Windows OS Hub

March 29, 2022 | Group Policies, PowerShell, Windows Server 2019

Managing Group Policies (GPO) in Active Directory with PowerShell

The primary tool for managing Group Policy Objects (GPOs) in an Active Directory domain is the graphical Group Policy Management Console (GPMC.msc). To automate some GPO management tasks in Active Directory and perform them faster, you can use PowerShell, which provides multiple GPO administration features.

Contents:
  • How to Install Group Policy Management PowerShell Module?
  • Creating and Managing GPOs with PowerShell
  • How to Backup and Restore GPOs Using PowerShell?

How to Install Group Policy Management PowerShell Module?

To manage domain GPOs, the GroupPolicy module must be installed on your computer. This module is available on Windows Server after installing the Group Policy Management feature. You can install this feature using the Server Manager console or with PowerShell:

Install-WindowsFeature GPMC -IncludeManagementTools


If you want to manage GPOs from a workstation running a desktop Windows 10 or 11 edition, install the Group Policy module via RSAT:

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

You can display a full list of PowerShell cmdlets in the GroupPolicy module using the command:

Get-Command -Module GroupPolicy


Using the GroupPolicy PowerShell module, you can:

  • Create and remove GPO;
  • Link/unlink GPO to/from an OU;
  • Backup and restore GPO;
  • Set GPO permissions or configure inheritance.

Creating and Managing GPOs with PowerShell

Let’s take a look at some typical administrative tasks where you can use PowerShell to manage Group Policies.

To create a new blank GPO, use this command:

New-GPO -Name munTestGPO -Comment "My First GPO with PowerShell"

If Starter GPOs have been created in your domain, you can create a new Group Policy from one of these templates (for example, one with specific Security Baseline settings):

New-GPO -Name munTestGPO2 -StarterGPOName "Windows 10 Security Baseline"

Use the New-GPLink cmdlet in order to link a Group Policy object to an OU:

Get-GPO munTestGPO | New-GPLink -Target "ou=test,ou=munich,dc=woshub,dc=com"


To unlink a GPO from an OU:

Remove-GPLink -Name munTestGPO -Target "ou=test,ou=munich,dc=woshub,dc=com"

If you want to disable GPO without removing a link, use the Set-GPLink cmdlet:

Set-GPLink -name munTestGPO -Target "ou=test,ou=munich,dc=woshub,dc=com" -linkenabled no

The GPO no longer applies to the OU but remains linked.

If you want to force apply a GPO, add the -Enforced Yes option.


The following PowerShell one-liner will create a new GPO to change a registry parameter (disables automatic driver update), restrict the policy to the specific security group, and link it to the Organizational Unit:

$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
New-GPO 'munDisableDriverUpdate' | Set-GPRegistryValue -Key $key `
-ValueName 'SearchOrderConfig' -Type DWORD -Value 0 | Set-GPPermissions -Replace `
-PermissionLevel None -TargetName 'Authenticated Users' -TargetType group | `
Set-GPPermissions -PermissionLevel gpoapply -TargetName 'mun_admins' `
-TargetType group | New-GPLink -Target "ou=test,ou=munich,dc=woshub,dc=com" -Order 1

The PowerShell module doesn’t allow you to change the value of the GPO options from the GPO administrative templates (ADMX). You can only edit the registry settings that are deployed through Group Policy Preferences.
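One way to review the effect of security filtering such as the one-liner above, as an added example that is not part of the original article: for every GPO it lists who the policy applies to, whether Authenticated Users or Domain Computers can still read it (since the MS16-072 update the computer account needs read access to retrieve user policy settings as well), and which trustees outside an expected list can edit it. The function name `Get-GpoAclFinding` and the `$expectedEditors` list are assumptions to adapt to your own delegation model.

```powershell
# Added example: review GPO ACLs after security filtering changes (GroupPolicy module required)
Import-Module GroupPolicy

# Assumption: only these trustees are expected to hold edit rights; adjust to your delegation model
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$editLevels      = 'GpoEdit', 'GpoEditDeleteModifySecurity'
$computerReaders = 'Authenticated Users', 'Domain Computers'

function Get-GpoAclFinding {
    foreach ($gpo in Get-GPO -All) {
        $acl = @(Get-GPPermission -Guid $gpo.Id -All)

        # Security filtering: trustees with "Apply group policy"
        $appliesTo = @($acl | Where-Object { "$($_.Permission)" -eq 'GpoApply' } |
                       ForEach-Object { $_.Trustee.Name })

        # GpoApply includes read, so either level lets computers retrieve the GPO
        $canRead = @($acl | Where-Object {
            $_.Trustee.Name -in $computerReaders -and
            "$($_.Permission)" -in 'GpoApply', 'GpoRead' }).Count -gt 0

        # Trustees outside the expected list that can change the GPO
        $editors = @($acl | Where-Object {
            "$($_.Permission)" -in $editLevels -and
            $_.Trustee.Name -notin $expectedEditors } |
            ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name })

        [pscustomobject]@{
            Gpo               = $gpo.DisplayName
            Id                = $gpo.Id
            AppliesTo         = $appliesTo -join ', '
            ComputersCanRead  = $canRead
            UnexpectedEditors = $editors -join ', '
        }
    }
}

# Show only GPOs that need a second look
Get-GpoAclFinding |
    Where-Object { -not $_.ComputersCanRead -or $_.UnexpectedEditors } |
    Format-Table -AutoSize
```

A GPO reported with `ComputersCanRead = False` can be corrected by granting Domain Computers the GpoRead level with the same Set-GPPermissions cmdlet used above.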

You can use the Get-GPO cmdlet to display information about a specific GPO or all policies in your domain. The cmdlet returns the policy GUID (it is often needed to diagnose GPO application or to resolve GPO replication issues when checking Active Directory health), the GPO creation/modification time, and the WMI filters applied to the GPO.

Get-GPO -Domain woshub.com -All


You can display the settings of a WMI filter linked to a GPO (but you won’t be able to change filter settings):

(Get-GPO munWin10Settings).WmiFilter

To update Group Policy settings on remote computers, the Invoke-GPUpdate cmdlet is used. You can update GPO on a specific computer:

Invoke-GPUpdate -Computer "corp\wks-mn0223" -Target "User"

Or on all computers in an OU:

Get-ADComputer -Filter * -SearchBase "ou=Computes,OU=MUNICH,dc=woshub,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

The Get-GPOReport cmdlet is used to get the HTML/XML report with policy settings:

Get-GPOReport -name mun-BitlockerEncryption -ReportType HTML -Path "C:\ps\bitlocker_policy.html"

In this case, we have displayed all the settings of the policy for automatically saving BitLocker keys in AD.


The Get-GPResultantSetOfPolicy cmdlet allows you to create a resulting report (RSoP, Resultant Set of Policy) on the Group Policies applied to the specified user and/or computer. This report looks like the HTML report generated using the gpresult tool (GPResult /h c:\ps\gp-report.html /f). The cmdlet can also get a resulting GPO report from a remote computer:

Get-GPResultantSetOfPolicy -user m.muller -computer corp\wks-mn0223 -reporttype html -path c:\ps\gp_rsop_report.html

How to Backup and Restore GPOs Using PowerShell?

Using PowerShell, you can back up and restore GPOs in your Active Directory domain.

To back up all Group Policy Objects to the specified folder:

Backup-GPO -All -Path C:\Backup\GPOs\

Or one GPO only:

Backup-GPO -Name munWin10Settings -Path C:\Backup\GPOs -Comment "Backup GPO with PowerShell 2022/28/03"

To restore a GPO, the following command is used:

Restore-GPO -Name munWin10Settings -Path C:\Backup\GPOs\

You can keep several GPO backup versions in a single folder. To restore a specific GPO version, you need to specify its backup ID (32-bit identifier):

Restore-GPO -Path "C:\GPO Backups" -BackupID 7654321-4321-4321-CCC-1234567890
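To know which backup ID belongs to which GPO version, and to check that a backup has not been altered before restoring it, the backup can be written together with a manifest. This is an added example, not code from the original article: the function names `Backup-GpoWithManifest` and `Test-GpoBackup` and the `manifest.csv` file are assumptions, and the default folder is the one used in the commands above.

```powershell
# Added example: dated GPO backup with a SHA-256 manifest keyed by backup ID
Import-Module GroupPolicy

function Backup-GpoWithManifest {
    param([string]$Root = 'C:\Backup\GPOs')   # backup path used in the article

    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Backup-GPO returns one object per GPO; its Id property is the backup ID
    $rows = foreach ($b in Backup-GPO -All -Path $dir -Comment "Backup $(Get-Date -Format s)") {
        # Each backup is stored in a sub-folder named {<backup ID>}
        $folder = Join-Path $dir ('{{{0}}}' -f $b.Id)
        foreach ($f in Get-ChildItem -LiteralPath $folder -Recurse -File -Force) {
            [pscustomobject]@{
                Gpo      = $b.DisplayName
                GpoId    = $b.GpoId
                BackupId = $b.Id
                File     = $f.FullName.Substring($dir.Length + 1)
                Sha256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
    $rows | Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation -Encoding UTF8
    $dir   # return the folder that now holds the backups and the manifest
}

function Test-GpoBackup {
    param(
        [Parameter(Mandatory)][string]$BackupDir,
        [Parameter(Mandatory)][guid]$BackupId
    )
    $rows = @(Import-Csv (Join-Path $BackupDir 'manifest.csv') |
              Where-Object { [guid]$_.BackupId -eq $BackupId })
    if ($rows.Count -eq 0) { throw "Backup ID $BackupId is not listed in the manifest" }

    # Report every file that is missing or whose hash no longer matches
    $bad = @(foreach ($r in $rows) {
        $path = Join-Path $BackupDir $r.File
        if (-not (Test-Path -LiteralPath $path) -or
            (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $r.Sha256) { $r.File }
    })
    $bad | ForEach-Object { Write-Warning "Changed or missing: $_" }
    $bad.Count -eq 0
}
```

Run `Test-GpoBackup` with the backup folder and the chosen backup ID before calling Restore-GPO, and keep a copy of `manifest.csv` outside the backup share so that it cannot be modified together with the backup files.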
