Learn about Windows PowerShell
Hey, Scripting Guy! I need to work with Group Policy Objects (GPOs) by using a Windows PowerShell script. I understand there are new Group Policy cmdlets in Windows 7, but when I use the Get-Command cmdlet, I do not see any cmdlets. Is this a Release-to-Web (RTW) feature, or did it not make the cut for the final product?
-- CT
Hello CT,
Microsoft Scripting Guy Ed Wilson here. Today is going to be a great day. It began with a flurry of Twitter messages, continued by my updating our departmental calendar with three presentations to various user groups, and followed by a couple of meetings this afternoon. I am sipping a cup of green tea with a cinnamon stick in it, listening to Deep Purple on my Zune HD, and answering email sent to scripter@microsoft.com.
CT, the Windows PowerShell cmdlets for Group Policy do in fact exist, but you probably need to take an extra step to gain access to them. If you are working on a Windows Server 2008 R2 server, you need to add the Group Policy Management Console (GPMC). To do this, use the Add Features Wizard and select Group Policy Management from the list of features to install on the server, as shown in the following image.
You do not have to use the GUI wizard if you do not wish to do so. In addition, you do not have to use Remote Desktop to work remotely. Using Windows PowerShell 2.0, you can easily create a remote session on the remote server from your desktop computer. After the remote session is established, I like to change my working directory to the root of the c:\ drive to free up some of the command line. This is shown here:
PS C:\> Enter-PSSession -ComputerName hyperv-box
[hyperv-box]: PS C:\Users\ed\Documents> sl c:\
[hyperv-box]: PS C:\>
You will need to load a module to perform server management. If you are not sure of the exact name of the module, you can obtain a listing of all modules by using the Get-Module cmdlet with the –listavailable switch. This is seen here.
[hyperv-box]: PS C:\> Get-Module -ListAvailable

ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Manifest   ActiveDirectory           {}
Manifest   ADRMS                     {}
Manifest   ADRMSAdmin                {}
Manifest   AppLocker                 {}
Manifest   BestPractices             {}
Manifest   BitsTransfer              {}
Manifest   FailoverClusters          {}
Manifest   GroupPolicy               {}
Manifest   NetworkLoadBalancingCl... {}
Manifest   PSDiagnostics             {}
Manifest   ServerManager             {}
Manifest   TroubleshootingPack       {}
Manifest   WebAdministration         {}

[hyperv-box]: PS C:\>
ServerManager is the module that provides the ability to add and to remove features. To import it into the current session, use the Import-Module cmdlet. The cool thing is that while the ServerManager module exists on the remote Windows Server 2008 R2 server, it does not exist on the Windows 7 computer that I am using to perform the configuration. If ServerManager is too much typing, you can use wildcard characters to shorten the name. The Import-Module command is shown here:
[hyperv-box]: PS C:\> Import-Module server*
[hyperv-box]: PS C:\>
To see what commands are exported to the Windows PowerShell session by the ServerManager module, use the Get-Command cmdlet with the –module switch. This is shown here:
[hyperv-box]: PS C:\> Get-Command -Module server*

CommandType Name                  Definition
----------- ----                  ----------
Cmdlet      Add-WindowsFeature    Add-WindowsFeature [-Name] <Fe...
Cmdlet      Get-WindowsFeature    Get-WindowsFeature [[-Name] <S...
Cmdlet      Remove-WindowsFeature Remove-WindowsFeature [-Name] ...

[hyperv-box]: PS C:\>
The Add-WindowsFeature cmdlet is used to add features to the Windows Server 2008 R2 machine. The problem now is that there is no telling what the Group Policy Management Console feature is called from the command line. To determine the information needed to add the feature, use the Get-WindowsFeature cmdlet to create a list. Choose both the name and the displayname of the feature. I also sort the features by display name, and format the output as a table. The command and the associated output are shown here:
[hyperv-box]: PS C:\> Get-WindowsFeature | Sort-Object -Property displayname | Format-Table displayname, name -AutoSize

DisplayName                                         Name
-----------                                         ----
.NET Environment                                    WAS-NET-Environment
.NET Extensibility                                  Web-Net-Ext
.NET Framework 3.5.1                                AS-NET-Framework
.NET Framework 3.5.1                                NET-Framework-Core
.NET Framework 3.5.1 Features                       NET-Framework
Active Directory Administrative Center              RSAT-AD-AdminCenter
Active Directory Certificate Services               AD-Certificate
Active Directory Certificate Services Tools         RSAT-ADCS
Active Directory Domain Controller                  ADDS-Domain-Controller
Active Directory Domain Services                    AD-Domain-Services
Active Directory Federation Services                AD-Federation-Services
Active Directory Lightweight Directory Services     ADLDS
Active Directory module for Windows PowerShell      RSAT-AD-PowerShell
Active Directory Rights Management Server           ADRMS-Server
Active Directory Rights Management Services         ADRMS
Active Directory Rights Management Services Tools   RSAT-RMS
AD DS and AD LDS Tools                              RSAT-AD-Tools
AD DS Snap-Ins and Command-Line Tools               RSAT-ADDS-Tools
AD DS Tools                                         RSAT-ADDS
AD FS Web Agents                                    ADFS-Web-Agents
AD LDS Snap-Ins and Command-Line Tools              RSAT-ADLDS
Administration Tools                                ADDS-IDMU-Tools
Application Development                             Web-App-Dev
Application Server                                  Application-Server
ASP                                                 Web-ASP
ASP.NET                                             Web-Asp-Net
Background Intelligent Transfer Service (BITS)      BITS
Basic Authentication                                Web-Basic-Auth
BitLocker Drive Encryption                          BitLocker
BitLocker Drive Encryption Administration Utilities RSAT-BitLocker
BitLocker Drive Encryption Tools                    RSAT-Bitlocker-DriveEnc
BitLocker Recovery Password Viewer                  RSAT-Bitlocker-RecPwd
BITS Server Extensions Tools                        RSAT-Bits-Server
BranchCache                                         BranchCache
BranchCache for network files                       FS-BranchCache
Certificate Enrollment Policy Web Service           ADCS-Enroll-Web-Pol
Certificate Enrollment Web Service                  ADCS-Enroll-Web-Svc
Certification Authority                             ADCS-Cert-Authority
Certification Authority Tools                       RSAT-ADCS-Mgmt
Certification Authority Web Enrollment              ADCS-Web-Enrollment
CGI                                                 Web-CGI
Claims-aware Agent                                  ADFS-Claims
Client Certificate Mapping Authentication           Web-Client-Auth
COM+ Network Access                                 AS-Ent-Services
Command-line Tools                                  Backup-Tools
Common HTTP Features                                Web-Common-Http
Compact Server                                      BITS-Compact-Server
Configuration APIs                                  WAS-Config-APIs
Connection Manager Administration Kit               CMAK
Custom Logging                                      Web-Custom-Logging
Default Document                                    Web-Default-Doc
Deployment Server                                   WDS-Deployment
Desktop Experience                                  Desktop-Experience
DFS Namespaces                                      FS-DFS-Namespace
DFS Replication                                     FS-DFS-Replication
DHCP Server                                         DHCP
DHCP Server Tools                                   RSAT-DHCP
Digest Authentication                               Web-Digest-Auth
DirectAccess Management Console                     DAMC
Directory Browsing                                  Web-Dir-Browsing
Directory Service Integration                       MSMQ-Directory
Distributed File System                             FS-DFS
Distributed File System Tools                       RSAT-DFS-Mgmt-Con
Distributed Scan Server                             Print-Scan-Server
Distributed Transactions                            AS-Dist-Transaction
DNS Server                                          DNS
DNS Server Tools                                    RSAT-DNS-Server
Dynamic Content Compression                         Web-Dyn-Compression
Failover Clustering Tools                           RSAT-Clustering
Fax Server                                          Fax
Fax Server Tools                                    RSAT-Fax
Feature Administration Tools                        RSAT-Feature-Tools
Federation Service                                  ADFS-Federation
Federation Service Proxy                            ADFS-Proxy
File Server                                         FS-FileServer
File Server Resource Manager                        FS-Resource-Manager
File Server Resource Manager Tools                  RSAT-FSRM-Mgmt
File Services                                       File-Services
File Services Tools                                 RSAT-File-Services
FTP Extensibility                                   Web-Ftp-Ext
FTP Server                                          Web-Ftp-Server
FTP Service                                         Web-Ftp-Service
Group Policy Management                             GPMC
<Output Truncated>

[hyperv-box]: PS C:\>
The name of the feature is GPMC. Armed with this information, it is easy to use the Add-WindowsFeature cmdlet to add the GPMC feature. After you have run the command, use the Get-WindowsFeature cmdlet to reassure yourself that the feature is actually installed:
[hyperv-box]: PS C:\> Add-WindowsFeature -Name gpmc

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Group Policy Management}

[hyperv-box]: PS C:\> Get-WindowsFeature -Name gpmc

Display Name                                            Name
------------                                            ----
[X] Group Policy Management                             GPMC

[hyperv-box]: PS C:\>
While the feature is being installed, a progress bar is produced across the top of the Windows PowerShell console. This is shown in the following image.
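The interactive steps above can also be run in one pass with Invoke-Command, so the server is changed only when GPMC is actually missing and the outcome is returned as an object you can log. This is an added example, not code from the original article; the function name Install-RemoteGpmc is hypothetical, and it assumes PowerShell remoting is enabled on the server and that you have administrative rights there.

```powershell
# Added example: idempotent remote install of the GPMC feature.
# Install-RemoteGpmc is a hypothetical name; hyperv-box is the server used in the article.
function Install-RemoteGpmc {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # ServerManager lives on the Windows Server 2008 R2 target, not on the Windows 7 client.
        Import-Module ServerManager -ErrorAction Stop

        $before  = Get-WindowsFeature -Name GPMC
        $restart = 'No'

        if (-not $before.Installed) {
            # Only modify the server when the feature is missing.
            $result = Add-WindowsFeature -Name GPMC
            if (-not $result.Success) {
                throw "Add-WindowsFeature GPMC failed on $env:COMPUTERNAME (exit code: $($result.ExitCode))"
            }
            $restart = "$($result.RestartNeeded)"
        }

        # Re-query instead of trusting the install result, then confirm the
        # GroupPolicy module is now visible to Get-Module -ListAvailable.
        $after    = Get-WindowsFeature -Name GPMC
        $gpModule = Get-Module -ListAvailable | Where-Object { $_.Name -eq 'GroupPolicy' }

        New-Object PSObject -Property @{
            Server            = $env:COMPUTERNAME
            AlreadyInstalled  = $before.Installed
            InstalledNow      = $after.Installed
            RestartNeeded     = $restart
            GroupPolicyModule = [bool]$gpModule
        }
    }
}

Install-RemoteGpmc -ComputerName hyperv-box |
    Format-Table Server, AlreadyInstalled, InstalledNow, RestartNeeded, GroupPolicyModule -AutoSize
```

Because the function accepts an array of names, the same call can report the GPMC state of several servers at once, which is useful for confirming which hosts carry Group Policy management tooling.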
On a Windows 7 computer, you will need to add the Remote Server Administration Tools (RSAT) to gain access to the Group Policy cmdlets. You will first need to download the RSAT tools for your platform, either 64-bit or 32-bit Windows 7. The amd64fre_GRMRSATX_MSU.msu version works on my Intel 64-bit computer.
Once you have downloaded and installed the proper RSAT package, you have to go into Control Panel/Programs and Features and choose Turn Windows Features on or off. This step requires admin rights. The RSAT package adds the Remote Server Administration Tools item in the dialog box. The dialog is shown in the following image.
Because we are talking about using Windows PowerShell to manage Group Policy, make sure you select the Group Policy Management Tools. Go ahead and add other tools that you feel you would like to have as well. Unfortunately, there does not seem to be an “Add all tools” button, and therefore you are forced to navigate through dozens and dozens of nested little check boxes to add all the tools. This is seen in the following image.
After you have added the Group Policy Management Tools, you can import the GroupPolicy module and begin using the cmdlets. We will look at that tomorrow.
CT, that is all there is to installing and accessing the Group Policy Management Windows PowerShell cmdlets. Group Policy Week will continue tomorrow when we will talk about importing the GroupPolicy module into the current Windows PowerShell session and exploring the available cmdlets.
If you would like to follow us on Twitter or Facebook we would love to interact with you. Some of the ideas for this week’s Group Policy articles came from suggestions I received on Twitter. If you have any questions, send e-mail to us at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson and Craig Liebendorfer, Scripting Guys
Hello Ed, Thanks for the article. You forgot to include instructions on how to load Import-Module server* on Windows 7 box. Would you be able to add the missing info?