Hey, Scripting Guy! Can You Get Me Going on Windows PowerShell Cmdlets for Group Policy?



Hey, Scripting Guy! Question

Hey, Scripting Guy! I need to work with Group Policy Objects (GPOs) by using a Windows PowerShell script. I understand there are new Group Policy cmdlets in Windows 7, but when I use the Get-Command cmdlet, I do not see any cmdlets. Is this a Release-to-Web (RTW) feature, or did it not make the cut for the final product?

— CT


Hey, Scripting Guy! Answer

Hello CT,

Microsoft Scripting Guy Ed Wilson here. Today is going to be a great day. It began with a flurry of Twitter messages, continued by my updating our departmental calendar with three presentations to various user groups, and followed by a couple of meetings this afternoon. I am sipping a cup of green tea with a cinnamon stick in it, listening to Deep Purple on my Zune HD, and answering email sent to scripter@microsoft.com.

CT, the Windows PowerShell cmdlets for Group Policy do in fact exist, but you probably need to take an extra step to gain access to them. If you are working on a Windows Server 2008 R2 server, you need to add the Group Policy Management Console (GPMC). To do this, use the Add Features Wizard and select Group Policy Management from the list of features to install on the server, as shown in the following image.

Image of using Add Features Wizard

You do not have to use the GUI wizard if you do not wish to do so. In addition, you do not have to use Remote Desktop to work remotely. Using Windows PowerShell 2.0, you can easily create a remote session on the remote server from your desktop computer. After the remote session is established, I like to change my working directory to the root of the c:\ drive to free up some of the command line. This is shown here:

PS C:\> Enter-PSSession -ComputerName hyperv-box
[hyperv-box]: PS C:\Users\ed\Documents> sl c:\
[hyperv-box]: PS C:\>

You will need to load a module to perform server management. If you are not sure of the exact name of the module, you can obtain a listing of all modules by using the Get-Module cmdlet with the –listavailable switch. This is seen here.

[hyperv-box]: PS C:\> Get-Module -ListAvailable

ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Manifest   ActiveDirectory           {}
Manifest   ADRMS                     {}
Manifest   ADRMSAdmin                {}
Manifest   AppLocker                 {}
Manifest   BestPractices             {}
Manifest   BitsTransfer              {}
Manifest   FailoverClusters          {}
Manifest   GroupPolicy               {}
Manifest   NetworkLoadBalancingCl… {}
Manifest   PSDiagnostics             {}
Manifest   ServerManager             {}
Manifest   TroubleshootingPack       {}
Manifest   WebAdministration         {}

[hyperv-box]: PS C:\>

ServerManager is the module that provides the ability to add and remove features. To import it into the current session, use the Import-Module cmdlet. The cool thing is that while the ServerManager module exists on the remote Windows Server 2008 R2 server, it does not exist on the Windows 7 computer that I am using to perform the configuration. If ServerManager is too much typing, you can use wildcard characters to shorten the name. The Import-Module command is shown here:

[hyperv-box]: PS C:\> Import-Module server*
[hyperv-box]: PS C:\>

To see what commands are exported to the Windows PowerShell session by the ServerManager module, use the Get-Command cmdlet with the -Module parameter. This is shown here:

[hyperv-box]: PS C:\> Get-Command -Module server*

CommandType     Name                               Definition
-----------     ----                               ----------
Cmdlet          Add-WindowsFeature                 Add-WindowsFeature [-Name] <Fe…
Cmdlet          Get-WindowsFeature                 Get-WindowsFeature [[-Name] <S…
Cmdlet          Remove-WindowsFeature              Remove-WindowsFeature [-Name] …

[hyperv-box]: PS C:\>

The Add-WindowsFeature cmdlet is used to add features to the Windows Server 2008 R2 machine. The problem now is that there is no telling what the Group Policy Management Console feature is called from the command line. To determine the information needed to add the feature, use the Get-WindowsFeature cmdlet to create a list. Choose both the name and the displayname of the feature. I also sort the features by display name and format the output as a table. The command and the associated output are shown here:

[hyperv-box]: PS C:\> Get-WindowsFeature | Sort-Object -Property displayname | Format-Table displayname, name -AutoSize

DisplayName                                               Name
-----------                                               ----
.NET Environment                                          WAS-NET-Environment
.NET Extensibility                                        Web-Net-Ext
.NET Framework 3.5.1                                      AS-NET-Framework
.NET Framework 3.5.1                                      NET-Framework-Core
.NET Framework 3.5.1 Features                             NET-Framework
Active Directory Administrative Center                    RSAT-AD-AdminCenter
Active Directory Certificate Services                     AD-Certificate
Active Directory Certificate Services Tools               RSAT-ADCS
Active Directory Domain Controller                        ADDS-Domain-Controller
Active Directory Domain Services                          AD-Domain-Services
Active Directory Federation Services                      AD-Federation-Services
Active Directory Lightweight Directory Services           ADLDS
Active Directory module for Windows PowerShell            RSAT-AD-PowerShell
Active Directory Rights Management Server                 ADRMS-Server
Active Directory Rights Management Services               ADRMS
Active Directory Rights Management Services Tools         RSAT-RMS
AD DS and AD LDS Tools                                    RSAT-AD-Tools
AD DS Snap-Ins and Command-Line Tools                     RSAT-ADDS-Tools
AD DS Tools                                               RSAT-ADDS
AD FS Web Agents                                          ADFS-Web-Agents
AD LDS Snap-Ins and Command-Line Tools                    RSAT-ADLDS
Administration Tools                                      ADDS-IDMU-Tools
Application Development                                   Web-App-Dev
Application Server                                        Application-Server
ASP                                                       Web-ASP
ASP.NET                                                   Web-Asp-Net
Background Intelligent Transfer Service (BITS)            BITS
Basic Authentication
BitLocker Drive Encryption                                BitLocker
BitLocker Drive Encryption Administration Utilities       RSAT-BitLocker
BitLocker Drive Encryption Tools                          RSAT-Bitlocker-DriveEnc
BitLocker Recovery Password Viewer                        RSAT-Bitlocker-RecPwd
BITS Server Extensions Tools                              RSAT-Bits-Server
BranchCache                                               BranchCache
BranchCache for network files                             FS-BranchCache
Certificate Enrollment Policy Web Service                 ADCS-Enroll-Web-Pol
Certificate Enrollment Web Service                        ADCS-Enroll-Web-Svc
Certification Authority                                   ADCS-Cert-Authority
Certification Authority Tools                             RSAT-ADCS-Mgmt
Certification Authority Web Enrollment                    ADCS-Web-Enrollment
CGI                                                       Web-CGI
Claims-aware Agent                                        ADFS-Claims
Client Certificate Mapping Authentication                 Web-Client-Auth
COM+ Network Access                                       AS-Ent-Services
Command-line Tools                                        Backup-Tools
Common HTTP Features                                      Web-Common-Http
Compact Server                                            BITS-Compact-Server
Configuration APIs                                        WAS-Config-APIs
Connection Manager Administration Kit                     CMAK
Custom Logging                                            Web-Custom-Logging
Default Document                                          Web-Default-Doc
Deployment Server                                         WDS-Deployment
Desktop Experience                                        Desktop-Experience
DFS Namespaces                                            FS-DFS-Namespace
DFS Replication                                           FS-DFS-Replication
DHCP Server
DHCP Server Tools                                         RSAT-DHCP
Digest Authentication                                     Web-Digest-Auth
DirectAccess Management Console                           DAMC
Directory Browsing                                        Web-Dir-Browsing
Directory Service Integration                             MSMQ-Directory
Distributed File System                                   FS-DFS
Distributed File System Tools                             RSAT-DFS-Mgmt-Con
Distributed Scan Server                                   Print-Scan-Server
Distributed Transactions                                  AS-Dist-Transaction
DNS Server                                                DNS
DNS Server Tools                                          RSAT-DNS-Server
Dynamic Content Compression                               Web-Dyn-Compression
Failover Clustering Tools                                 RSAT-Clustering
Fax Server                                                Fax
Fax Server Tools                                          RSAT-Fax
Feature Administration Tools                              RSAT-Feature-Tools
Federation Service                                        ADFS-Federation
Federation Service Proxy                                  ADFS-Proxy
File Server                                               FS-FileServer
File Server Resource Manager                              FS-Resource-Manager
File Server Resource Manager Tools                        RSAT-FSRM-Mgmt
File Services                                             File-Services
File Services Tools                                       RSAT-File-Services
FTP Extensibility                                         Web-Ftp-Ext
FTP Server                                                Web-Ftp-Server
FTP Service                                               Web-Ftp-Service
Group Policy Management                                   GPMC

[Output truncated]
[hyperv-box]: PS C:\>

The name of the feature is GPMC. Armed with this information, it is easy to use the Add-WindowsFeature cmdlet to add the GPMC feature. After you have run the command, use the Get-WindowsFeature cmdlet to reassure yourself that the feature is actually installed:

[hyperv-box]: PS C:\> Add-WindowsFeature -Name gpmc

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Group Policy Management}

[hyperv-box]: PS C:\> Get-WindowsFeature -Name gpmc

Display Name                                            Name
------------                                            ----
[X] Group Policy Management                             GPMC

[hyperv-box]: PS C:\>

While the feature is being installed, a progress bar is produced across the top of the Windows PowerShell console. This is shown in the following image.

Image of progress bar
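The interactive steps above can also be run as one non-interactive script. The following is an added example, not code from the original article: it uses Invoke-Command instead of Enter-PSSession, skips the install when GPMC is already present, and reports the result as an object. The function name Install-GpmcFeature is hypothetical; hyperv-box is the server name used above, and the caller is assumed to have administrative rights on the target and Windows PowerShell remoting enabled.

```powershell
# Added example (not from the original article). Install-GpmcFeature is a
# hypothetical helper name; it wraps the steps shown interactively above.
function Install-GpmcFeature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # ServerManager only exists on the server, so import it remotely.
        Import-Module ServerManager -ErrorAction Stop

        $feature = Get-WindowsFeature -Name GPMC
        if (-not $feature) {
            throw "GPMC feature not found on $env:COMPUTERNAME"
        }

        if ($feature.Installed) {
            # Nothing to change; do not call Add-WindowsFeature again.
            $status  = 'AlreadyInstalled'
            $restart = 'No'
        }
        else {
            $result = Add-WindowsFeature -Name GPMC -ErrorAction Stop
            if (-not $result.Success) {
                throw "Add-WindowsFeature failed: $($result.ExitCode)"
            }
            $status  = [string]$result.ExitCode
            $restart = [string]$result.RestartNeeded
        }

        # Verify the end state instead of trusting the install result alone:
        # re-query the feature and check that the GroupPolicy module loads.
        $installed = (Get-WindowsFeature -Name GPMC).Installed
        Import-Module GroupPolicy -ErrorAction Stop
        $cmdletCount = @(Get-Command -Module GroupPolicy).Count

        # New-Object PSObject keeps this compatible with PowerShell 2.0.
        New-Object PSObject -Property @{
            Computer           = $env:COMPUTERNAME
            Status             = $status
            RestartNeeded      = $restart
            Installed          = $installed
            GroupPolicyCmdlets = $cmdletCount
        }
    }
}

Install-GpmcFeature -ComputerName hyperv-box
```

Because the function returns an object rather than console text, the same call can be piped to Export-Csv or run against several servers to keep a record of where the management tools were added.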

On a Windows 7 computer, you will need to add the Remote Server Administration Tools (RSAT) to gain access to the Group Policy cmdlets. You will first need to download the RSAT tools for your platform, either 64-bit or 32-bit Windows 7. The amd64fre_GRMRSATX_MSU.msu version works on my Intel 64-bit computer.

Once you have downloaded and installed the proper RSAT package, you have to go into Control Panel/Programs and Features and choose Turn Windows Features on or off. This step requires admin rights. The RSAT package adds the Remote Server Administration Tools item in the dialog box. The dialog is shown in the following image.

Image of turning Windows features on

Because we are talking about using Windows PowerShell to manage Group Policy, make sure you select the Group Policy Management Tools. Go ahead and add any other tools that you would like to have as well. Unfortunately, there does not seem to be an “Add all tools” button, and therefore you are forced to navigate through dozens and dozens of nested little check boxes to add all the tools. This is seen in the following image.

Image of navigating through myriad check boxes

After you have added the Group Policy Management Tools, you can import the GroupPolicy module and begin using the cmdlets. We will look at that tomorrow.

CT, that is all there is to installing and accessing the Group Policy Management Windows PowerShell cmdlets. Group Policy Week will continue tomorrow when we will talk about importing the GroupPolicy module into the current Windows PowerShell session and exploring the available cmdlets.

If you would like to follow us on Twitter or Facebook, we would love to interact with you. Some of the ideas for this week’s Group Policy articles came from suggestions I received on Twitter. If you have any questions, send e-mail to us at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson and Craig Liebendorfer, Scripting Guys



