Friday, April 2, 2010

Early preview of Group Policy Backup & Search Module

Alright, it’s taken WAY longer than I thought it would, but I finally have something I think is worth sharing in its very unfinished state.  First, what still sucks: the help is only slightly better than useless, the code itself is a bit jumbled and not well commented, not everything is formatted nicely when written to output, only 3 extensions (Software Installation, Scripts, and Policy/Registry – the big 3 for me) are implemented, and while the backup function works, you’re pretty much on your own for configuration at the moment.  That said, what does work is pretty cool (in my opinion):  You can search inside of your live group policy objects, as well as any archived XML Reports from Get-GPOReport, and get meaningful output!

Let’s go through an example.  First we need to get our new module up and running.  You can download the code for this post here.  (Don’t have 7-zip?  Get it.)  Once you have the code downloaded, extract the contents to one of your module directories:
  • %Windir%\System32\WindowsPowershell\v1.0\Modules
  • <My Documents>\WindowsPowerShell\Modules
A little up front configuration is needed.  Inside our module’s folder is a file named cgpo.config.xml.dist.  Create a copy of the file, rename it to cgpo.config.xml, and open it up in your editor of choice.  Find the following lines:

<CGPOXmlCachePath> 
    <!-- If this Element is left blank the module will default to a subdirectory of the user's temp directory. -->
</CGPOXmlCachePath>
<Domain>
    <!-- Help Goes Here -->
</Domain>


The only required information is your domain, entered in the ‘contoso.com’ format.  Type that in after the (admittedly unhelpful) comment.  If you would like to specify a directory to use to cache XML reports, enter that following the comment in the CGPOXmlCachePath element.  Our config file should look something like:

<CGPOXmlCachePath>
    <!-- If this Element is left blank the module will default to a subdirectory of the user's temp directory. -->
    C:\Temp\GPOXmlCache
</CGPOXmlCachePath>
<Domain>
    <!-- Help Goes Here -->
    sub.domain.com
</Domain>


Save the config file and open up ye’ PowerShell.  First load up the grouppolicy module from Win 7’s RSAT, then our new module.

PS> ipmo grouppolicy
PS> ipmo cgpo


If all is well, you should just get your prompt back.  Next, let’s check two variables to make sure our config file was read properly.  Your output should look like this:

PS> $CGPO_Domain 
my.domain.com
PS> $CGPO_ReportXmlCachePath
C:\Users\CLINT-~1\AppData\Local\Temp\CGPOReportXmlCache


Okay, all looks well.  Let’s jump in!  For kicks we’ll just do a “simple” search of our live GPOs.  Your results will, obviously, vary.

PS> Search-CGPOReports "printer"
ScriptType Command                                  Parameters
---------- -------                                  ----------
Logon      fix-printers-Shortcut.cmd                phs
Logon      fix-printers-Shortcut.cmd                adm
Logon      fix-printers-Shortcut.cmd                fes
Logon      fix-printers-Shortcut.cmd                lms



Name          : Check published state
Category      : Printers
GPOName       : Default Domain Controller Policy
GPOReportPath : C:\Users\clint-admin\AppData\Local\Temp\CGPOReportXmlCache\1.xml



Name          : Show only specified Control Panel items
Category      : Control Panel
GPOName       : logon-RESTRICTED-autoLogon-phs-libusers
GPOReportPath : C:\Users\clint-admin\AppData\Local\Temp\CGPOReportXmlCache\105.xml


The formatting is ugly due to the default formatters in PowerShell.  If all we want is a textual display of the results we can use the -summarize switch:

PS> Search-CGPOReports "printer" -summarize
ScriptType Command                                  Parameters
---------- -------                                  ----------
Logon      fix-printers-Shortcut.cmd                phs
Logon      fix-printers-Shortcut.cmd                adm
Logon      fix-printers-Shortcut.cmd                fes
Logon      fix-printers-Shortcut.cmd                lms



Name                                     Category
----                                     --------
Check published state                    Printers
Show only specified Control Panel items  Control Panel
Browse the network to find printers      Control Panel/Pri...
Show only specified Control Panel items  Control Panel


OK, nifty, but what if we want to dig around inside a specific GPO?

PS> $x = Get-GPOReport -Name <GPONAME> -ReportType XML | Get-CGPOReport
PS> $x | Get-Member

Or look at/search historical (backup) information?

PS> $y = Get-CGPOReport -ReportPath "C:\GPOBackupLocation"
PS> Search-CGPOReports -gpoReportPath "C:\CGPOBackupLocation" -pattern "Microsoft Office"

Or find all the current group policy objects that contain logon/logoff/startup/shutdown scripts?

PS> Update-GPOReportCache
PS> $z = Get-CGPOReport -reportPath $CGPO_ReportXmlCachePath -IncludedExtensionDetails "Scripts"
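
A comparable script inventory can be built with only the built-in GroupPolicy cmdlets, which is useful when reviewing which GPOs run logon or startup scripts. This is an added example, not code from the cgpo module: the function names and cache path are hypothetical, and the element names (Script, Command, Parameters, Type) are assumed from the Get-GPOReport XML layout.

```powershell
# Added example: built-in GroupPolicy cmdlets only; function names are hypothetical.
Import-Module GroupPolicy

function Export-GpoXmlCache {
    # Write one XML report per GPO into $CachePath, named by GPO GUID.
    param([Parameter(Mandatory = $true)][string]$CachePath)
    if (-not (Test-Path $CachePath)) { New-Item -ItemType Directory -Path $CachePath | Out-Null }
    foreach ($gpo in Get-GPO -All) {
        $file = Join-Path $CachePath ("{0}.xml" -f $gpo.Id)
        Get-GPOReport -Guid $gpo.Id -ReportType Xml |
            Set-Content -Path $file -Encoding Unicode
    }
}

function Get-ChildText($node, $name) {
    # Text of a direct child element by local name, or '' when it is absent.
    $child = $node.SelectSingleNode("*[local-name()='$name']")
    if ($null -ne $child) { $child.InnerText } else { '' }
}

function Find-GpoScript {
    # Emit one object per script entry whose command or parameters match $Pattern.
    param([Parameter(Mandatory = $true)][string]$CachePath, [string]$Pattern = '.')
    foreach ($file in Get-ChildItem -Path $CachePath -Filter *.xml) {
        $xml = New-Object System.Xml.XmlDocument
        $xml.LoadXml([IO.File]::ReadAllText($file.FullName))
        # Assumed report layout: <Script> entries with Command, Parameters and
        # Type children, nested under <Computer> or <User>. local-name() avoids
        # binding the report's generated namespace prefixes.
        foreach ($s in $xml.SelectNodes("//*[local-name()='Script']")) {
            $line = "{0} {1}" -f (Get-ChildText $s 'Command'), (Get-ChildText $s 'Parameters')
            if ($line -notmatch $Pattern) { continue }
            $scope = $s.SelectSingleNode("ancestor::*[local-name()='Computer' or local-name()='User']")
            [pscustomobject]@{
                GPOName    = Get-ChildText $xml.DocumentElement 'Name'
                Scope      = if ($null -ne $scope) { $scope.LocalName } else { '' }
                ScriptType = Get-ChildText $s 'Type'
                Command    = Get-ChildText $s 'Command'
                Parameters = Get-ChildText $s 'Parameters'
                ReportPath = $file.FullName
            }
        }
    }
}

Export-GpoXmlCache -CachePath 'C:\Temp\GPOXmlCache'   # hypothetical cache folder
Find-GpoScript -CachePath 'C:\Temp\GPOXmlCache' -Pattern 'printer' | Format-Table -AutoSize
```

Pointing `Find-GpoScript` at a folder of archived reports instead of a fresh export gives the same listing for a past point in time.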

Explore it, have fun, PLEASE PLEASE give me your feedback if you have any.  You can leave it in the comments here, or feel free to send me an email directly.  You can get the latest build via svn:

svn checkout http://clintgputilities.googlecode.com/svn/trunk/ clintgputilities-read-only