Windows administration At a glance: What is Windows PowerShell? How GPOs were managed previously Migrating scripts to Windows PowerShell Simplify Group Policy administration with Windows PowerShell Thorbjörn Sjövold Microsoft Group Policy is the management backbone of nearly every organisation with a Windows infrastructure. I have a feeling this is exactly what will hap­ technology didn’t ™ pen with Windows PowerShell , the latest catch on overnight management technology from Microsoft. In fact, Windows PowerShell is likely to make – it was somewhat your job as a Group Policy administrator sig­ nificantly easier. difficult to understand In this article, I show how the Micro­ soft Group Policy Management Console and required that you (GPMC) APIs written for Windows Script­ ing Host languages like VBScript (and COM­ adopt Active Directory, based scripting languages in general) can be consumed directly from Windows Power­ a strange, new service Shell to simplify the way you manage Group Policy in your environment. that looked nothing like Scripting Group Policy tasks the Account/Resource When Microsoft released GPMC a few years ago, Group Policy administrators sudden­ domains that were the ly had a number of handy features at their disposal. In particular, the Group­Policy­fo­ standard at the time. cused MMC snap­in represented a huge step forward for Group Policy management, es­ Today, Group Policy pecially compared to Active Directory Users TechNet Magazine July 2007 69 69_74_GPPowerShell_desfin.indd 69 8/6/07 11:22:14 Windows administration and Computers. Moreover, there was a brand commands. In addition, Windows PowerShell new API that let administrators use COM­ has functions that work much like subrou­ based languages such as VBScript to perform tines in VBScript, and that can be created in Group Policy administration of tasks, such real time at the Windows PowerShell com­ as backing up and restoring Group Policy mand prompt. Objects (GPOs), migrating GPOs between Even better, Windows PowerShell is built on the Microsoft .NET Framework, while VBScript relies on older COM technology. The vast amount of .NET This means that the vast amount of .NET code being produced today can be used di­ code being produced today rectly from within Windows PowerShell. What it comes down to is that with Win­ can be used directly from dows PowerShell, you get full scripting sup­ port and interactive mode, all in one package. within Windows PowerShell The examples I provide here will all be com­ mand­line input so you can type as you read; however, they’ll work equally well if you put domains, configuring security settings on them in a Windows PowerShell script file GPOs and links, and reporting. and run it. Unfortunately, GPMC did not provide the ability to edit the actual configured settings Recreate old scripts using Windows inside the GPOs. In other words, you could PowerShell perform operations on the GPO container, The last thing you want to do when you start such as reading GPO versions, reading mod­ with a new technology is toss out all your ify dates, creating brand new GPOs, backing previous work. There are three approach­ up and restoring/importing GPOs from dif­ es you can use to access COM objects from ferent domains, and so forth, but you couldn’t the GPMC API, or basically to reuse any old programmatically add or change the content VBScript out there. You can select one of of the GPO, for example adding a new redi­ these three options: rected folder or a new software installation. • Create a Windows PowerShell cmdlet us­ What you generally did instead was create ing a programming language like C# or the GPO and configure all settings manu­ managed C++. ally using the Group Policy Object Editor, • Use Windows PowerShell to access the then back it up and import it into a test ScriptControl in MSScript.ocx to wrap environment. When everything was verified old scripts. and working properly, you would import • Wrap the COM calls in reusable Windows it into the live environment. Despite the PowerShell functions or else call the COM missing feature, the use of scripts instead objects directly. of manual interaction with the GPMC API resulted in a tremendous amount of time, I’m going to focus mainly on the third op­ effort and error saved in day­to­day Group tion, but let’s have a quick look at all the op­ Policy administration. tions first. The next level Creating a Windows PowerShell Cmdlet How is Windows PowerShell different from Microsoft included a large number of cmd­ scripting languages like VBScript? For start­ lets with Windows PowerShell, allowing you ers, Windows PowerShell is a shell and, at to copy files, format output, retrieve the date least for our purposes, you can think of a and time, and so on, but you can create your shell as a command­line interpreter. Though own cmdlets as well. The process is fully doc­ VBScript can be run from the command line, umented at www.microsoft.com/uk/tech­ a VBScript file cannot be run line by line. A netmagazine/cmdlet. Here are the steps: Windows PowerShell script, in contrast, can • Create a class library DLL in a .NET pro­ be created on the fly as a series of individual gramming language such as C#. 70 To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine 69_74_GPPowerShell_desfin.indd 70 8/6/07 11:22:15 • Create a new class and inherit from the it’s a FileInfo object that can be used to get base class cmdlet. the size of the file: • Set attributes that determine the name, $netObject = New-Object System.IO.FileInfo( “C:\boot.ini”) # Create an instance of FileInfo usage, input parameters, and so forth, and # representing c:\boot.ini add your code. Note that # is used in Windows PowerShell Because Windows PowerShell is built on for inline comments. Using this newly in­ the .NET Framework, any types, such as a stantiated FileInfo object, you can easily get string, object, and so forth, that are being re­ the size of boot.ini by simply typing the fol­ turned or passed as parameters are exactly the lowing code: same in the code as in Windows PowerShell; $netObject.Length # Display the size in bytes of the no special type conversion is needed. # file in the command line interface The real power of this solution is that you have a complete programming language at Wait, weren’t we supposed to talk about your disposal. COM objects and VBScript conversion? Yes, but look at the following command: Wrapping old scripts using the $comFileSystemObject = New-Object –ComObject Scripting.FileSystemObject ScriptControl object in MSScript.ocx Obviously, you need the VBScript engine to You’ll notice that the syntax is basically the run a VBScript file. What is not so obvious is same as I used previously to create native ob­ that this engine is a COM object and, since jects from the .NET Framework, with two you can use COM objects from Windows differences. First, I added the –ComObject PowerShell, you can invoke the VBScript en­ switch that points Windows PowerShell to­ gine. Here’s how this could look: ward the COM world instead of the .NET world. Second, I use a COM ProgID instead $scriptControl = New-Object -ComObject ScriptControl $scriptControl.Language = ‘VBScript’ $scriptControl.AddCode( ‘Function ShowMessage(messageToDisplay) MsgBox messageToDisplay End Function’) Figure 1 Custom functions in the download $scriptControl.ExecuteStatement(‘ShowMessage “Hello World”’) Function Name Description BackupAllGpos Backs up all GPOs in a domain If you enter this code in the Windows PowerShell Command Line Interface (CLI), BackupGpo Backs up a single GPO the VBScript function ShowMessage is RestoreAllGpos Restores all GPOs from a backup to a domain called and executed with a parameter, result­ RestoreGpo Restores a single GPO from a backup ing in a Message Box displayed with the text Hello World. GetAllBackedUpGpos Retrieves the latest version of GPO backups from a given path Now some of you might think, “Great! I’ve mastered the art of using COM from CopyGpo Copies the settings in a GPO to another GPO Windows PowerShell and I can stop reading CreateGpo Creates a new empty GPO this article and start filling the ScriptControl DeleteGpo Deletes a GPO object with my collection of old GPMC scripts.” Unfortunately, that’s not the case. FindDisabledGpos Returns all GPOs where both the user and com- puter part are disabled This technique quickly becomes very com­ plex and tough to debug as soon as the scripts FindUnlinkedGpos Returns all GPOs that have no links get larger. CreateReportForGpo Creates an XML report for a single GPO in a domain Wrapping COM objects CreateReportForAllGpos Creates a separate XML report for each GPO in a So the best option is the third: wrapping domain the COM calls in reusable Windows Power­ GetGpoByNameOrID Finds a GPO by its display name or GPO ID Shell functions, which lets you consume the GetBackupByNameOrId Finds a GPO backup by its display name or GPO COM objects in the GPMC API. The line be­ ID low shows how to create a .NET object di­ GetAllGposInDomain Returns all GPOs in a domain rectly in Windows PowerShell. In this case, TechNet Magazine July 2007 71 69_74_GPPowerShell_desfin.indd 71 8/6/07 11:22:15 Windows administration of a .NET constructor, in this case Scripting. PowerShell, but you’ll find a full set of Win­ Wrap the FileSystemObject. The ProgID is the same dows PowerShell functions to manage name you’ve always used. In VBScript, the Group Policy in the code download related COM calls equivalent would be: to this article, online at technetmagazine. Set comFileSystemObject = CreateObject( com/code07.aspx.