6 Using Windows PowerShell to Manage Group Policy

Upload: alexandreantunes

Post on 21-Nov-2015

  • 16/11/2014 6 Using Windows PowerShell to Manage Group Policy

    https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=7&FontSize= 1/16

    6 Using Windows PowerShell to Manage Group Policy

    Section Topics

    - Introducing Windows PowerShell
    - Windows PowerShell Library for Group Policy
    - Windows PowerShell-Based Logon Scripts

    Section Objectives

    After completing this section, you will be able to:

    - Describe the Windows PowerShell features
    - Explain how to perform the basic Windows PowerShell operations
    - Explain how to access the Windows PowerShell library for Group Policy
    - List the third-party Windows PowerShell-based logon script tools

    Section Overview

    Windows PowerShell allows for automation in a more powerful form than previous scripting methods such as VBScript or batch files. This section explains how to navigate and use basic Windows PowerShell commands and how to use Windows PowerShell to manage Group Policy. It also explains how you can use PowerShell logon scripts with Group Policy.

    Introducing Windows PowerShell

    Figure 134: Introducing Windows PowerShell

    Windows PowerShell is a new Windows command-line shell designed to perform system administration tasks. Windows PowerShell is both an interactive prompt and a scripting environment that you can use separately or in conjunction with each other.

    Windows PowerShell is built on the .NET CLR and the .NET Framework, and interacts with .NET objects. This change in the environment brings entirely new capabilities to the management and configuration of Windows.

    Windows PowerShell includes more than a hundred basic core cmdlets, and you can write customized cmdlets and share them with other users.

    Important Terms

    Cmdlets are single-function tools built into the shell.

    As with the command-prompt, Windows PowerShell gives you access to the file system on the computer. Additional Windows PowerShell providers enable you to access the registry and the digital signature certificate stores as easily as you access the file system.

    Windows PowerShell also allows the management of roles in Windows Server 2008 and later, such as IIS 7.0, Terminal Server, Microsoft Exchange Server 2007 and Microsoft Operations Manager 2007. Third-party vendors have also provided Windows PowerShell commands that improve manageability.

    This topic describes the features of Windows PowerShell. It explains the different ways that you can use Windows PowerShell, and finally, how to use the tool.

    Windows PowerShell Features

    Figure 135: Windows PowerShell Features

    Windows PowerShell goes far beyond the standard command-prompt interface in terms of capabilities. Some of the Windows PowerShell features are:

    - Thousands of command-line tools (called cmdlets) for performing administrative tasks, such as managing the registry, services, processes, event logs, certificates, WMI, and much more
    - Scripting language that accelerates automation of repetitive tasks due to its integration with the command-line shell
    - Support for existing scripts, existing command-line tools, and multiple operating systems, including Windows XP and later versions
    - Commands that follow standard naming conventions and work with a small set of intuitive utilities (where, select, sort, format, measure, compare, group) in order to provide consistency and improve efficiency
    - Standardized tools for accessing many of the Windows data structures, including Active Directory (ADSI) data, WMI, COM objects, ADO, HTML, and XML data
    - Simplified, command-based navigation of the operating system that lets users navigate the registry, certificate store, and other data by using the same commands they use to navigate the file system
    - New logging and error-handling capabilities for script execution tracking and error handling
    - Simple access to objects and system administration data, and the ability to pipe objects between command-line tools
    - Extensible interface that allows third-party vendors to quickly build custom tools and utilities to administer Windows

    Windows PowerShell Scenarios

    Figure 136: Windows PowerShell Scenarios

    You can use Windows PowerShell to perform a variety of administrative tasks. Some common scenarios in which Windows PowerShell can be used are:

    - Managing services, processes, registry, and WMI data: Common administration tasks, such as enumerating running services or processes, viewing the registry, and modifying data stored in WMI, are simplified with the built-in command-line tools.
    - Terminal Server management: Through data stored in WMI, Windows PowerShell scripts can automate Terminal Server configuration changes. With Windows PowerShell you can easily automate the management of Terminal Server farms.
    - Managing IIS 7.0: Windows PowerShell is a powerful tool for managing IIS 7.0 (Internet Information Services 7.0) and you can use it to manage any aspect of IIS 7.0, including deploying and configuring IIS 7 across a Web farm.
    - Managing Group Policy: You can now use Windows PowerShell to create and manage group policy with a new library of cmdlets.
    - Logon Scripts: Since Windows PowerShell is installed by default on Windows 7 and later, you can now use it for logon scripts in those operating systems.
    - And much more! There are so many new capabilities of PowerShell 3.0 that it is impossible to cover them all in one section. PowerShell ultimately has the ability to perform most of the activities available in the graphical interface and more.

    Using Windows PowerShell

    Figure 137: Using Windows PowerShell

    Using Windows PowerShell is not very different from using the command prompt. However, Windows PowerShell supports thousands of additional commands.

    Opening Windows PowerShell

    Figure 138: Opening Windows PowerShell

    You can open Windows PowerShell in any of the three ways shown in Figure 138.

    Chaining Commands

    Figure 139: Chaining Commands

    One of the more powerful features of the Windows PowerShell interface is the ability to chain several commands together on the same line. Try typing the command as shown in Figure 139 in Windows PowerShell.

    This passes the list of all available cmdlets to an HTML conversion cmdlet and outputs the results to a Web page called cmdlets.htm. It then launches the Web page using the registered handler of .htm files.

    The pipe symbol | tells PowerShell to send the object output of one cmdlet to the next cmdlet in line. The semicolon ; tells PowerShell to execute the next command as a separate command, as if it were typed on a separate line.
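
    Figure 139 is not reproduced in this transcript. The chain below is an added example, not the courseware's own command, that matches the description above and shows that objects rather than text travel through the pipe; the output path and the selected columns are assumptions.

    ```powershell
    # Added example, not taken from Figure 139. The output path and the
    # chosen columns are assumptions made for illustration.
    $report = Join-Path $env:TEMP 'cmdlets.htm'

    # Each | hands live objects (not text) to the next cmdlet, so later
    # stages can filter and sort on properties such as CommandType, Name
    # and ModuleName. The ; ends the pipeline; Invoke-Item then runs as a
    # separate command and opens the file with the registered .htm handler.
    Get-Command |
        Where-Object { $_.CommandType -eq 'Cmdlet' } |
        Sort-Object ModuleName, Name |
        Select-Object Name, ModuleName |
        ConvertTo-Html -Title 'Available cmdlets' |
        Out-File -FilePath $report -Encoding UTF8; Invoke-Item $report

    # Because objects flow through the pipe, the same data can be summarised
    # without parsing any text: count the cmdlets each module contributes.
    Get-Command -CommandType Cmdlet |
        Group-Object ModuleName |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 10
    ```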

    Writing Scripts

    Figure 140: Writing Scripts

    You can compose scripts directly at the command-line within Windows PowerShell. For simple scripts, you do not need to type them into a text file first and execute them later.

    Try typing the code as shown in Figure 140.

    Running Scripts

    Figure 141: Running Scripts

    For complex scripts, you can save them to a text file with a .ps1 extension. You must run scripts by typing the full path to the file, or, if the current directory is where the scripts are located, by typing .\ before the file name.

    However, Windows PowerShell scripts cannot be run by default due to security constraints in the operating system. To permit the .ps1 file to run, open a Windows PowerShell prompt and type:

    Set-ExecutionPolicy RemoteSigned
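
    Before relaxing the policy it helps to see which scope is actually in effect and which scripts RemoteSigned will still refuse. The following is an added example, not part of the courseware, for PowerShell 3.0 or later; the function name Get-ScriptTrustReport and the folder C:\Scripts are hypothetical.

    ```powershell
    # Added example, not from the courseware (needs PowerShell 3.0 or later).
    # Get-ScriptTrustReport and C:\Scripts are hypothetical names.

    # 1. Show the policy at every scope. The first entry that is not
    #    'Undefined' is the effective one; MachinePolicy and UserPolicy come
    #    from Group Policy and override anything set locally.
    Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

    # 2. Set RemoteSigned for the current user only. Without -Scope the
    #    cmdlet writes to LocalMachine and needs an elevated prompt.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    # 3. Report how RemoteSigned treats each script in a folder.
    function Get-ScriptTrustReport {
        param([Parameter(Mandatory = $true)][string]$Path)

        foreach ($file in Get-ChildItem -Path $Path -Filter *.ps1 -File) {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName

            # Downloaded files carry a Zone.Identifier alternate data stream;
            # ZoneId 3 (Internet) or 4 (Restricted sites) marks them as remote.
            $zoneId = $null
            $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneLine = $ads | Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
            if ($zoneLine) { $zoneId = [int]($zoneLine -replace '^ZoneId=', '') }
            $remote = ($zoneId -ge 3)

            [pscustomobject]@{
                Script    = $file.Name
                Signature = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject  # empty when unsigned
                ZoneId    = $zoneId
                # Local scripts run unsigned; remote ones need a valid signature.
                # Simplification: scripts on UNC paths outside the intranet zone
                # are also treated as remote, which this check does not cover.
                Verdict   = if ($remote -and $sig.Status -ne 'Valid') { 'Blocked' } else { 'Allowed' }
            }
        }
    }

    Get-ScriptTrustReport -Path 'C:\Scripts' | Format-Table -AutoSize
    ```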

    Core Cmdlets

    The following cmdlets are some of the Core cmdlets used on a routine basis in Windows PowerShell:

    | Cmdlet | Description |
    |---|---|
    | Add-History | Appends entries to the session history. |
    | Add-PSSnapin | Adds one or more Windows PowerShell snap-ins to the current session. |
    | Clear-History | Deletes entries from the command history. |
    | Clear-Host | Deletes entries from the command history. |
    | Connect-PSSession | Reconnects to disconnected sessions. |
    | Disable-PSRemoting | Prevents the computer from receiving remote Windows PowerShell commands. |
    | Disable-PSSessionConfiguration | Denies access to the session configurations on the local computer. |
    | Disconnect-PSSession | Disconnects from a session. |
    | Enable-PSRemoting | Configures the computer to receive remote commands. |
    | Enable-PSSessionConfiguration | Configures the computer to receive remote commands. |
    | Enter-PSSession | Starts an interactive session with a remote computer. |
    | Exit-PSSession | Ends an interactive session with a remote computer. |
    | Export-Console | Exports the names of snap-ins in the current session to a console file. |
    | Export-ModuleMember | Specifies the module members that are exported. |
    | ForEach-Object | Performs an operation against each of a set of input objects. |
    | Get-Command | Gets all commands. |
    | Get-Help | Displays information about Windows PowerShell cmdlets and concepts. |
    | Get-History | Gets a list of the commands entered during the current session. |
    | Get-Job | Gets Windows PowerShell background jobs (PsJobs) that are running in the current console. |
    | Get-Module | Gets the modules that have been imported, or can be imported, into the current session. |
    | Get-PSSession | Gets the Windows PowerShell sessions (PSSessions) in the current session. |
    | Get-PSSessionConfiguration | Gets the session configurations registered on the computer. |
    | Get-PSSnapin | Gets the Windows PowerShell snap-ins on the computer. |
    | Get-Verb | Gets approved Windows PowerShell verbs. |
    | Import-Module | Adds modules to the current session. |
    | Invoke-Command | Runs commands on local and remote computers. |
    | Invoke-History | Runs commands from the session history. |
    | New-Module | Creates a new dynamic module that exists only in memory. |
    | New-ModuleManifest | Creates a new module manifest. |
    | New-PSSession | Creates a persistent connection to a local or remote computer. |
    | New-PSSessionConfigurationFile | Creates a file that defines a session configuration. |
    | New-PSSessionOption | Creates an object that contains advanced options for a session. |
    | New-PSTransportOption | Creates an object that contains advanced options for a session configuration. |
    | Out-Default | Sends the output to the default formatter and the default output cmdlet. It is a placeholder that lets you write your own Out-Default function or cmdlet. |
    | Out-Host | Sends output to the console. |
    | Out-Null | Deletes output instead of sending it to the console. |
    | Receive-Job | Gets the results of the Windows PowerShell background jobs in the current session. |
    | Register-PSSessionConfiguration | Creates and registers a new session configuration. |
    | Remove-Job | Deletes a Windows PowerShell background job. |
    | Remove-Module | Removes modules from the current session. |
    | Remove-PSSession | Closes one or more Windows PowerShell sessions (PSSessions). |
    | Remove-PSSnapin | Removes Windows PowerShell snap-ins from the current session. |
    | Resume-Job | Restarts a suspended job. |
    | Save-Help | Downloads and saves the newest help files to a file system directory. |
    | Set-PSDebug | Turns script debugging features on and off, sets the trace level and toggles strict mode. |
    | Set-PSSessionConfiguration | Changes the properties of a registered session configuration. |
    | Set-StrictMode | Establishes and enforces coding rules in expressions, scripts, and script blocks. |
    | Start-Job | Starts a Windows PowerShell background job. |
    | Stop-Job | Stops a Windows PowerShell background job. |
    | Suspend-Job | Temporarily stops workflow jobs. |
    | Test-ModuleManifest | Verifies that a module manifest accurately describes the contents of a module. |
    | Test-PSSessionConfigurationFile | Verifies the keys and values in a session configuration file. |
    | Unregister-PSSessionConfiguration | Deletes registered session configurations from the computer. |
    | Update-Help | Downloads and installs the newest help files on your computer. |
    | Wait-Job | Suppresses the command prompt until one or all of the Windows PowerShell background jobs are complete. |
    | Where-Object | Creates a filter that controls which objects will be passed along a command pipeline. |

    Figure 142: Available Cmdlets

    Windows PowerShell Library for Group Policy

    Figure 143: Windows PowerShell Library for Group Policy

    Windows PowerShell now includes a library of routines specifically for managing group policies.

    The Group Policy module for Windows PowerShell is not loaded by default. To load this module, open Windows PowerShell and type: import-module grouppolicy.

    To see the list of Group Policy related commands, open Windows PowerShell and type get-command -module grouppolicy. This will display a list of all the cmdlets (Figure 144) that are available in the Group Policy module.

    Windows PowerShell Cmdlets for Group Policy

    Figure 144: Windows PowerShell Commands for Group Policy
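
    Once the module is loaded, its cmdlets can be combined into a routine review of who is able to change policy. The following is an added example, not part of the courseware; it assumes a domain-joined computer with the Group Policy Management tools installed, and the function name, the trusted-editor list and the backup folder are hypothetical.

    ```powershell
    # Added example, not from the courseware. Requires the GroupPolicy module
    # on a domain-joined computer. Get-GpoEditDelegation, the trusted-editor
    # names and C:\GPOBackup are assumptions.
    Import-Module GroupPolicy

    # The cmdlets the module exposes (the list Figure 144 refers to).
    Get-Command -Module GroupPolicy | Sort-Object Noun, Verb | Format-Table Name

    function Get-GpoEditDelegation {
        param(
            # Accounts expected to hold edit rights; all others are reported.
            [string[]]$TrustedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
        )

        foreach ($gpo in Get-GPO -All) {
            # Older versions of the module name this cmdlet Get-GPPermissions.
            foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
                $perm = [string]$ace.Permission
                $canEdit = @('GpoEdit', 'GpoEditDeleteModifySecurity') -contains $perm
                if ($canEdit -and ($TrustedEditors -notcontains $ace.Trustee.Name)) {
                    [pscustomobject]@{
                        Gpo        = $gpo.DisplayName
                        Modified   = $gpo.ModificationTime
                        Trustee    = $ace.Trustee.Name
                        Sid        = $ace.Trustee.Sid.Value
                        Permission = $perm
                    }
                }
            }
        }
    }

    # Review unexpected editors, then keep an offline backup and an HTML
    # settings report of every GPO for later comparison.
    Get-GpoEditDelegation | Sort-Object Gpo | Format-Table -AutoSize

    $backupDir = 'C:\GPOBackup'     # hypothetical path
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    Backup-GPO -All -Path $backupDir | Select-Object DisplayName, Id, BackupDirectory
    Get-GPOReport -All -ReportType Html -Path (Join-Path $backupDir 'AllGPOs.html')
    ```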

    Windows PowerShell-Based Logon Scripts

    Figure 145: Windows PowerShell Logon Scripts

    Since Windows PowerShell is now installed by default on Windows 7 and later, it is possible to use Windows PowerShell-based logon scripts to affect those computers.

    Windows PowerShell logon scripts can be far more powerful than their batch file and VBScript counterparts. With PowerShell, you can map drives, create shortcuts, change registry values, create activity logs, copy files, map printers and much more! The code for performing these operations is often simpler than VBScript.
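
    A logon script covering four of the operations listed above (drive mapping, a registry value, a shortcut and an activity log), with each step logged so failures can be traced afterwards. This is an added example, not part of the courseware; the server, share, registry key and log location are hypothetical placeholders.

    ```powershell
    # Added example, not from the courseware. Server, share, registry key and
    # log location are hypothetical placeholders. The script runs in the
    # user's own context, so it needs no stored credentials.
    $ErrorActionPreference = 'Stop'
    $logFile = Join-Path $env:LOCALAPPDATA 'Logon\logon.log'
    New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null

    function Write-LogonLog {
        param([string]$Message, [string]$Level = 'INFO')
        $line = '{0:s} {1} {2}\{3} {4}' -f (Get-Date), $Level, $env:USERDOMAIN, $env:USERNAME, $Message
        Add-Content -Path $logFile -Value $line
    }

    Write-LogonLog "Logon script started on $env:COMPUTERNAME"

    # Map a drive (New-PSDrive -Persist needs PowerShell 3.0 or later).
    try {
        if (-not (Get-PSDrive -Name H -ErrorAction SilentlyContinue)) {
            New-PSDrive -Name H -PSProvider FileSystem -Root '\\fileserver.example.com\home' -Persist -Scope Global | Out-Null
            Write-LogonLog 'Mapped H: to \\fileserver.example.com\home'
        }
    } catch {
        Write-LogonLog "Drive mapping failed: $($_.Exception.Message)" 'ERROR'
    }

    # Change a per-user registry value through the registry provider.
    try {
        $key = 'HKCU:\Software\ExampleCorp\Logon'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name LastLogonScriptRun -Value (Get-Date -Format s)
        Write-LogonLog "Updated $key"
    } catch {
        Write-LogonLog "Registry update failed: $($_.Exception.Message)" 'ERROR'
    }

    # Create a desktop shortcut through the WScript.Shell COM object.
    try {
        $shell = New-Object -ComObject WScript.Shell
        $desktop = [Environment]::GetFolderPath('Desktop')
        $lnk = $shell.CreateShortcut((Join-Path $desktop 'Home Drive.lnk'))
        $lnk.TargetPath = 'H:\'
        $lnk.Save()
        Write-LogonLog 'Created desktop shortcut'
    } catch {
        Write-LogonLog "Shortcut creation failed: $($_.Exception.Message)" 'ERROR'
    }

    Write-LogonLog 'Logon script finished'
    ```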

    The built-in PowerShell ISE is invaluable in assisting you when creating any kind of PowerShell script. It supports colorized code, IntelliSense and code completion.

    There are also third-party tools that can help you to create and manage Windows PowerShell logon scripts:

    - Specops Command (http://www.specopssoft.com)
    - Admin Script Editor (ASE) (http://adminscripteditor.com)
    - PowerGUI (http://www.powergui.org)

    Acronyms

    The following acronyms are used in this section:

    | Acronym | Meaning |
    |---|---|
    | ACL | access control list |
    | ADO | ActiveX Data Objects |
    | ADSI | Active Directory Service Interfaces |
    | ASE | Admin Script Editor |
    | CLR | Common Language Runtime |
    | COM | Component Object Model |
    | GPO | Group Policy object |
    | HTML | Hypertext Markup Language |
    | IIS | Internet Information Services |
    | WMI | Windows Management Instrumentation |
    | XML | Extensible Markup Language |

    Section Review

    Summary

    Some of the Windows PowerShell features are:

    - Cmdlets for performing administrative tasks
    - Scripting language that accelerates automation of repetitive tasks due to its integration with the command-line shell
    - Support for existing scripts, existing command-line tools, and multiple operating systems
    - Commands that follow standard naming conventions and work with a small set of intuitive utilities
    - Simple access to objects and system administration data, and the ability to pipe objects between command-line tools
    - Extensible interface that allows third-party vendors to quickly build custom tools and utilities to administer applications running Windows

    You should know how to perform some of the following basic Windows PowerShell tasks:

    - Open Windows PowerShell: Three different methods: 1) Click Start, All Programs, Windows PowerShell, and Windows PowerShell shortcut. 2) Type powershell at the command prompt. 3) Click Start, select Run, and type powershell.
    - Chain commands: Chain several commands together on the same line.
    - Write scripts: Compose scripts at the command-line within Windows PowerShell.
    - Run scripts: Type the full path to the file, or, if the current directory is where the scripts are located, type .\ before the file name.

    To access the Windows PowerShell library for Group Policy, first load the Group Policy module (open Windows PowerShell and type import-module grouppolicy). To display the list of Group Policy commands, open Windows PowerShell and type get-command -module grouppolicy.

    Some of the third-party Windows PowerShell-based logon script tools are:

    - Specops command
    - Admin Script Editor
    - PowerGUI

    Knowledge Check

    1. What must you do in Windows PowerShell before you can display the list of Group Policy commands?

    2. Which of the following is a feature of Windows PowerShell? (Choose all that apply.)

       a. Simple access to objects and system administration data, and provides the ability to pipe objects between command-line tools
       b. Cmdlets for performing administrative tasks
       c. Run PowerShell commands against Windows 2000 operating systems
       d. Logging and error-handling capabilities for script execution tracking and error handling

    3. Which extension is used to save a Windows PowerShell script file?

    4. List some of the third-party Windows PowerShell-based logon script tools.

    Knowledge Check Answer Key

    The correct answers to the Knowledge Check questions are bolded.

    1. What must you do in Windows PowerShell before you can display the list of Group Policy commands?

       Load the Group Policy module

    2. Which of the following is a feature of Windows PowerShell? (Choose all that apply.)

       a. Simple access to objects and system administration data, and provides the ability to pipe objects between command-line tools
       b. Cmdlets for performing administrative tasks
       c. Run PowerShell commands against Windows 2000 operating systems
       d. Logging and error-handling capabilities for script execution tracking and error handling

    3. Which extension is used to save a Windows PowerShell script file?

       .ps1

    4. List some of the third-party Windows PowerShell-based logon script tools.

       Specops command

       Admin Script Editor

       PowerGUI