Creating a group policy object
Group policy allows you to define computer and user configuration settings that ensure a system is configured per policy.
With group policy, you first create a group policy object within the Active Directory. You then configure the GPO, for example, enabling computers in the IT organizational unit to be able to use PowerShell scripts on those systems. There are literally thousands of settings you can configure for a user or computer through group policy.
Once you configure your GPO object, you link the policy object to the OU you want to configure. You can also apply a GPO to the domain as a whole, to a specific AD site, or to any OU. A given GPO can be assigned in multiple places which can simplify your OU design.
The configuration of a GPO typically results in some data being generated that a host's group policy agent (the code that applies the GPO objects) can access. This information tells the agent how to work. Settings made through administrative templates use registry settings inside Registry.POL files. The group policy agent obtains the policy details from the SYSVOL share on a domain controller and applies them whenever a user logs on or off or when a computer starts up or shuts down.
The group policy module also provides the ability to create nice-looking reports describing the group policy object.
Getting ready
This recipe runs on the DC1 domain controller that has been set up and configured in the three prior recipes in this chapter.
How to do it...
- Create a group policy object:
$Pol = New-GPO -Name ITPolicy -Comment 'IT GPO' -Domain Reskit.Org
- Ensure that only computer settings are enabled:
$Pol.GpoStatus = 'UserSettingsDisabled'
- Configure the policy with two settings:
$EPHT1 = @{
  Name      = 'ITPolicy'
  Key       = 'HKLM\Software\Policies\Microsoft\Windows\PowerShell'
  ValueName = 'ExecutionPolicy'
  Value     = 'Unrestricted'
  Type      = 'String'
}
Set-GPRegistryValue @EPHT1 | Out-Null
$EPHT2 = @{
  Name      = 'ITPolicy'
  Key       = 'HKLM\Software\Policies\Microsoft\Windows\PowerShell'
  ValueName = 'EnableScripts'
  Type      = 'DWord'
  Value     = 1
}
Set-GPRegistryValue @EPHT2 | Out-Null
- Create another GPO for the screen saver timeout, set the status, and add a description:
$Pol2 = New-GPO -Name 'Screen Saver Time Out'
$Pol2.GpoStatus   = 'ComputerSettingsDisabled'
$Pol2.Description = '15 minute timeout'
- Set a registry value:
$EPHT3 = @{
  Name      = 'Screen Saver Time Out'
  Key       = 'HKCU\Software\Policies\Microsoft\Windows\' +
              'Control Panel\Desktop'
  ValueName = 'ScreenSaveTimeOut'
  Value     = 900
  Type      = 'DWord'
}
Set-GPRegistryValue @EPHT3 | Out-Null
- Assign the GPOs to the IT OU:
$GPLHT1 = @{
  Name   = 'ITPolicy'
  Target = 'OU=IT,DC=Reskit,DC=org'
}
New-GPLink @GPLHT1 | Out-Null
$GPLHT2 = @{
  Name   = 'Screen Saver Time Out'
  Target = 'OU=IT,DC=Reskit,DC=org'
}
New-GPLink @GPLHT2 | Out-Null
- Display the GPOs in the domain:
Get-GPO -All -Domain Reskit.Org |
  Sort-Object -Property DisplayName |
    Format-Table -Property Displayname, Description, GpoStatus
- Create and view a GPO report:
$RPath = 'C:\Foo\GPOReport1.HTML'
Get-GPOReport -Name 'ITPolicy' -ReportType Html -Path $RPath
Invoke-Item -Path $RPath
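A read-back check of what steps 1 to 6 configured, as an added example that is not part of the original recipe: it uses the GroupPolicy module's Get-GPRegistryValue and Get-GPInheritance to confirm each registry value and each link on the IT OU, and marks an ExecutionPolicy that allows unsigned scripts for review. The $Weak list, the finding labels, and the variable names are assumptions of this example.

```powershell
# Added example: read back what the recipe configured (run on DC1).
Import-Module -Name GroupPolicy
$Domain = 'Reskit.Org'
$OU     = 'OU=IT,DC=Reskit,DC=org'
$PSKey  = 'HKLM\Software\Policies\Microsoft\Windows\PowerShell'
$SSKey  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# GPO name, key and value name for each setting made in steps 3 and 5
$Settings = @(
    @{ Name = 'ITPolicy';              Key = $PSKey; ValueName = 'ExecutionPolicy' }
    @{ Name = 'ITPolicy';              Key = $PSKey; ValueName = 'EnableScripts' }
    @{ Name = 'Screen Saver Time Out'; Key = $SSKey; ValueName = 'ScreenSaveTimeOut' }
)

# Execution policies that let unsigned scripts run (assumed review threshold)
$Weak = 'Unrestricted', 'Bypass'

$Report = foreach ($S in $Settings) {
    try {
        # Throws if the GPO or the value does not exist
        $V = Get-GPRegistryValue @S -Domain $Domain -ErrorAction Stop
        $Finding = if ($S.ValueName -eq 'ExecutionPolicy' -and $V.Value -in $Weak) {
            'Review: unsigned scripts allowed'
        } else { 'OK' }
        [pscustomobject]@{
            GPO = $S.Name; ValueName = $V.ValueName
            Value = $V.Value; Type = $V.Type; Finding = $Finding
        }
    }
    catch {
        [pscustomobject]@{
            GPO = $S.Name; ValueName = $S.ValueName
            Value = $null; Type = $null; Finding = 'Missing'
        }
    }
}
$Report | Format-Table -AutoSize

# Links actually present on the IT OU, with their enabled/enforced state
$Links = (Get-GPInheritance -Target $OU -Domain $Domain).GpoLinks
$Links | Format-Table -Property DisplayName, Enabled, Enforced, Order

# Warn about recipe GPOs that are not linked to the OU, or linked but disabled
$Active = ($Links | Where-Object Enabled).DisplayName
$Settings | ForEach-Object { $_.Name } | Sort-Object -Unique |
    Where-Object { $_ -notin $Active } |
    ForEach-Object { Write-Warning "GPO '$_' is not actively linked to $OU" }
```

With the values from step 3 in place, the ExecutionPolicy row is reported for review, because 'Unrestricted' lets unsigned scripts run on every computer in the IT OU.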
How it works…
In step 1, you begin by creating a group policy object. In step 2, you update the GPO to indicate the GPO object has computer settings only. Next, in step 3, you configure the policy with two settings. In step 4 and step 5, you create a user GPO that sets values for the screen saver, which you apply in step 6. These steps produce no output.
In step 7, you display all the GPO objects in the Reskit.Org domain, which looks like this:
In step 8, you create and view a GPO report. This report shows the details of the GPO object, including the settings configured by the GPO, which looks like this:
There's more...
Group policy is a rich topic—possibly one worthy of a book all of its own. In this recipe, you have seen the basics of creating, assigning, updating, and reporting on GPO objects. There is much more to group policy, including inheritance, backup/restore, export/import, and more.
See also
With the group policy administrative templates, there are literally thousands of settings that are available—each with a registry setting for you to use, as shown in this recipe. Finding the specific settings and their respective registry values can be hard work. To assist you, Microsoft publishes an Excel spreadsheet that lists the settings. You can find this at https://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=25250.