Create GPOs with PowerShell

We are in the process of migrating to a brand spanking new Active Directory … and since it’s new there are no GPOs yet.

To automate this and enforce a strict naming convention, we will use a self-service portal to create GPOs.
The portal will have a few drop-down boxes with predefined options, to minimize the risk of a user not creating the GPO the way we want it…

Anyway. This portal fires a PowerShell script that actually creates the GPO and sets a bunch of things on it.

This script will:

  • Create an AD group
  • Create a GPO
  • Remove Authenticated Users from the GPO’s Security Filtering
  • Add an Administrators group to the GPO
  • Add a group with edit access to the GPO
  • Add the AD group created in the first step to Security Filtering on the GPO
  • Disable the Computer or User settings of the policy, depending on the GPO scope
  • Add a GPO link to a Computer or User OU

Actually, our script also gives a few other groups and services (Advanced Group Policy Management, AGPM, to give one example) access to the GPOs, and we create a Test GPO as well… but I guess this is a good start for many of you.

PARAM (
        [string] $gpoScope = "U",
        [string] $gpoDescription = "PowershellTesting01",
        [string] $groupPrefix = "MyPrefix_L_",

        [string] $groupPath = "OU=All Groups,DC=snowland,DC=se",
        [string] $gpoLinkPathC = "OU=All Computers,DC=snowland,DC=se",
        [string] $gpoLinkPathU = "OU=All Users,DC=snowland,DC=se",

        [string] $gpoAdministrators = "MyPrefix_L_Role-GPO-Administrators",
        [string] $gpoEditors = "MyPrefix_L_Role-GPO-Editors"
)

Import-Module GroupPolicy
Import-Module ActiveDirectory

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Naming convention: GPO-<scope>-<description>; the filtering group is prefix + GPO name
$gpoName = "GPO-$($gpoScope)-$($gpoDescription)"
$adGroupName = "$($groupPrefix)$($gpoName)"
$domainName = (Get-ADDomain).NetBIOSName
# Pin every call to the same DC so the objects we just created are visible to the next step
$dcServer = (Get-ADDomainController).HostName

Write-Host "Settings:" -ForegroundColor Cyan
Write-Host "   AD GroupName       : $($adGroupName)" -ForegroundColor Cyan
Write-Host "   GPO Name           : $($gpoName)" -ForegroundColor Cyan
Write-Host "   GPO Scope          : $($gpoScope)" -ForegroundColor Cyan
Write-Host "   Domain Controller  : $($dcServer)" -ForegroundColor Cyan
Write-Host "   Domain Name        : $($domainName)" -ForegroundColor Cyan
Write-Host "" -ForegroundColor Cyan

# Domain-local group that will end up in the GPO's Security Filtering
Write-Host "AD: Create AD group -" -ForegroundColor Cyan
New-ADGroup -Name $adGroupName -Description "GPO $($gpoScope) $($gpoDescription)" -GroupScope DomainLocal -Path $groupPath -Server $dcServer

Write-Host "Policy: Create policy" -ForegroundColor Cyan
New-GPO -Name $gpoName -Comment "$($gpoScope) $($gpoDescription)" -Server $dcServer

Write-Host "10 second pause to give AD a chance to catch up" -ForegroundColor Cyan
Start-Sleep -Seconds 10

# PermissionLevel None removes the trustee's entry entirely (both Read and Apply)
Write-Host "Remove Authenticated Users from GPO Security Filtering" -ForegroundColor Cyan
Set-GPPermissions -Name $gpoName -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group -Server $dcServer

Write-Host "Add Administrators to GPO" -ForegroundColor Cyan
Set-GPPermissions -Name $gpoName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $gpoAdministrators -TargetType Group -Server $dcServer

Write-Host "Add Editors to GPO" -ForegroundColor Cyan
Set-GPPermissions -Name $gpoName -PermissionLevel GpoEdit -TargetName $gpoEditors -TargetType Group -Server $dcServer

# GpoApply = Read + Apply Group Policy, i.e. what GPMC shows under Security Filtering
Write-Host "Add AD-Group to Security Filtering on GPO" -ForegroundColor Cyan
Set-GPPermissions -Name $gpoName -PermissionLevel GpoApply -TargetName "$($adGroupName)" -TargetType Group -Server $dcServer

If ($gpoScope -eq "C") {
        # Assigning GpoStatus on the returned object writes the change back to the GPO
        Write-Host "Disable Policy User Settings" -ForegroundColor Cyan
        (Get-GPO -Name $gpoName -Server $dcServer).GpoStatus = "UserSettingsDisabled"

        Write-Host "Add GPO-link to Computer OU" -ForegroundColor Cyan
        New-GPLink -Name $gpoName -Target $gpoLinkPathC -LinkEnabled Yes -Server $dcServer
} else {
        Write-Host "Disable Policy Computer Settings" -ForegroundColor Cyan
        (Get-GPO -Name $gpoName -Server $dcServer).GpoStatus = "ComputerSettingsDisabled"

        Write-Host "Add GPO-link to User OU" -ForegroundColor Cyan
        New-GPLink -Name $gpoName -Target $gpoLinkPathU -LinkEnabled Yes -Server $dcServer
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Write-Host "" -ForegroundColor Cyan
Write-Host "Done!" -ForegroundColor Cyan

Now I only need to figure out how to get AGPM to take control of the GPO …
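An added verification step, not part of the script above: it reads the GPO's ACL back with Get-GPPermission and reports anything that differs from what the portal was supposed to set, which is the check you want before a portal-created GPO goes live. Parameter and group names mirror the script; the Read check at the end reflects MS16-072 (June 2016), after which user-side policy is retrieved in the computer's security context, so a GPO with Authenticated Users removed entirely needs some principal containing the computer accounts to keep at least Read.

```powershell
# Added example (not from the original script); group names below are constructed.
Import-Module GroupPolicy

function Test-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory=$true)] [string] $GpoName,
        [Parameter(Mandatory=$true)] [string] $ApplyGroup,   # should hold GpoApply
        [Parameter(Mandatory=$true)] [string] $AdminGroup,   # should hold GpoEditDeleteModifySecurity
        [Parameter(Mandatory=$true)] [string] $EditorGroup,  # should hold GpoEdit
        [string] $Server = (Get-ADDomainController).HostName
    )
    $perms    = Get-GPPermission -Name $GpoName -All -Server $Server
    $findings = @()

    # Map trustee name -> permission level (as string); trustees with no entry are absent
    $level = @{}
    foreach ($p in $perms) { $level[$p.Trustee.Name] = [string]$p.Permission }

    if ($level['Authenticated Users'] -eq 'GpoApply') {
        $findings += "Authenticated Users still has GpoApply: filtering was not restricted."
    }
    if ($level[$ApplyGroup] -ne 'GpoApply') {
        $findings += "$ApplyGroup lacks GpoApply: the policy will not apply to its members."
    }
    if ($level[$AdminGroup] -ne 'GpoEditDeleteModifySecurity') {
        $findings += "$AdminGroup lacks GpoEditDeleteModifySecurity."
    }
    if ($level[$EditorGroup] -ne 'GpoEdit') {
        $findings += "$EditorGroup lacks GpoEdit."
    }
    # MS16-072: user settings are read with the computer account, so keep a Read entry
    if (-not ($level['Authenticated Users'] -or $level['Domain Computers'])) {
        $findings += "No Read entry for Authenticated Users or Domain Computers: user settings will not apply after MS16-072."
    }
    # Any other trustee with edit rights deserves a look (defaults on a new GPO listed)
    $expected = @($AdminGroup, $EditorGroup, 'Domain Admins', 'Enterprise Admins', 'SYSTEM')
    foreach ($p in $perms) {
        $lvl = [string]$p.Permission
        if ((@('GpoEdit', 'GpoEditDeleteModifySecurity') -contains $lvl) -and ($expected -notcontains $p.Trustee.Name)) {
            $findings += "Unexpected edit rights for $($p.Trustee.Name) ($lvl)."
        }
    }
    return $findings
}

$issues = Test-GpoSecurityFiltering -GpoName 'GPO-U-PowershellTesting01' `
    -ApplyGroup 'MyPrefix_L_GPO-U-PowershellTesting01' `
    -AdminGroup 'MyPrefix_L_Role-GPO-Administrators' -EditorGroup 'MyPrefix_L_Role-GPO-Editors'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'GPO permissions match the intended layout' }
```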


AD Topology Diagrammer

Looks like a cool tool… haven’t had the time to test it… yet.

The Microsoft Active Directory Topology Diagrammer reads an Active Directory configuration using ActiveX Data Objects (ADO) and then automatically generates a Visio diagram of your Active Directory and/or your Exchange 200x Server topology. The diagrams include domains, sites, servers, administrative groups, routing groups and connectors, and can be changed manually in Visio if needed.

Microsoft Active Directory Topology Diagrammer


Quirks with the AD MP…

Just ran into a small problem with the AD MP. If you don’t want to monitor every AD server in a forest (that is, not have agents on all the servers), you get some error messages saying that replication isn’t working.

Why? Well, after “a little” script reading I concluded the following:
The Repl script runs locally on every DC and:
- Creates/updates a server-name record under MOMLatencyMonitors in the AD
- Searches the AD for the DCs that exist and checks that their server-name records were not created too long ago

So what does that mean? If there is no agent on DC02 and DC01 runs the script, it will see that DC02 exists in the AD but that the server-name record does not, and so it sends out an error message.

Moderately good, but that’s how it is. I would rather see it alert in a different way (e.g. an information alert) when there is no server-name record at all.

Oh well, it’s a script… scripts are meant to be hacked ;-)

In the script “AD Replication Monitoring” you can change the ReplCheck sub so that it leaves a number of servers out of the replication monitoring.

' Original line
'      strQuery = "<" & strLDAPSearchComputer & "CN=" & MONITORING_CONTAINER_NAME & "," & strRoot & ">;(objectCategory=container);whenChanged,adminDescription,cn;oneLevel"

' Changed to (excludes servers whose name matches SERVERNAMNET*)
      strQuery = "<" & strLDAPSearchComputer & "CN=" & MONITORING_CONTAINER_NAME & "," & strRoot & ">;(&(objectCategory=container)(!cn=SERVERNAMNET*));whenChanged,adminDescription,cn;oneLevel"
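An added example, not from the management pack: it runs the same LDAP filter the modified ReplCheck sub uses, with the exclusion clause built per server, so you can see which DC records the check would consider and which ones have gone stale before touching the MP script. The container path under the default naming context and the 24-hour age threshold are assumptions, and `DC02` is a constructed name.

```powershell
# Added example (not the AD MP's own code). Mirrors the strQuery above: search one level
# below the monitoring container for container objects, excluding the named DCs.
function Get-ReplRecordStatus {
    param(
        [string]   $MonitoringContainer = 'MOMLatencyMonitors',  # name used by the MP script
        [string[]] $ExcludePrefix = @(),                         # DCs without an agent, e.g. 'DC02'
        [int]      $MaxAgeHours = 24                             # assumed staleness threshold
    )
    # Assumption: the container sits directly under the domain naming context
    $root = ([adsi]'LDAP://RootDSE').defaultNamingContext
    # Build one (!cn=NAME*) clause per excluded server, exactly as the modified query does
    $exclude = ($ExcludePrefix | ForEach-Object { "(!cn=$_*)" }) -join ''
    $filter  = "(&(objectCategory=container)$exclude)"

    $searcher = [adsisearcher]$filter
    $searcher.SearchRoot  = [adsi]"LDAP://CN=$MonitoringContainer,$root"
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'whenChanged', 'adminDescription'))

    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    foreach ($r in $searcher.FindAll()) {
        $changed = [datetime]$r.Properties['whenchanged'][0]
        [pscustomobject]@{
            DC          = [string]$r.Properties['cn'][0]
            WhenChanged = $changed
            Stale       = ($changed -lt $cutoff)   # what the MP would alert on
        }
    }
}

# Records for DC02 are left out of the check, so a missing agent there no longer alerts
Get-ReplRecordStatus -ExcludePrefix 'DC02' | Format-Table -AutoSize
```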