Hey, Scripting Guy! I need to work with Group Policy Objects (GPOs) by using a Windows PowerShell script. I understand there are new Group Policy cmdlets in Windows 7, but when I use the Get-Command cmdlet, I do not see any cmdlets. Is this a Release-to-Web (RTW) feature, or did it not make the cut for the final product?
— CT
Hello CT,
Microsoft Scripting Guy Ed Wilson here. Today is going to be a great day. It began with a flurry of Twitter messages, continued by my updating our departmental calendar with three presentations to various user groups, and followed by a couple of meetings this afternoon. I am sipping a cup of green tea with a cinnamon stick in it, listening to Deep Purple on my Zune HD, and answering email sent to scripter@microsoft.com.
CT, the Windows PowerShell cmdlets for Group Policy do in fact exist, but you probably need to take an extra step to gain access to them. If you are working on a Windows Server 2008 R2 server, you need to add the Group Policy Management Console (GPMC). To do this, use the Add Features Wizard and select Group Policy Management from the list of features to install on the server, as shown in the following image.
You do not have to use the GUI wizard if you do not wish to do so. In addition, you do not have to use Remote Desktop to work remotely. Using Windows PowerShell 2.0, you can easily create a remote session on the remote server from your desktop computer. After the remote session is established, I like to change my working directory to the root of the c:\ drive to free up some of the command line. This is shown here:
PS C:\> Enter-PSSession -ComputerName hyperv-box
[hyperv-box]: PS C:\Users\ed\Documents> sl c:\
[hyperv-box]: PS C:\>
You will need to load a module to perform server management. If you are not sure of the exact name of the module, you can obtain a listing of all modules by using the Get-Module cmdlet with the –listavailable switch. This is seen here.
[hyperv-box]: PS C:\> Get-Module -ListAvailable
ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Manifest   ActiveDirectory           {}
Manifest   ADRMS                     {}
Manifest   ADRMSAdmin                {}
Manifest   AppLocker                 {}
Manifest   BestPractices             {}
Manifest   BitsTransfer              {}
Manifest   FailoverClusters          {}
Manifest   GroupPolicy               {}
Manifest   NetworkLoadBalancingCl…   {}
Manifest   PSDiagnostics             {}
Manifest   ServerManager             {}
Manifest   TroubleshootingPack       {}
Manifest   WebAdministration         {}
[hyperv-box]: PS C:\>
ServerManager is the module that provides the ability to add and to remove features. To import it into the current session, use the Import-Module cmdlet. The cool thing is that while the ServerManager module exists on the remote Windows Server 2008 R2 server, it does not exist on the Windows 7 computer that I am using to perform the configuration. If ServerManager is too much typing, you can use wildcard characters to shorten the name. The Import-Module command is shown here:
[hyperv-box]: PS C:\> Import-Module server*
[hyperv-box]: PS C:\>
To see what commands are exported to the Windows PowerShell session by the ServerManager module, use the Get-Command cmdlet with the –module parameter. This is shown here:
[hyperv-box]: PS C:\> Get-Command -Module server*
CommandType Name                  Definition
----------- ----                  ----------
Cmdlet      Add-WindowsFeature    Add-WindowsFeature [-Name] <Fe…
Cmdlet      Get-WindowsFeature    Get-WindowsFeature [[-Name] <S…
Cmdlet      Remove-WindowsFeature Remove-WindowsFeature [-Name] …
[hyperv-box]: PS C:\>
The Add-WindowsFeature cmdlet is used to add features to the Windows Server 2008 R2 machine. The problem now is that there is no telling what the Group Policy Management Console feature is called from the command line. To determine the information needed to add the feature, use the Get-WindowsFeature cmdlet to create a list. Choose both the name and the displayname of the feature. I also sort the features by display name and format the output as a table. The command and the associated output are shown here:
[hyperv-box]: PS C:\> Get-WindowsFeature | Sort-Object -Property displayname | Format-Table displayname, name -AutoSize
DisplayName Name
----------- ----
.NET Environment WAS-NET-Environment
.NET Extensibility Web-Net-Ext
.NET Framework 3.5.1 AS-NET-Framework
.NET Framework 3.5.1 NET-Framework-Core
.NET Framework 3.5.1 Features NET-Framework
Active Directory Administrative Center RSAT-AD-AdminCenter
Active Directory Certificate Services AD-Certificate
Active Directory Certificate Services Tools RSAT-ADCS
Active Directory Domain Controller ADDS-Domain-Controller
Active Directory Domain Services AD-Domain-Services
Active Directory Federation Services AD-Federation-Services
Active Directory Lightweight Directory Services ADLDS
Active Directory module for Windows PowerShell RSAT-AD-PowerShell
Active Directory Rights Management Server ADRMS-Server
Active Directory Rights Management Services ADRMS
Active Directory Rights Management Services Tools RSAT-RMS
AD DS and AD LDS Tools RSAT-AD-Tools
AD DS Snap-Ins and Command-Line Tools RSAT-ADDS-Tools
AD DS Tools RSAT-ADDS
AD FS Web Agents ADFS-Web-Agents
AD LDS Snap-Ins and Command-Line Tools RSAT-ADLDS
Administration Tools ADDS-IDMU-Tools
Application Development Web-App-Dev
Application Server Application-Server
ASP Web-ASP
ASP.NET Web-Asp-Net
Background Intelligent Transfer Service (BITS) BITS
Basic Authentication Web-Basic-Auth
BitLocker Drive Encryption BitLocker
BitLocker Drive Encryption Administration Utilities RSAT-BitLocker
BitLocker Drive Encryption Tools RSAT-Bitlocker-DriveEnc
BitLocker Recovery Password Viewer RSAT-Bitlocker-RecPwd
BITS Server Extensions Tools RSAT-Bits-Server
BranchCache BranchCache
BranchCache for network files FS-BranchCache
Certificate Enrollment Policy Web Service ADCS-Enroll-Web-Pol
Certificate Enrollment Web Service ADCS-Enroll-Web-Svc
Certification Authority ADCS-Cert-Authority
Certification Authority Tools RSAT-ADCS-Mgmt
Certification Authority Web Enrollment ADCS-Web-Enrollment
CGI Web-CGI
Claims-aware Agent ADFS-Claims
Client Certificate Mapping Authentication Web-Client-Auth
COM+ Network Access AS-Ent-Services
Command-line Tools Backup-Tools
Common HTTP Features Web-Common-Http
Compact Server BITS-Compact-Server
Configuration APIs WAS-Config-APIs
Connection Manager Administration Kit CMAK
Custom Logging Web-Custom-Logging
Default Document Web-Default-Doc
Deployment Server WDS-Deployment
Desktop Experience Desktop-Experience
DFS Namespaces FS-DFS-Namespace
DFS Replication FS-DFS-Replication
DHCP Server DHCP
DHCP Server Tools RSAT-DHCP
Digest Authentication Web-Digest-Auth
DirectAccess Management Console DAMC
Directory Browsing Web-Dir-Browsing
Directory Service Integration MSMQ-Directory
Distributed File System FS-DFS
Distributed File System Tools RSAT-DFS-Mgmt-Con
Distributed Scan Server Print-Scan-Server
Distributed Transactions AS-Dist-Transaction
DNS Server DNS
DNS Server Tools RSAT-DNS-Server
Dynamic Content Compression Web-Dyn-Compression
Failover Clustering Tools RSAT-Clustering
Fax Server Fax
Fax Server Tools RSAT-Fax
Feature Administration Tools RSAT-Feature-Tools
Federation Service ADFS-Federation
Federation Service Proxy ADFS-Proxy
File Server FS-FileServer
File Server Resource Manager FS-Resource-Manager
File Server Resource Manager Tools RSAT-FSRM-Mgmt
File Services File-Services
File Services Tools RSAT-File-Services
FTP Extensibility Web-Ftp-Ext
FTP Server Web-Ftp-Server
FTP Service Web-Ftp-Service
Group Policy Management GPMC
→ Output Truncated →
[hyperv-box]: PS C:\>
The name of the feature is GPMC. Armed with this information, it is easy to use the Add-WindowsFeature cmdlet to add the GPMC feature. After you have run the command, use the Get-WindowsFeature cmdlet to reassure yourself that the feature is actually installed:
[hyperv-box]: PS C:\> Add-WindowsFeature -Name gpmc
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Group Policy Management}
[hyperv-box]: PS C:\> Get-WindowsFeature -Name gpmc
Display Name                Name
------------                ----
[X] Group Policy Management GPMC
[hyperv-box]: PS C:\>
While the feature is being installed, a progress bar is produced across the top of the Windows PowerShell console. This is shown in the following image.
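The server-side steps above can also be run as one non-interactive, repeatable script. The following is an added example, not part of the original article: it uses Invoke-Command instead of an interactive session, installs GPMC only when Get-WindowsFeature reports it as missing, and returns the outcome as an object. The function name Install-RemoteGpmc is hypothetical; hyperv-box is the server name used in this article.

```powershell
# Added example (not from the original article). Written for Windows PowerShell 2.0
# remoting; requires administrative rights on the target server.
function Install-RemoteGpmc {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$FeatureName = 'GPMC'
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $FeatureName -ScriptBlock {
        param($Name)

        # ServerManager lives on the Windows Server 2008 R2 target, not on the client.
        Import-Module ServerManager -ErrorAction Stop

        $feature = Get-WindowsFeature -Name $Name
        if (-not $feature) {
            throw "Feature '$Name' was not found on $env:COMPUTERNAME."
        }

        $changed = $false
        $restart = 'No'
        if (-not $feature.Installed) {
            # Install only when missing, so reruns make no further changes.
            $result = Add-WindowsFeature -Name $Name -ErrorAction Stop
            if (-not $result.Success) {
                throw "Add-WindowsFeature failed with exit code $($result.ExitCode)."
            }
            $changed = $true
            $restart = "$($result.RestartNeeded)"
            $feature = Get-WindowsFeature -Name $Name   # re-read to verify
        }

        # Report whether the GroupPolicy module is visible on the target.
        $module = Get-Module -ListAvailable -Name GroupPolicy

        New-Object PSObject -Property @{
            Computer          = $env:COMPUTERNAME
            Feature           = $feature.Name
            Installed         = $feature.Installed
            Changed           = $changed
            RestartNeeded     = $restart
            GroupPolicyModule = [bool]$module
        }
    }
}

Install-RemoteGpmc -ComputerName 'hyperv-box'
```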
On a Windows 7 computer, you will need to add the Remote Server Administration Tools (RSAT) to gain access to the Group Policy cmdlets. You will first need to download the RSAT tools for your platform, either 64-bit or 32-bit Windows 7. The amd64fre_GRMRSATX_MSU.msu version works on my Intel 64-bit computer.
Once you have downloaded and installed the proper RSAT package, you have to go into Control Panel/Programs and Features and choose Turn Windows Features on or off. This step requires admin rights. The RSAT package adds the Remote Server Administration Tools item in the dialog box. The dialog is shown in the following image.
Because we are talking about using Windows PowerShell to manage Group Policy, make sure you select the Group Policy Management Tools. Go ahead and add other tools that you feel you would like to have as well. Unfortunately, there does not seem to be an “Add all tools” button, and therefore you are forced to navigate through dozens and dozens of nested little check boxes to add all the tools. This is seen in the following image.
After you have added the Group Policy Management Tools, you can import the GroupPolicy module and begin using the cmdlets. We will look at that tomorrow.
CT, that is all there is to installing and accessing the Group Policy Management Windows PowerShell cmdlets. Group Policy Week will continue tomorrow when we will talk about importing the GroupPolicy module into the current Windows PowerShell session and exploring the available cmdlets.
If you would like to follow us on Twitter or Facebook we would love to interact with you. Some of the ideas for this week’s Group Policy articles came from suggestions I received on Twitter. If you have any questions, send e-mail to us at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson and Craig Liebendorfer, Scripting Guys