The GPMC scripts - the unknown feature
On Windows Server 2003 or XP, the scripts were located directly in the directory "%PROGRAMFILES%\GPMC\Scripts" when the GPMC was installed from the MSI. Since Server 2008 the GPMC is a feature that is added to the server. The scripts are no longer part of that component; they must be installed separately, and they can be.
Download: Group Policy Management Console Sample Scripts
(Microsoft took the TechNet Gallery offline in June 2020, hence the zip from my server)
The scripts are based on Visual Basic or JavaScript and have the file extension WSF (Windows Script File). cscript.exe must be used as the command interpreter.
Help for each script can be displayed by running "cscript Scriptname /?" on the command line.
Source: the list and examples are taken from the gpmc.chm file that was included in the old GPMC.msi.
Group Policy Management Console
Group Policy Management Console Scripting Samples
The following is a description of the Group Policy Management Console (GPMC) scripting samples. You can find the samples in the %programfiles%\gpmc\scripts directory after you install the GPMC. The scripts can be executed from the command line. The scripts echo output to the command window and should be executed using the CScript.exe application.
The following script samples address administrative tasks:
- Backing up an Individual GPO
- Backing up the GPOs in a Domain
- Creating a Copy of a GPO
- Creating a New GPO
- Creating a Policy Environment Using an XML File
- Creating an XML File that Represents a Policy Environment
- Create Migration Table
- Deleting a GPO
- Grant Permissions for all GPOs in a Domain
- Importing a GPO
- Importing Multiple GPOs into a Domain
- Restoring a GPO
- Restoring All GPOs in a Domain
- Setting GPO Permissions
- Setting Permissions for all GPOs Linked to a Scope of Management
- Setting Permissions to Create GPOs
- Setting Policy-related Permissions on a SOM
There are also script samples that perform the following queries:
- Listing All GPOs in a Domain
- Listing Disabled GPOs
- Listing GPO Information
- Listing GPOs at a Backup Location
- Listing GPOs by Policy Extension
- Listing GPOs by Security Group
- Listing GPOs Orphaned in SYSVOL
- Listing GPOs With Duplicate Names
- Listing GPOs Without Security Filtering
- Listing SOM Information
- Listing SOMs With Links to GPOs in External Domains
- Listing Unlinked GPOs in a Domain
- Printing the SOM Policy Tree
- Generate Reports for all GPOs
- Generate Reports for a GPO
Backing Up an Individual GPO
The BackupGPO.wsf sample, given a Group Policy Object (GPO) name or a GPO ID, backs up the GPO to a specified backup directory. The backup directory and GPO must already exist. You can use the Comment parameter to specify an optional comment for the backup.
Usage:
BackupGPO.wsf <GPO Name> <BackupLocation> [/Comment:<Comment>] [/Domain:<DNSDomainName>]
Example:
BackupGPO.wsf TestPolicyGPO \\server\share\GPOBackups /Comment:"Weekly backup" /Domain:example.microsoft.com
Backing Up the GPOs in a Domain
The BackupAllGPOs.wsf sample backs up all GPOs in a domain to the specified backup directory. The backup directory must already exist. You can use the /Comment parameter to specify an optional comment for the backup.
Usage:
BackupAllGPOs.wsf <BackupLocation> [/Comment:<Comment>] [/Domain:<DNSDomain>]
Example:
BackupAllGPOs.wsf \\server\share\GPOBackups /Comment:"Weekly backup" /Domain:example.microsoft.com
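As an added example (not part of the GPMC sample package), the following PowerShell wrapper runs BackupAllGPOs.wsf under cscript.exe into a dated sub-directory and then inventories the result with QueryBackupLocation.wsf. The extraction path C:\GPMC\Scripts, the share name, and the assumption that a failed sample ends with a non-zero exit code are mine.

```powershell
# Added example, not part of the GPMC sample package: run BackupAllGPOs.wsf
# under cscript.exe into a dated sub-directory, then inventory the result with
# QueryBackupLocation.wsf. Assumptions: the samples were extracted to $ScriptRoot,
# $BackupRoot is an existing share, and a failed sample ends with a non-zero exit code.
param(
    [string] $ScriptRoot = 'C:\GPMC\Scripts',            # assumed extraction path
    [string] $BackupRoot = '\\server\share\GPOBackups',  # placeholder share
    [string] $Domain     = 'example.microsoft.com',
    [string] $Comment    = 'Weekly backup'
)

function Invoke-GpmcScript {
    # Runs one .wsf sample with cscript.exe (//nologo drops the banner) and returns
    # its console output; throws if the sample reports a non-zero exit code.
    param([string] $Name, [string[]] $Arguments)
    $path = Join-Path $ScriptRoot $Name
    if (-not (Test-Path $path)) { throw "Sample script not found: $path" }
    $out = & cscript.exe //nologo $path @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
    return $out
}

# One sub-directory per run: older backups stay intact, so RestoreGPO.wsf can still
# be pointed at an earlier backup ID if the latest backup turns out to be bad.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
if (-not (Test-Path $target)) {
    New-Item -ItemType Directory -Path $target -ErrorAction Stop | Out-Null
}

# BackupAllGPOs.wsf <BackupLocation> [/Comment:<Comment>] [/Domain:<DNSDomain>]
$log = Invoke-GpmcScript 'BackupAllGPOs.wsf' @($target, "/Comment:$Comment", "/Domain:$Domain")
Set-Content -Path (Join-Path $target 'backup.log') -Value @($log)

# Verification pass: the /Verbose listing shows ID, backup time and comment per GPO,
# which is what an operator needs later to pick a backup ID for RestoreGPO.wsf.
$inventory = Invoke-GpmcScript 'QueryBackupLocation.wsf' @($target, '/Verbose')
Set-Content -Path (Join-Path $target 'inventory.txt') -Value @($inventory)

Write-Host ("Backup of domain {0} written to {1} ({2} inventory lines)" -f $Domain, $target, @($inventory).Count)
```

Run it from a scheduled task under an account that has Read on every GPO and write access to the share; the per-run directory keeps earlier backup IDs reachable for RestoreGPO.wsf.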
Creating a Copy of a GPO
The CopyGPO.wsf sample, given a source GPO name or GPO ID, and a new destination GPO name, creates a GPO and copies the settings from the source GPO into the new destination GPO. Use the MigrationTable switch to map security principals and paths across domains. Use the CopyACL switch to copy the ACL on the source GPO to the destination GPO. To create a migration table, please see the Create Migration Table script sample.
Usage:
CopyGPO.wsf <SourceGPO> <TargetGPO> [/SourceDomain:<DNSDomainName>] [/TargetDomain:<DNSDomainName>] [/SourceDC:<DomainController>] [/TargetDC:<DomainController>] [/MigrationTable:<MigrationTable>] [/CopyACL]
Example:
CopyGPO.wsf TestPolicyGPO NewProductionGPO /SourceDomain:example.microsoft.com /TargetDomain:example.microsoft.com
Creating a New GPO
The CreateGPO.wsf sample creates a GPO with the specified name, in the specified domain.
Usage:
CreateGPO.wsf <GPOName> [/Domain:<DNSDomainName>]
Example:
CreateGPO.wsf MyGPO /Domain:example.microsoft.com
Creating a Policy Environment Using an XML File
The CreateEnvironmentFromXML.wsf sample reads an XML file that specifies a policy environment; for example, OUs and GPOs. The script can perform operations such as creating GPOs and OUs, linking GPOs, importing settings into GPOs, setting security on GPOs, and creating security groups and users. Using the Undo switch deletes the environment. Specify the ExcludeSettings switch to ignore GPO templates specified in the XML. Specify the ExcludePermissions switch to ignore permissions on Scopes of Management (SOMs) and GPOs; default permissions will be used instead. To use a migration table when importing GPOs, specify the MigrationTable switch and the path to the migration table file. Use the MigrationTable switch to map security principals and paths across domains. For more information on how to create a migration table, see the CreateMigrationTable.wsf script sample. Specify the Q switch to enable quiet mode, which suppresses all confirmation warnings.
Usage:
CreateEnvironmentFromXML.wsf /xml:<XmlFile> [/undo] [/Domain:<DNSDomainName>] [/dc:<DomainControllerName>] [/ExcludeSettings] [/ExcludePermissions] [/MigrationTable:<FilePath>]
Example:
CreateEnvironmentFromXML.wsf /xml:TestDomain.xml /Domain:example.microsoft.com /dc:testdomaindc-1 /MigrationTable:TestMigrationTable.xml
Creating an XML File that Represents a Policy Environment
The CreateXMLFromEnvironment.wsf sample reads an existing policy environment; for example, OUs, GPOs, and GPO links. The sample creates an XML file representing that environment. You can use this script in conjunction with the CreateEnvironmentFromXML.wsf script. If you do not specify a domain, the domain of the computer is assumed.
Multiple switches are available for this script. Use the ExcludePermissions switch to specify that policy related permissions should not be recorded. Use the StartingOU switch to specify the LDAP path to an OU from which the XML should be built, rather than parsing the entire domain. Specify the IncludeUsers switch to include user accounts. Use the IncludeAllGroups switch to include groups from the Users container and from the domain root. If you do not specify this last switch, the script only adds groups defined in OUs to the XML file. If you specify a template path, the GPOs are exported to the specified location. Use the /TemplatePath switch to specify the location to store backups of the GPO templates containing the policy settings.
Usage:
CreateXMLFromEnvironment.wsf <OutputFile> [/Domain:<DNSDomainName>] [/dc:<DomainControllerName>] [/TemplatePath:<Path>] [/StartingOU:<LDAPPath>] [/ExcludePermissions] [/IncludeAllGroups] [/IncludeUsers]
Example:
CreateXMLFromEnvironment.wsf TestDomain.xml /Domain:example.microsoft.com
Example:
CreateXMLFromEnvironment.wsf TestDomain.xml /StartingOU:OU=marketing,DC=MyDomain,DC=COM
Example:
CreateXMLFromEnvironment.wsf TestDomain.xml /templatepath:\backups
Create Migration Table
The CreateMigrationTable.wsf sample creates a file containing the XML representation of paths and security principals for the specified GPO source. The GPO source can be one of three choices: an individual GPO, a backup location, or all GPOs in a domain. The resulting XML can then be used when performing GPO import and copy operations, which are typically performed across domains. Use the GPO switch to use a single GPO source when building the XML migration table. Use the BackupLocation switch to use GPO backups as a source when building the XML migration table. Use the AllGPOs switch to use all GPOs in the domain as a source to build the XML migration table. Use the Overwrite switch to overwrite an existing XML file instead of appending to it. Use the MapByName switch to specify a corresponding account with the same name as the original in the destination domain.
Usage:
CreateMigrationTable.wsf <TableName> [/GPO:<GPO Name>] [/BackupLocation:<FilePath>] [/AllGPOs] [/Overwrite] [/MapByName] [/Domain:<DNSDomainName>]
Example:
CreateMigrationTable.wsf SampleTable.xml /BackupLocation:c:\GPOBackups /OverWrite /MapByName
Example:
CreateMigrationTable.wsf SampleTable.xml /GPO:TestGPO
Example:
CreateMigrationTable.wsf SampleTable.xml /AllGPOs /Overwrite /Domain:example.microsoft.com
Deleting a GPO
The DeleteGPO.wsf sample, given a GPO name or a GPO ID, deletes the GPO. If you do not specify the KeepLinks parameter, all links to the GPO in the specified domain and in any sites are deleted.
Usage:
DeleteGPO.wsf <GPOName> [/KeepLinks] [/Domain:<DNSDomainName>]
Example:
DeleteGPO.wsf MyGPO
Grant Permissions for all GPOs in a Domain
The GrantPermissionOnAllGPOs.wsf sample takes a particular domain and grants a user or group the specified level of permission for all GPOs in that domain, regardless of whether those GPOs are linked to an OU. Use the Permission switch to specify a permission level of 'Read', 'Apply', 'Edit', 'FullEdit', or 'None' for the security principal specified in the GroupName parameter. Using the Replace switch removes existing permissions for the group or user before making the change. If a group or user is already granted a permission type higher than the new permission type, and you do not specify Replace, no change is made. For example, if the new permission type is 'Edit' and the user already has 'Full Edit', and you do not use the Replace switch, no change is made to the permissions granted to that group or user.
Usage:
GrantPermissionOnAllGPOs.wsf <Group Name> /Permission:<Permission Level> [/Replace] [/Domain:<DNSDomainName>]
Example:
GrantPermissionOnAllGPOs.wsf "Marketing Group Admins" /Permission:FullEdit /Replace
Example:
GrantPermissionOnAllGPOs.wsf TestUser /Permission:Read
Importing a GPO
The ImportGPO.wsf sample takes a backup of a GPO and imports the settings from the backup GPO into a specified target GPO. Use the BackupLocation parameter to specify the location of the backup, then use the BackupID parameter to specify the GPO name or backup ID (GUID) of the backup to use. If no target is specified, the name of the GPO that was backed up will be used.
Note that if you specify a GPO name or GPO ID for the BackupID parameter, the script imports the most recent backup. To import an earlier version of a GPO's backup, you must specify the unique backup ID for the specific backup. This is the string that uniquely identifies the backup within its backup directory. To retrieve the unique backup IDs for all GPOs in a specific backup location, run the QueryBackupLocation.wsf script.
Specify the target GPO into which the settings are being imported using the TargetGPO parameter. Use the optional MigrationTable switch when importing a GPO to map security principals and paths across domains. To create a new GPO if the specified target GPO does not exist, use the CreateIfNeeded switch.
Usage:
ImportGPO.wsf <BackupLocation> <BackupID> [TargetGPO] [/MigrationTable:<FilePath>] [/CreateIfNeeded] [/Domain:<DNSDomainName>]
Example:
ImportGPO.wsf f:\backup TestGPO NewGPO /CreateIfNeeded
Example:
ImportGPO.wsf f:\backup {73624CC9-E8F2-4F05-88D2-193FAE8773CE} NewGPO /CreateIfNeeded
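Added example, not from the sample package: the cross-domain path this page outlines (back up the GPO in the source domain, build a migration table from the backup with CreateMigrationTable.wsf, review the table, then import it with ImportGPO.wsf and the table) as one PowerShell script with a review checkpoint. The domain names, paths, extraction directory and the assumption that a failed sample exits non-zero are placeholders of mine.

```powershell
# Added example, not part of the GPMC sample package: migrate one GPO between
# domains via backup -> migration table -> review -> import. Assumed: samples
# extracted to $ScriptRoot, placeholder domain names, and non-zero exit on failure.
param(
    [string] $ScriptRoot   = 'C:\GPMC\Scripts',
    [string] $GpoName      = 'TestPolicyGPO',
    [string] $SourceDomain = 'source.example.com',     # placeholder
    [string] $TargetDomain = 'target.example.com',     # placeholder
    [string] $BackupRoot   = '\\server\share\GPOMigration',
    [switch] $Import                                   # omit on the first (review) run
)

function Invoke-GpmcScript([string] $Name, [string[]] $Arguments) {
    # cscript.exe runs the .wsf sample; a non-zero exit code is treated as failure (assumed).
    $out = & cscript.exe //nologo (Join-Path $ScriptRoot $Name) @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
    $out
}

$table = Join-Path $BackupRoot "$GpoName-migration.xml"

if (-not $Import) {
    # Step 1: back up the GPO in the source domain. BackupGPO.wsf requires the
    # backup directory to exist already, so create it first.
    if (-not (Test-Path $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot -ErrorAction Stop | Out-Null
    }
    Invoke-GpmcScript 'BackupGPO.wsf' @($GpoName, $BackupRoot,
        "/Comment:Migration to $TargetDomain", "/Domain:$SourceDomain")

    # Step 2: build the migration table from the backup location. /MapByName
    # pre-fills a same-named destination for each principal; /Overwrite avoids
    # appending to a stale table left by an earlier run.
    Invoke-GpmcScript 'CreateMigrationTable.wsf' @($table, "/BackupLocation:$BackupRoot",
        '/Overwrite', '/MapByName', "/Domain:$SourceDomain")

    # Checkpoint: an operator reviews the table (principals and UNC paths that do
    # not exist in the target domain) before anything is written to that domain.
    Write-Host "Migration table written to $table. Review it, then re-run with -Import."
    return
}

# Step 3: import into the target domain. Giving the GPO name as BackupID selects
# the most recent backup of that GPO; /CreateIfNeeded creates the target GPO if
# it is missing; the table rewrites principals and paths bound to the source domain.
if (-not (Test-Path $table)) { throw "Migration table $table is missing; run the review step first." }
Invoke-GpmcScript 'ImportGPO.wsf' @($BackupRoot, $GpoName, $GpoName,
    "/MigrationTable:$table", '/CreateIfNeeded', "/Domain:$TargetDomain")

# Confirm what landed in the target domain with the sample this page documents.
Invoke-GpmcScript 'DumpGPOInfo.wsf' @($GpoName, "/Domain:$TargetDomain")
```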
Importing Multiple GPOs into a Domain
The ImportAllGPOs.wsf sample, given a backup location, creates new GPOs in the domain specified and imports settings into them. The script creates a new GPO and imports settings for the latest version of each backed-up GPO in the backup location. The names of the GPOs that were backed up are used for the newly created GPOs. Note that because the newly created GPOs are derived from a previous GPO backup, if this previous GPO still exists in the domain, it will be overwritten by the newly created GPO. Any GPO settings that have been changed since the backup will be lost.
Usage:
ImportAllGPOs.wsf <BackupLocation> [/MigrationTable:<FilePath>] [/Domain:<DNSDomainName>]
Example:
ImportAllGPOs.wsf f:\backup /MigrationTable:f:\Table1.xml
Restoring a GPO
The RestoreGPO.wsf sample, given a backup location and a backupID, restores a backup GPO to the original domain from which it was saved. If the original domain is not available, RestoreGPO.wsf will fail. Use the BackupLocation parameter to specify the location of the backup, then use the BackupID parameter to specify the GPO name or backup ID (GUID) of the backup to use.
Note that if you specify a GPO name or GPO ID for the BackupID parameter, the script restores the most recent backup. To restore an earlier version of a GPO's backup, you must specify the unique backup ID for the specific backup. This is the string that uniquely identifies the backup within its backup directory. To retrieve the unique backup IDs for all GPOs in a specific backup location, run the QueryBackupLocation.wsf script.
Usage:
RestoreGPO.wsf <BackupLocation> <BackupID> [/Domain:<Domain>] [/DC:<DomainController>]
Example:
RestoreGPO.wsf f:\backup BackUpGPO
Example:
RestoreGPO.wsf f:\backup {73624CC9-E8F2-4F05-88D2-193FAE8773CE}
Restoring all GPOs in a Domain
The RestoreAllGPOs.wsf sample, given a backup location, restores the most recent backup of each backed-up GPO to Active Directory.
Usage:
RestoreAllGPOs.wsf <BackupLocation> [/Domain:<DNSDomainName>]
Example:
RestoreAllGPOs.wsf f:\backup /Domain:testdomain.mycompany.com
Setting GPO Permissions
The SetGPOPermissions.wsf sample takes a GPO name or GPO ID, group or user name, and permission level and grants that level of permission on the GPO. Use the Permission switch to specify a permission level of 'Read', 'Apply', 'Edit', 'FullEdit', or 'None' for the security principal specified in the GroupName parameter. Using the Replace switch removes existing permissions for the group or user before making the change. Otherwise, the script ensures that the group or user has at least the permission level specified.
Usage:
SetGPOPermissions.wsf <GPOName> <GroupName> /Permission:<PermissionLevel> [/Replace] [/Domain:<DNSDomainName>]
Example:
SetGPOPermissions.wsf TestGPO TestGroup /Permission:Edit
Example:
SetGPOPermissions.wsf {73624CC9-E8F2-4F05-88D2-193FAE8773CE} TestUser /Permission:FullEdit /Replace /Domain:testdomain.mycompany.com
Setting Permissions for All GPOs Linked to a Scope of Management
The SetGPOPermissionsBySOM.wsf sample takes a particular SOM (site, domain, OU) and grants a user or group the specified level of permission for all GPOs that are linked to that SOM. Use the Permission switch to specify a permission level of 'Read', 'Apply', 'Edit', 'FullEdit', or 'None' for the security principal specified in the GroupName parameter. Using the Replace switch removes existing permissions for the group or user before making the change. If a group or user is already granted a permission type higher than the new permission type, and you do not specify Replace, no change is made. For example, if the new permission type is 'Edit' and the user already has 'Full Edit', if you do not use the Replace switch, no change is made to the permissions granted to that group or user. Using the Recursive switch applies the change to all OUs that are children of the given SOM.
Usage:
SetGPOPermissionsBySOM.wsf <SOM Name> <Group Name> /Permission:<PermissionLevel> [/Recursive] [/Replace] [/Domain:<DNSDomainName>]
Example:
SetGPOPermissionsBySOM.wsf "Marketing Group Admins" "Marketing Group" /Permission:FullEdit /Recursive
Example:
SetGPOPermissionsBySOM.wsf MarketingOU TestUser /Permission:Read /Replace
Setting Permissions to Create GPOs
The SetGPOCreationPermissions.wsf sample grants or removes the ability for a user or group to create GPOs in a domain.
Usage:
SetGPOCreationPermissions.wsf <GroupName> [/Remove] [/Domain:<DNSDomainName>]
Example:
SetGPOCreationPermissions.wsf "Policy Admins"
Example:
SetGPOCreationPermissions.wsf TestUser /remove
Setting Policy-related Permissions on a SOM
The SetSOMPermissions.wsf sample takes a particular SOM (site, domain, OU) and grants a user or group the specified level of permission for that SOM. Use the Permission switch to specify a permission level of 'LinkGPOs', 'RSoPLogging', 'RSoPPlanning', 'All', or 'None' for the SOM. You can specify either the display name or the full LDAP path to the SOM for the SOM Name parameter. Using the Inherit switch causes all child containers to inherit the setting. RSoP planning mode requires a member of the Windows Server 2003 family on the domain controller used to perform the query, and is not applicable to sites.
Usage:
SetSOMPermissions.wsf <SOM Name> <Group Name> /Permission:<PermissionLevel> [/Inherit] [/Domain:<DNSDomainName>]
Example:
SetSOMPermissions.wsf "Test Marketing OU" "Marketing Admin Group" /Permission:All /Inherit
Example:
SetSOMPermissions.wsf MarketingOU TestUser /Permission:LinkGPOs
Listing All GPOs in a Domain
The ListAllGPOs.wsf sample prints all GPOs in the specified domain.
Note: Using the '/v' switch creates detailed or verbose output for each GPO.
Usage:
ListAllGPOs.wsf [/v] [/Domain:<DNSDomainName>]
Example:
ListAllGPOs.wsf /v /Domain:example.microsoft.com
Listing Disabled GPOs
The FindDisabledGPOs.wsf sample prints all GPOs in the specified domain that are disabled or partially disabled. Running this script enumerates both fully and partially disabled GPOs; the results are grouped accordingly.
Usage:
FindDisabledGPOs.wsf [/Domain:<DNSDomainName>]
Example:
FindDisabledGPOs.wsf /Domain:example.microsoft.com
Listing GPO Information
The DumpGPOInfo.wsf sample, given a GPO name or a GPO ID, prints the information for that specific GPO.
Usage:
DumpGPOInfo.wsf <GPOName> [/Domain:<DNSDomainName>]
Example:
DumpGPOInfo.wsf MyGPO /Domain:example.microsoft.com
Listing GPOs at a Backup Location
The QueryBackupLocation.wsf sample prints a list of the GPOs that have been backed up to a specified file system location. Using the Verbose switch displays detailed information about each backed-up GPO, such as ID, backup time, and comment.
Usage:
QueryBackupLocation.wsf <path> [/Verbose]
Example:
QueryBackupLocation.wsf \\server\share\GPOBackups /Verbose
Listing GPOs by Policy Extension
The FindGPOsByPolicyExtension.wsf sample prints all GPOs in the specified domain for which a specific policy extension is configured; for example, the Software Installation or Folder Redirection policy extensions. You can specify either the GUID or the friendly name of the client-side extension (CSE). To find out which client-side extensions are registered locally, use the PrintCSE switch.
Usage:
FindGPOsByPolicyExtension.wsf <ExtensionID> [/PrintCSE] [/Domain:<DNSDomainName>]
Example:
FindGPOsByPolicyExtension.wsf "Software Installation"
This example lists all GPOs that define policy settings for the 'Software Installation' policy extension.
Example:
FindGPOsByPolicyExtension.wsf /PrintCSE
This example lists all CSEs that are installed locally.
Listing GPOs by Security Group
The FindGPOsBySecurityGroup.wsf sample prints a list of all GPOs on which a given security principal has the specified permission level. Use the Permission switch to specify the permission level ('Read', 'Apply', 'Edit' or 'Full Edit') to search for on behalf of the security principal. If no permission is specified, the script queries for all GPOs with the 'Apply' permission level. Use the Effective switch to display GPOs with a specific set of permissions, whether the permissions are explicitly set or derived as a result of group membership. Use the None switch to display GPOs that do not have the specified permission for the specified group or user.
Usage:
FindGPOsBySecurityGroup.wsf <GroupName> /Permission:<PermissionLevel> [/Effective] [/Domain:<DNSDomainName>] [/None]
Example:
FindGPOsBySecurityGroup.wsf "Domain Admins" /Permission:Edit /Effective
Listing GPOs orphaned in SYSVOL
The FindOrphanGPOsInSYSVOL.wsf sample finds and prints all GPOs in SYSVOL with no corresponding Active Directory (AD) source. These GPOs are usually referred to as orphaned GPOs. A GPO usually becomes orphaned in one of two ways: 1) the GPO was deleted directly through ADSI Edit, or 2) the GPO was deleted by someone who had permission to do so in AD but not in SYSVOL. In the second case, the AD portion of the GPO is deleted but the SYSVOL portion of the GPO is left behind. Use the Domain switch to specify which domain should be searched for orphaned GPOs.
Usage:
FindOrphanGPOsInSYSVOL.wsf [/Domain:<DNSDomainName>]
Example:
FindOrphanGPOsInSYSVOL.wsf /Domain:example.Microsoft.com
Listing GPOs with Duplicate Names
The FindDuplicateNamedGPOs.wsf sample prints all GPOs in the specified domain that have duplicate names.
Usage:
FindDuplicateNamedGPOs.wsf [/Domain:<DNSDomainName>]
Example:
FindDuplicateNamedGPOs.wsf /domain:example.microsoft.com
Listing GPOs Without Security Filtering
The FindGPOsWithNoSecurityFiltering.wsf sample prints a list of all GPOs that do not have any 'apply' permissions set. These are GPOs that exist but do not apply to anyone.
Usage:
FindGPOsWithNoSecurityFiltering.wsf [/Domain:<DNSDomainName>]
Example:
FindGPOsWithNoSecurityFiltering.wsf /Domain:example.microsoft.com
Listing SOM Information
The DumpSOMInfo.wsf sample, given a SOM (a site, domain, or OU), prints policy information about that SOM. This includes the GPOs that are linked to the SOM and the policy permissions on the SOM. Use the ShowInheritedLinks switch to show inherited GPO links for the SOM.
Usage:
DumpSOMInfo.wsf <SOM Name> [/ShowInherited] [/Domain:<DNSDomainName>]
Example:
DumpSOMInfo.wsf "Test OU" /ShowInherited /Domain:example.microsoft.com
Listing SOMs With Links to GPOs in External Domains
The FindSOMsWithExternalGPOLinks.wsf sample prints all SOMs in the specified domain that link to a GPO in a different domain.
Usage:
FindSOMsWithExternalGPOLinks.wsf [/Domain:<DNSDomainName>]
Example:
FindSOMsWithExternalGPOLinks.wsf /Domain:example.microsoft.com
Listing Unlinked GPOs in a Domain
The FindUnlinkedGPOs.wsf sample prints all GPOs in the specified domain that have no links. Links outside the domain, including site links, are not checked.
Usage:
FindUnlinkedGPOs.wsf [/Domain:<DNSDomainName>]
Example:
FindUnlinkedGPOs.wsf /Domain:example.microsoft.com
Printing the SOM Policy Tree
The ListSOMPolicyTree.wsf sample prints all sites, domains, and OUs (SOMs) in the specified domain, together with the list of GPOs that are linked to each SOM.
Usage:
ListSOMPolicyTree.wsf [/Domain:<DNSDomainName>]
Example:
ListSOMPolicyTree.wsf /Domain:example.microsoft.com
Generate Reports for all GPOs
The GetReportsForAllGPOs.wsf sample generates two files for each GPO in the domain. The first file is an XML file that contains information such as details, links, security filtering, WMI filtering, delegation, computer, and user configurations for the GPO. The second file is an HTML representation of the GPO data. Use the ReportLocation parameter to specify where the files should be generated. Use the Domain switch to specify against which domain the report should be run.
Usage:
GetReportsForAllGPOs.wsf <ReportLocation> [/Domain:<DNSDomainName>]
Example:
GetReportsForAllGPOs.wsf c:\reports
Generate Reports for a GPO
The GetReportsForGPO.wsf sample generates two files for a specified GPO or GPO ID in the domain. The first file is an XML file that contains information such as details, links, security filtering, WMI filtering, delegation, computer and user configurations for the GPO. The second file is an HTML representation of the GPO data. Use the ReportLocation parameter to specify where the files should be generated. Use the Domain switch to specify against which domain the report should be run.
Usage:
GetReportsForGPO.wsf <GPOName> <ReportLocation> [/Domain:<DNSDomainName>]
Example:
GetReportsForGPO.wsf TestGPO c:\reports /Domain:test.microsoft.com
Example:
GetReportsForGPO.wsf {73624CC9-E8F2-4F05-88D2-193FAE8773CE} c:\reports
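Added example, not part of the sample package: a read-only hygiene audit that runs the query samples listed above (orphaned, unfiltered, unlinked, disabled and duplicate-named GPOs, cross-domain links, and a delegation check with FindGPOsBySecurityGroup.wsf) plus GetReportsForAllGPOs.wsf into one dated report folder, so successive runs can be diffed. The extraction path, domain, report directory, the choice of 'Authenticated Users' as the principal that should never hold Edit on a GPO, and the non-zero-exit-code assumption are mine.

```powershell
# Added example, not part of the GPMC sample package: read-only GPO hygiene audit
# built from the query samples on this page. Assumed: samples extracted to
# $ScriptRoot, a failed sample exits non-zero, placeholder domain and paths.
param(
    [string] $ScriptRoot = 'C:\GPMC\Scripts',
    [string] $Domain     = 'example.microsoft.com',
    [string] $ReportRoot = 'C:\GPOAudit'
)

function Invoke-GpmcScript([string] $Name, [string[]] $Arguments) {
    # cscript.exe runs the .wsf sample; a non-zero exit code is treated as failure (assumed).
    $out = & cscript.exe //nologo (Join-Path $ScriptRoot $Name) @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
    $out
}

$run = Join-Path $ReportRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $run -Force -ErrorAction Stop | Out-Null
$dom = "/Domain:$Domain"

# One entry per check: output file name -> sample script and its arguments.
$checks = [ordered]@{
    # SYSVOL folders with no AD object: stale files that may still carry settings.
    'orphaned-in-sysvol' = @('FindOrphanGPOsInSYSVOL.wsf', $dom)
    # GPOs that apply to nobody: deletion candidates or a broken security filter.
    'no-security-filter' = @('FindGPOsWithNoSecurityFiltering.wsf', $dom)
    'unlinked'           = @('FindUnlinkedGPOs.wsf', $dom)
    'disabled'           = @('FindDisabledGPOs.wsf', $dom)
    # Duplicate names make manual reviews and name-based scripts ambiguous.
    'duplicate-names'    = @('FindDuplicateNamedGPOs.wsf', $dom)
    # Links to GPOs in other domains are easy to miss in a delegation review.
    'external-links'     = @('FindSOMsWithExternalGPOLinks.wsf', $dom)
    # Over-broad delegation: any GPO that every authenticated user can edit,
    # including rights inherited through group membership (/Effective).
    'everyone-can-edit'  = @('FindGPOsBySecurityGroup.wsf', 'Authenticated Users',
                             '/Permission:Edit', '/Effective', $dom)
}

$summary = foreach ($check in $checks.GetEnumerator()) {
    $name, $scriptArgs = $check.Value            # first element: script; rest: arguments
    $lines = Invoke-GpmcScript $name $scriptArgs
    Set-Content -Path (Join-Path $run "$($check.Key).txt") -Value @($lines)
    [pscustomobject]@{ Check = $check.Key; Script = $name; OutputLines = @($lines).Count }
}
$summary | Format-Table -AutoSize | Out-String | Set-Content -Path (Join-Path $run 'summary.txt')

# Full XML and HTML report per GPO (settings, links, filtering, delegation),
# kept next to the check output so two audit runs can be compared file by file.
Invoke-GpmcScript 'GetReportsForAllGPOs.wsf' @($run, $dom) | Out-Null
Write-Host "Audit for $Domain written to $run"
```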