使用PowerShell来编辑/修改GPO [英] Using Powershell to edit/modify a GPO

问题描述

目标：我试图修改一个GPO（2008R2 AD）通过Powershell的（V3）。具体的用户配置的价值 - >策略 - > Windows设置 - > FileRedirection - >文件UNC路径。

Objective: I'm attempting to modify a GPO (2008R2 AD) via Powershell (v3). Specifically the value of the User Configuration -> Policies -> Windows Settings -> FileRedirection -> Documents UNC path.

中的新尝试：

import-module grouppolicy;
$StringToFind = "\\this\is\a\template\path";
$StringToRepalce="\\server123\%CustomerID%\%username%\Documents\";
$GPOBackupFolder = "C:\src\psh\gpoBackupEditRestore\backups";
$GPO = copy-gpo -SourceName "Customer GPO Template v1.4" -targetName "Customer $CustomerID" -CopyACL;
$GPOBackup = $Backup-GPO -guid $gpo.id -path $GPOBackupFolder;
$GPOBackupXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\Backup.xml";
$GPOGPReportXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\GPReport.xml";
$NewBackupXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\nBackup.xml";
$NewGPReportXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\nGPReport.xml";

$GPOBackup=gc $GPOBackupXMLPath;
$GPOGPReport= gc $GPOGPReportXMLPath;
foreach($line in $GPOBackup){ac $NewBackupXMLPath $line.Replace($StringToFind,$StringToReplace);}
foreach($line in $GPOGPReport){ac $NewGPReportXMLPath $line.Replace($StringToFind,$StringToReplace);}

remove-item -force $GPOBackupXMLPath;
remove-item -force $GPOGPReportXMLPath;
move-item -force $NewBackupXMLPath $GPOBackupXMLPath
move-item -force $NewGPReportXMLPath $GPOGPReportXMLPath

Remove-GPO -ID $GPO.ID   #remove GPO before restore. deleting/commenting this line does not change outcome.
Restore-GPO -BackupID $GPOBackup.ID -Path $GPOBackupFolder

假设我正确读取信息时 http://technet.microsoft .COM / EN-US /库/ ee461027.aspx ，上面的Powershell的这段应该恢复XML在本地文件夹的位置GPO中的广告。 [我已经证实，模板值（$ StringToFind）没有在在GPOBackupFolder目录中的任何其他文件中出现。]]

Assuming I'm reading the information correctly at http://technet.microsoft.com/en-us/library/ee461027.aspx, the above Powershell snippit should restore the XML at the local folder location to the GPO in AD. [[I've confirmed that the template values ($StringToFind) do not occur within any other file in the GPOBackupFolder directory.]]

不过，从本地XML文件，更改后的值不会被恢复到AD。我做了GPO的额外的备份恢复它，比较初始（修改）的备份文件（已恢复）到后恢复备份的价值后，已经证实了这一点（现在包含/原厂/值！）。

However, the changed values from the local XML files are NOT being restored to AD. I have confirmed this by doing an additional backup of the GPO after restoring it and comparing the initial (modified) backup files (which have been restored) to the post-restore backup value (now containing the /Original/ values!).

有没有其他人尝试这和/或可以解释这种现象，为什么还原，GPO不会还原备份文件的内容？

Has anyone else attempted this and/or can explain this behaviour as to why Restore-GPO would not be restoring the content of the backup files?

推荐答案

更​​新：我找到了一种方法来直接修改DC上的GPO的ini文件。

UPDATE: I found a way to directly modify the GPO's ini file on the DC.

由于此解决方案不使用任何API，我认为这是一个黑客;然而，迄今为止，这是我遇到的唯一解决方案。

As this solution does NOT use any API, I consider this a HACK; however, thus far it's the only solution I've encountered.

从我已经能够收集到（从我在这个世界中有限的运作）约在公元建筑放大器; DC复制的DC的SYSVOL部分将被复制到其他DC的在福雷斯特，一样的，如果进行的更改通过MMC进行。任何人都可以证实这一点？

From what I've been able to glean (from my limited workings in that world) about AD Architecture & DC Replication, The SYSVOL section of the DC will be replicated to other DC's in the Forrest, same as if the changes were made via MMC. Can anyone confirm this?

注：据我所知，这个脚本必须从本机的DC在同一个组织的GPO受到影响运行。

Note: As far as I can tell, this script must be run locally from a DC in the same org as the GPO being affected.

$GPO = copy-gpo -SourceName "$GPOTemplateName" -TargetName "$NewGPOName" -CopyACL
#Found post referencing how to Manually Edit GPO's: http://blogg.husbanken.no/it/2013/04/13/manually-edit-gpo-settings/
$adGPO=[ADSI]"LDAP://$($GPO.path)";
$GPOFilePath = $adGPO.psbase.properties.gPCFileSysPath;

#Specifically the path to the GPO section affecting Folder Redirection
$GPOFolderRedirectionINIPath = "$GPOFilePath\User\Documents & Settings\fdeploy.ini";

#Functions for importing/exporting an INI file with Powershell in a very standard way:  http://blogs.technet.com/b/heyscriptingguy/archive/2011/08/20/use-powershell-to-work-with-any-ini-file.aspx
. ".\get-inicontent.ps1"; # From:  http://gallery.technet.microsoft.com/scriptcenter/ea40c1ef-c856-434b-b8fb-ebd7a76e8d91
. ".\out-inifile.ps1";   # From: http://gallery.technet.microsoft.com/scriptcenter/7d7c867f-026e-4620-bf32-eca99b4e42f4

$GPOFolderRedirectionINI = get-iniContent $GPOFolderRedirectionINIPath;
$GPOFolderRedirectionINI["My Documents"]["s-1-1-0"]="\\New\Path\To\CustomerFolder\%USERNAME%\"
$GPOFolderRedirectionINI | out-iniFile $GPOFolderRedirectionINIPath -Force

我POC'd这一点，它的功能正常和放大器;如果幸运的话别人会觉得这个方法有帮助的;但我希望有人找到更好的方法来做到这一点。

I've POC'd this, and it functions properly & With any luck someone else will find this method helpful; however I'm hopeful someone finds a better way to do this.

干杯！

这篇关于使用PowerShell来编辑/修改GPO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！