GPMC scripts allow you to create objects, such as a new GPO or a file
that will duplicate the entire GPO environment. These tasks are very
powerful and excellent for disaster recovery of the GPO infrastructure.
You can also clean up GPOs by using a script that deletes them.
1. CreateGPO.wsf
This script creates a new GPO with the name you specify.
Syntax
Usage: CreateGPO.wsf GPOName [/Domain:value]
GPOName: Name of the GPO to create.
Domain: DNS name of domain.
Example & Output
This script creates a GPO named Hardened Server GPO.
cscript CreateGPO.wsf "Hardened Server GPO"
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Created GPO 'Hardened Server GPO'
2. CreateXMLFromEnvironment.wsf
This script reads the live GPO environment (organizational units, GPOs,
GPO links, and so on) and creates an XML file representing that
environment. Administrators often use this script in conjunction with
CreateEnvironmentFromXML.wsf to back up and restore environments for
GPOs.
Note that you must specify the TemplatePath location as an existing
fully qualified path. The script will not create this location for you.
Syntax
Usage: CreateXMLFromEnvironment.wsf OutputFile /TemplatePath:value [/Domain:value]
[/DC:value] [/StartingOU:value] [/ExcludePermissions] [/IncludeAllGroups] [/IncludeUsers]
OutputFile: Name of the XML file to create.
TemplatePath: Storage location of the GPO templates (backups) containing the policy settings.
Domain: DNS name of domain. If you do not specify a domain, the script assumes it uses the
computer's domain.
DC: Domain controller to use.
StartingOU: Distinguished Name (DN) path to the starting organizational unit (OU), as an
alternative to processing the entire domain.
ExcludePermissions: Excludes policy-related permissions in the XML file.
IncludeAllGroups: Includes groups from the 'Users' container and the domain root, instead of
just OUs.
IncludeUsers: Includes user accounts as well as groups.
Example & Output
This script creates the FabrikamDomain.xml file, which will contain the
information related to all GPOs located in the gpo-backup share, as
well as the Group Policy information for the domain as listed in the
output.
cscript CreateXMLFromEnvironment.wsf FabrikamDomain.xml /TemplatePath:\\server1\gpo-backup
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
===================================================
Processing Environment
Output XML: FabrikamDomain.xml
Domain: Fabrikam.com
DC: Server1.Fabrikam.com
===================================================
Processing domain Fabrikam
Processing OU Domain Controllers
Done.
Backed up GPO Default Domain Policy with the following properties:
GPO ID: {31B2F340-016D-11D2-945F-00C04FB984F9}
Timestamp: Mon Nov 5 13:33:22 EST 2007
Backup ID: {118C096A-EEDE-47AB-87DB-2572D562DC99}
** Domain Admins has custom permissions. These will be dropped. **
** Enterprise Admins has custom permissions. These will be dropped. **
Warning: Some security permissions for GPO {31B2F340-016D-11D2-945F-00C04FB984F9}
were not recorded.
Processing GPO Default Domain Controllers Policy
Done.
Backed up GPO Default Domain Controllers Policy with the following properties:
GPO ID: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Timestamp: Mon Nov 5 13:33:24 EST 2007
Backup ID: {96761225-7D4C-4171-B311-CCF106B0535B}
** Domain Admins has custom permissions. These will be dropped. **
** Enterprise Admins has custom permissions. These will be dropped. **
Warning: Some security permissions for GPO {6AC1786C-016F-11D2-945F-00C04fB984F9}
were not recorded.
Processing GPO Desktop GPO
Done.
Saved XML to FabrikamDomain.xml.
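The output above reports custom permissions as dropped and some security permissions as not recorded, so the XML does not capture every GPO's full permission set. The following PowerShell is an added example, not part of the GPMC sample scripts: it checks that TemplatePath exists before running the script and lists, per GPO, the permissions the backup did not keep. The function names are hypothetical, and it assumes CreateXMLFromEnvironment.wsf is in the current directory.

```powershell
# Added example: Get-GpoBackupPermissionLoss and Invoke-GpoEnvironmentExport are
# hypothetical helper names, not part of the GPMC sample scripts.
function Get-GpoBackupPermissionLoss {
    param([string[]]$Line)
    $gpo = $null
    foreach ($text in $Line) {
        if ($text -match '^\s*Backed up GPO (.+) with the following properties:') {
            $gpo = $Matches[1]        # later warnings belong to this GPO
        }
        elseif ($text -match '^\s*\*\* (.+) has custom permissions\. These will be dropped\.') {
            [pscustomobject]@{ Gpo = $gpo; Issue = 'Dropped'; Detail = $Matches[1] }
        }
        elseif ($text -match '^\s*Warning: Some security permissions for GPO (\{[0-9A-Fa-f-]+\})') {
            [pscustomobject]@{ Gpo = $gpo; Issue = 'NotRecorded'; Detail = $Matches[1] }
        }
    }
}

function Invoke-GpoEnvironmentExport {
    param([Parameter(Mandatory)][string]$OutputFile,
          [Parameter(Mandatory)][string]$TemplatePath)
    # The script does not create TemplatePath, so fail early if it is missing.
    if (-not (Test-Path -LiteralPath $TemplatePath -PathType Container)) {
        throw "TemplatePath '$TemplatePath' does not exist."
    }
    # Assumes CreateXMLFromEnvironment.wsf is in the current directory.
    $output = & cscript.exe //NoLogo CreateXMLFromEnvironment.wsf $OutputFile "/TemplatePath:$TemplatePath" 2>&1
    Get-GpoBackupPermissionLoss -Line ($output | ForEach-Object { "$_" })
}

# Offline check against lines copied from the example output above.
$sample = @(
    'Backed up GPO Default Domain Policy with the following properties:'
    'GPO ID: {31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Backup ID: {118C096A-EEDE-47AB-87DB-2572D562DC99}'
    '** Domain Admins has custom permissions. These will be dropped. **'
    '** Enterprise Admins has custom permissions. These will be dropped. **'
    'Warning: Some security permissions for GPO {31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Processing GPO Desktop GPO'
)
Get-GpoBackupPermissionLoss -Line $sample | Format-Table -AutoSize
```

Any row in the result marks a GPO whose permissions need to be documented separately if the XML is to serve as a recovery source.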
3. CreateEnvironmentFromXML.wsf
This script populates Active Directory with objects (OUs, users,
security groups, GPOs, and permissions on GPOs) from an XML file. You
can create the XML file manually, or you can create it with the GPMC
script CreateXMLFromEnvironment. In most cases, you will work with an
existing XML file that was created with a script, instead of manually
creating the file.
Syntax
Usage: CreateEnvironmentFromXML.wsf /XML:value [/Undo] [/Domain:value] [/DC:value]
[/ExcludeSettings] [/ExcludePermissions] [/CreateUsersEnabled] [/PasswordForUsers:value]
[/MigrationTable:value] [/ImportDefaultGPOs] [/Q]
XML: XML file to process.
Undo: Deletes the objects specified in the XML instead of creating them.
Domain: DNS name of domain.
DC: Domain controller on which to perform all operations.
ExcludeSettings: Does not import GPO settings from templates specified in the XML.
ExcludePermissions: Ignores any permissions specified for GPOs and SOMs.
CreateUsersEnabled: Creates any user objects as enabled, instead of disabled.
PasswordForUsers: Password to use for any user objects that do not have passwords in the XML.
MigrationTable: Migration table to use when mapping security principals and paths across
domains.
ImportDefaultGPOs: Imports settings into the default domain GPOs if specified in the XML.
Q: Quiet mode - no confirmation warning will be displayed.
Example & Output
The output for this script is very large. This example has been
truncated to show only the significant parts of the output. You can see
that the example script here creates the entire environment described
in the Fabrikam.com domain XML file.
cscript CreateEnvironmentFromXML.wsf /XML:FabrikamDomain.xml
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
===================================================
Processing environment
XML: FabrikamDomain.xml
Forest: fabrikam.com
Domain: fabrikam.com
DC: Server1.fabrikam.com
===================================================
Warning! This script is intended primarily for use in a test environment.
===================================================
Processing WMI Filter nodes...
===================================================
===================================================
Processing GPO nodes...
===================================================
===================================================
Processing OU nodes...
===================================================
===================================================
Processing User nodes...
===================================================
===================================================
Processing SecurityGroup nodes...
===================================================
===================================================
Processing the Domain Root node...
===================================================
===================================================
Processing permissions on OU nodes...
===================================================
===================================================
Processing GPO permissions...
===================================================
Importing settings from \\server1\gpo-backup\{D3B77E91-CA0B-4C34-B99F-40FC14B7ACF7}
to GPO Desktop GPO in domain fabrikam.com.
The import operation completed successfully.
Done processing XML.
4. CreateMigrationTable.wsf
This script creates a migration table XML file that can be edited and
used for mapping UNC paths and security principals when performing
import and copy operations.
Syntax
Usage: CreateMigrationTable.wsf TableName [/GPO:value] [/BackupLocation:value] [/AllGPOs]
[/Overwrite] [/MapByName] [/Domain:value]
TableName: File name of the migration table the script will create.
GPO: Name of a GPO to process when building the migration table.
BackupLocation: File system location where backups are located.
AllGPOs: If specified, indicates that the script should process all GPOs in the domain.
Overwrite: If specified, overwrites an existing XML file instead of appending to it.
MapByName: If specified, sets the default destination to map by relative name.
Domain: DNS name of domain.
Example & Output
In this example, the migration table is a file called WGTable.xml,
which was created in the C:\Backup folder. The path to the file was
necessary for successful creation.
cscript CreateMigrationTable.wsf c:\backup\WGTable.xml /AllGPOs /Overwrite /Domain:Fabrikam.com
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Processing GPO 'Hardened Server GPO'
Processing GPO 'Server GPO'
Processing GPO 'Default Domain Policy'
Processing GPO 'Default Domain Controllers Policy'
Processing GPO 'Desktop GPO'
Processing GPO 'TestServer'
Done. Migration table 'c:\backup\WGTable.xml' was created.