Back in the ‘80s, I remember doing everything on a PC inside a black
walled window, typing commands into a DOS prompt. Then came Windows and the
advent of the GUI. The days of the command prompt appeared to be over, especially
for the Windows user. Until now—because a small group at Microsoft has
decided to go back to the basics. They created a tool called PowerShell that
combines the ease of use of a command prompt, the power of object manipulation,
simple but flexible cmdlets, and the ability to easily access Microsoft .NET
classes.
Installing and running PowerShell isn't all that exciting on its own, because
most people's first commands are the familiar Dir or Cls commands from the DOS
days. However, like a Swiss Army knife, the beauty of PowerShell is its ability
to solve difficult problems with unbelievable ease. To illustrate these capabilities,
we'll tackle a difficult Group Policy management challenge: managing and archiving
Group Policy Objects (GPOs) listed in a Microsoft Excel spreadsheet.
I'll use PowerShell to demonstrate how easily you can accomplish this task
with just a few lines of code. I chose this scenario because in almost every
company I've visited, regardless of whether they use a third-party GPO management
tool or the native Group Policy Management Console (GPMC) tool, everyone seems
to maintain a list of GPOs (along with their status, change information, owner,
etc.) in an Excel spreadsheet.
Step 1: Download and Install GPMC and PowerShell
GPMC is the de facto management console for viewing, archiving, and analyzing
GPOs in Active Directory (AD). Although we aren't going to use the GPMC Microsoft
Management Console (MMC) UI, we do need GPMC's COM automation DLL for our PowerShell
script to call its APIs.
GPMC ships only with Windows Vista. If you're running an OS other than Vista,
you need to download GPMC from http://www.microsoft.com/windowsserver2003/gpmc.
Just install the file GPMC.msi; all the COM registrations are handled automatically
and will then be easily accessible from PowerShell.
Next, download the appropriate version of PowerShell for your OS. You can download
PowerShell from http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx.
Notice that PowerShell is supported on Windows XP SP2, Windows Server 2003,
and Vista on both x86 and x64 platforms. Before installing PowerShell, make
sure you have Microsoft .NET Framework 2.0 installed. The x86 platform version
is available at http://www.microsoft.com/downloads/details.aspx?familyid=0856eacb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en
(with links on the page to other platforms).
Step 2: Create a Sample GPO Spreadsheet
Most administrators document their GPOs in some form, whether in an Excel spreadsheet,
a database, or even a Notepad file. If you haven't documented your GPOs, now
is a good time to start.
As Figure 1 shows, I used four GPOs. My sample
Excel spreadsheet describes specific attributes of each GPO, such as GPOName,
GPOGUID, Domain, Owner, Department, Change Control status, and Description.
You'll need to list the GPOs that exist in your AD, or create test GPOs in your
AD for this exercise and update the GPOName, GPOGUID, and Domain columns with
your own GPOs that you want to back up. After completing the Excel spreadsheet,
save it as a comma-separated value (CSV) file called GPOList.csv.
PowerShell has built-in cmdlets that let you import the contents of a .csv
file, then navigate to individual items inside the spreadsheet as objects. This
is one of the key differences between PowerShell and typical UNIX shells or
other scripting languages such as Perl. Whereas UNIX shells and Perl pass data
along the pipeline as text, PowerShell stores and passes object references that
can be queried, manipulated, searched, and operated on as collections, which is
infinitely more flexible. PowerShell was originally designed as a .NET
scripting language—this underlying infrastructure is obvious in PowerShell's
ability to inherit .NET's capabilities for data manipulation, while keeping the
technology accessible.
In your sample spreadsheet, you can create any
number of columns with any amount of information
for each GPO. For consistency, we'll designate the
first column as GPOName because that's what we'll
use as our unique identifier.
Step 3: Create the PowerShell Script
We'll start with a PowerShell script that calls GPMC's COM APIs for initiating
a GPO backup.
Listing 1 contains this code, called BackupGPO.ps1. First, the script creates
a reference to the GPMC COM Automation object. In VBScript, you'd call the
function CreateObject—for example, Set GPM = CreateObject("GPMgmt.GPM").
PowerShell has an equivalent function called New-Object; passing in the
-comobject GPMgmt.GPM parameter, as callout A in Listing 1 shows, initializes
the GPMC COM object.
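
The CSV import from Step 2 and the COM object creation described above, combined in one sketch. This is an added example, not the article's Listing 1 or Microsoft's code. It assumes the GPOGUID column holds GUIDs in brace form, that C:\GPOBackups is a hypothetical backup path, and that PowerShell 2.0 or later is in use (for try/catch).

```powershell
# Added example, not the article's Listing 1. Assumes GPMC is installed and
# GPOList.csv has the GPOName, GPOGUID, Domain and Owner columns from Step 2.
# C:\GPOBackups is a hypothetical path; GUIDs are assumed to be in {brace} form.
param(
    [string]$CsvPath   = '.\GPOList.csv',
    [string]$BackupDir = 'C:\GPOBackups'
)

# Each CSV row becomes an object whose properties are the column headers.
$rows = @(Import-Csv -Path $CsvPath)

# Reject malformed rows before touching AD: the GUID must be well formed
# and the columns the backup needs must be populated.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$valid = @($rows | Where-Object {
    $_.GPOName -and $_.Domain -and ($_.GPOGUID -match $guidPattern)
})
if ($valid.Count -ne $rows.Count) {
    Write-Warning "$($rows.Count - $valid.Count) row(s) skipped: missing name/domain or bad GUID"
}

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# Same object VBScript would get from CreateObject("GPMgmt.GPM").
$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()

foreach ($row in $valid) {
    try {
        $domain = $gpm.GetDomain($row.Domain, '', $constants.UseAnyDC)
        $gpo    = $domain.GetGPO($row.GPOGUID)

        # Catch spreadsheet drift: the GUID resolves, but to a different GPO name.
        if ($gpo.DisplayName -ne $row.GPOName) {
            Write-Warning "$($row.GPOGUID): sheet says '$($row.GPOName)', AD says '$($gpo.DisplayName)'"
        }

        $result = $gpo.Backup($BackupDir, "Owner: $($row.Owner); archived $(Get-Date -Format s)")
        $result.OverallStatus()          # throws if the backup failed
        "{0} -> backup ID {1}" -f $gpo.DisplayName, $result.Result.ID
    }
    catch {
        Write-Warning "Backup failed for $($row.GPOName): $($_.Exception.Message)"
    }
}
```

Restrict the ACL on the backup directory to the accounts that administer GPOs, since each backup contains the GPO's full settings.
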
A useful PowerShell feature is that for any cmdlet, parameter, or object, if
you enter the first few characters of the cmdlet or parameter and press Tab,
PowerShell fills in the closest match. If you continue to press Tab, you'll
cycle through all the possible cmdlets, parameters, or object attributes. For
example, after you set the $GPM variable at callout A in Listing 1, if you
enter $GPM. and press Tab, you'll see all the COM functions that GPMC has
exposed.