{"id":54413,"date":"2009-02-11T21:09:00","date_gmt":"2009-02-11T21:09:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/02\/11\/hey-scripting-guy-how-can-i-create-new-group-policy-objects\/"},"modified":"2009-02-11T21:09:00","modified_gmt":"2009-02-11T21:09:00","slug":"hey-scripting-guy-how-can-i-create-new-group-policy-objects","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-create-new-group-policy-objects\/","title":{"rendered":"Hey, Scripting Guy! How Can I Create New Group Policy Objects?"},"content":{"rendered":"

\"Hey, <\/h2>\n

Hey, Scripting Guy! Good morning. We are in the process of modifying our Group Policy implementation, and I anticipate having to create 15 or so new Group Policy objects. I know that I can open the Group Policy Management Console, right-click, and go through the wizard, but I would prefer to have a script that would create the Group Policy objects for me. Can this be done?<\/p>\n

– CC<\/p>\n

\"Spacer\"\"Hey,<\/p>\n

Hi CC,<\/p>\n

The good news is that we can do exactly what you asked. We can create new Group Policy objects from a script. The bad news is that we cannot do what you probably wanted to do, and that is to create a Group Policy object that does anything. There are third-party tools that will allow you to both create and configure Group Policy objects via script. In Windows 2008 R2, there are some pretty cool Group Policy cmdlets that provide additional capabilities. Without access to either of those solutions, you can create a Group Policy object via script and configure it later\u2014so it helps.<\/p>\n\n<\/thead>\n\n\n
\n

This week is Group Policy week. We will spend the week looking at some of the things you can do using Windows PowerShell when you have access to the COM object that ships with the Group Policy Management Console. There are some good VBScripts that illustrate working with Group Policy in the Script Center Script Repository<\/a>, and in the Community-Submitted Scripts Center<\/a>. You can also download a collection of sample Group Policy management scripts<\/a>.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/div>\n

The script that will create a GPO is called, surprisingly enough, CreateGPO.ps1<\/b>.<\/p>\n

CreateGPO.ps1<\/b><\/p>\n

param(\n      $domain = $env:userDNSdomain,\n      $gpoName = ($paramMissing=$true),\n      [switch]$whatif,\n      [switch]$help,\n      [switch]$examples,\n      [switch]$min,\n      [switch]$full\n      ) #end param\n# Begin Functions\nfunction Get-HelpTopic()\n{\n $descriptionText= `\n@\"\n NAME: CreateGPO.ps1\n DESCRIPTION:\n Creates a new GPO in a specified Domain by\n using default settings. This GPO can then\n easily be modified by using the GPMC\n This script supports prototyping by using\n the -whatif switch.\n PARAMETERS:\n -Domain domain to create the new GPO\n -gpoName name of the GPO to create\n -whatif prototypes the command\n -help prints help description and parameters file\n -examples prints only help examples of syntax\n -full prints complete help information\n -min prints minimal help. Modifies -help\n\"@ #end descriptionText\n$examplesText= `\n@\"\n SYNTAX:\n CreateGPO.ps1\n Displays an error missing parameter, and calls help\n CreateGPO.ps1  -gpoName \"SetScreenSaverTimeout\"\n Creates a GPO named SetScreenSaverTimeout in the local\n domain using the default GPO settings\n CreateGPO.ps1 -gpoName \"SetScreenSaverTimeout\" -domain \"nwtraders.com\n Creates a GPO named SetScreenSaverTimeout in the nwtraders.com domain\n CreateGPO.ps1 -gpoName \"SetScreenSaverTimeout\" -domain \"nwtraders.com -whatif\n Displays what if: Perform operation create GPO SetScreenSaverTimeout in\n domain nwtraders.com\n CreateGPO.ps1 -help\n Prints the help topic for the script\n CreateGPO.ps1 -help -full\n Prints full help topic for the script\n CreateGPO.ps1 -help -examples\n Prints only the examples for the script\n CreateGPO.ps1 -examples\n Prints only the examples for the script\n\"@ #end examplesText\n$remarks = `\n\"\nREMARKS\n     For more information, type: $($MyInvocation.ScriptName) -help -full\n\" #end remarks\n  if($examples) { $examplesText ; $remarks ; exit }\n  if($full)     { $descriptionText; $examplesText ; exit }\n  if($min)      { $descriptionText ; exit }\n  $descriptionText; $remarks\n  exit\n} #end Get-HelpTopic function\nfunction New-Line (\n                  $strIN,\n                  $char = \"=\",\n                  $sColor = \"Yellow\",\n                  $uColor = \"darkYellow\",\n                  [switch]$help\n                 )\n{\n if($help)\n  {\n    $local:helpText = `\n@\"\n     New-Line accepts inputs: -strIN for input string and -char for seperator\n     -sColor for the string color, and -uColor for the underline color. Only\n     the -strIn is required. The others have the following default values:\n     -char: =, -sColor: Yellow, -uColor: darkYellow\n     Example:\n     New-Line -strIN \"Hello world\"\n     New-Line -strIn \"Morgen welt\" -char \"-\" -sColor \"blue\" -uColor \"yellow\"\n     New-Line -help\n\"@\n   $local:helpText\n   break\n  } #end New-Line help\n $strLine= $char * $strIn.length\n Write-Host -ForegroundColor $sColor $strIN\n Write-Host -ForegroundColor $uColor $strLine\n} #end New-Line function\nFunction Get-Whatif()\n{\n \"what if: Perform operation create GPO $gpoName in domain $domain\"\n exit\n} #end Get-Whatif\nFunction New-GPO()\n{\n$error.clear()\n $gpm = new-object -comobject GPMgmt.gpm\n $constants = $gpm.getConstants()\n $gpmDomain = $gpm.getDomain($domain,$null, $constants.UseAnyDC)\n $gpmGPO = $gpmDomain.CreateGPO()\n $gpmGPO.DisplayName = $gpoName\n if($error.count -ne 0)\n   {\n    $GPMGPO.Delete()\n    New-Line -strIN \"An error occurred creating $gpoName\" -scolor red\n    \"The error was $($error.categoryInfo)\"\n  }\n else\n  {\n   Write-host \"Created GPO $($gpmGPO.displayname)\"\n  }\n} #end New-GPO\n# Entry Point\nif($help)      { Get-HelpTopic }\nif($examples)  { Get-HelpTopic }\nif($full)      { Get-HelpTopic }\nif($whatif)    { Get-Whatif }\nif($paramMissing) { \"GPO name is required\" ; Get-HelpTopic }\nif($gpoName) { New-GPO }\n <\/pre>\n
The CreateGPO.ps1<\/b> is written in the same style as the other GPO scripts we have seen this week. Please refer to the articles from Monday<\/a> and Tuesday<\/a> to see information about the command-line parameters and the help function.<\/p>\n
After we get past the command-line parameters and the help function, the next function to talk about is the Get-Whatif<\/b> function, which tells us what the script will do after you have configured the parameters. An example of running the script with whatif<\/b> is seen here:<\/p>\n
CreateGPO.ps1 -gpoName \"SetScreenSaverTimeout\" -domain \"nwtraders.com \u2013whatif<\/pre>\n
When the above command is typed, it displays what if: Perform operation create GPO SetScreenSaverTimeout in domain nwtraders.com<\/b>. This is useful not only because it will give you confidence about what the command will actually do, but also because it will give troubleshooting help. This is because it lets you know which values have been received for which parameters. The Get-Whatif<\/b> function basically prints out a string and the values that are supplied to the $gpoName<\/b> variable and the $domain<\/b> variable. Both of these variables obtain their value from the command line when the script is launched; however,. by default the $domain<\/b> variable is obtained by reading the environmental variable userDNSDomain<\/b> off the environmental drive. The Get-Whatif<\/b> function is seen  here:<\/p>\n
Function Get-Whatif()\n{\n \"what if: Perform operation create GPO $gpoName in domain $domain\"\n exit\n} #end Get-Whatif\n<\/pre>\n
The main portion of the script is the New-GPO<\/b> function. The first thing we do is create an instance of the GPMgmt.gpm<\/b> object. We can use this object if the Group Policy Management Console is installed. For Windows Vista with SP1, you will need to install RSAT<\/a>. Here is the line of code that creates the GPMgmt.gpm<\/b> object:<\/p>\n
$gpm = new-object -comobject GPMgmt.gpm<\/pre>\n
The next thing we need to do is to use the GetConstants<\/b> method, which returns the constants and their associated values to use with the GPMgmt.gpm<\/b> object. All the constants and their values are seen in Table 1.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Table 1 Group Policy Management API constant values<\/td>\n<\/tr>\n
Constant<\/td>\nValue<\/td>\n<\/tr>\n<\/thead>\n
\n
permGPOApply<\/p>\n<\/td>\n
\n
65536<\/p>\n<\/td>\n<\/tr>\n
\n
permGPORead<\/p>\n<\/td>\n
\n
65792<\/p>\n<\/td>\n<\/tr>\n
\n
permGPOEdit<\/p>\n<\/td>\n
\n
65793<\/p>\n<\/td>\n<\/tr>\n
\n
permGPOEditSecurityAndDelete<\/p>\n<\/td>\n
\n
65794<\/p>\n<\/td>\n<\/tr>\n
\n
permGPOCustom<\/p>\n<\/td>\n
\n
65794<\/p>\n<\/td>\n<\/tr>\n
\n
permWMIFilterEdit<\/p>\n<\/td>\n
\n
131072<\/p>\n<\/td>\n<\/tr>\n
\n
permWMIFilterFullControl<\/p>\n<\/td>\n
\n
131073<\/p>\n<\/td>\n<\/tr>\n
\n
permWMIFilterCustom<\/p>\n<\/td>\n
\n
131074<\/p>\n<\/td>\n<\/tr>\n
\n
permSOMLink<\/p>\n<\/td>\n
\n
1835008<\/p>\n<\/td>\n<\/tr>\n
\n
permSOMLogging<\/p>\n<\/td>\n
\n
1573120<\/p>\n<\/td>\n<\/tr>\n
\n
permSOMPlanning<\/p>\n<\/td>\n
\n
1573376<\/p>\n<\/td>\n<\/tr>\n
\n
permSOMGPOCreate<\/p>\n<\/td>\n
\n
1049600<\/p>\n<\/td>\n<\/tr>\n
\n
permSOMWMICreate<\/p>\n<\/td>\n
\n
1049344<\/p>\n<\/td>\n<\/tr>\n
\n
permSOMWMIFullControl<\/p>\n<\/td>\n
\n
1049345<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPOPermissions<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPOEffectivePermissions<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPODisplayName<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPOWMIFilter<\/p>\n<\/td>\n
\n
3<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPOID<\/p>\n<\/td>\n
\n
4<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPOComputerExtensions<\/p>\n<\/td>\n
\n
5<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPOUserExtensions<\/p>\n<\/td>\n
\n
6<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertySOMLinks<\/p>\n<\/td>\n
\n
7<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyGPODomain<\/p>\n<\/td>\n
\n
8<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyBackupMostRecent<\/p>\n<\/td>\n
\n
9<\/p>\n<\/td>\n<\/tr>\n
\n
SearchOpEquals<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
SearchOpContains<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
SearchOpNotContains<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
SearchOpNotEquals<\/p>\n<\/td>\n
\n
3<\/p>\n<\/td>\n<\/tr>\n
\n
UsePDC<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
UseAnyDC<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
DoNotUseW2KDC<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
somSite<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
somDomain<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
somOU<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
DoNotValidateDC<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
ReportHTML<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
ReportXML<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
RSOPModeUnknown<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
RSOPModePlanning<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
RSOPModeLogging<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeUser<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeComputer<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeLocalGroup<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeGlobalGroup<\/p>\n<\/td>\n
\n
3<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeUniversalGroup<\/p>\n<\/td>\n
\n
4<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeUNCPath<\/p>\n<\/td>\n
\n
5<\/p>\n<\/td>\n<\/tr>\n
\n
EntryTypeUnknown<\/p>\n<\/td>\n
\n
6<\/p>\n<\/td>\n<\/tr>\n
\n
DestinationOptionSameAsSource<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
DestinationOptionNone<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
DestinationOptionByRelativeName<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
DestinationOptionSet<\/p>\n<\/td>\n
\n
3<\/p>\n<\/td>\n<\/tr>\n
\n
MigrationTableOnly<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
ProcessSecurity<\/p>\n<\/td>\n
\n
2<\/p>\n<\/td>\n<\/tr>\n
\n
RsopLoggingNoComputer<\/p>\n<\/td>\n
\n
65536<\/p>\n<\/td>\n<\/tr>\n
\n
RsopLoggingNoUser<\/p>\n<\/td>\n
\n
131072<\/p>\n<\/td>\n<\/tr>\n
\n
RsopPlanningAssumeSlowLink<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
RsopPlanningAssumeUserWQLFilterTrue<\/p>\n<\/td>\n
\n
8<\/p>\n<\/td>\n<\/tr>\n
\n
RsopPlanningAssumeCompWQLFilterTrue<\/p>\n<\/td>\n
\n
16<\/p>\n<\/td>\n<\/tr>\n
\n
BackupTypeGPO<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
BackupTypeStarterGPO<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
StarterGPOTypeSystem<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
StarterGPOTypeCustom<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyStarterGPOPermissions<\/p>\n<\/td>\n
\n
10<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyStarterGPOEffectivePermissions<\/p>\n<\/td>\n
\n
11<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyStarterGPODisplayName<\/p>\n<\/td>\n
\n
12<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyStarterGPOID<\/p>\n<\/td>\n
\n
13<\/p>\n<\/td>\n<\/tr>\n
\n
SearchPropertyStarterGPODomain<\/p>\n<\/td>\n
\n
14<\/p>\n<\/td>\n<\/tr>\n
\n
permStarterGPORead<\/p>\n<\/td>\n
\n
197888<\/p>\n<\/td>\n<\/tr>\n
\n
permStarterGPOEdit<\/p>\n<\/td>\n
\n
197889<\/p>\n<\/td>\n<\/tr>\n
\n
permStarterGPOFullControl<\/p>\n<\/td>\n
\n
197890<\/p>\n<\/td>\n<\/tr>\n
\n
permStarterGPOCustom<\/p>\n<\/td>\n
\n
197891<\/p>\n<\/td>\n<\/tr>\n
\n
ReportLegacy<\/p>\n<\/td>\n
\n
0<\/p>\n<\/td>\n<\/tr>\n
\n
ReportComments<\/p>\n<\/td>\n
\n
1<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
<\/div>\n
After we have created the constants and stored them in a variable, we can use them directly when we obtain a connection to the domain. This is seen here:<\/p>\n
$constants = $gpm.getConstants()\n $gpmDomain = $gpm.getDomain($domain,$null, $constants.UseAnyDC)\n<\/pre>\n
After we have connected to the domain, we use the CreateGPO<\/b> method to create a Group Policy object. And after we have created the GPO, we need to specify the display name for it:<\/p>\n
$gpmGPO = $gpmDomain.CreateGPO()\n $gpmGPO.DisplayName = $gpoName\n<\/pre>\n
Because we are creating a new GPO, we might be interested in seeing if it was actually created. To do this, we check the error count. If the error count is not equal to 0, a problem occurred and we delete the GPO. Otherwise, the operation was successful and everything is groovy. This is seen here:<\/p>\n
if($error.count -ne 0)\n   {\n    $GPMGPO.Delete()\n    New-Line -strIN \"An error occurred creating $gpoName\" -scolor red\n    \"The error was $($error.categoryInfo)\"\n  }\n else\n  {\n   Write-host \"Created GPO $($gpmGPO.displayname)\"\n  }\n} #end New-GPO\n<\/pre>\n
Well, CC, that is the good news when it comes to creating GPOs: you can do it via scripting. Hope this helps, and that it saves you some time and effort in your new Group Policy plan. Join us tomorrow when we will talk about finding GPOs that have no security filtering applied. See you then.<\/p>\n
 <\/p>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! Good morning. We are in the process of modifying our Group Policy implementation, and I anticipate having to create 15 or so new Group Policy objects. I know that I can open the Group Policy Management Console, right-click, and go through the wizard, but I would prefer to have a script that […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[152,3,45],"class_list":["post-54413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-group-policy","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! Good morning. We are in the process of modifying our Group Policy implementation, and I anticipate having to create 15 or so new Group Policy objects. I know that I can open the Group Policy Management Console, right-click, and go through the wizard, but I would prefer to have a script that […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=54413"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54413\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=54413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=54413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=54413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}