The challenge<\/h2>\n
Welcome back! Part 1 looked at my script, Comprehensive Group Policy Backup Script<\/a>. Part 2 is about a Group Policy import script. Previously done, you say? True, but I have yet to find a script that mirrors all of the following configuration items to a test domain:<\/p>\n Until now. This script can also process a Migration Table<\/a>. Let’s discuss it…<\/p>\n The import script flow is determined by the backup script’s output. What do we have? A folder with the normal Backup-GPO<\/b> cmdlet results. In the same folder, there’s an XML file that has the details of any WMI filters from the source domain. The Export-Clixml<\/b> cmdlet created this file. We need to import it with the Import-Clixml<\/b> cmdlet:<\/p>\n $WmiFilters = Import-Clixml -Path $WmiXML<\/p>\n $WmiFIlters<\/b> has the configuration information for each WMI filter from the source domain.<\/p>\n We also have another XML file, GpoDetails.xml, with information for reconstructing GPO settings that were not captured by Backup-GPO<\/b>. This is imported too:<\/p>\n $CustomGpoInfo = Import-Clixml -Path $CustomGpoXML<\/p>\n In $CustomGpoInfo<\/b>, there’s an object for each backed-up GPO. Each object has the following properties:<\/p>\n For example:<\/p>\n Let’s look at the SOMs<\/b> property in detail. Scope-of-management refers to a site, domain, or organizational unite where a GPO is linked. Each SOM<\/b> object in the SOMs<\/b> array has that information and more:<\/p>\n “$SomDN:$SomInheritance:$LinkEnabled:$LinkOrder:$LinkEnforced"<\/p>\n For example:<\/p>\n There are five pieces of information for each entry. Each piece is separated by a colon. Here’s what they represent:<\/p>\n The backup folder might also contain a migration table to translate domain-specific information from one domain to another. This should be manually updated after the Backup_GPOs<\/a> script has completed.<\/p>\n To process the backup output, the import script needs five sections:<\/p>\n The script also records key actions. A script log shows script activity and aids troubleshooting. For years, I’ve logged script output in a format that can be parsed by the SMS Trace application (part of the Systems Management Server 2003 Toolkit 2<\/a>, which is now superseded by CM Trace). This allows me to match events to script components, highlight key information, filter, search, and even look up error codes.<\/p>\n Here are some sample log entries:<\/p>\n You can download the entire function from the Script Center Repository: Log-ScriptEvent Function<\/a>.<\/p>\n Now, let’s look at the script sections in detail…<\/p>\n If the WmiFilter<\/b> script switch is specified, this section is executed. A loop processes each filter in the $WmiFilters<\/b> array. The DomainDN<\/b> portion of the current filter’s DistinguishedName<\/b> property is updated to reflect the target domain, and then saved to a variable ($SourceDomainDN<\/b> and $TargetDomainDN<\/b> have been defined earlier in the script).<\/p>\n ForEach ($WMI in $WmiFilters) {<\/p>\n $TargetWmiDN = $WMI.DistinguishedName –Replace $SourceDomainDN, $TargetDomainDN<\/p>\n For example:<\/p>\n Is updated to:<\/p>\n This variable is then supplied to Get-ADObject<\/b> to test whether the filter already exists in the target domain.<\/p>\n TargetWMI = Get-ADObject -Identity $TargetWmiDN<\/p>\n If the filter does exist, properties from the backup are added to a hash table with the [Ordered] type<\/b> declaration. [Ordered]<\/b> ensures that the properties stay in the defined order.<\/p>\n $Properties = [Ordered]@{<\/p>\n "msWMI-Author" = $WMI."msWMI-Author"<\/p>\n "msWMI-ChangeDate" = "$(Get-Date -Format yyyyMMddhhmmss).706000-000"<\/p>\n "msWMI-ID" = $WMI."msWMI-ID" <\/p>\n "msWMI-Name" = $WMI."msWMI-Name"<\/p>\n "msWMI-Parm1" = $WMI."msWMI-Parm1"<\/p>\n "msWMI-Parm2" = $WMI."msWMI-Parm2"<\/p>\n } #End of $Properties<\/p>\n The Set-ADObject<\/b> cmdlet is then used to update the filter with $Properties<\/b> passed to the Replace<\/b> parameter:<\/p>\n $UpdateWmiFilter = Set-ADObject -Identity $TargetWmiDN -Replace $Properties<\/p>\n If the filter doesn’t exist, the hash table of properties is given an additional attribute: “msWMI-CreationDate”<\/b>:<\/p>\n "msWMI-CreationDate" = "$(Get-Date -Format yyyyMMddhhmmss).706000-000"<\/p>\n The New-ADObject<\/b> cmdlet is then called:<\/p>\n $NewWmiFilter = New-ADObject -Name $WMI."msWMI-ID" -Type $WMI.ObjectClass `<\/p>\n -Path "CN=SOM,CN=WMIPolicy,CN=System,$TargetDomainDN" `<\/p>\n -OtherAttributes $Properties<\/p>\n Here’s an explanation of its parameters.<\/p>\n When every WMI filter is imported, the parent loop is closed.<\/p>\n A parent loop processes each object in the $CustomGpoInfo<\/b> array:<\/p>\n ForEach ($CustomGpo in $CustomGpoInfo) {<\/p>\n The Import-GPO<\/b> cmdlet is executed:<\/p>\n $ImportedGpo = Import-GPO -BackupId $CustomGpo.BackupGuid<\/p>\n -Path $BackupFolder<\/p>\n -CreateIfNeeded<\/p>\n -Domain $DomainFQDN<\/p>\n -TargetName $CustomGpo.Name<\/p>\n -MigrationTable $MigrationFile<\/p>\n The parameters:<\/p>\n A backed-up GPO object is imported into the target domain. What about those additional GPO configuration settings?<\/b><\/p>\n Before the next GPO is processed, this section is executed only if the WmiFilter<\/b> script switch is activated. If the current custom GPO object has a WMI filter property, the corresponding filter in the target domain is linked to the newly imported GPO.<\/p>\n Use the WmiFilter<\/b> property of the current custom GPO to construct the path to the WMI filter in the target domain:<\/p>\n $TargetWmiDN = "CN=$($CustomGpo.WmiFilter),CN=SOM,CN=WMIPolicy,CN=System,$TargetDomainDN"<\/p>\n Test that the filter is present and include the msWMI-Name<\/b> value in the properties that are returned:<\/p>\n $TargetWMI = Get-ADObject -Identity $TargetWmiDN -Property "msWMI-Name"<\/p>\n If the filter is present, use the Id<\/b> property of the imported GPO to construct the path to the corresponding Group Policy container in the target domain:<\/p>\n $TargetGpoDN = "CN={$($ImportedGpo.Id)},CN=Policies,CN=System,$TargetDomainDN"<\/p>\n What’s a Group Policy container? A GPO is made up of two components. The first is the Group Policy container, which includes settings that are stored in Active Directory (there’s an attribute for the linked WMI filter). The second is a Group Policy template, which has settings that are stored in the System Volume (SYSVOL). (This provides a file system share that is replicated to all domain controllers).<\/p>\n To finish, use the path to the Group Policy container to update the WMI filter attribute gPCWQLFilter<\/b> on the Group Policy container object: <\/p>\n $UpdateGpoFilter = Set-ADObject $TargetGpoDN -Replace @{gPCWQLFilter = "[$TargetDomainFQDN;$($TargetWMI.Name);0]"}<\/p>\n The Replace<\/b> parameter accepts a hash table of attributes. In this instance, the value that is associated with the gPCWQLFilter<\/b> attribute has an interesting format constructed by using the FQDN of the target domain and the name of the target WMI filter (the msWMI-Name<\/b> value). Here’s an example:<\/p>\n The information in this section is executed only if the SomInfo<\/b> script switch is activated. If the current custom GPO object has a populated SOMs<\/b> property, each SOM<\/b> entry from the array is evaluated in a child loop. The aim is to link the imported GPO to corresponding SOMs<\/b> in the target domain.<\/p>\n $SOMs = $CustomGpo | Select-Object -ExpandProperty SOMs<\/p>\n ForEach ($SOM in $SOMs) {<\/p>\n To obtain the original SOM distinguished name, the $SOM<\/b> string is split by using the “:<\/b>” delimiter, and the first element of the array is assigned to a variable:<\/p>\n $SomDN = ($SOM –Split ":")[0]<\/p>\n For example:<\/p>\n The DomainDN<\/b> of the string is then replaced with the distinguished name of the target domain:<\/p>\n $SomDN = $SomDN –Replace $CustomGpo.DomainDN, $DomainDN<\/p>\n For example:<\/p>\n Next, check that the updated SOMDN<\/b> exists by using the Get-ADObject<\/b> cmdlet:<\/p>\n $TargetSom = Get-ADObject -Identity $SomDn<\/p>\n Note<\/b> It is assumed that a matching path already exists in the target test domain.<\/p>\n If the distinguished name doesn’t exist, an error is logged, and we move to the next SOM<\/b>. If the distinguished name exists, create a new link to it by using the New-GPLink<\/b> cmdlet:<\/p>\n $SomLink = New-GPLink -Guid $ImportedGpo.Id -Domain $DomainFQDN -Target $SomDN<\/p>\n Remember $ImportedGPO<\/b>? It contains the result of the Import-GPO<\/b> cmdlet. Its Id<\/b> property is the GPO GUID of the imported policy in the target domain.<\/p>\n Onward…<\/p>\n Each SOM<\/b> is processed and the SOM<\/b> child loop is exited. The current custom GPO from the $CustomGpoInfo<\/b> array is updated. The GPO GUID of the newly imported policy is added as a property called NewGpoGuid<\/b>:<\/p>\n $CustomGpo | Add-Member -MemberType NoteProperty -Name NewGpoGuid -Value $ImportedGpo.Id<\/p>\n For example:<\/p>\n The process is repeated for each custom GPO object. The parent loop is then exited.<\/p>\n Time to process the block inheritance, link enabled, link order, and link enforced details. As in the Import Backed-Up GPOs<\/i> section, a parent loop processes each object in the $CustomGpoInfo<\/b> array. The SOMs<\/b> property is expanded, and a child loop processes each entry.<\/p>\n Again, the $SomDN<\/b> value is obtained by splitting the $SOM<\/b> string. This time, though, we’re also interested in the other elements, for example:<\/p>\n The Set-GPLink<\/b> cmdlet doesn’t understand Boolean values, so these have to be converted to Yes<\/b> or No<\/b>. Here’s how the $LinkEnabled<\/b> value is processed. The $SOM<\/b> string is split at the “:<\/b>”, and the second index of the array is tested for $True<\/b> or $False<\/b>:<\/p>\n Switch ($SOM.Split(":")[2]) {<\/p>\n $True {<\/p>\n #Set the GP link enabled variable to Yes<\/p>\n $LinkEnabled = "Yes"<\/p>\n } #End of $True<\/p>\n $False {<\/p>\n #Set the GP link enabled variable to No<\/p>\n $LinkEnabled = "No"<\/p>\n } #End of $False<\/p>\n } #End of Switch ($SOM.Split(":")[2])<\/p>\n Note<\/b> The Switch<\/b> statement is very powerful. It accepts wildcard characters, regular expressions, or the content of a file as input. It can even loop. Have a look at Get-Help about_Switch.<\/p>\n The $LinkEnforced<\/b> value is obtained by using the same Switch<\/b> statement. This time, the fourth index of the array is used. $LinkOrder<\/b> is grabbed from the third index.<\/p>\n Here’s what the Set-GPLink<\/b> syntax looks like:<\/p>\n $SomLink = Set-GPLink -Guid $CustomGpo.NewGpoGuid<\/p>\n -Domain $DomainFQDN<\/p>\n -Target $SomDN<\/p>\n -LinkEnabled $LinkEnabled<\/p>\n -Order $LinkOrder<\/p>\n -Enforced $LinkEnforced<\/p>\n The value that is fed to the Guid<\/b> parameter is the NewGpoGuid<\/b> property that was recently added to the current custom GPO object. After executing Set-GPLink<\/b>, almost all of the additional data is restored.<\/p>\n Here’s the last piece of the puzzle. The Set-GPInheritance<\/b> cmlet is only called to configure block inheritance when the corresponding value is True<\/b>:<\/p>\n If ($SomInheritance -eq $True) {<\/p>\n #Set block inheritance<\/p>\n $SetInheritance = Set-GPInheritance -Target $SomDn -IsBlocked Yes<\/p>\n Note<\/b> In PFE, we don’t recommend the use of the enforced or the block inheritance options because they can complicate troubleshooting. If the script enables either of these options, a warning will be logged (highlighted in yellow in the following example):<\/p>\n Then, on to the next SOM<\/b> entry until all link details are processed. Then, on to the next GPO import until all backed-up GPOs are processed.<\/p>\n Now inspect the script log. It will be in the directory from which the import script was executed. Target any red. Finally, fire up the GPMC for the test domain…Cool, eh?<\/p>\n Well, I enjoyed that and I hope you did too. Have fun!<\/p>\n You can download the entire script from the Script Center Repository: Comprehensive Group Policy Import Script<\/a>.<\/p>\n ~Ian<\/p>\n Thank you, Ian. Join me tomorrow as the Scripting Wife reveals the top five Hey, Scripting Guy! Blog posts of 2013. It is cool stuff—you will not want to miss it.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Microsoft PFE, Ian Farr talks about using Windows PowerShell to import Group Policy Objects. Microsoft Scripting Guy, Ed Wilson, is here. Yesterday, guest blogger, Ian Farr talked about backing up Group Policy Objects (GPOs) in his post Using PowerShell to Back Up Group Policy Objects. He continues his GPO series today… The challenge Welcome […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[152,56,472,3,61,45],"class_list":["post-2282","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-group-policy","tag-guest-blogger","tag-ian-farr","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":" Summary: Microsoft PFE, Ian Farr talks about using Windows PowerShell to import Group Policy Objects. Microsoft Scripting Guy, Ed Wilson, is here. Yesterday, guest blogger, Ian Farr talked about backing up Group Policy Objects (GPOs) in his post Using PowerShell to Back Up Group Policy Objects. He continues his GPO series today… The challenge Welcome […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2282"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2282\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
The import<\/h2>\n
\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8015.wes-1-5-14-1.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3051.wes-1-5-14-2.png\" "\\"Image")
<\/a><\/p>\n\n
\n
Logging on<\/h2>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8688.wes-1-5-14-3.png\" "\\"Image")
<\/a><\/p>\nImport WMI filters<\/h3>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8764.wes-1-5-14-4.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5277.wes-1-5-14-5.png\" "\\"Image")
<\/a><\/p>\n\n
Import backed-up GPOs<\/h3>\n
\n
Link WMI filters<\/h3>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4786.wes-1-5-14-6.png\" "\\"Image")
<\/a><\/p>\nCreate GPO links<\/h3>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8623.wes-1-5-14-7.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6165.wes-1-5-14-8.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/7217.wes-1-5-14-9.png\" "\\"Image")
<\/a><\/p>\nConfigure GPO links<\/h3>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-1-5-14-10.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-1-5-14-11.png\" "\\"Image")
<\/a><\/p>\n