Updating Group Policy on a Dark and Stormy Night


Summary: Guest Blogger Jason Helmick talks about updating an Enterprise GPO on a dark and stormy night using Windows PowerShell.

 

Microsoft Scripting Guy Ed Wilson is here. Guest Blogger Week continues today with Jason Helmick as our guest.

About the author

Jason Helmick is an Instructor at Interface Technical Training and specializes in Windows PowerShell. Jason and Mike Pfeiffer are the founders and hosts of the Arizona PowerShell User Group.

You can find Jason at:

 

An enterprise GPO update on a dark and stormy night 

It was a dark and stormy night in the data center. The rain fell in clumps, pounding the roof. "I hope those roof tiles hold tonight." I spoke out loud as I often do. I received the response I expected: a loud CLAP of thunder and more rain.

"I need to get these web servers deployed before morning!" The day was not a good one, filled with one emergency after another. I normally do not mind. The junior administrator staff normally handles the fires, but today was different.

It started at noon with the boss walking into my office. He sat down heavily in the chair I save for honored guests, the one next to the candy bowl. He is in the wrong chair again. He looked up and spoke: "Jason I need a new deployment of web servers on the middle tier by morning. The junior guys are racking the boxes and getting a base operating system deployed. I need 24 new web boxes or the new product launch fails. The developers tell me they can test and launch the site in the morning, but they don't think your department will be ready."

I was watching his right hand as he spoke. He usually manages to steal some of my candy, the candy I put there for special guests. I raised my eyes and smiled. "No problem." He stood with a start, "Good, then I'll see you at the launch in the morning!" With a gruff turn, he left. The rain was beginning to pound the roof harder.

I rose and closed the door to my office. No need to let my secrets slip out to the other IT admins. This was going to be a job for PowerShell Man. "This is going to be easy!" I again said out loud. "I'll grab the computer names from Active Directory, build a PowerShell remote session to them, and then load and run the ServerManager cmdlets to install the web servers. Easy!"

All I need to do is type—SCREAM! LOUD CRASH! "Help! The roof is leaking all over my Windows 7 PC!" The shrill of her voice made my spine freeze. Alice needed my help quickly, so I had better get this problem solved fast.

All I need to do is start by importing the Active Directory module. I'm running Windows Server 2008 R2, so I just installed the RSAT-ADDS tools with ServerManagerCmd -i RSAT-ADDS, but I keep a great article around in case I need them on a Windows 7 computer.

Import-Module ActiveDirectory

# Pull the names of the new web boxes from AD and open a remoting session to each one.
New-PSSession -ComputerName (Get-ADComputer -Filter { Name -like 'Web*' } | Select-Object -ExpandProperty Name)

 

"Dang!" THUNDER CLAP! "Remoting is not enabled on the new web servers!"

Yes, I like the Don Jones idea of coloring my errors green. It makes the errors seem less repulsive and more inviting. You can add this line to your profile to do the same.

$host.PrivateData.ErrorForegroundColor = "green"

I made a quick phone call to the junior administrators, also known as "the screwdriver crew." No one answered. There was no one to run out to the servers and enable Windows PowerShell remoting.

YELLING: “Someone help me, water is pouring all over my desk!” I needed to rescue Alice, but I also just needed to get this done!

I can create a GPO for the servers that enables Windows PowerShell remoting! Now where is that darn link that describes the GPO settings?

I quickly added the remoting and script-execution GPO for the web servers. Using the GPO article, I configured the following settings:

  1. I enabled "Allow automatic configuration of listeners" and set the IPv4 and IPv6 filters to "*". Be aware that "*" makes the WinRM service listen on every address the server has; the filters also accept IP address ranges (for example 10.10.50.1-10.10.50.254), so on servers with a dedicated management network you can confine the listener to that range. The setting can be found at the following location:

    Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service

  2. I also wanted to enable script execution in case I need it later. I enabled "Turn on Script Execution" and set the policy to "Allow only signed scripts" (the AllSigned execution policy). I always sign my scripts. Keep in mind that the execution policy only guards against running scripts by accident; Microsoft does not treat it as a security boundary, and a signed script is only as trustworthy as whoever signed it. The setting can be found at the following location:

    Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\

  3. In addition, I wanted the WinRM service to start automatically, so I set the Windows Remote Management (WS-Management) service to "Automatic" at this location:

    Computer Configuration\Policies\Windows Settings\Security Settings\System Services\

  4. Last, if Windows Firewall is running on those computers, they need an inbound rule, because WinRM listens on TCP port 5985 for HTTP (5986 for HTTPS). The predefined "Windows Remote Management" rule group covers this; scope the rule to the Domain profile and, where you can, to the addresses of your management hosts rather than to "Any". Again, I checked the article to get it right. The rule is created at the following location:

    Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules
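The same GPO can be built from the command line instead of clicking through the console. The following is an added example, not code from the post and not the article it refers to: it uses the GroupPolicy module (available once the GPMC feature is installed) to create the GPO, write the two registry-backed settings from steps 1 and 2, and link it to the OU that holds the web servers. Steps 3 and 4 (service startup type and the firewall rule) are left to the GPMC console as described above. The GPO name, the OU distinguished name and the management address range in the comment are assumptions for illustration.

```powershell
# Added example, not from the original post: create the "enable remoting" GPO
# with the GroupPolicy module. Requires the GPMC feature on the box you run it from.
# Steps 1 and 2 from the list are registry-backed administrative templates, so
# Set-GPRegistryValue can write them; the service startup type and the firewall
# rule (steps 3 and 4) are set in the GPMC console, not here.
Import-Module GroupPolicy

$GpoName  = 'WebTier-EnablePSRemoting'                     # assumed GPO name
$TargetOU = 'OU=WebServers,OU=Servers,DC=corp,DC=example'  # assumed OU of the web boxes

# The post uses "*" (listen on every address). To confine the listener to a
# management network, replace "*" with an address range such as
# '10.10.50.1-10.10.50.254' (an assumed range); several ranges may be comma-separated.
$IPv4Filter = '*'
$IPv6Filter = '*'

# Create the GPO only if it is not already there, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'WinRM listener and AllSigned execution policy for the web tier'
}

# Step 1: "Allow automatic configuration of listeners" (WinRM Service node).
$winrmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
Set-GPRegistryValue -Name $GpoName -Key $winrmKey -ValueName 'AllowAutoConfig' -Type DWord  -Value 1           | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $winrmKey -ValueName 'IPv4Filter'     -Type String -Value $IPv4Filter | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $winrmKey -ValueName 'IPv6Filter'     -Type String -Value $IPv6Filter | Out-Null

# Step 2: "Turn on Script Execution" set to "Allow only signed scripts" (AllSigned).
$psKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-GPRegistryValue -Name $GpoName -Key $psKey -ValueName 'EnableScripts'   -Type DWord  -Value 1           | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $psKey -ValueName 'ExecutionPolicy' -Type String -Value 'AllSigned' | Out-Null

# Link the GPO to the web server OU, once.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Read back what was written before the servers pull it down.
Get-GPRegistryValue -Name $GpoName -Key $winrmKey
Get-GPRegistryValue -Name $GpoName -Key $psKey
```

Re-running the script is harmless: the GPO and the link are created only when missing, and rewriting the same registry values changes nothing. Linking to the web server OU rather than the domain keeps the listener and the relaxed execution policy off every other machine.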

 

It took me about a minute to set the GPOs, but it would take time for the servers to update the policy—too much time. Alice was in bad shape. Like a sinking ship, she was up to her wheelhouse.

I knew I could restart all the servers with a Windows PowerShell cmdlet, but that is crazy. I just needed to update the policy! LOUD THUNDER CLAP! Gently, I felt a cool touch and a slight whisper in my left ear. The message wasn’t clear so I responded to the haunting voice: “Go to the Bonsai tree in my forest?”

LOUD THUNDER CLAP!

“No, you fool. Do you have BSonPoSH cmdlets for your Active Directory forest!?” Ah, it was The Scripting Guy, Ed Wilson! “Hey Scripting Guy, I don’t have the BSonPoSH cmdlets!” He responded with a gruff grumble, something about me not checking his blog on a regular basis, and then magically on my screen the URL appeared. “Go there and install them.”

Astonished at his power over my computer screen, I gasped, "But how is that going to help me, Scripting Guy?!" I could tell there was a slight pause of exasperation before he responded.

"Get-Help and Get-Command shall lead you to the solution." I quickly installed the cmdlets, imported the module (Import-Module BSonPosh) and typed Get-Help GPO.

That's it! That's the cmdlet I needed! A quick look at the full help for the cmdlet showed me that -ComputerName expected string input and accepted it from the pipeline both ByValue and ByPropertyName.

SCREAM! “I’m going to drown!” GURGLE!

I started to stand up and race from the office to save Alice, but I just needed to type one more thing. I imported the modules for ActiveDirectory and BSonPosh, and then updated the policies with the Update-GPO cmdlet:

Import-Module ActiveDirectory

Import-Module BSonPosh

# The computer names flow into Update-GPO ByValue as strings.
Get-ADComputer -Filter { Name -like 'Web*' } | Select-Object -ExpandProperty Name | Update-GPO

Without wasting any more of Alice's life than I needed to, I finished with a quick Windows PowerShell remote session installation of a web server.

$session = New-PSSession -ComputerName (Get-ADComputer -Filter { Name -like 'Web*' } | Select-Object -ExpandProperty Name)

# -Session keeps one runspace per server, so the module imported in the first call
# is still loaded when the second call runs (with -ComputerName each call starts fresh).
Invoke-Command -Session $session { Import-Module ServerManager }

Invoke-Command -Session $session { Add-WindowsFeature Web-Server }

Done!
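The post's Update-GPO cmdlet does the policy refresh for you. For a practitioner without the BSonPoSH module, the following added example (not the post's code and not BSonPoSH's implementation) shows one way to do the same with built-in cmdlets, plus the checks the story skips: it triggers gpupdate on each server over WMI, which rides on DCOM/RPC and so works before any WinRM listener exists, waits until each server actually answers WinRM, installs IIS in one script block, and verifies the feature state instead of assuming it. It assumes you hold local administrator rights on the targets and that their WMI inbound firewall rules allow the call. Only the 'Web*' name filter comes from the post; the function names are this example's own.

```powershell
# Added example, not the post's code and not the BSonPoSH module: refresh Group
# Policy over WMI, wait for WinRM to come up, install IIS and verify it.
# Assumes local admin rights on the targets and reachable WMI (DCOM/RPC).
Import-Module ActiveDirectory

function Invoke-RemoteGpUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias('Name','DNSHostName')]
        [string[]]$ComputerName   # strings ByValue, or AD computer objects ByPropertyName
    )
    process {
        foreach ($c in $ComputerName) {
            # Win32_Process.Create starts gpupdate on the remote box; ReturnValue 0 means it launched.
            $r = Invoke-WmiMethod -ComputerName $c -Class Win32_Process -Name Create `
                 -ArgumentList 'gpupdate.exe /target:computer /force' -ErrorAction Stop
            New-Object PSObject -Property @{
                ComputerName = $c
                Started      = ($r.ReturnValue -eq 0)
                ProcessId    = $r.ProcessId
            }
        }
    }
}

function Wait-WinRM {
    # Polls Test-WSMan (an unauthenticated Identify request to the listener) until
    # every name answers or the timeout passes; returns the names that never came up.
    param([string[]]$ComputerName, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $pending  = @($ComputerName)
    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        $pending = @($pending | Where-Object {
            try { Test-WSMan -ComputerName $_ -ErrorAction Stop | Out-Null; $false } catch { $true }
        })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds 10 }
    }
    return $pending
}

$servers = Get-ADComputer -Filter { Name -like 'Web*' } | Select-Object -ExpandProperty Name

# Kick off the policy refresh on every web box and show whether gpupdate launched.
$servers | Invoke-RemoteGpUpdate | Format-Table ComputerName, Started, ProcessId -AutoSize

# Do not open sessions until the listeners really exist.
$missing = Wait-WinRM -ComputerName $servers
if ($missing) { Write-Warning "No WinRM listener yet on: $($missing -join ', ')" }
$ready = @($servers | Where-Object { $missing -notcontains $_ })
if ($ready.Count -eq 0) { throw 'No web server is reachable over WinRM; check the GPO and the firewall rule.' }

# One script block per session: the module import and the install share a runspace.
$session = New-PSSession -ComputerName $ready
$result  = Invoke-Command -Session $session -ScriptBlock {
    Import-Module ServerManager
    Add-WindowsFeature Web-Server | Out-Null
    Get-WindowsFeature Web-Server |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Installed
}
Remove-PSSession $session

# Verify rather than assume: fail loudly if any box still reports IIS as not installed.
$result | Format-Table Computer, Installed -AutoSize
$failed = @($result | Where-Object { -not $_.Installed })
if ($failed.Count -gt 0) {
    throw "Web-Server is not installed on: $(($failed | ForEach-Object { $_.Computer }) -join ', ')"
}
```

The WMI call only launches gpupdate; it does not wait for it, which is why the script polls Test-WSMan afterwards instead of sleeping for a fixed time. Servers that never answer are reported and left out of the deployment rather than silently skipped.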

I ran to Alice’s cube and reached into the murky water. I felt a hand and then a Windows 7 PC. I lifted them both to safety. As I escorted Alice from the building a gentle whisper returned to my left ear. 

“Well done. Remember that the Scripting Community has many resources. Spend your time there.”

I sank back into my office chair closing up for the night. “Hey Scripting Guy? Want some candy before you go?”

And with a squeak of the chair opposite me, I knew my Active Directory management experience was just beginning. So many wonderful cmdlets: those by Microsoft, Quest, and of course BSonPoSH can help me manage a better Active Directory and network. The storms cleared and the rain stopped. In the morning, my boss came into the office again and sat in the wrong chair.

“I see you deployed the web servers. Must have taken you all night. Good job.” At that moment, he sneaked a candy, the ones I reserve for special guests.

 

I want to thank Jason for writing both an entertaining and informative guest article. Join us tomorrow as Guest Blogger Week continues with Thiyagu and part 1 of a two-part blog post about Exchange message headers.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

 

 

  • Minor typo:

    Invoke-Command –Session $ssesion {Add-WindowsFeature Web-Server}

    should be

    Invoke-Command –Session $session {Add-WindowsFeature Web-Server}

    Notice "$session"

  • @Pat Richard

    Thank you for that catch! Neither Jason, nor myself, nor Craig, nor the Scripting Wife caught that ... but you did!! WOO HOO!! Way to go, great job of close reading.

  • @Pat Richard

    Oh, yeah, forgot to say: I have corrected the post too :-)

  • Brilliant Jason,

    I laughed a lot! And you know what!? I really thought (even from the title) "this article must be 'a typical SEAN'" :-) He's my favorite guest blogger here (at least up to now :-)

    Well ... a really good article, especially if you add the links to the content, and a very good example of how to automate remote tasks!

    One thing left to say: I won't take Alice's place when you are the only person to rescue me .... you don't like Alice, do you???

    Klaus.