The primary tool for managing Group Policy Objects (GPOs) in an Active Directory domain is the graphical Group Policy Management Console (gpmc.msc). To automate GPO management tasks and make them faster and repeatable, you can use the GroupPolicy PowerShell module, which provides cmdlets for most GPO administration operations.
How to Install Group Policy Management PowerShell Module?
To manage domain GPOs, the GroupPolicy module must be installed on the computer you run PowerShell on. On Windows Server it is installed together with the Group Policy Management feature, which you can add using the Server Manager console or with PowerShell:
Install-WindowsFeature GPMC -IncludeManagementTools
On Windows 10/11 the module is part of RSAT; install the Group Policy Management Tools capability (the computer needs access to Windows Update or a local feature source):
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
You can display a full list of PowerShell cmdlets in the GroupPolicy module using the command:
Get-Command -Module GroupPolicy
Using the GroupPolicy PowerShell module, you can:
- Create and remove GPOs;
- Link and unlink GPOs to/from sites, domains and OUs;
- Back up, restore and import GPOs;
- Set GPO permissions (security filtering and delegation) and control inheritance.
Creating and Managing GPOs with PowerShell
Let's take a look at some typical administrative tasks where you can use PowerShell to manage Group Policy.
To create a new blank GPO, use this command:
New-GPO -Name munTestGPO -Comment "My First GPO with PowerShell"
If Starter GPOs exist in your domain, you can create a new GPO from one of them (for example, a Starter GPO that contains Security Baseline settings):
New-GPO -Name munTestGPO2 -StarterGPOName "Windows 10 Security Baseline"
Use the New-GPLink cmdlet in order to link a Group Policy object to an OU:
Get-GPO munTestGPO | New-GPLink -Target "ou=test,ou=munich,dc=woshub,dc=com"
To unlink a GPO from an OU:
Remove-GPLink -Name munTestGPO -Target "ou=test,ou=munich,dc=woshub,dc=com"
If you want to disable a GPO link without removing it, use the Set-GPLink cmdlet:
Set-GPLink -Name munTestGPO -Target "ou=test,ou=munich,dc=woshub,dc=com" -LinkEnabled No
The GPO no longer applies to the OU but remains linked, so it can be re-enabled later with -LinkEnabled Yes.
To enforce a link (the GPO wins over policies linked at lower levels and is applied even to child OUs with Block Inheritance), add the -Enforced Yes option.
The following PowerShell one-liner creates a new GPO that sets a registry value (stops Windows from searching Windows Update for drivers), restricts the policy to a specific security group and links it to an Organizational Unit with the highest precedence. Two caveats: the value lives under HKLM, i.e. it is a computer-side setting, so security filtering to mun_admins only works if that group contains the computer accounts that should receive the policy, not (only) the administrators' user accounts. And -PermissionLevel None strips Authenticated Users of Read as well as Apply; since MS16-072 (KB3163622) the computer account must be able to read every GPO that applies to its users, so for a user-side policy you would set Authenticated Users to GpoRead instead (or grant GpoRead to Domain Computers). Set-GPPermissions is an alias of Set-GPPermission.
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
New-GPO 'munDisableDriverUpdate' | Set-GPRegistryValue -Key $key `
-ValueName 'SearchOrderConfig' -Type DWORD -Value 0 | Set-GPPermissions -Replace `
-PermissionLevel None -TargetName 'Authenticated Users' -TargetType group | `
Set-GPPermissions -PermissionLevel gpoapply -TargetName 'mun_admins' `
-TargetType group | New-GPLink -Target "ou=test,ou=munich,dc=woshub,dc=com" -Order 1
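The same task written so that security filtering does not break policy processing, as an added example that is not part of the original article. It assumes the OU "ou=test,ou=munich,dc=woshub,dc=com" from the article and a hypothetical domain group mun_DriverUpdateDisabled that contains the computer accounts the policy should apply to; Authenticated Users keeps Read (required since MS16-072) and loses only Apply.

```powershell
# Added example, not the article's own code. Assumed names: the OU below and the
# group 'mun_DriverUpdateDisabled' (must contain COMPUTER accounts, because the
# setting is computer-side and is filtered on the computer's token).
Import-Module GroupPolicy

$gpoName  = 'munDisableDriverUpdate'
$targetOU = 'ou=test,ou=munich,dc=woshub,dc=com'
$applyTo  = 'mun_DriverUpdateDisabled'   # assumed group name

$gpo = New-GPO -Name $gpoName -Comment 'Do not search Windows Update for drivers'

# Computer-side registry policy (HKLM) stored in the GPO
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching' `
    -ValueName 'SearchOrderConfig' -Type DWord -Value 0 | Out-Null

# Security filtering done right: downgrade Authenticated Users from Apply to Read
# (-Replace is required to LOWER an existing permission level). Setting it to
# None would also remove Read, and since MS16-072 computers read user-side GPOs
# with their own account, so GPOs without Read for computers silently stop applying.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Read + Apply only for the intended group
Set-GPPermission -Guid $gpo.Id -TargetName $applyTo -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link with the highest precedence on the OU
New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes -Order 1 | Out-Null

# Verify the resulting security filtering: only $applyTo should show GpoApply,
# Authenticated Users should show GpoRead.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

The final Get-GPPermission call is the check to keep: after any security-filtering change, confirm that every principal that must apply the policy still has at least Read, and that nobody outside your admin groups has GpoEdit or GpoEditDeleteModifySecurity (the account that created the GPO gets the latter by default).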
The Get-GPO cmdlet displays information about a specific GPO or about all policies in the domain. It returns the policy GUID (often needed when troubleshooting GPO application or GPO replication problems while checking Active Directory health), the creation and modification times, the GPO status and the WMI filter linked to the policy:
Get-GPO -Domain woshub.com -All
You can display the WMI filter linked to a GPO, but the GroupPolicy module has no cmdlets for creating or editing WMI filters themselves:
(Get-GPO munWin10Settings).WmiFilter
To refresh Group Policy settings on remote computers, use the Invoke-GPUpdate cmdlet. It schedules a gpupdate task on the target through the remote Task Scheduler (the same mechanism GPMC uses for "Group Policy Update" on an OU), so the "Remote Scheduled Tasks Management" inbound firewall rules must be enabled on the target computers, and by default the task starts after a random delay of up to 10 minutes (use -RandomDelayInMinutes 0 to run it immediately). You can update policy on a specific computer:
Invoke-GPUpdate -Computer "corp\wks-mn0223" -Target "User"
Or on all computers in an OU:
Get-ADComputer -Filter * -SearchBase "ou=Computers,OU=MUNICH,dc=woshub,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }
The Get-GPOReport cmdlet is used to get the HTML/XML report with policy settings:
Get-GPOReport -name mun-BitlockerEncryption -ReportType HTML -Path "C:\ps\bitlocker_policy.html"
In this case, the report contains all settings of the policy that backs up BitLocker recovery keys to Active Directory.
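Get-GPO -All and Get-GPOReport together are enough for a quick security review of the domain's GPOs. The following script is an added example, not part of the original article: it flags GPOs that non-admin principals can edit (editing a GPO linked to servers or domain controllers is code execution there), GPOs that are linked nowhere, and GPOs whose links are all disabled. The domain woshub.com is the article's; the $trustedEditors list is an assumption you must adapt to your environment.

```powershell
# Added example, not the article's own code. Assumed: domain woshub.com and the
# $trustedEditors list below (principals allowed to modify GPOs in your domain).
Import-Module GroupPolicy

$domain         = 'woshub.com'
$trustedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
$editLevels     = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$findings = foreach ($gpo in Get-GPO -Domain $domain -All) {

    # Who can change this GPO? Any edit-level permission outside the trusted list
    # is a privilege-escalation path (the GPO creator gets it by default).
    $editors = Get-GPPermission -Guid $gpo.Id -All -DomainName $domain |
        Where-Object { $editLevels -contains $_.Permission.ToString() -and
                       $trustedEditors -notcontains $_.Trustee.Name }

    # Links are not a property of the GPO object; the XML report lists them
    # under <LinksTo> with SOMPath and Enabled elements.
    [xml]$report  = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain
    $links        = @($report.GPO.LinksTo | Where-Object { $_ })
    $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Id               = $gpo.Id
        Modified         = $gpo.ModificationTime
        UntrustedEditors = ($editors | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
        LinkCount        = $links.Count
        EnabledLinkCount = $enabledLinks.Count
        LinkedTo         = @($enabledLinks | ForEach-Object { $_.SOMPath }) -join '; '
        WmiFilter        = $gpo.WmiFilter.Name
    }
}

# Show only what needs a look: unexpected editors, orphaned or fully disabled GPOs
$findings |
    Where-Object { $_.UntrustedEditors -or $_.LinkCount -eq 0 -or $_.EnabledLinkCount -eq 0 } |
    Sort-Object Name |
    Format-Table Name, UntrustedEditors, LinkCount, EnabledLinkCount, LinkedTo -AutoSize
```

Unlinked GPOs are not harmless: they are still readable by Authenticated Users and editable by whoever has rights on them, and an attacker who can link GPOs (Manage Group Policy links on an OU) can put them to use. Either delete them after a Backup-GPO, or at least review their permissions.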
The Get-GPResultantSetOfPolicy cmdlet creates a Resultant Set of Policy (RSoP) report showing which Group Policies are applied to the specified user and/or computer. The report looks like the HTML report generated by the gpresult tool (GPResult /h c:\ps\gp-report.html /f). The cmdlet can collect the RSoP report from a remote computer:
Get-GPResultantSetOfPolicy -user m.muller -computer corp\wks-mn0223 -reporttype html -path c:\ps\gp_rsop_report.html
How to Backup and Restore GPOs Using PowerShell?
Using PowerShell, you can back up and restore GPOs in your Active Directory domain. Keep the backup folder on a volume with restrictive NTFS permissions: a GPO backup contains the complete policy (registry settings, scripts, security templates) and, if restored, replaces the live GPO.
To back up all Group Policy Objects to the specified folder:
Backup-GPO -All -Path C:\Backup\GPOs\
Or one GPO only:
Backup-GPO -Name munWin10Settings -Path C:\Backup\GPOs -Comment "Backup GPO with PowerShell 2022/03/28"
To restore a GPO from the most recent backup of that policy in the folder (if the GPO has been deleted, it is recreated with its original GUID), use:
Restore-GPO -Name munWin10Settings -Path C:\Backup\GPOs\
A single folder can hold several backup versions of the same GPO (each backup gets its own GUID-named subfolder). To restore a specific version, specify its backup ID, a GUID that Backup-GPO returns in the Id property of its output and that is also recorded in the manifest.xml of the backup folder:
Restore-GPO -Path "C:\GPO Backups" -BackupId 7654321-4321-4321-CCC-1234567890
Note that a restore brings back the GPO settings, its permissions and WMI filter link, but not its links to OUs, domains or sites; recreate those with New-GPLink if necessary.
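A backup procedure that keeps track of the backup IDs, as an added example that is not part of the original article. It assumes the article's domain woshub.com, the backup root C:\Backup\GPOs and the GPO munWin10Settings; it writes a CSV index of the IDs that Backup-GPO returns, restores one GPO by ID and, in addition, imports the same backup into a separate GPO so that a restored policy can be tested on a lab OU before the production object is touched.

```powershell
# Added example, not the article's own code. Assumed: domain woshub.com,
# backup root C:\Backup\GPOs, GPO name munWin10Settings.
Import-Module GroupPolicy

$domain     = 'woshub.com'
$backupRoot = 'C:\Backup\GPOs'
$stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest       = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Backup-GPO returns one GpoBackup object per policy; its Id is the BackupId that
# Restore-GPO / Import-GPO expect. Persist it so nobody has to read manifest.xml.
$index = Backup-GPO -All -Domain $domain -Path $dest -Comment "Scheduled backup $stamp" |
    Select-Object DisplayName, GpoId, Id, CreationTime, Comment
$index | Export-Csv -Path (Join-Path $dest 'index.csv') -NoTypeInformation
$index | Format-Table DisplayName, Id, CreationTime -AutoSize

# Restore one GPO from this exact backup version (overwrites the live GPO,
# OU links are not restored and must be recreated with New-GPLink)
$wanted = Import-Csv (Join-Path $dest 'index.csv') |
    Where-Object { $_.DisplayName -eq 'munWin10Settings' }
Restore-GPO -Domain $domain -Path $dest -BackupId $wanted.Id | Out-Null

# Import the same settings into a different, new GPO for testing. Import-GPO
# copies settings only (no permissions, no links), so link the new GPO to a
# lab OU yourself and verify with Get-GPOReport before touching production.
Import-GPO -Domain $domain -Path $dest -BackupId $wanted.Id `
    -TargetName 'munWin10Settings-restored' -CreateIfNeeded | Out-Null
```

Run the backup part from a scheduled task under a dedicated account with Read on all GPOs, and give write access to the backup root to that account only; a writable GPO backup that is later restored is just another way to inject policy into the domain.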