powershell commands for GPOs

PowerShell Commands for Deploying and Managing GPOs (GPO Scripts)

Share

In this article, we’ll take a look at some PowerShell commands that you can use to deploy and manage your GPOs.

For a few years now, there has been a steady increase in the number of people using PowerShell in the administration of operating systems and server applications, as well as the deployment of services and infrastructure. This has been pushed by Microsoft and many systems administrators, who are increasingly moving away from the traditional graphic interface.

Those people who have tried administrating services using PowerShell will agree that, even if it is more complicated because of the steep learning curve, a command-based model is much more powerful and provides greater flexibility.

So, having already written several articles dedicated to deploying GPOs using the graphic interface, we thought it would be a good idea to look at how you can deploy GPOs using PowerShell commands. All you need to do is put the commands in a text file, and you’ll have your very own GPO script that you can use to deploy group policies.

NOTE: It’s important to differentiate between GPOs that run PowerShell commands and deploying a GPO using PowerShell commands. The first case involves creating a GPO that runs a file containing PowerShell commands. The second case involves using PowerShell commands to deploy or configure a GPO.

 

Getting Started with PowerShell and GPOs

Before we go much further, we’re going to recap on what you need and what you can do with PowerShell when it comes to Group Policies (GPOs). However, we’re not going to look at all the possible commands available. We’ll stick to just the most important ones for deploying, configuring and updating GPOs, as well as generating reports and removing them when you don’t need them anymore.

 

Importing PowerShell Modules for GPOs

When working with PowerShell, it’s important to know that there are countless commands and library modules available, and you will need to import some modules in order to work with certain services or products. Furthermore, each of these modules has their own supporting documentation that you need to be aware of.

For working with GPOs, the first module you will need, as a requirement, is the Active Directory module (“ActiveDirectory”), which you can install using the following command:

Import-Module ActiveDirectory

This module should also bring with it everything you need to manage Group Policies, but if it doesn’t for some reason, you can always launch the following command:

Import-Module GroupPolicy

GPO Operations Available in PowerShell

To give you an idea of what you can do with PowerShell with respect to policies, you can launch the following command which will return a list of all the commands included in the Group Policy module:

Get-Command –Module GroupPolicy

 

Image - A list of available commands in the Group Policy module
Image – A list of available commands in the Group Policy module

 

Even if you know absolutely nothing about PowerShell, you’ll be able to work out what you can do with each of these commands. But to summarise, with these commands, you can:

  • Perform GPO enquiries
  • Create, copy or delete GPOs
  • Link and unlink GPOs
  • Set permissions and inheritance for GPOs
  • Back up and recover your GPOs

To find out more information about the module, check out the dedicated page at Microsoft Learn.

Now, let’s take a look at how we can perform some of these operations.

 

Display the GPOs in the Domain

You can use the “Get-GPO” command to show all the GPOs in the domain simply by including the domain name. The resulting syntax will look as follows:

Get-GPO -Domain <domain> -All

Where:

  • Domain <domain>: here you need to swap <domain> for the domain name, including the extension (e.g., pruebasnacho.int)

So, here’s an example:

Get-GPO -Domain pruebasnacho.int -All

 

Image - List of all the GPOs in the domain
Image – List of all the GPOs in the domain

 

Creating a New GPO with PowerShell

To create a new GPO using PowerShell, we work in pretty much the same way as if we were using the graphic interface. The first thing you need to do is create a new blank GPO using the following command:

New-GPO -Name <Name> -Comment <Comment>

Where:

  • New-GPO: is the command to create a new GPO.
  • -Name <Name>: <Name> is the name you want to give the new GPO.
  • -Comment <Comment>: <Comment> is an additional comment and is normally used to provide a description of the GPO.

Here’s an example:

New-GPO -Name GPOTest1 -Comment “Comment about my GPO created with PowerShell”

 

Image - Create a new GPO using PowerShell
Image – Create a new GPO using PowerShell

 

Linking a GPO to an OU Using PowerShell

After creating a GPO, the next step is normally to link the GPO to an Organisational Unit (OU), which will be the root directory where the policy is run.

To do this, use the “New-GPLink” command when you create your new GPO. The command will look something like this:

Get-GPO <Name> | New-GPLink -Target “ou=zaragoza, dc=pruebasnacho, dc=int”

Where:

  • Get-GPO <Name>: Substitute <Name> for the name you want to give the GPO that you want to link.
  • Target <Path_OU_Domain>: This is the folder path for the Organisational Unit that you want to link the GPO to. Substitute <Path_OU_Domain> for the folder path of the OU using the format shown below.

Here’s an example of what the command would look like when linking a GPO to the Zaragoza delegation on the domain PruebasNacho.int:

Get-GPO TestGPO | New-GPLink -Target “ou=zaragoza,ou=delegation,dc=pruebasnacho,dc=int”

 

Image - Link the GPO to an OU
Image – Link the GPO to an OU

 

Unlinking a GPO from an OU Using PowerShell

When you want to unlink a GPO from an OU, you should use the “Remove-GPLink” command using the following format:

Remove-GPLink -Name <Name> -Target <Path_OU_Domain>

Where:

  • Name <Nombre>: Gives the name of the GPO. Substitute <Name> for the name.
  • Target <Path_OU_Domain>: Specifies the folder path for the Organisational Unit that you want to unlink from the GPO. Substitute <Path_OU_Domain> for the folder path using the format shown below.

Here’s an example of what the command would look like to unlink the GPO from an OU at the Zaragoza delegation in the Domain PruebasNacho.int:

Remove-GPLink -Name TestGPO -Target “ou=zaragoza,ou=delegation,dc=pruebasnacho,dc=int”

 

Image - Unlinking the GPO from an OU
Image – Unlinking the GPO from an OU

 

Disabling a GPO without Unlinking it from the OU Using Powershell

Another option is to disable a GPO temporarily without unlinking it from the OU. We say “temporarily” because this tends to be used for tests or when changes are being made, but in reality, you can disable it indefinitely if you wish. But if you wanted to do this, it’s probably better to unlink it and remove it to avoid a build-up of trash.

To disable the link between a GPO and an OU, use the following command:

Set-GPLink -Name  <Name> -Target  <Path_OU_Domain> -linkenabled no

Where:

  • Name <Name>: Provides the name of the GPO that you wish to disable. Substitute <Name> for the name of the GPO.
  • Target <Path_OU_Domain>: The folder path of the Organisational Unit that is linked to the GPO. Substitute <Path_OU_Domain> for the folder path using the format in the example below.

Here’s an example of a command to disable a GPO linked to the Zaragoza delegation in the domain PruebasNacho.int:

Set-GPLink -Name TestGPO1 -Target “ou=zaragoza, dc=pruebasnacho, dc=int” -linkenabled no

 

Image - Disabling a GPO linked to an OU
Image – Disabling a GPO linked to an OU

 

Removing a GPO with PowerShell

If a GPO ever starts causing problems, becomes redundant or you simply don’t want it any more, you’ll probably want to remove it. To do this, use the “Remove-GPO” command:

Remove-GPO -Name <Name> -Domain <domain>

Where:

  • Name <Name>: Gives the name of the GPO that you want to remove. Substitute <Name> for the name of the GPO.
  • Domain <domain>: This is not a mandatory parameter, but you can substitute <domain> for the domain name, including the extension (e.g., pruebasnacho.int)

Here’s an example of what this would look like:

Remove-GPO -Name TestGPO -Domain “PruebasNacho.int”

There is also the option to use the “Guid” instead of the name, which is a unique alphanumeric string that identifies the GPO in the domain. In this case, the command would look something like this:

Remove-GPO -Guid 0b14-50c-46dd-3e45-afa0-8b4d-331c-12bc -Domain “PruebasNacho.int”

 

Image - Removing a GPO from an OU
Image – Removing a GPO from an OU

 

Backing up GPOs Using PowerShell (Perfect for creating a GPO script)

Firstly, it’s important to point out that backing up a single GPO is a different procedure from backing up all existing GPOs.

So, to back up all the GPOs on a domain controller, you need to use the following command:

Backup-GPO -All -Path <Destination_Path>

Where:

  • Path <Destination_Path>: should contain the full path of the backup location.

Here’s an example:

Backup-GPO -All -Path F:\Backups\ADDS\GPO\

On the other hand, if you want to copy just one GPO, you should use specify the GPO in question using the following command:

Backup-GPO -Name <Name> -Path <Destination_Path>

Where:

  • Name <Name>: Specifies the name of the GPO that you want to back up.
  • Path <Destination_Path>: should specify the full path of the backup location.

Here’s an example:

Backup-GPO -Name TestGPO -Path F:\Backups\ADDS\GPO\

Again here, there is the option to add comments that can be used to add the backup date to make it easier to keep your backups organised.

In this case, the command would look like this:

Backup-GPO -Name TestGPO -Path F:\Backups\ADDS\GPO\ – Comment “Backup TestGPO 20221107”

This command can be particularly useful if you want to create a GPO script to schedule backups of your policies and store them in a secure storage location in case of any future incidents.

 

Image - Creating a backup of GPOs in the domain
Image – Creating a backup of GPOs in the domain

 

Recovering a GPO Using PowerShell

The process to recover a GPO is very similar to the process to create a backup, which is quite handy when you’re trying to remember how to do it.

If you want to recover a GPO backup, you need to run the following command:

Restore-GPO -Name <Name> -Path <Destination_Path> – Comment <Comment>

Where:

  • Name <Name>: Should be the name of the GPO that you want to recover.
  • Path <Destination_Path>: Is the full destination path for the backup.
  • Comment <Comment>: Should contain the comment that was added to the backup and should refer to a specific backup from a specific time.

An example of this command would be:

Restore-GPO -Name TestGPO -Path F:\Backups\ADDS\GPO\ – Comment “Backup TestGPO 20221107”

 

Updating a GPO Using PowerShell

As anyone who has worked with group policies will already know, GPOs don’t always work the first time, or they don’t always load or update as they should. Sometimes, you need to manually force them to update. To do this, you can use this classic command:

Gpupdate /force

In PowerShell, we have another command that can be used to update policies. This is the “Invoke-GPUpdate” command, which is usually run on the computer on which you wish to update the GPOs:

Invoke-GPUpdate

If you want to refresh your policies using a remote connection, you can also use the following command:

Invoke-GPUpdate -Computer <computer>

Where:

  • <computer>: is the name of the computer on which you want to update the policies. This should be written in the format “dominio\equipo”, for example, “pruebasnacho\laptop1”.

Here’s an example of the complete command:

Invoke-GPUpdate -Computer “pruebasnacho\laptop1”

Usually, you would use this command for all GPOs. However, if you just wanted to update only those applied to users or those applied to computers, you would add the following modifier:

-Target “User”

And, in the case of computers, it would be as follows:

-Target “Computer”

Furthermore, you can update the GPOs for an entire Organisational Unit by using a small “one-line script”:

Get-ADComputer –filter * -Searchbase <OU_Path> | foreach{ Invoke-GPUpdate –computer $_.name -force}

Where:

  • Searchbase <OU_Path>: Is the domain path for the OU that you wish to update.

For example, if you wanted to update the GPOs for the Zaragoza delegation, the command would look like this:

Get-ADComputer –filter * -Searchbase “ou=zaragoza,ou=delegation,dc=pruebasnacho,dc=int” | foreach{ Invoke-GPUpdate –computer $_.name -force}

If you wanted to do this for the entire domain, you would run Searchbase on the domain’s root directory.

So, with all these commands, you can create a GPO script, which will allow you to update GPOs on the computers you need to or even on the entire domain.

 

Generating a Report for a GPO Run Using PowerShell (and GPO Script)

When working with policies, problems can happen, and you may need to run some checks to see where issues are occurring or check your settings.

In this situation, you can use the cmdlet “Get-GPOReport” which generates a report which will output an HTML or XML file that describes the properties and configuration for either a specific GPO or all the GPOs in a domain.

This report includes:

  • Details about the GPOs.
  • Their links.
  • Security filters.
  • WMI Filters.
  • The delegation.
  • The configuration of users and computers.

To generate this type of report, you can use the following command:

Get-GPOReport -name <Name> -ReportType <HTML/XML> -Path <Output_Path>

Where:

  • Name <Name>: Name of the GPO that the report is run for.
  • ReportType <HTML/XML>: Specifies the format of the report, either HTML or XML.
  • Path <Output_Path>: The complete path where the report will be saved, including the filename. For example, “F:\Reports\ADDS\GPO\report.html”.

Here’s an example of what this command might look like:

Get-GPOReport -name TestGPO -ReportType HTML -Path “F:\Reports\ADDS\GPO\report.html”

If you want to generate a report for all policies, you should swap the parameter “-name <Name>” for “-all”.

 

Image - Generating the report and reviewing its content
Image – Generating the report and reviewing its content

 

Conclusion

Group policies (GPOs) are one of the most important tools for keeping your business infrastructure well-managed in a fast and efficient way, especially when you have a lot of hosts.

With GPOs, you can automatically deploy software or apply standard configurations for groups of hosts based on their location within the AD DS structure or their Organisational Unit (OU).

As with most things provided by Microsoft, you can work with GPOs using PowerShell commands. Simply by knowing a relatively small set of cmdlets, you can perform the majority of GPO-related tasks. In fact, with the commands contained in this article, you can even create your own scripts to automatically deploy policies on your AD DS server.

We hope that you found this article interesting. If you have any questions, we recommend you read our article titled “What Are GPOs and What Are They Used for”.

Furthermore, we recommend you check out the following links, where you’ll find additional information and some practical examples of what you can do with group policies:

Thanks for reading!

Category:Cloud and Systems

Other posts that may interest you

9 de August de 2024
Choosing the right cloud service provider is a critical decision that can impact the quality of your software, customer
3 de July de 2024
Here at Jotelulu, we have designed our Disaster Recovery service specifically with SMEs in mind. But what arguments should
2 de July de 2024
In today’s article, we will explain some of the basic concepts that are important to understand about Jotelulu’s Disaster

Fill out the form and one of our Sales team will contact you soon.

growth@jotelulu.com  |  jotelulu.com 

You can unsubscribe from these communications at any time. For more information,  check our Privacy Policy.

 

We make the difficult easy

Existing Disaster Recovery tools often require advanced knowledge to manage, demanding expertise that is difficult to acquire.

Jotelulu’s Disaster Recovery aims to make the difficult easy and offers a very simple deployment based on a three-step configuration:

Origin (Primary Site)
Determine the origin location of the subscription on which the Disaster Recovery service will be established.

Destination (Recovery Site)
Set the destination location (availability zone) where you want the Recovery Site to be deployed.

Replication characteristics
Specify the data related to the number of copies to be kept and the frequency at which the replication will be performed.