In this blog post I am going to describe how to use PowerShell to administer Group Polices in your Active Directory environment. Group Polices control the environment of users and computers. But it´s not just controlling: Goup Polices can help you to make your client and server systems more user-friendly.
The Module Group Policy
All commands can be found in the module Group Policy. Simply run Get-Command on one of your Domain Controllers to get them all.
Get-Command -Module GroupPolicy
Create a GPO
First, we create a simple Group Policy Object without any configuration.
New-GPO -Name "ScreenSaverTimeOut" -Comment "Sets the time to 900 seconds"
Configure the GPO
And now the bad news: You have to enter a registry key.
Set-GPRegistryValue -Name "ScreenSaverTimeOut" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 900
Link the GPO to an Organizational Unit / Domain / Site
Now we have configured a GPO. The last step is to link it to an Active Directory Object (OU, Domain, Site).
New-GPLink -Name "ScreenSaverTimeOut" -Target "ou=people,dc=pagr,dc=inet"
As you can see it´s not enforced by default. Enforcing a GPO is a very rare configuration. It can be useful when some of our Organizational Units are configured to block inherited GPOs from parent OUs. Then the enforced GPO will override those setting. More about it later.
Review your GPO
You can check your previous configured GPO by using the graphical interface or PowerShell.
Get-GPO -Name "ScreenSaverTimeOut" | Get-GPOReport -ReportType HTML -Path $Home\report.html Invoke-Item $Home\report.html
Or open gpmc.msc and navigate to the object.
Configure Advanced Settings
Inherited Group Policies
To find all inherited Group Policy Objects for an Organizational Unit, run
Get-GPInheritance -Target "ou=people,dc=pagr,dc=inet"
If you want to block all GPOs inherited from parent Organizational Units, run
Set-GPInheritance -Target "ou=people,dc=pagr,dc=inet" -IsBlocked 1
Compare this screenshot to the previous. The Default Domain Policy comes from a parent object and is now gone.
Enforcing Group Policies
As mentioned earlier, enforcing overrides blocking. So, if I enforce my Default Domain Policy, it should be there again.
Set-GPLink -Name "Default Domain Policy" -Target "dc=pagr,dc=inet" -Enforced Yes
And it´s there again:
Get-GPInheritance -Target "ou=people,dc=pagr,dc=inet" | Select InheritedGpoLinks
Configure Security Settings
The default security setting for all newly created GPOs is Authenticated Users (Apply). This means, that all objects in an OU, Site or Domain, where the policy is applied to, have the right to read the GPO and therefore to apply it.
For example, you have 10 users in an OU. You want to apply a GPO to one user only. Then simply modify the rights of the Authenticated Users group.
To do that, remove the authenticated users group. Don´t care about the warnings.
Set-GPPermission -Name "ScreenSaverTimeOut" -TargetName "Authenticated Users" -TargetType User -PermissionLevel None
Then add it again. But now allow only “Read”.
Set-GPPermission -Name "ScreenSaverTimeOut" -TargetName "Authenticated Users" -TargetType User -PermissionLevel GPORead
And finally, add your user and grant the user “GPOApply”.
Set-GPPermission -Name "ScreenSaverTimeOut" -TargetName "Petra" -TargetType User -PermissionLevel GPOApply