Managing GPOs with Windows PowerShell Group Policy Cmdlets

As stated earlier in this book, Windows PowerShell is a Windows command-line shell and scripting language. Windows PowerShell can also help you automate many of the same tasks that you perform using the Group Policy Management Console.

Windows Server 2022 helps you perform many of the Group Policy tasks by providing dozens of cmdlets. Each of these cmdlets is a simple, single-function command-line tool.

The Windows PowerShell Group Policy cmdlets can help you perform some of the following tasks for domain-based Group Policy objects:

■ Maintain, create, remove, back up, and import GPOs
■ Create, update, and remove GPO links to Active Directory containers
■ Set Active Directory OUs and domain permissions and inheritance flags
■ Configure Group Policy Registry settings
■ Create and edit starter GPOs

The requirement for Windows PowerShell Group Policy cmdlets is Windows Server 2022 on either a domain controller or a member server that has the GPMC installed. Windows 7 or above also gives you the ability to use Windows PowerShell Group Policy cmdlets if you have Remote Server Administration Tools (RSAT) installed. RSAT includes the GPMC and its cmdlets. PowerShell is also a requirement.
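
Several of the tasks listed above in one pass, as an added example that is not from the book: it creates a GPO, sets registry-based policy values, links the GPO to an OU, delegates edit rights, and reads the result back. The GPO name, OU path, group name, and the registry values chosen are hypothetical placeholders.

```powershell
# Added example (not from the book). All names below are hypothetical placeholders.
Import-Module GroupPolicy

$gpoName = 'Example-Workstation-Baseline'
$ouDn    = 'OU=Workstations,DC=example,DC=com'
$editors = 'GPO-Editors'
$key     = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Screen saver baseline (example)'
}

# Configure registry-based policy settings (illustrative values):
# a screen saver timeout in seconds and a password-protected screen saver.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaveTimeOut' `
                    -Type String -Value '900' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaverIsSecure' `
                    -Type String -Value '1' | Out-Null

# Link the GPO to the OU unless a link is already present.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Delegate edit rights to one group.
Set-GPPermission -Name $gpoName -TargetName $editors -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# Read back what was configured and who holds which permission on the GPO.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```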

Item-Level Targeting

You have the ability to apply individual preference items only to selected users or computers using a GPO feature called item-level targeting. Item-level targeting allows you to select specific items that the GPO will look at and then apply that GPO only to the specific users or computers. You have the ability to include multiple preference items, and you can customize each item for specific users or computers to use.

Each targeting item evaluates to a value of either true or false. You can get even more granular by choosing the logical operation AND or OR for each item while building this GPO, which combines that targeting item with the preceding one. Once all of the conditions are evaluated, if the final value is false, then the GPO is not applied. If the final value is true, the GPO is applied to the users or computers that were previously determined. You have the ability to item-target the following items:

■ Battery Present Targeting
■ Computer Name Targeting
■ CPU Speed Targeting
■ Date Match Targeting
■ Disk Space Targeting
■ Domain Targeting
■ Environment Variable Targeting
■ File Match Targeting
■ IP Address Range Targeting
■ Language Targeting
■ LDAP Query Targeting
■ MAC Address Range Targeting
■ MSI Query Targeting
■ Network Connection Targeting
■ Operating System Targeting
■ Organizational Unit Targeting
■ PCMCIA Present Targeting
■ Portable Computer Targeting
■ Processing Mode Targeting
■ RAM Targeting
■ Registry Match Targeting
■ Security Group Targeting
■ Site Targeting
■ Terminal Session Targeting
■ Time Range Targeting
■ User Targeting
■ WMI Query Targeting

You can easily set up item-level targeting by following these steps:

  1. Open the Group Policy Management Console. Select the GPO that will contain the new preferences by right-clicking the GPO and then choosing Edit.
  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder and then browse to the preference extension.
  3. Double-click the node for the preference extension, right-click the preference item, and click Properties.
  4. In the Properties dialog box, select the Common tab.
  5. Select Item-Level Targeting and then click Targeting.
  6. Click New Item. If you are configuring multiple targeted items, from the Item Option menu choose the logical operation (AND or OR). Then click OK when finished.
  7. Click OK in the Properties dialog box, and you are all set.
  7. Click OK in the Properties dialog box, and you are all set.
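
To review what the targeting configured in these steps looks like once saved, the following added example (not from the book) reads a preference XML file and prints each item's targeting items joined by their AND/OR operators in the order listed. It assumes the Group Policy Preferences storage format, where each preference item carries a Filters element; the XML, names, and SID are constructed sample data.

```powershell
# Added example (not from the book). Constructed sample in the shape of a
# Group Policy Preferences file (Drives.xml); names and SID are placeholders.
$sampleXml = @'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\fileserver.example.com\sales" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Sales" sid="S-1-5-21-PLACEHOLDER" userContext="1"/>
      <FilterComputer bool="AND" not="1" type="NETBIOS" name="KIOSK-01"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="U" path="\\fileserver.example.com\tools" letter="T"/>
  </Drive>
</Drives>
'@

function Get-PreferenceTargeting {
    param([Parameter(Mandatory)][xml]$Xml)
    # Any element with a <Properties> child is treated as one preference item.
    foreach ($item in $Xml.SelectNodes('//*[Properties]')) {
        $parts = @()
        foreach ($f in $item.SelectNodes('Filters/*')) {
            $detail = ($f.Attributes |
                Where-Object { $_.Name -notin 'bool', 'not' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
            $term = "$($f.LocalName)($detail)"
            if ($f.GetAttribute('not') -eq '1') { $term = "NOT $term" }
            # The operator joins this item to the preceding one; the first has none.
            if ($parts.Count -gt 0) { $term = "$($f.GetAttribute('bool')) $term" }
            $parts += $term
        }
        [pscustomobject]@{
            Item       = "$($item.LocalName) $($item.GetAttribute('name'))"
            Targeted   = $parts.Count -gt 0
            Expression = if ($parts.Count -gt 0) { $parts -join ' ' }
                         else { '(no item-level targeting)' }
        }
    }
}

Get-PreferenceTargeting -Xml $sampleXml | Format-Table -AutoSize -Wrap
```

Items reported with `Targeted = False` have no targeting conditions, which is worth checking for preference items that were meant to reach only a subset of users or computers.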

Back Up, Restore, Import, Copy, and Migration Tables

One of the biggest advantages of using the Group Policy Management Console is that it is a one-stop shopping utility. You can do everything you need to do for GPOs in one location. The GPMC not only allows you to create and link a GPO but also lets you back up, restore, import, copy, and use migration tables.

Backing Up a GPO

Since this book is about Windows Server 2022 and everything you should do to set up the server properly, you most likely already understand what backups can do for you.

Administrators back up data so that it can be reloaded to the server in the event of a crash or major error. Backups should be done daily on all data that is important to your organization. Backups can be done by using Windows Server 2022’s backup utility, or you can purchase third-party software/hardware to back up your data.

I am an IT director, and data recoverability is one of the most critical items that I deal with on a daily basis. I use a third-party hardware device from a company called Unitrends. This is just one of many companies that helps protect an organization’s data.

This hardware device does hourly backups for all of my servers. One of the nice features of the Unitrends box is that it backs up onto the hardware device and then sends my data to the cloud automatically for an offsite backup. This way, if I need to recover just one piece of data, I can grab it off the hardware device. But if I have a major issue, such as a fire that destroys the entire server room, I have an offsite backup from which I can retrieve my data.

It’s the same for GPOs. You need to make sure you back up your GPOs in the event of an issue that requires you to do a reload. To back up your GPOs manually, you can go into the GPMC MMC and, under Group Policy Objects, you can right-click and choose Backup All or right-click the specific GPO and choose Backup.
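
The same Backup All operation can be scripted with the Group Policy cmdlets. This added example (not from the book) backs up every GPO in the domain to a timestamped folder, saves a settings report for each one, and writes a manifest; the backup root path is a hypothetical placeholder.

```powershell
# Added example (not from the book). The backup root is a hypothetical placeholder.
Import-Module GroupPolicy

$root   = 'D:\GPOBackups'
$target = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Equivalent of "Backup All" in the GPMC: one backup per GPO in the domain.
$backups = Backup-GPO -All -Path $target -Comment "Scripted backup $(Get-Date -Format s)"

# Save a readable settings report next to each backup. The file is named by
# GPO GUID because display names can contain characters invalid in file names.
foreach ($b in $backups) {
    $report = Join-Path $target "$($b.GpoId).html"
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path $report
}

# Manifest: which GPO maps to which backup ID, for use at restore time.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

# Sanity check: every GPO in the domain should have produced a backup.
$gpoCount = @(Get-GPO -All).Count
if (@($backups).Count -ne $gpoCount) {
    Write-Warning "Backed up $(@($backups).Count) of $gpoCount GPOs; check permissions on the rest."
}
```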

Restoring a GPO

There may be times when you have to restore a GPO that was previously backed up. There are normally two reasons why you have to restore a GPO: you accidentally deleted the GPO, or you need to restore the GPO to a previous state. (This normally happens if you make changes and they cause an issue.) Restoring a GPO is simple:

  1. Open the Group Policy Management Console.
  2. In the console tree, right-click Group Policy Objects and choose Manage Backups.
  3. Select the backup you want to restore and click the Restore button.

Importing or Copying GPOs

As an administrator, you may need to import or copy a GPO from one domain to another domain. You do this so that the second domain has the same settings as the first domain.

You can use import or copy to transfer settings from one GPO to another GPO within the same domain, to a GPO in another domain in the same forest, or to a GPO in a domain in a different forest.

Importing or copying a GPO is an easy process. To do this, complete the following steps:

  1. Open the Group Policy Management Console.
  2. In the console tree, right-click Group Policy Objects and choose either Import Settings or Copy.
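
The restore, import, and copy operations described in the last two sections can also be run with the Group Policy cmdlets. This is an added example, not from the book; the backup folder, GPO names, domain names, and migration table path are hypothetical placeholders.

```powershell
# Added example (not from the book). Paths, GPO names and domains are
# hypothetical placeholders.
Import-Module GroupPolicy

$backupPath = 'D:\GPOBackups\latest'
$gpoName    = 'Example-Workstation-Baseline'

# Restore: return a changed or deleted GPO to its backed-up state.
# -WhatIf previews the action; with -Name, the most recent backup of that
# GPO found in the folder is used.
Restore-GPO -Name $gpoName -Path $backupPath -WhatIf
Restore-GPO -Name $gpoName -Path $backupPath

# Import: load the settings from a backup into another GPO, creating the
# target if it does not exist. Import transfers settings only.
Import-GPO -BackupGpoName $gpoName -Path $backupPath `
           -TargetName "$gpoName-Test" -CreateIfNeeded

# Copy: duplicate a live GPO into another domain and carry its ACL across.
# The migration table maps domain-specific references such as security
# groups and UNC paths to their equivalents in the target domain.
Copy-GPO -SourceName $gpoName -SourceDomain 'corp.example.com' `
         -TargetName $gpoName -TargetDomain 'branch.example.com' `
         -CopyAcl -MigrationTable 'D:\GPOBackups\corp-to-branch.migtable'

# Confirm each result exists and check when it was last modified.
Get-GPO -Name $gpoName        | Select-Object DisplayName, DomainName, ModificationTime
Get-GPO -Name "$gpoName-Test" | Select-Object DisplayName, DomainName, ModificationTime
Get-GPO -Name $gpoName -Domain 'branch.example.com' |
    Select-Object DisplayName, DomainName, ModificationTime
```

Neither import nor copy creates links in the target domain, so the new GPO has no effect until it is linked to a site, domain, or OU.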
