Scripting Group Policy-related Tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The GPMC user interface is based on a set of COM interfaces that accomplish most of the operations performed by GPMC. These interfaces are available to Windows scripting technologies like JScript and VBScript as well as programming languages such as Visual Basic and VC++. For example, the following capabilities are scriptable using these interfaces:

  • Creating/deleting/renaming GPOs.

  • Linking/unlinking GPOs and WMI filters.

  • Delegation:

    • Security on GPOs and WMI filters.

    • Group Policy-related security on sites, domains, OUs.

    • Creation rights for GPOs and WMI filters.

  • Generating reports of GPO settings.

  • Generating reports of RSOP data.

  • Backup/Restore of GPOs.

  • Import/Export, Copy/Paste of GPOs.

  • Search for GPOs, WMI filters, SOMs, and backups.

These interfaces are discussed in detail in the GPMC software development kit (SDK) located in the %programfiles%\gpmc\scripts\gpmc.chm help file on systems where GPMC has been installed. The contents of the GPMC SDK are also available in the Platform SDK.
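
The interfaces listed above are enough to answer the question a reviewer of a domain most often asks: who can change each GPO? The following VBScript is an added example written for this page, not one of the GPMC sample scripts. It uses the GPMgmt.GPM COM object to walk every GPO in a domain, print the trustees holding Edit, Edit/delete/modify-security, or custom permissions, flag GPOs that no principal can apply, and flag GPOs whose Active Directory and SYSVOL ACLs disagree. The script name AuditGPOEditors.vbs and its domain argument are assumptions.

```vbscript
' AuditGPOEditors.vbs  (added example; the script name and argument are
' assumptions, not GPMC conventions)
' For every GPO in a domain, lists the trustees that can modify it and flags
' GPOs that apply to nobody or whose AD and SYSVOL ACLs are out of step.
Option Explicit

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript AuditGPOEditors.vbs <domain DNS name>"
    WScript.Quit 1
End If
Dim strDomain
strDomain = WScript.Arguments(0)

Dim GPM, GPMConstants, GPMDomain, GPMSearchCriteria, GPOList, GPO
Set GPM               = CreateObject("GPMgmt.GPM")
Set GPMConstants      = GPM.GetConstants()
Set GPMDomain         = GPM.GetDomain(strDomain, "", GPMConstants.UseAnyDC)
' An empty search criteria object matches every GPO in the domain.
Set GPMSearchCriteria = GPM.CreateSearchCriteria()
Set GPOList           = GPMDomain.SearchGPOs(GPMSearchCriteria)

For Each GPO In GPOList
    WScript.Echo GPO.DisplayName & "  " & GPO.ID
    AuditGPO GPO
Next

Sub AuditGPO(GPO)
    Dim SecInfo, Perm, blnAnyApply
    Set SecInfo = GPO.GetSecurityInfo()
    blnAnyApply = False
    For Each Perm In SecInfo
        ' Only allow ACEs grant anything; a deny ACE is not a capability.
        If Not Perm.Denied Then
            Select Case Perm.Permission
                Case GPMConstants.PermGPOApply
                    blnAnyApply = True
                Case GPMConstants.PermGPOEdit
                    WScript.Echo "    EDIT          " & TrusteeLabel(Perm.Trustee)
                Case GPMConstants.PermGPOEditSecurityAndDelete
                    WScript.Echo "    FULL CONTROL  " & TrusteeLabel(Perm.Trustee)
                Case GPMConstants.PermGPOCustom
                    ' Custom ACEs are not one of the GPMC permission levels;
                    ' inspect them in the GPO's Delegation tab (Advanced).
                    WScript.Echo "    CUSTOM        " & TrusteeLabel(Perm.Trustee)
            End Select
        End If
    Next
    If Not blnAnyApply Then
        WScript.Echo "    WARNING: no trustee holds Apply; this GPO applies to nobody"
    End If
    ' A GPO's ACL is stored twice (Active Directory and SYSVOL); GPMC expects
    ' the two to match, and a mismatch deserves a look before the GPO is trusted.
    If Not GPO.IsACLConsistent() Then
        WScript.Echo "    WARNING: Active Directory and SYSVOL ACLs differ on this GPO"
    End If
End Sub

Function TrusteeLabel(Trustee)
    ' Resolving a SID whose account has been deleted raises an error;
    ' fall back to printing the raw SID so the orphaned ACE is still visible.
    On Error Resume Next
    TrusteeLabel = Trustee.TrusteeDomain & "\" & Trustee.TrusteeName
    If Err.Number <> 0 Then
        Err.Clear
        TrusteeLabel = Trustee.TrusteeSid & " (unresolved SID)"
    End If
    On Error GoTo 0
End Function
```

Run it with cscript AuditGPOEditors.vbs contoso.com. Anyone listed under EDIT or FULL CONTROL can change settings and scripts that run on every computer and user the GPO applies to, so the output is in effect a list of administrators for those targets; unresolved SIDs and ACL mismatches are the rows to chase first.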

GPMC comes with a number of sample scripts (mostly VBScript, with some JScript) that form a toolkit administrators can use to administer a Group Policy environment directly, or as examples on which to build more elaborate management tools. The scripts are installed in the %programfiles%\gpmc\scripts directory. Table 5 lists the scripts and the Group Policy administrative task each one performs:

Table 5

Administrative task | Script name | Description
Back up a GPO | BackupGPO.wsf | Given a GPO name or a GUID, backs up the GPO to a specified backup directory.
Back up all GPOs in a domain | BackupAllGPOs.wsf | Backs up all GPOs in a domain to the specified backup directory.
Create a GPO with default options | CreateGPO.wsf | Creates a GPO with the specified name, in the current domain, using the default options.
Create a migration table | CreateMigrationTable.wsf | Populates the entries of a migration table with the security principals and UNC paths that are referenced in a GPO or backup.
Copy a GPO | CopyGPO.wsf | Given a source GPO name or GUID and a destination GPO name, creates the new GPO and copies the settings from the source GPO into it.
Create a policy environment using an XML representation | CreateEnvironmentFromXML.wsf | Reads an XML file that specifies a policy environment (for example, OUs, GPOs, links, and security groups). The script can either create the environment in a domain by creating the objects, or delete the environment by deleting the objects specified in the XML file.
Create an XML representation of a policy environment | CreateXMLFromEnvironment.wsf | Reads an existing policy environment and creates an XML file representing it. The XML file captures information about OUs, GPOs, GPO links, and security on GPOs. You can use this script together with CreateEnvironmentFromXML.wsf to create a replica of a domain for staging purposes.
Delete a GPO | DeleteGPO.wsf | Deletes the specified GPO when given a GPO name or GUID. By default the script also deletes links to that GPO within the same domain.
Grant permissions for all GPOs in a domain | GrantPermissionOnAllGPOs.wsf | Grants a user or group the specified level of permission for all GPOs in the specified domain.
Generate a report for a GPO | GetReportsForGPO.wsf | Creates an HTML and an XML report for a given GPO at a given location in the file system.
Generate a report for all GPOs in the domain | GetReportsForAllGPOs.wsf | Creates HTML and XML reports for all GPOs in the domain, at a given location in the file system.
Import settings into a GPO | ImportGPO.wsf | Imports the settings from the specified backup into an existing destination GPO in the domain.
Import multiple GPOs into a domain | ImportAllGPOs.wsf | For each backed-up GPO stored at a specified file system location, creates a new GPO and imports the backed-up settings into it.
Restore a GPO | RestoreGPO.wsf | Restores a backed-up GPO.
Restore all GPOs | RestoreAllGPOs.wsf | Restores all GPOs that are stored at a given file system location.
Grant permissions for GPOs linked to a domain, OU, or site | SetGPOSecurityBySOM.wsf | Grants a user or group the specified permission type for all GPOs that are linked to a specified domain, OU, or site. You can specify Read, Apply, Edit, FullEdit, or None for the permission type.
Set GPO permissions | SetGPOPermissions.wsf | Sets the permission level for a security principal on a given GPO. You can specify Read, Apply, Edit, FullEdit, or None for the permission type.
Set permissions to create GPOs | SetGPOCreationPermissions.wsf | Grants or removes the ability to create GPOs in a domain for a given security principal.
Set policy-related permissions on a given site, domain, or OU | SetSOMPermissions.wsf | Sets policy-related permissions on a given scope of management (SOM). A SOM is any site, domain, or OU.
List all GPOs in a domain | ListAllGPOs.wsf | Prints all GPOs in the specified domain.
List disabled GPOs | FindDisabledGPOs.wsf | Prints all GPOs in the specified domain that are disabled or partially disabled.
List GPO information | DumpGPOInfo.wsf | Prints the information for a specific GPO, including creation time, modification time, owner, status, version number, links, security groups that filter the GPO, and security groups that have full control, edit, read, or custom permissions.
List scope of management information | DumpSOMInfo.wsf | Prints all information for a specific scope of management (SOM), including GPO links and policy-related permissions on the SOM. A SOM is any site, domain, or OU.
List GPOs by policy extension | FindGPOsByPolicyExtension.wsf | Prints all GPOs in the specified domain for which a specific policy extension is configured; for example, all GPOs that contain Software Installation or Folder Redirection settings.
List GPOs by security group | FindGPOsBySecurityGroup.wsf | Prints all GPOs for which a given security principal has the specified permission. You can specify Read, Apply, Edit, or FullEdit for the permission type.
List GPOs with duplicate names | FindDuplicateNamedGPOs.wsf | Prints all GPOs in the specified domain that have duplicate names.
List GPOs without Apply permission | GPOsWithNoSecurityFiltering.wsf | Prints all GPOs in the specified domain that apply to nobody because no security principal has the Apply permission on the GPO.
List GPOs orphaned in SYSVOL | FindOrphanedGPOsInSYSVOL.wsf | Finds and prints all GPOs in SYSVOL that have no corresponding component in Active Directory.
List domains and OUs with external GPO links | FindSOMsWithExternalGPOLinks.wsf | Prints all domains and OUs in the specified domain that link to a GPO in a different domain.
List unlinked GPOs in a domain | FindUnlinkedGPOs.wsf | Prints all GPOs in the specified domain that have no links. Links outside the domain, including site links, are not checked.
Print the scope of management policy tree | ListSOMPolicyTree.wsf | Prints all SOMs in the specified domain with the list of GPOs that are linked to the domain and to each OU.
List GPO backups in a given file system location | QueryBackupLocation.wsf | Prints information about all backed-up GPOs at the file system location specified by the user.
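
The backup and report operations behind the scripts in Table 5 report failure through a GPMResult object rather than by raising an error directly, which is easy to miss in a script of your own. The following VBScript is an added example written for this page, not one of the GPMC sample scripts. It backs up one GPO by GUID, checks the result the way the sample scripts do, confirms the backup is listed in the backup directory as QueryBackupLocation.wsf would, and writes an HTML report of the backed-up settings beside it. The script name, the argument order, and the report file name are assumptions.

```vbscript
' BackupAndReportGPO.vbs  (added example; the script name, argument order and
' report file name are assumptions, not GPMC conventions)
' Backs up one GPO, checks the GPMResult for failures, confirms the backup is
' listed in the backup directory, and writes an HTML report of its settings.
Option Explicit

If WScript.Arguments.Count < 3 Then
    WScript.Echo "Usage: cscript BackupAndReportGPO.vbs <domain DNS name> <GPO GUID> <backup directory>"
    WScript.Quit 1
End If
Dim strDomain, strGPOID, strBackupDir
strDomain    = WScript.Arguments(0)
strGPOID     = WScript.Arguments(1)   ' GUID in braces, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
strBackupDir = WScript.Arguments(2)

Dim GPM, GPMConstants, GPMDomain, GPO
Set GPM          = CreateObject("GPMgmt.GPM")
Set GPMConstants = GPM.GetConstants()
Set GPMDomain    = GPM.GetDomain(strDomain, "", GPMConstants.UseAnyDC)
Set GPO          = GPMDomain.GetGPO(strGPOID)

' 1. Back up the GPO. The comment is stored with the backup and shown by
'    QueryBackupLocation.wsf, so record who took it.
Dim GPMResult, GPMBackup
Set GPMResult = GPO.Backup(strBackupDir, "Baseline by " & CreateObject("WScript.Network").UserName)
CheckResult GPMResult, "Backup of " & GPO.DisplayName
Set GPMBackup = GPMResult.Result
WScript.Echo "Backed up " & GPMBackup.GPODisplayName & " as backup " & GPMBackup.ID & " at " & GPMBackup.Timestamp

' 2. Confirm the backup directory lists the backup just taken as the most
'    recent one for this GPO, rather than trusting the return value alone.
Dim BackupDir, Criteria, Backups, Backup
Set BackupDir = GPM.GetBackupDir(strBackupDir)
Set Criteria  = GPM.CreateSearchCriteria()
Criteria.Add GPMConstants.SearchPropertyGPOID, GPMConstants.SearchOpEquals, strGPOID
Criteria.Add GPMConstants.SearchPropertyBackupMostRecent, GPMConstants.SearchOpEquals, True
Set Backups = BackupDir.SearchBackups(Criteria)
If Backups.Count <> 1 Then
    WScript.Echo "Expected one most-recent backup for " & strGPOID & " but found " & Backups.Count
    WScript.Quit 2
End If
Set Backup = Backups.Item(1)
If Backup.ID <> GPMBackup.ID Then
    WScript.Echo "Most recent backup in " & strBackupDir & " is not the one just taken; something else is writing there"
    WScript.Quit 2
End If

' 3. Write an HTML report of the backed-up settings beside the backup so the
'    baseline can be reviewed without restoring it.
Dim strReportPath
strReportPath = CreateObject("Scripting.FileSystemObject").BuildPath(strBackupDir, GPMBackup.ID & ".html")
Set GPMResult = Backup.GenerateReportToFile(GPMConstants.ReportHTML, strReportPath)
CheckResult GPMResult, "Report"
WScript.Echo "Report written to " & strReportPath

' GPMC operations report failures through the GPMResult: OverallStatus raises a
' script error if any part of the operation failed, and Status holds the
' individual messages, which is where the real cause is found.
Sub CheckResult(Result, strOperation)
    Dim Msg
    On Error Resume Next
    Result.OverallStatus()
    If Err.Number <> 0 Then
        On Error GoTo 0
        WScript.Echo strOperation & " failed:"
        For Each Msg In Result.Status
            WScript.Echo "  " & Msg.Message
        Next
        WScript.Quit 3
    End If
    On Error GoTo 0
End Sub
```

Run it as cscript BackupAndReportGPO.vbs contoso.com {GUID} D:\GPOBackups. A backup directory is the input to RestoreGPO.wsf and ImportGPO.wsf, so restrict it with NTFS permissions to the accounts that perform restores: anyone who can alter the files under it decides what a later restore writes back into the domain.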

All of the scripts are intended for command-line operation. To run a script (using CreateGPO.wsf as an example), enter the following from a command shell:

    cscript CreateGPO.wsf

Alternatively, make cscript the default script host with the following command; after that, a script can be started by typing its name alone:

    cscript //H:cscript

Run the scripts from the %programfiles%\gpmc\scripts directory, or specify the path to that directory. To see usage details for any script, use the "/?" command-line option. The scripts run with the credentials of the user who starts them, so a script that modifies or deletes a GPO needs the corresponding Edit or FullEdit permission on that GPO, and creating a GPO needs GPO creation rights in the domain.