We are in the process of migrating to a brand spanking new Active Directory, and since it's new there are no GPOs yet.
To automate this and keep a strict naming convention, we will use a self-service portal to create GPOs.
This portal will have a few dropdown boxes with options, to minimize the risk of a user not creating the GPO the way we want it.
Anyway. This portal will fire a PowerShell script that actually creates the GPO and sets a bunch of things on it.
This script will:
- Create an AD group
- Create a GPO
- Remove Authenticated Users from the GPO's Security Filtering
- Add an administrators group to the GPO
- Add a group with editing access to the GPO
- Add the AD group created in the first step to Security Filtering on the GPO
- Disable the Computer or User settings of the policy, depending on the GPO scope
- Link the GPO to a Computer or User OU
Actually, our script gives a few other groups and services (Advanced Group Policy Management, AGPM, to give one example) access to the GPOs, and we create a Test-GPO as well… but I guess this is a good start for many of you.
PARAM (
    [string] $gpoScope = "U",
    [string] $gpoDescription = "PowershellTesting01",
    [string] $groupPrefix = "MyPrefix_L_",
    [string] $groupPath = "OU=All Groups,DC=snowland,DC=se",
    [string] $gpoLinkPathC = "OU=All Computers,DC=snowland,DC=se",
    [string] $gpoLinkPathU = "OU=All Users,DC=snowland,DC=se",
    [string] $gpoAdministrators = "MyPrefix_L_Role-GPO-Administrators",
    [string] $gpoEditors = "MyPrefix_L_Role-GPO-Editors"
)
Import-Module GroupPolicy
Import-Module ActiveDirectory
# Stop at the first failing cmdlet so the portal sees a failed run instead of a half-configured GPO
$ErrorActionPreference = "Stop"
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Derive the GPO name and the filtering group name from the scope (C/U) and the description chosen in the portal
$gpoName = "GPO-$($gpoScope)-$($gpoDescription)"
$adGroupName = "$($groupPrefix)$($gpoName)"
$domainName = (Get-ADDomain).NetBIOSName
# Pin every call to one domain controller so the group, the GPO and its permissions are written to the same replica
$dcServer = (Get-ADDomainController).HostName
Write-Host "Settings:" -ForegroundColor Cyan
Write-Host " AD GroupName : $($adGroupName)" -ForegroundColor Cyan
Write-Host " GPO Name : $($gpoName)" -ForegroundColor Cyan
Write-Host " GPO Scope : $($gpoScope)" -ForegroundColor Cyan
Write-Host " Domain Controller : $($dcServer)" -ForegroundColor Cyan
Write-Host " Domain Name : $($domainName)" -ForegroundColor Cyan
Write-Host "" -ForegroundColor Cyan
# Step 1: the group that will be the only principal allowed to apply the GPO
Write-Host "AD: Create AD group -" -ForegroundColor Cyan
New-ADGroup -Name $adGroupName -Description "GPO $($gpoScope) $($gpoDescription)" -GroupScope DomainLocal -Path $groupPath -Server $dcServer
# Step 2: the empty GPO itself
Write-Host "Policy: Create policy" -ForegroundColor Cyan
New-GPO -Name $gpoName -Comment "$($gpoScope) $($gpoDescription)" -Server $dcServer
Write-Host "10 second pause to give AD a chance to catch up" -ForegroundColor Cyan
Start-Sleep -Seconds 10
# Step 3: Authenticated Users gets Apply by default, which would make the GPO apply to everyone it is linked to
Write-Host "Remove Authenticated Users from GPO Security Filtering" -ForegroundColor Cyan
Set-GPPermission -Name $gpoName -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group -Server $dcServer
# Step 4: administrators may edit, delete and change the security of the GPO
Write-Host "Add Administrators to GPO" -ForegroundColor Cyan
Set-GPPermission -Name $gpoName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $gpoAdministrators -TargetType Group -Server $dcServer
# Step 5: editors may change settings but not delete the GPO or alter its ACL
Write-Host "Add Editors to GPO" -ForegroundColor Cyan
Set-GPPermission -Name $gpoName -PermissionLevel GpoEdit -TargetName $gpoEditors -TargetType Group -Server $dcServer
# Step 6: only members of the dedicated group apply the GPO
Write-Host "Add AD-Group to Security Filtering on GPO" -ForegroundColor Cyan
Set-GPPermission -Name $gpoName -PermissionLevel GpoApply -TargetName $adGroupName -TargetType Group -Server $dcServer
# Steps 7 and 8: disable the half of the policy that is not used and link the GPO to the matching OU
If ($gpoScope -eq "C") {
    Write-Host "Disable Policy User Settings" -ForegroundColor Cyan
    (Get-GPO -Name $gpoName -Server $dcServer).GpoStatus = "UserSettingsDisabled"
    Write-Host "Add GPO-link to Computer OU" -ForegroundColor Cyan
    New-GPLink -Name $gpoName -Target $gpoLinkPathC -LinkEnabled Yes -Server $dcServer
} else {
    Write-Host "Disable Policy Computer Settings" -ForegroundColor Cyan
    (Get-GPO -Name $gpoName -Server $dcServer).GpoStatus = "ComputerSettingsDisabled"
    Write-Host "Add GPO-link to User OU" -ForegroundColor Cyan
    New-GPLink -Name $gpoName -Target $gpoLinkPathU -LinkEnabled Yes -Server $dcServer
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Write-Host "" -ForegroundColor Cyan
Write-Host "Done!" -ForegroundColor Cyan
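A portal that creates GPOs unattended should also verify what it produced, so here is an added audit script (example code, not part of the original post) that reads back the permissions, status and link of a GPO created by the script above and reports anything that deviates from the intended result. Parameter names follow the script above; the default group names and OU paths are the same example values. One caveat the check also covers: since MS16-072 (June 2016) the client retrieves Group Policy in the computer's security context, so a GPO that grants Read to neither Authenticated Users nor Domain Computers stops applying, and the script above removes Authenticated Users entirely.

```powershell
# Added example: audit a GPO created by the portal script and return a pass/fail result.
# Parameter names mirror the creation script; the OU and group defaults are the same example values.
PARAM (
    [Parameter(Mandatory = $true)][string] $gpoName,
    [string] $gpoScope = "U",
    [string] $groupPrefix = "MyPrefix_L_",
    [string] $gpoAdministrators = "MyPrefix_L_Role-GPO-Administrators",
    [string] $gpoEditors = "MyPrefix_L_Role-GPO-Editors",
    [string] $gpoLinkPath = "OU=All Users,DC=snowland,DC=se"
)
Import-Module GroupPolicy
Import-Module ActiveDirectory
$ErrorActionPreference = "Stop"

$dcServer = (Get-ADDomainController).HostName
$adGroupName = "$($groupPrefix)$($gpoName)"
$problems = New-Object System.Collections.Generic.List[string]

# Trustee name -> permission level, as Group Policy sees the GPO's ACL
$perms = @{}
Get-GPPermission -Name $gpoName -All -Server $dcServer | ForEach-Object {
    $perms[$_.Trustee.Name] = "$($_.Permission)"
}

# Record a problem when a trustee does not hold exactly the expected level
function Test-Level([string] $trustee, [string] $expected) {
    if (-not $perms.ContainsKey($trustee)) {
        $problems.Add("'$trustee' has no permission on the GPO (expected $expected)")
    } elseif ($perms[$trustee] -ne $expected) {
        $problems.Add("'$trustee' has $($perms[$trustee]), expected $expected")
    }
}

# Read or Apply both let a principal read the GPO from SYSVOL and AD
function Test-CanRead([string] $trustee) {
    return $perms.ContainsKey($trustee) -and ($perms[$trustee] -in @("GpoRead", "GpoApply"))
}

# Security filtering: Authenticated Users must not apply, only the dedicated group does
if ($perms.ContainsKey("Authenticated Users") -and $perms["Authenticated Users"] -eq "GpoApply") {
    $problems.Add("'Authenticated Users' still has GpoApply; the GPO applies to everyone in the linked OU")
}
Test-Level $adGroupName "GpoApply"
Test-Level $gpoAdministrators "GpoEditDeleteModifySecurity"
Test-Level $gpoEditors "GpoEdit"

# MS16-072: the computer account must be able to read the GPO for it to apply at all
if (-not (Test-CanRead "Authenticated Users") -and -not (Test-CanRead "Domain Computers")) {
    $problems.Add("Neither 'Authenticated Users' nor 'Domain Computers' can read the GPO; clients will not apply it")
}

# Status: the unused half of the policy must be disabled
$expectedStatus = if ($gpoScope -eq "C") { "UserSettingsDisabled" } else { "ComputerSettingsDisabled" }
$actualStatus = "$((Get-GPO -Name $gpoName -Server $dcServer).GpoStatus)"
if ($actualStatus -ne $expectedStatus) {
    $problems.Add("GpoStatus is $actualStatus, expected $expectedStatus")
}

# Link: an enabled link must exist on the target OU
$link = (Get-GPInheritance -Target $gpoLinkPath -Server $dcServer).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    $problems.Add("GPO is not linked to $gpoLinkPath")
} elseif (-not $link.Enabled) {
    $problems.Add("GPO link on $gpoLinkPath is disabled")
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $gpoName matches the portal template" -ForegroundColor Green
    exit 0
}
Write-Host "Problems found on $gpoName :" -ForegroundColor Yellow
$problems | ForEach-Object { Write-Host " - $_" -ForegroundColor Yellow }
exit 1
```

Run it right after the creation script with the same `$gpoScope` and the OU the GPO was linked to, for example `.\Audit-Gpo.ps1 -gpoName "GPO-U-PowershellTesting01" -gpoScope U`. The exit code lets the portal treat a GPO that drifted from the template as a failed job, and the same script can be scheduled against all portal-created GPOs to catch later manual changes to their security filtering.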
Now I only need to figure out how to get AGPM to take control of the GPO …