Policy Cmdlets
As stated earlier in this book, Windows PowerShell is a Windows command-line shell and scripting language. Windows PowerShell can also help you automate many of the same tasks that you perform using the Group Policy Management Console.
Windows Server 2022 helps you perform many of the Group Policy tasks by providing dozens of cmdlets. Each of these cmdlets is a simple, single-function command-line tool.
The Windows PowerShell Group Policy cmdlets can help you perform some of the following tasks for domain-based Group Policy objects:
■ Maintain, create, remove, back up, and import GPOs
■ Create, update, and remove GPO links to Active Directory containers
■ Set Active Directory OUs and domain permissions and inheritance flags
■ Configure Group Policy Registry settings
■ Create and edit starter GPOs
The requirement for Windows PowerShell Group Policy cmdlets is Windows Server 2022 on either a domain controller or a member server that has the GPMC installed. Windows 7 or above also gives you the ability to use Windows PowerShell Group Policy cmdlets if you have Remote Server Administration Tools (RSAT) installed. RSAT includes the GPMC and its cmdlets. PowerShell is also a requirement.
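The following script is an added example, not taken from the book: it walks through several of the tasks listed above (create a GPO, configure a Registry setting, link it to an OU, check the inheritance flag, and delegate permissions) with the GroupPolicy module's cmdlets. The GPO, OU, and group names are hypothetical.

```powershell
# Added example. Every name below is hypothetical and must be changed for your domain.
Import-Module GroupPolicy                                  # installed with the GPMC / RSAT

$gpoName = 'Workstation-ScreenLock'                        # hypothetical GPO
$ouDn    = 'OU=Workstations,DC=corp,DC=example,DC=com'     # hypothetical OU
$editors = 'GPO-Workstation-Editors'                       # hypothetical security group

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Lock idle sessions after 15 minutes'
}

# Configure a Group Policy Registry setting (machine inactivity limit, in seconds).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value 900 | Out-Null

# Link the GPO to the OU unless a link is already there.
$som = Get-GPInheritance -Target $ouDn
if ($som.GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Make sure the OU does not block policies inherited from above.
if ($som.GpoInheritanceBlocked) {
    Set-GPInheritance -Target $ouDn -IsBlocked No | Out-Null
}

# Delegate edit rights to one group, then list every trustee that can change the GPO.
Set-GPPermission -Name $gpoName -TargetName $editors -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

Get-GPPermission -Name $gpoName -All |
    Where-Object { "$($_.Permission)" -like 'GpoEdit*' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
```

The final pipeline is worth running against existing GPOs as well, because any trustee with edit rights on a linked GPO can change settings on every computer or user in its scope.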
Item-Level Targeting
You have the ability to apply individual preference items only to selected users or computers using a GPO feature called item-level targeting. Item-level targeting allows you to select specific items that the GPO will look at and then apply that GPO only to the specific users or computers. You have the ability to include multiple preference items, and you can customize each item for specific users or computers to use.
Each targeting item evaluates to a value that is either true or false. You can get even more granular by using the logical operation AND or OR while building this GPO, which allows you to combine each targeted item with the preceding one. Once all of the conditions are evaluated, if the final value is false, then the GPO is not applied. If the final value is true, the GPO is applied to the users or computers that were previously determined. You have the ability to item-target the following items:
■ Battery Present Targeting
■ Computer Name Targeting
■ CPU Speed Targeting
■ Date Match Targeting
■ Disk Space Targeting
■ Domain Targeting
■ Environment Variable Targeting
■ File Match Targeting
■ IP Address Range Targeting
■ Language Targeting
■ LDAP Query Targeting
■ MAC Address Range Targeting
■ MSI Query Targeting
■ Network Connection Targeting
■ Operating System Targeting
■ Organizational Unit Targeting
■ PCMCIA Present Targeting
■ Portable Computer Targeting
■ Processing Mode Targeting
■ RAM Targeting
■ Registry Match Targeting
■ Security Group Targeting
■ Site Targeting
■ Terminal Session Targeting
■ Time Range Targeting
■ User Targeting
■ WMI Query Targeting
You can easily set up item-level targeting by following these steps:
- Open the Group Policy Management Console. Select the GPO that will contain the new preferences by right-clicking the GPO and then choosing Edit.
- In the console tree under Computer Configuration or User Configuration, expand the Preferences folder and then browse to the preference extension.
- Double-click the node for the preference extension, right-click the preference item, and click Properties.
- In the Properties dialog box, select the Common tab.
- Select Item-Level Targeting and then click Targeting.
- Click New Item. If you are configuring multiple targeted items, from the Item Option menu choose the logical operation (AND or OR). Then click OK when finished.
- Click OK in the Properties dialog box, and you are all set.
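The function below is an added example, not part of the book and not the Group Policy engine: it models the rule described above, in which each targeting item is combined with the preceding result by AND or OR, and assumes the combination is strictly left to right. The three sample items and their true/false results are constructed.

```powershell
# Added example: a model of the evaluation rule, not the real Group Policy engine.
function Test-TargetingChain {
    param(
        # Each item: Name, Op ('AND' or 'OR', ignored on the first item), Result ($true/$false)
        [Parameter(Mandatory)] [object[]] $Items
    )
    $final = $null
    $trace = foreach ($item in $Items) {
        if ($null -eq $final)        { $final = [bool]$item.Result }          # nothing to combine with yet
        elseif ($item.Op -eq 'AND')  { $final = $final -and $item.Result }
        elseif ($item.Op -eq 'OR')   { $final = $final -or  $item.Result }
        else { throw "Unknown operation '$($item.Op)' on item '$($item.Name)'" }

        [pscustomobject]@{
            Item    = $item.Name
            Op      = $item.Op
            Result  = [bool]$item.Result
            Running = $final                  # value carried into the next item
        }
    }
    [pscustomobject]@{ Applied = [bool]$final; Trace = $trace }
}

# Constructed sample: a desktop whose user IS in the Finance group.
$items = @(
    @{ Name = 'Security Group: Finance';     Op = 'AND'; Result = $true  },
    @{ Name = 'Computer Name: KIOSK-*';      Op = 'OR';  Result = $false },
    @{ Name = 'Portable Computer: Laptop';   Op = 'AND'; Result = $false }
)

$outcome = Test-TargetingChain -Items $items
$outcome.Trace | Format-Table -AutoSize
"Preference item applied: $($outcome.Applied)"
```

Under this model the chain evaluates as (Finance OR KIOSK-*) AND Laptop, so the item is not applied even though the user is in the Finance group; an administrator who read it as Finance OR (KIOSK-* AND Laptop) would have expected the opposite result.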
Back Up, Restore, Import, Copy, and Migration Tables
One of the biggest advantages of using the Group Policy Management Console is that it is a one-stop shopping utility. You can do everything you need to do for GPOs in one location. The GPMC not only allows you to create and link a GPO but also lets you back up, restore, import, copy, and use migration tables.
Backing Up a GPO
Because this book is about Windows Server 2022 and everything you should do to set up the server properly, you most likely already understand what backups can do for you.
Administrators back up data so that it can be reloaded to the server after a crash or major error. Backups should be done daily on all data that is important to your organization. Backups can be done by using Windows Server 2022’s backup utility, or you can purchase third-party software/hardware to back up your data.
I am an IT director, and data recoverability is one of the most critical items that I deal with on a daily basis. I use a third-party hardware device from a company called Unitrends. This is just one of many companies that help protect an organization’s data.
This hardware device does hourly backups for all of my servers. One of the nice features of the Unitrends box is that it backs up onto the hardware device and then sends my data to the cloud automatically for an offsite backup. This way, if I need to recover just one piece of data, I can grab it off the hardware device. But if I have a major issue, such as a fire that destroys the entire server room, I have an offsite backup from which I can retrieve my data.
It’s the same for GPOs. You need to make sure you back up your GPOs in the event of an issue that requires you to do a reload. To back up your GPOs manually, you can go into the GPMC MMC and, under Group Policy Objects, you can right-click and choose Backup All or right-click the specific GPO and choose Backup.
Restoring a GPO
There may be times when you have to restore a GPO that was previously backed up. There are normally two reasons why you have to restore a GPO: you accidentally deleted the GPO, or you need to restore the GPO to a previous state. (This normally happens if you make changes and they cause an issue.) Restoring a GPO is simple:
- Open the Group Policy Management Console.
- In the console tree, right-click Group Policy Objects and choose Manage Backups.
- Select the backup you want to restore and click the Restore button.
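The script below is an added example, not from the book: it performs the Backup All and Restore operations described above with the GroupPolicy module's cmdlets, checks that every GPO in the domain was actually backed up, and keeps a copy of the current state before restoring. The backup path and GPO name are hypothetical.

```powershell
# Added example. The backup path and GPO name are hypothetical.
Import-Module GroupPolicy

$root   = 'D:\GPOBackups'            # hypothetical; keep the ACL limited to GPO administrators
$target = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Equivalent of right-clicking Group Policy Objects and choosing Backup All.
$backups = Backup-GPO -All -Path $target -Comment "Backup taken $(Get-Date -Format s)"

# Verify coverage: warn about any GPO in the domain that has no backup in this run.
$missing = Get-GPO -All | Where-Object { $_.Id -notin $backups.GpoId }
if ($missing) {
    Write-Warning "No backup taken for: $($missing.DisplayName -join ', ')"
}

# Keep a manifest beside the backups so a restore can be matched to a backup ID later.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

# Restore one GPO to the state captured above.
$gpoName = 'Workstation-ScreenLock'                  # hypothetical GPO
$backup  = $backups | Where-Object DisplayName -eq $gpoName
if (-not $backup) { throw "No backup of '$gpoName' found in $target" }

# If the GPO still exists, save its current (possibly broken) state first so the
# restore itself can be undone or examined afterwards.
if (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue) {
    $pre = Join-Path $target 'pre-restore'
    New-Item -ItemType Directory -Path $pre -Force | Out-Null
    Backup-GPO -Name $gpoName -Path $pre -Comment 'State before restore' | Out-Null
}

# -Confirm prompts before the live GPO is overwritten.
Restore-GPO -BackupId $backup.Id -Path $target -Confirm
```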
Importing or Copying GPOs
As an administrator, you may need to import or copy a GPO from one domain to another domain. You do this so that the second domain has the same settings as the first domain.
You can use an import or copy operation to transfer settings from one GPO to another GPO within the same domain, to a GPO in another domain in the same forest, or to a GPO in a domain in a different forest.
Importing or copying a GPO is an easy process. To do this, complete the following steps:
- Open the Group Policy Management Console.
- In the console tree, right-click Group Policy Objects and choose either Import Settings or Copy.