This article was written by Bill Kindle. He is a frequent contributor to the Adam the Automator (ATA) blog. If you'd like to read more from this author, check out his ATA author page. Be sure to also check out more how-to posts on cloud computing, system administration, IT, and DevOps on adamtheautomator.com!
GPOs (Starter GPOs, actually) are a feature in Active Directory that allows you to build templates for common GPOs. In this blog, you're going to get a glimpse into how starter GPOs can help you speed up GPO-creation.
If you are lucky to build a complete Active Directory infrastructure from scratch, then you know how much planning and consideration goes into the whole process. And it doesn't just stop with delivering the environment. You have to also consider ongoing management of the environment. That's why you should consider using starter group policy objects.
What are Starter GPOs?
A starter group policy object is a blank, or clean slate group policy object. The purpose of these objects is to allow an administrator to create and have a pre-configured group of settings that represent a baseline for any future policy that is to be created.
These settings can then be copied into a more "formal" group policy object to then be applied to single or multiple organizational units. Copying these starter objects preserves your baseline strategy and allows you to dynamically add or remove settings that shouldn't be applied to future objects.
These objects are great for settings that will not be changing, such as specific security related protocol configurations, Windows Update settings, particular software settings or registry entries to name a few. The choice is yours as a sysadmin and can reflect whatever strategy you are employing.
Using Starter GPOs with PowerShell: A Story
You walk into your work area and just as you start sipping that already cold cup of coffee because you've been stopped 15 times on your way to your area, you open your email to discover you are being asked by the boss to aid in deploying group policy in an environment. You are also given a list of baselines required for this new deployment from your security team or boss.
You could begin assigning these baselines to ordinary policy objects using the Group Policy Management Console or because you are a long-term thinker, you decide to step back and see if you can maybe automate some of this task and memorialize these baselines better.
You open up your trusty PowerShell console and start looking for cmdlets. You then search for the module GroupPolicy and import it. You would have this module installed if you have already downloaded and installed RSAT.
Looking at the available cmdlets, you find two that look like they are exactly what you need, New-GPStarterGPO and Get-GPStarterGPO.
After looking at the help you see that creating this one by one or even as a loop is pretty straightforward and there are only but a couple of necessary parameters called Name and Comment.
Armed with this new info, you create a small foreach loop through an array of names & comments and pass them off to the New-GPStarterGPO cmdlet, creating 5 new baseline policies to be edited later by your intern. Time for a beverage refill.
Summary
GPOs (Starter GPOs) are GPO templates that allow you to save time as a sysadmin. Using PowerShell cmdlets like New-GPStarterGPO and Get-SPStarterGPO allow you to save even more time by quickly creating these starter GPOs directly from the command line!
If you'd like to learn more about GPOs, check out all of the other GPO posts we have available here on the blog.
Top comments (0)