Active Directory Cookbook for windows server 2003- P27 docx

9.1.4 See Also MS KB 216359 HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL and MSDN: GPMDomain.SearchGPOs Recipe 9.2 Creating a GPO 9.2.1 Problem You want to c

Trang 1

restore, and model GPOs from a single interface Perhaps what is even better is the scriptable API that comes with the GPMC Pretty much every function you can accomplish with the GPMC tool, you can do via a script

The only major feature that is still lacking is the ability to directly modify the settings of a GPO That can be done only with the GPOE However, the GPMC provides numerous options for migrating GPOs, which addresses the majority of the problems people face today

You can download the GPMC from the following site:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx It requires the NET

Framework on Windows Server 2003 or Windows XP SP 1 with hotfix Q326469, and cannot be run on Windows 2000 You can manage Windows 2000-based Active Directory GPOs with the GPMC as long as you run it from one of the previously mentioned platforms

The majority of solutions presented in this chapter use GPMC In fact, most of these recipes would not have had workable solutions were it not for the GPMC It is for this reason that I highly recommend downloading it and becoming familiar with it Most of the command-line solutions I provide, use one of the scripts provided in the GPMC install A whole host of pre-canned scripts have already been written, in a mix of VBScript and JavaScript, that serve as great command-line tools and good examples to start scripting GPOs These scripts are available, by

default, in the %ProgramFiles%\GPMC\scripts directory You can execute them one of two

ways You can call it using cscript:

> cscript listallgpos.wsf

or, if you make cscript your default WSH interpreter, you can execute the file directly To make cscript your default interpreter, run this command:

> cscript //H:cscript

The complete documentation for the GPM API is available in the gpmc.chm file in the

%ProgramFiles%\GPMC\scripts directory or from MSDN (http://msdn.microsoft.com/)

Recipe 9.1 Finding the GPOs in a Domain

9.1.1 Problem

You want to find all of the GPOs that have been created in a domain

9.1.2 Solution

Trang 2

2 In the left pane, expand the Forest container

3 Expand the Domains container

4 Browse to the domain of the target GPO

5 Expand the Group Policy Objects container All of the GPOs in the domain will be listed under that container

9.1.2.2 Using a command-line interface

> listallgpos.wsf [/domain:<DomainDNSName>] [/v]

You can also use the gpotool to display the GPOs:

> gpotool [/domain:<DomainDNSName>] [/verbose]

9.1.2.3 Using VBScript

' This code displays all of the GPOs for a domain

' - SCRIPT CONFIGURATION -

strDomain = "<DomainDNSName>" ' e.g rallencorp.com

' - END CONFIGURATION -

set objGPM = CreateObject("GPMgmt.GPM")

set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object

set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Create an empty search criteria

set objGPMSearchCriteria = objGPM.CreateSearchCriteria

set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

' Print the GPOs

WScript.Echo "Found " & objGPOList.Count & " GPOs in " & strDomain & ":" for each objGPO in objGPOList

WScript.Echo " " & objGPO.DisplayName

See the Introduction in Chapter 9 for more on how GPOs are stored in Active Directory

You can find the GPOs in a domain by using the GPMDomain.SearchGPOs method The only parameter you need to pass to SearchGPOs is a GPMSearchCriteria object, which can be used

to define criteria for your search In this case, I created a GPMSearchCriteria object without additional criteria so that all GPOs are returned The SearchGPOs method returns a

GPMGPOCollection object, which is a collection of GPMGPO objects

Trang 3

9.1.4 See Also

MS KB 216359 (HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL) and MSDN: GPMDomain.SearchGPOs

Recipe 9.2 Creating a GPO

9.2.1 Problem

You want to create a GPO to force users to have a particular desktop configuration or provision configuration settings on workstations or servers

9.2.2 Solution

9.2.2.1 Using a graphical user interface

1 Open the GPMC snap-in

2 In the left pane, expand the Forest container, expand the Domains container, and browse

to the domain of the target GPO

3 Right-click on the Group Policy Objects container and select New

4 Enter the name of the GPO and click OK

> creategpo.wsf <GPOName> [/domain:<DomainDNSName>]

' This code creates an empty GPO

strGPO = "<GPOName>" ' e.g Sales GPO

' Create the GPO and print the results

set objGPO = objGPMDomain.CreateGPO( )

WScript.Echo "Successfully created GPO"

objGPO.DisplayName = strGPO

WScript.Echo "Set GPO name to " & strGPO

Trang 4

To create a GPO, I first instantiate a GPMDomain object for the domain to add the GPO to This is accomplished with the GPM.GetDomain method Then it is just a matter of calling the

GPMDomain.CreateGPO method (with no parameters) to create an empty GPO A GPM.GPO object

is returned from this method, which I then use to set the display name of the GPO

9.2.4 See Also

MS KB 216359 (HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL) and MSDN: GPMDomain.CreateGPO

Recipe 9.3 Copying a GPO

9.3.1 Problem

You want to copy the properties and settings of a GPO to another GPO

9.3.2 Solution

2 In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the source GPO, and expand the Group Policy Objects container

3 Right-click on the source GPO and select Copy

4 Right-click on the Group Policy Objects container and select Paste

5 Select whether you want to use the default permissions or preserve the existing

permissions, and click OK

6 A status window will pop up that will indicate whether the copy was successful Click

OK to close

7 Rename the new GPO by right-clicking it in the left pane and selecting Rename

> copygpo.wsf <SourceGPOName> <TargetGPOName>

' This code copies a source GPO to a new GPO

strSourceGPO = "<SourceGPOName>" ' e.g SalesGPO

strNewGPO = "<NewGPOName>" ' e.g Marketing GPO

Trang 5

' Find the source GPO

objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _ objGPMConstants.SearchOpEquals, cstr(strSourceGPO) set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then

WScript.Echo "Did not find GPO: " & strGPO

WScript.Echo "Exiting."

WScript.Quit

elseif objGPOList.Count > 1 then

WScript.Echo "Found more than one matching GPO Count: " & _

objGPOList.Count

WScript.Quit

else

WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName

End if

' Copy from source GPO to target GPO

set objGPMResult = objGPOList.Item(1).CopyTo(0, objGPMDomain, strNewGPO)

' This will throw an exception if there were any errors

' during the actual operation

on error resume next

objGPMResult.OverallStatus( )

if objGPMResult.Status.Count > 0 then

WScript.Echo "Status message(s): " & objGPMResult.Status.Count

for i = 1 to objGPMResult.Status.Count

WScript.Echo objGPMResult.Status.Item(i).Message

end if

' Display the results

if Err.Number <> 0 then

WScript.Echo "Error copying GPO."

WScript.Echo "Error: " & Err.Description

else

WScript.Echo "Copy successful to " & strNewGPO & "."

end if

Prior to the GPMC tool, one of the big problems with managing GPOs in large environments is migrating them from one forest to another It is common to have a test forest where GPOs are initially created, configured, and tested before moving them into production The problem is that once you have the GPO the way you want it in the test forest, there is no easy way to move it to the production forest

Trang 6

between the two forests) If this is not possible, you can import GPOs, which is similar to a copy except that a trust is not needed A GPO import uses a back up of the source GPO in order to create the new GPO See Recipe 9.7 for more information on importing a GPO

Some properties of GPOs, such as security group filters or UNC paths, may vary slightly from domain to domain In that case, you can use a GPMC migration table to help facilitate the

transfer of those types of references to the target domain For more information on migration tables, see the GPMC help file

To copy a GPO, I have to first find the source GPO To do this, I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section I use an if elseif else conditional statement to ensure that only one GPO is returned

If zero was returned or more than one are returned, I have to abort the script

Now that I have a GPMGPO object, I'm ready to copy the GPO using the GPMGPO.CopyTo method The first parameter to CopyTo is a flag that indicates how permissions in the source GPO should

be handled when copying them to the new GPO I specified 0 to use the default setting (see the GPMC help file for the other values) The second parameter is a GPMDomain object of the domain the GPO should be copied to The last parameter is the display name of the new GPO

9.3.4 See Also

Recipe 9.7 for importing a GPO and MSDN: GPMGPO.CopyTo

Recipe 9.4 Deleting a GPO

9.4.1 Problem

You want to delete a GPO

9.4.2 Solution

2 In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container

3 Right-click on the target GPO and select Delete

4 Click OK to confirm

> deletegpo.wsf <GPOName> [/domain:<DomainDNSName>]

Trang 7

' This code deletes the specified GPO

strGPO = "<GPOName>" ' e.g My New GPO

' Find the GPO

objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _ objGPMConstants.SearchOpEquals, cstr(strGPO)

WScript.Quit

objGPOList.Count

WScript.Quit

else

end if

' Delete the GPO

objGPOList.Item(1).Delete

WScript.Echo "Successfully deleted GPO: " & strGPO

When you delete a GPO through the GPMC, it attempts to find all links to the GPO in the

domain and will delete them if the user has permissions to delete the links If the user does not have the necessary permissions to remove the links, the GPO will still get deleted, but the links will remain intact Any links external to the domain the GPO is in are not automatically deleted

It is for this reason that it is a good practice to view the links to the GPO before you delete it Links to deleted GPOs show up as "Not Found" in GPMC

I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section I use an if elseif else conditional statement to ensure that only one GPO is returned If zero or more than one are returned, I abort the script If only one is returned, I used the GPMGPO.Delete method to delete the GPO

Trang 8

9.4.4 See Also

Recipe 9.11 for viewing the links for a GPO and MSDN: GPMGPO.Delete

Recipe 9.5 Viewing the Settings of a GPO

9.5.1 Problem

You want to view the settings that have been defined on a GPO

9.5.2 Solution

3 Click on the target GPO

4 In the right pane, click on the Settings tab

5 Click the Show All link to display all configured settings

> getreportsforgpo.wsf "<GPOName>" <ReportLocation> [/domain:<DomainDNSName>]

' This code generates a HTML report of all the properties

' and settings for a GPO

strGPO = "<GPOName>" ' e.g Sales GPO

strReportFile = "<FileNameAndPath>" ' e.g c:\gpo_report.html

objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _ objGPMConstants.SearchOpEquals, cstr(strGPO)

WScript.Quit

Trang 9

objGPOList.Count

WScript.Quit

else

end if

set objGPMResult = objGPOList.Item(1).GenerateReportToFile( _

objGPMConstants.ReportHTML, _

strReportFile)

' This will throw an exception if there were any errors

' during the actual operation

on error resume next

objGPMResult.OverallStatus( )

if objGPMResult.Status.Count > 0 then

WScript.Echo "Status message(s): " & objGPMResult.Status.Count

for i = 1 to objGPMResult.Status.Count

WScript.Echo objGPMResult.Status.Item(i).Message

end if

' Display the result

if Err.Number <> 0 then

WScript.Echo "Error generating report."

WScript.Echo "Error: " & Err.Description

else

WScript.Echo "Reported saved to " & strReportFile

end if

The GPMC can generate an XML or HTML report that contains all of the settings in a GPO See

Recipe 9.6 for more on how to modify GPO settings

I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section I use an if elseif else conditional statement to ensure that only one GPO is returned If zero or more than one are returned, I abort the script If only one is returned, I used the GPMGPO.GenerateReportToFile method to generate a report of all the settings in the GPO The first parameter for GenerateReportToFile is a constant that

determines the type of report to generate (i.e., HTML or XML) The second parameter is the path

of the file to store the report

9.5.4 See Also

Trang 10

Recipe 9.6 Modifying the Settings of a GPO

9.6.1 Problem

You want to modify the settings associated with a GPO

9.6.2 Solution

3 Right-click on the target GPO and select Edit This will bring up the Group Policy Object Editor

4 Browse through the Computer Configuration or User Configuration settings and modify them as necessary

9.6.2.2 Using a command-line interface or VBScript

You cannot modify the settings of a GPO with any of the command-line tools or APIs, but you can copy and import settings as described in Recipe 9.3 and Recipe 9.7

The one function that the GPMC tool and API cannot do is modify GPO settings This still must

be done from within the GPOE You can, however, launch GPOE from within GPMC as

described in the GUI solution Not having a scriptable way to modify GPO settings has been a big roadblock with managing GPOs, especially across multiple forests Copying or importing GPOs can help with migrating settings across forests

9.6.4 See Also

Recipe 9.3 for copying a GPO, Recipe 9.5 for viewing the settings of a GPO, and Recipe 9.7 for importing a GPO

Recipe 9.7 Importing Settings into a GPO

9.7.1 Problem

You want to import settings from one GPO to another

9.7.2 Solution

Định dạng
Số trang	10
Dung lượng	32,63 KB