr,dc=inet"

Blocking inheritance

If you want to block all GPOs inherited from parent Organizational Units, run

Set-GPInheritance -Target "ou=people,dc=pagr,dc=inet" -IsBlocked 1

Compare this output to the previous one. The Default Domain Policy comes from a parent object and is now gone.

Enforcing Group Policies

As mentioned earlier, enforcing overrides blocking. So, if I enforce my Default Domain Policy, it should be there again.

Set-GPLink -Name "Default Domain Policy" -Target "dc=pagr,dc=inet" -Enforced Yes

And it's there again:

Get-GPInheritance -Target "ou=people,dc=pagr,dc=inet" | Select InheritedGpoLinks
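
To see at a glance why a GPO does or does not reach an OU after blocking and enforcing, the following added helper (not part of the original post; the function name is mine, the OU DN is the post's) flattens the output of Get-GPInheritance into one row per effective link and flags the case the post describes: a parent link that still applies under a blocked OU because it is enforced.

```powershell
# Added example (not from the original post): report the GPO links that effectively
# reach a container and why, using only Get-GPInheritance output.
Import-Module GroupPolicy

function Get-EffectiveGpoLinks {
    param([Parameter(Mandatory)][string] $Target)   # e.g. 'ou=people,dc=pagr,dc=inet'

    $som = Get-GPInheritance -Target $Target

    # InheritedGpoLinks is the precedence-ordered result after blocking and enforcement
    # have been evaluated; GpoLinks are only the links set directly on $Target.
    $ownIds = @($som.GpoLinks | ForEach-Object { $_.GpoId })

    foreach ($link in $som.InheritedGpoLinks) {
        $linkedHere = $ownIds -contains $link.GpoId
        [pscustomobject]@{
            Target             = $som.Path
            InheritanceBlocked = $som.GpoInheritanceBlocked
            Gpo                = $link.DisplayName
            LinkedAt           = $link.Target
            LinkedHere         = $linkedHere
            Enforced           = $link.Enforced
            Enabled            = $link.Enabled
            # A parent link that survives a blocked OU only because it is enforced:
            # the "enforcing overrides blocking" case from this post
            AppliesDespiteBlock = $som.GpoInheritanceBlocked -and (-not $linkedHere) -and $link.Enforced
        }
    }
}

Get-EffectiveGpoLinks -Target 'ou=people,dc=pagr,dc=inet' | Format-Table -AutoSize
```

Run it once before and once after Set-GPInheritance / Set-GPLink to see the Default Domain Policy disappear and come back with AppliesDespiteBlock set to True. Enforced links from the domain are also the ones an auditor should review first, since they cannot be switched off at the OU level.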

Configure Security Settings

The default security setting for all newly created GPOs is Authenticated Users (Apply). This means that every object in the OU, site or domain the policy is linked to has the right to read the GPO and therefore to apply it.

For example, you have 10 users in an OU and want to apply a GPO to one user only. Then simply modify the permissions of the Authenticated Users group.

To do that, remove the Authenticated Users group. Ignore the warnings.

Set-GPPermission -Name "ScreenSaverTimeOut" -TargetName "Authenticated Users" -TargetType User -PermissionLevel None

Then add it again, but now allow only “Read”.

Set-GPPermission -Name "ScreenSaverTimeOut" -TargetName "Authenticated Users" -TargetType User -PermissionLevel GPORead

And finally, add your user and grant the user “GPOApply”.

Set-GPPermission -Name "ScreenSaverTimeOut" -TargetName "Petra" -TargetType User -PermissionLevel GPOApply
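
The same security filtering as a reusable function with a verification step. This is an added example, not code from the original post; the helper name is mine, the GPO name and user are the post's. It uses the -Replace switch of Set-GPPermission to drop Authenticated Users from Apply to Read in one call instead of the remove-then-re-add sequence above, and deliberately keeps the Read permission: since MS16-072 Group Policy is retrieved in the computer's security context, so a GPO that nobody but the target user can read will not be applied at all.

```powershell
# Added example (not from the original post): restrict a GPO to selected trustees and
# verify the resulting permissions instead of assuming the cmdlets succeeded.
Import-Module GroupPolicy

function Set-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)][string]   $GpoName,
        [Parameter(Mandatory)][string[]] $ApplyTo,                       # users or groups that should receive the GPO
        [ValidateSet('User','Group','Computer')][string] $ApplyToType = 'User'
    )

    # Authenticated Users keeps Read but loses Apply. Read must stay so that the
    # computer account can still retrieve the GPO (MS16-072 behaviour).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GPORead -Replace | Out-Null

    foreach ($trustee in $ApplyTo) {
        Set-GPPermission -Name $GpoName -TargetName $trustee -TargetType $ApplyToType `
            -PermissionLevel GPOApply | Out-Null
    }

    # Verify: Authenticated Users (well-known SID S-1-5-11) is back to Read only ...
    $perms     = Get-GPPermission -Name $GpoName -All
    $authUsers = $perms | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
    if (-not $authUsers -or $authUsers.Permission -ne 'GPORead') {
        throw "Authenticated Users has '$($authUsers.Permission)' on $GpoName, expected GPORead"
    }

    # ... and list who can actually apply the GPO now
    $perms | Where-Object { $_.Permission -eq 'GPOApply' -and -not $_.Denied } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
}

Set-GpoSecurityFiltering -GpoName 'ScreenSaverTimeOut' -ApplyTo 'Petra'
```

Passing a group instead of a single user (-ApplyTo 'GPO-ScreenSaver-Users' -ApplyToType Group) is the more maintainable form: membership changes then happen in AD group management rather than in the GPO's ACL.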

See also

PowerShell: Force gpupdate on all Domain Computers

WHOIS

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!

Patrick Gruenauer