Scripting School: Managing Group Policy with VBScript

You can use scripting to manage Group Policy itself. You can't use scripts to create or assign policies, but you can copy, back up and restore, import, and do Resultant Set of Policy reporting on policies using VBScript.

If you've had anything to do with Group Policy, you know that you can use Group Policy to assign scripts to policies, so that scripts will run at user login or logoff.

What you may not know, however, is that you can use scripting to manage Group Policy itself. That is, you can't use scripts to create or assign policies (although it would be nice) but you can copy, back up and restore, import, and do Resultant Set of Policy reporting on policies using VBScript, using interfaces provided with the Group Policy Management Console (GPMC).

Scripting GPO management is a complicated topic, so we'll begin by looking at the Group Policy management object model and what you can do with it. Subsequent columns will go into more specific tasks such as how to make sure that policies are being applied, backing up group policies, and moving your group policies from a test environment to a production environment.

When you download the GPMC from Microsoft's Web site, this also installs some sample scripts in a separate directory, as well as installing the DLL you need to get access to these objects. If you've got another task you'd like to accomplish using Group Policy Scripting, let's hear it.

Group Policy management object model

Looking at the object model can make it easier to see what you can do. By reviewing the following list of scriptable objects, you should be able to infer quite a lot of capabilities. (A few objects are not included here because they have no scriptable interfaces, meaning that you can't manipulate them using VBScript. However, most are accessible to your scripts.)

The descriptions for these objects don't list of every property and method associated with the objects. . .just enough to give you an idea of what they're for. We'll go into more detail when you're using the objects in a script.

GPM. Root object for group policy management. You'll use this object's methods to get access to subordinate objects such as GPMBackupDir.

PMBackup allows you to manage backed-up GPOs. Through this object, you can perform tasks such as getting the backup's ID, reading its comments, getting its timestamp and deleting it. This object has a related collection object called GPMBackupCollection that you can use to count the backup objects in the collection and retrieve a specific one.

GPMBackupDir allows you to get the backup directory for backed-up GPOs and then search for specific backups.

GPMClientSideExtension lets you check to make sure that the required client-side extensions are available for processing the GPO. (Client-side extensions are the piece that interprets the GPO and applies it to the environment where it's running. If the CSE isn't working, the GPO won't apply.)

GPM Domain. The root object for managing the GPOs within a domain, called from a GPM method. You can use this object to find out which domain controller the GPMC is using, and also to create objects such as the one representing individual GPOs. You can also use it to create WMI filters that allow you to set conditions under which a GPO will be applied.

GPMGPO represents a particular GPO in a domain (this doesn't work for local GPOs). It allows you to perform such tasks as identifying a GPO by its name, finding out its creation time and date, backing it up, importing it and getting security information for the GPO. This object has a related collection used to get all the GPOs and then help you find the particular one you're looking for.

GPMGPOLink allows you to manage the GPO links used for controlling inheritance of group policies. This object has a related collection object you can use to get a specific GPO link.

GPMMapEntry represents an entry in a migration table.

GPMMigrationTable allows you to manage a migration table. Used when you're copying or importing a GPO to update Universal Naming Convention (UNC) paths and security information.

GPMPermission represents the trustee (user, security group or computer) for a single object (GPO, WMI filter or scope of management. You can use this object, which is created by the GPM's CreatePermission method, to view the permissions on the object.

GPMResult has methods that allow you to get the status from management tasks such as backing up or copying a GPO.

GPMRSOP allows you to get the Resultant Set of Policy from a GPO. It is useful for testing and troubleshooting before you apply new GPOs in production.

GPMSearchCriteria lets you define the search criteria. Its Add method allows you to search for GPOs by specific criteria, such as the GPO's GUID or domain.

GPMSecurityInfo Not an object per se but a collection representing the security information for a single object (GPO, WMI filter or SOM). It interacts with the GPMPermission object representing the actual permissions.

GPMSitesContainer represents the forest containing the sites in that forest, corresponding to the highest level of scopes of management. You can use it to get access to the SOMs.

GPMSOM The scope of management corresponds to a site, domain or organizational unit. This object allows you to create and retrieve the GPO links for a site and set the SOM's permissions. This object has a corresponding collection used to return all the SOMs, so you can pick out the one you want.

GPMStatusMessage has as its properties the status messages and error codes available for particular management options. It can also return the path and name of the object that generated the status message or return code.

GPMTrustee represents a user, computer or security group in the domain. You can use this object to get specific information about the trustee, such as SID, object path in Active Directory or type.

GPMWMIFilter. WMI filters are queries used to determine whether a GPO should be applied in a particular set of circumstances, based on the results of the query. This object represents a particular WMI filter (a collection object represents all WMI filter objects) so that you can see its permissions and properties.

Note: Subsequent columns will address specific tasks to show how the object model works.

Editor's note: This is the 20th column in a continuing series on scripting that appears monthly on 

Access all of Christa Anderson's Scripting School columns here.

Christa Anderson, a Terminal Services MVP, is the Strategic Technology Manager for VisionApp. A former Program Manager for the Microsoft Terminal Services team, she is an internationally known authority on server-based computing. She has also written extensively about administrative scripting and has taught technical sessions on the subject at conferences, helping people who had never done any scripting to write their own scripts in half a day. In addition to her interest in scripting Windows management, Christa is the author of Windows Terminal Services, The Definitive Guide to MetaFrame XP, and co-author of the book Mastering Windows 2003 Server.

Dig Deeper on Windows File Management



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: