Group Policy Cmdlets in Windows PowerShell

The Windows PowerShell command-line and scripting language can be used to automate many Group Policy tasks, including configuring registry-based policy settings and various Group Policy Management Console (GPMC) tasks. To help you perform these tasks, the Group Policy module for Windows PowerShell provides the cmdlets covered in this section.

You can use these Group Policy cmdlets to perform the following tasks for domain-based Group Policy objects (GPOs):

  • Maintain GPOs: GPO creation, removal, backup, reporting, and import.

  • Associate GPOs with Active Directory Directory Services (AD DS) containers: Group Policy link creation, update, and removal.

  • Set inheritance and permissions on AD DS organizational units (OUs) and domains.

  • Configure registry-based policy settings and Group Policy Preferences Registry settings.

Group Policy Cmdlet Prerequisites

To use the Windows PowerShell cmdlets for Group Policy, you must be running one of the following:

Windows Server 2008 R2 on a domain controller

--or--

Windows Server 2008 R2 on a member server that has the GPMC installed

--or--

Windows® 7 with Remote Server Administration Tools (RSAT) installed. (RSAT includes the GPMC and the Group Policy cmdlets)

Getting Started with the Group Policy Cmdlets

You must use the import-module grouppolicy command to import the Group Policy module before you use the Group Policy cmdlets. You can also modify your Windows PowerShell profile to import the Group Policy module every time you start a session. For more information, see about_Modules.

You can use the get-command –module grouppolicy to get a list of all Group Policy commands.

You can get help for all Group Policy commands at once by using the get-command –module grouppolicy | get-help command.

Note

For more information about the Group Policy cmdlets, you can use the get-help<cmdlet-name> and get-help<cmdlet_name>-detailed commands to display basic and detailed help, respectively.
Because the information displayed by the get-help cmdlet can span many screens, the help alias is provided to display the first page of information. You can then press the spacebar to view subsequent pages of information. This has the same effect as using the more command—for example, get-help <your parameters> | more.

Group Policy Cmdlets

Name Description

Backup-GPO

Backs up one GPO or all the GPOs in a domain.

Copy-GPO

Copies a GPO.

Get-GPInheritance

Retrieves Group Policy inheritance information for a specified domain or OU.

Get-GPO

Gets one GPO or all the GPOs in a domain.

Get-GPOReport

Generates a report in either XML or HTML format for a specified GPO or for all GPOs in a domain.

Get-GPPermissions

Gets the permission level for one or more security principals on a specified GPO.

Get-GPPrefRegistryValue

Retrieves one or more registry preference items under either Computer Configuration or User Configuration in a GPO.

Get-GPRegistryValue

Retrieves one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO.

Get-GPResultantSetOfPolicy

Outputs the Resultant Set of Policy (RSoP) information to a file, for a user, a computer, or both.

Get-GPStarterGPO

Gets one Starter GPO or all Starter GPOs in a domain.

Import-GPO

Imports the Group Policy settings from a backed-up GPO into a specified GPO.

New-GPLink

Links a GPO to a site, domain, or OU.

New-GPO

Creates a new GPO.

New-GPStarterGPO

Creates a new Starter GPO.

Remove-GPLink

Removes a GPO link from a site, domain, or OU.

Remove-GPO

Deletes a GPO.

Remove-GPPrefRegistryValue

Removes one or more registry preference items from either Computer Configuration or User Configuration in a GPO.

Remove-GPRegistryValue

Removes one or more registry-based policy settings from either Computer Configuration or User Configuration in a GPO.

Rename-GPO

Assigns a new display name to a GPO.

Restore-GPO

Restores one GPO or all GPOs in a domain from one or more GPO backup files.

Set-GPInheritance

Blocks or unblocks inheritance for a specified domain or OU.

Set-GPLink

Sets the properties of the specified GPO link.

Set-GPPermissions

Grants a level of permissions to a security principal for one GPO or for all the GPOs in a domain.

Set-GPPrefRegistryValue

Configures a registry preference item under either Computer Configuration or User Configuration in a GPO.

Set-GPRegistryValue

Configures one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO.