The following sections provide the scriptable operations that can be carried out on the GPO scripting object.
Approve a GPO to be exported to Active Directory or unapprove a GPO. If you set the value of the parameter to True, the method approves the GPO. Else, if the value of the parameter is False, the method unapproves the GPO.
GPOObject.Approve True|False
The following sample approves all GPOs in a category.
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
oGPO.Approve True
Next
wscript.echo "All GPOs have been approved."
GPOObject.Approve(True|False)
The following sample approves all GPOs in a category.
public static void ApproveGPO()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach(IfaGPRGpo oGPO in oCategory)
{
oGPO.Approve (true);
}
Console.WriteLine("All GPOs have been approved.");
Console.ReadKey();
}
Set-GPRApproveGpo [-FAGPRPath] <String> [-Approve] <Boolean>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Approve |
Specifies whether or not the GPO can be exported. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample approves a repository GPO to be exported to AD from NetIQLabs.LAB.
PS C:\>Set-GPRApproveGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=NetIQLabs,DC=LAB" -Approve $true
Approve a GPO to be exported to Active Directory, or unapprove a GPO, and include comments in the history view. If you set the value of the parameter to True, the method approves the GPO. Else, if the value of the parameter is False, the method unapproves the GPO.
GPOObject.ApproveWithComment True|False , "Comment"
The following sample approves all GPOs in a category and adds a comment.
Dim oGPRroot, oCategory, oGPO, sCategory, sComment
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
oGPO.ApproveWithComment True , "This GPO is approved for export."
Next
wscript.echo "All GPOs have been approved."
GPOObject.ApproveWithComment(True|False, "Comment")
The following sample approves all GPOs in a category and adds a comment.
public static void ApproveGPOwithComments()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach(IfaGPRGpo5 oGPO in oCategory)
{
oGPO.ApproveWithComment(true, "Approved by .Net application");
}
Console.WriteLine("All GPOs have been approved.");
Console.ReadKey();
}
Set-GPRApproveGpo [-FAGPRPath] <String> [-Approve] <Boolean> [-Comment] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Approve |
Specifies whether or not the GPO can be exported. |
|
Comment |
Allows you to make a statement regarding the approval of the GPO. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample approves a repository GPO to be exported to AD from NetIQLabs.LAB and adds a comment.
PS C:\>Set-GPRApproveGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=NetIQLabs,DC=LAB" -Approve $true -Comment "Approved by PowerShell script"
Check in a GPO.
GPOObject.CheckIn "Comment"
The following sample allows you to check in all checked‑out GPOs in a category.
REM Check in all checked out GPOs in a category
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
If oGPO.StatusCheckedOut = True then
oGPO.CheckIn "Checked in from script"
end if
Next
GPOObject.CheckIn("Comment")
The following sample allows you to check in all checked‑out GPOs in a category.
public static void CheckinGPOs()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo oGPO in oCategory)
{
if (oGPO.StatusCheckedOut == true)
{
oGPO.CheckIn("Checked in from .Net application");
}
}
Console.WriteLine("All GPOs have been checked in.");
Console.ReadKey();
}
Close-GPRCheckInGpo [-FAGPRPath] <String> [-Comment] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Comment |
Allows you to make a statement regarding the check-in porcess. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample checks in a repository GPO from GPDOM.LAB and adds an optional comment.
PS C:\>CheckInGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -Comment "Mycomment"
Check out a GPO.
GPOObject.CheckOut "Comment"
The following sample allows you to check out all checked‑in GPOs in a category.
REM Check out all GPOs in a category
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
If oGPO.StatusCheckedOut = False then
oGPO.CheckOut "Checked out from script"
end if
Next
GPOObject.CheckOut("Comment")
The following sample allows you to check out all checked‑in GPOs in a category.
public static void CheckOutGPOs()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo oGPO in oCategory)
{
if (oGPO.StatusCheckedOut == false)
{
oGPO.CheckOut("Checked out from .Net application");
Console.WriteLine("GPO: " + oGPO.Name + " was checked out.");
}
}
Console.WriteLine("All GPOs have been checked out.");
Console.ReadKey();
}
Open-GPRCheckOutGpo [-FAGPRPath] <String> [-Comment] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Comment |
Allows you to make a statement regarding the check-out porcess. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample checks out a repository GPO from GPDOM.LAB and adds an optional comment.
PS C:\>Open-GPRCheckOutGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -Comment "Mycomment"
Links the GPO to a Scope of Management (SOM) object.
GPOObject.CreateLink “SOM LDAP path"
The following code links a GPO to a SOM object.
Dim oGPRroot, oGPO, sGPOPath
Set oGPRroot = Wscript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=MYREPOSITORYDB;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=MYWORKSTATION;Use Encryption for Data=False;Tag with column collation when possible=False")
sGPOPath = "FAGPR://CN={3D6843CF-FB04-4AC6-9B47-1E6CE974D2F4}, CN=cat1, DC=MYDOMAIN,DC=COM"
Set oGPO = oGPRroot.GetObject(sGPOPath)
' First check out the GPO
oGPO.CheckOut "Checkout comment"
' Call the CreateLink API with the LDAP path of the SOM object as input
oGPO.CreateLink "LDAP://OU=MyOU,DC=MYDOMAIN,DC=COM"
' Finally check in the GPO
oGPO.CheckIn "Checkin comment"
wscript.echo "Operation Completed"
GPOObject.CreateLink("SOM LDAP path")
The following code links a GPO to a SOM object.
public static void CreateLinkToSOM()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sGPOPath = "FAGPR://CN={C104C9C7-9355-4FEC-8824-22D7BF4797A9}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sContainer = "LDAP://OU=MyOU,DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo5 oGpo = oGPRroot.GetObject(sGPOPath);
oGpo.CheckOut("Checkout comment");
oGpo.CreateLink(sContainer);
oGpo.CheckIn("Checkin comment");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
Console.WriteLine("GPO was linked successfully");
Console.ReadKey();
}
Set-GPRGpoLink [-FAGPRPath] <String> [-SomLdapPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
SomLdapPath |
The LDAP path of the SOM object from AD. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample links the GPO to an SOM object named “TestOU”.
PS C:\>Set-GPRGpoLink -FAGPRPath "FAGPR://CN={8BBF2488-6BED-410A-8B9B-174B0D6F63AA}, CN=TEST, DC=NetIQLabs,DC=com" -SomLdapPath "LDAP://OU=TestOU,DC=NetIQLabs,DC=lab"
Deletes a GPO link from a Scope of Management (SOM) object.
GPOObject.DeleteLink “SOM LDAP path"
The following sample removes a GPO link from a SOM object.
Dim oGPRroot, oGPO, sGPOPath
Set oGPRroot = Wscript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;IntegratedSecurity=SSPI;Initial Catalog=GPO_REPOSITORY;DataSource=MYREPOSITORYDB;Use Procedure for Prepare=1;AutoTranslate=True;Packet Size=4096;Workstation ID=MYWORKSTATION;UseEncryption for Data=False;Tag with column collation whenpossible=False")
sGPOPath = "FAGPR://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Cat1, DC=MYDOMAIN,DC=COM"
Set oGPO = oGPRroot.GetObject(sGPOPath)
' First check out the GPO
oGPO.CheckOut "Checkout comment"
' Call the DeleteLink API with the LDAP path of the SOM object as input
oGPO.DeleteLink "LDAP://OU=MyOU,DC=MYDOMAIN,DC=COM"
' Finally check in the GPO
oGPO.CheckIn "Checkin comment"
wscript.echo "Operation Completed"
GPOObject.DeleteLink("SOM LDAP path")
The following sample removes a GPO link from a SOM object.
public static void DeleteLinkToSOM()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sGPOPath = "FAGPR://CN={C104C9C7-9355-4FEC-8824-22D7BF4797A9}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sContainer = "LDAP://OU=Bolivia,DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo5 oGpo = oGPRroot.GetObject(sGPOPath);
oGpo.CheckOut("Checkout comment");
oGpo.DeleteLink(sContainer);
oGpo.CheckIn("Checkin comment");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
Console.WriteLine("GPO was unlinked successfully");
Console.ReadKey();
}
Remove-GPRGpoLink [-FAGPRPath] <String> [-SomLdapPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
SomLdapPath |
The LDAP path of the SOM object from AD. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample deletes a link from a GPO to an SOM object named “TestOU”.
PS C:\>Remove-GPRGpoLink -FAGPRPath "FAGPR://CN={8BBF2488-6BED-410A-8B9B-174B0D6F63AA}, CN=TEST, DC=NetIQLabs,DC=com" -SomLdapPath DAP://OU=TestOU,DC=NetIQLabs,DC=lab"
Delete a GPO.
GPOObject.Delete
The following sample allows you to delete a GPO.
Dim oGPRroot, oCategory, oGPO, sGPO
sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-803874AB7EA0},
CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oGPO = oGPRroot.GetObject(sGPO)
oGPO.Delete
GPOObject.Delete()
The following sample allows you to delete a GPO.
public static void DeleteGPO()
{
string sGPOPath = "FAGPR://CN={C104C9C7-9355-4FEC-8824-22D7BF4797A9}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo5 oGPO = oGPRroot.GetObject(sGPOPath);
oGPO.Delete();
Console.WriteLine("GPO deleted successfully");
Console.ReadKey();
}
Remove-GPRGpo [-FAGPRPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample deletes a repository GPO from GPDOM.LAB.
PS C:\>Remove-GPRGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB"
Export approved GPO to live Active Directory domain.
GPOObject.Export "ExportParameter"
Export all GPOs in a category. This sample works for all GPOs with an approved status.
Dim oGPRroot, oCategory, oGPO, sCategory, sExportOpt
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sExportOpt = "NoBackUpOverwrite"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
oGPO.Export sExportOpt
Next
wscript.echo "All GPOs have been exported."
GPOObject.Export("ExportParameter")
Export all GPOs in a category. This sample works for all GPOs with an approved status.
public static void ExportGPOs()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sExportOpt = "NoBackUpOverwrite";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo gprGpo in oCategory)
{
if (gprGpo.StatusApproved == true)
gprGpo.Export(sExportOpt);
}
Console.WriteLine("All GPOs have been exported.");
Console.ReadKey();
}
You can specify one of the following export parameters:
If the GPO already exists in Active Directory, overwrite it and back up the live Active Directory GPO into the GP Repository prior to overwriting it. You can also use an integer value of 14 instead of BackUpOverwrite.
If the GPO already exists in Active Directory, overwrite it. The live GPO is not backed up prior to import. You can also use an integer value of 13 instead of NoBackUpOverwrite.
Export fails if the GPO already exists in Active Directory. You can also use an integer value of 12 instead of DoNotOverwrite.
Export-GPRGpo [-FAGPRPath] <String> [-Overwrite] <SwitchParameter>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Overwrite |
If the GPO already exists in the AD, it will be overwritten. You don't have to specify a value with this parameter. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample exports a repository GPO to an Active Directory domain named “GPDOM.LAB”.
PS C:\>Export-GPRGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -Overwrite
Export approved GPO to live Active Directory domain and include comments in the history view.
NOTE:This script can take several seconds or longer to complete when you run it for the first time.
GPOObject.ExportWithComment "ExportParameter" , “Comment”
Export all GPOs in a category and include a comment. This sample works for all GPOs with an approved status.
Dim oGPRroot, oCategory, oGPO, sCategory, sExportOpt, sComment
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sExportOpt = "NoBackUpOverwrite"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
oGPO.ExportWithComment sExportOpt , “This GPO has been exported to Active Directory."
Next
wscript.echo "All GPOs have been exported."
GPOObject.ExportWithComment("ExportParameter", "Comment")
Export all GPOs in a category and include a comment. This sample works for all GPOs with an approved status.
public static void ExportGPOsWithComments()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
string sExportOpt = "NoBackUpOverwrite";
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo5 gprGpo in oCategory)
{
if (gprGpo.StatusApproved == true)
gprGpo.ExportWithComment(sExportOpt, "This GPO has been exported to Active Directory.");
}
Console.WriteLine("All GPOs have been exported.");
Console.ReadKey();
}
You can specify one of the following export parameters:
If the GPO already exists in Active Directory, Overwrite it and backup the live Active Directory GPO into the GP Repository prior to overwriting it. You can also use an integer value of 14 instead of BackUpOverwrite.
If the GPO already exists in the Active Directory overwrite it. The live GPO is not backed up prior to Import. You can also use an integer value of 13 instead of NoBackUpOverwrite.
Export fails if the GPO already exists in Active Directory. You can also use an integer value of 12 instead of DoNotOverwrite.
Export-GPRGpo [-FAGPRPath] <String> [-Overwrite] <SwitchParameter> [-Comment] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Overwrite |
If the GPO already exists in the AD, it will be overwritten. You don't have to specify a value with this parameter. |
|
Comment |
You can make a statement regarding the export process. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample exports a repository GPO to an Active Directory domain named “GPDOM.LAB” and adds a comment.
PS C:\>Export-GPRGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -Comment "This GPO has been exported to Active Directory." -Overwrite
This batch file uses the GPAExportUtil.exe tool to create an entry for each approved GPO you have selected to export. If you want to export all approved GPOs in the selected domains, the batch file uses the GPAExportUtil.exe tool to create an entry for each selected domain.
"<product installation path>\GPAExportUtil.exe" {{/g:<guid of GPO> |
/d:<DNS name of AD domain> | /a}
{/C:"<SQL Connection string>" | {/SQLS:<repository_server>
/SQLD:<rep_database_name> [/U:<SQL username> /P:<SQL password>]}} |
[/?|/H]
The following table describes the command‑line parameters and variables.
|
Variable name |
Replace with |
|---|---|
|
/g:<guid of GPO> |
The GUID of the approved GPO you want to export using GPAExportUtil.exe. Use along with the /d option when you want to export two or more GPOs with the same GUID, but from different domains (required when exporting individual GPOs) |
|
/d:<DNS name of AD domain> |
The DNS name of the domain where approved GPOs will be exported. When this parameter is not specified, approved GPOs will be exported to the domain of the user performing the export. You can use this parameter when exporting any built‑in domain policy GPOs or GPOs with same GUID. |
|
/a |
All approved GPOs in all domains of the specified GP Repository will be exported (optional). |
|
/C:"<SQL Connection string>" |
Full SQL Server connection string to the GP Repository database, in double quotes. Use instead of the other SQL Server parameters (required). |
|
/SQLS:<repository_server> |
Name of the GP Repository SQL Server (optional). |
|
/SQLD:<rep_database_name> |
Name of the GP Repository SQL Server database (optional). |
|
/U:<SQL username> |
SQL Server account name to use for SQL Authentication (optional). |
|
/P:<SQL password> |
SQL Server account password to use for SQL Server Authentication. Use caution when specifying this parameter in batch files (optional). |
To export two selected GPOs from the domain, the export batch file contains the following entries:
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{1FEB5933-DA75-49BC-A63F-FA86C7CA9E20} /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{F94F2CF6-0264-4DA6-B76C-7C920360894D} /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
To export all GPOs in a domain, the export batch file contains the following entry:
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
To export two GPOs (in this case, the default domain policy) with the same GUID, but from different domains, the export batch file contains the following entries:
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{31B2F340-016D-11D2-945F-00C04FB984F9} /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{31B2F340-016D-11D2-945F-00C04FB984F9} /d:nordicregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
Allows you to view whether a GPO is checked out. This operation returns a True or False value. True indicates a GPO is checked out and False indicates that the GPO is checked in.
GPOObject.StatusCheckedOut
The following sample displays whether a GPO is checked out.
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
If oGPO.StatusCheckedOut = True then
Wscript.Echo oGPO.Name + "is checked out"
else
Wscript.Echo oGPO.Name + "is checked in"
end if
Next
GPOObject.StatusCheckedOut
The following sample displays whether a GPO is checked out.
public static void GetGPOCheckoutStatus()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo gprGpo in oCategory)
{
if (gprGpo.StatusCheckedOut == false)
{
Console.WriteLine(gprGpo.Name + "is checked in");
}
else
{
Console.WriteLine(gprGpo.Name + "is checked out");
}
}
Console.ReadKey();
}
Get-GPRCheckOutStatus [-FAGPRPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample checks the check out status of a repository GPO from GPDOM.LAB.
PS C:\>CheckOutStatus -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB"
Allows you to read the approval status of a GPO. This operation returns a True or False value. A True value denotes Approved status and a False value denotes Unapproved status.
GPOObject.StatusApproved
The following sample displays the approval status of a GPO.
Dim oGPRroot, oCategory, oGPO, sCategory, sExportOpt
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sExportOpt = "NoBackUpOverwrite"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
If oGPO.StatusApproved = True then
Wscript.Echo oGPO.Name + " is approved"
else
Wscript.Echo oGPO.Name + " is not approved"
end if
Next
GPOObject.StatusApproved
The following sample displays the approval status of a GPO.
public static void GetGPOApprovalStatus()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo gprGpo in oCategory)
{
if (gprGpo.StatusApproved == true)
{
Console.WriteLine(gprGpo.Name + " is approved");
}
else
{
Console.WriteLine(gprGpo.Name + " is not approved");
}
}
Console.ReadKey();
}
Get-GPRGpoApproveStatus [-FAGPRPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample checks the approval status of a repository GPO from GPDOM.LAB.
PS C:\>Get-GPRGpoApproveStatus -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB"
Sets or gets status of locking or masking of a GPO for a user or group.
Sets locking or masking of a GPO for a user or group.
Int Result = GPOObject.SetGPOSecurityFilterInfo(string AccountName, Int OpType, Int Overwrite)
Gets status of locking or masking of a GPO for a user or group.
Int Result = GPOObject.GetGPOSecurityFilterInfo(string AccountName, Int OpType)
|
Parameter |
Value |
|---|---|
|
AccountName |
User or Group |
|
OpType |
|
|
Overwrite |
|
|
Result |
|
The following code locks a GPO for a user or group object.
Dim oGPRroot, oCategory, oGPO, sGPOPath, result
sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oGPO = oGPRroot.GetObject(sGPOPath)
result = oGPO.SetGPOSecurityFilterInfo("MYDOMAIN\<UserorGroup>", 0, 1)
Wscript.Echo result
The following code checks to see if a GPO is unmasked for a user or group object.
Dim oGPRroot, oCategory, oGPO, sGPOPath, result
sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oGPO = oGPRroot.GetObject(sGPOPath)
result = oGPO.GetGPOSecurityFilterInfo("MYDOMAIN\<UserorGroup>", 3)
Wscript.Echo result
Sets locking or masking of a GPO for a user or group.
Int Result = GPOObject.SetGPOSecurityFilterInfo(string AccountName, Int OpType, Int OverWrite);
Gets status of locking or masking of a GPO for a user or group.
Int Result = GPOObject.GetGPOSecurityFilterInfo(string AccountName, Int OpType);
|
Parameter |
Value |
|---|---|
|
AccountName |
User or Group |
|
OpType |
|
|
Overwrite |
|
|
Result |
|
The following code locks a GPO for a user or group object.
public static void LockGPO()
{
string sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial
Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for
Data=False;Tag with column collation when possible=False");
IfaGPRGpo8 oGPO = (IfaGPRGpo8)oGPRroot.GetObject(sGPOPath);
int result = oGPO.SetGPOSecurityFilterInfo("MYDOMAIN\\<UserorGroup>", 0, 1);
Console.WriteLine(result.ToString());
Console.ReadKey();
}
The following code checks to see if a GPO is unmasked for a user or group object.
public static void UnLockGPO()
{
string sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial
Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for
Data=False;Tag with column collation when possible=False");
IfaGPRGpo8 oGPO = (IfaGPRGpo8)oGPRroot.GetObject(sGPOPath);
int result = oGPO.GetGPOSecurityFilterInfo("MYDOMAIN\\<UserorGroup>", 3);
Console.WriteLine(result.ToString());
Console.ReadKey();
}
Get-GPRGpoSecurityFilter [-FAGPRPath] <String> [-AccountName] <String> [-OpType] <String>
Set-GPRGpoSecurityFilter [-FAGPRPath] <String> [-AccountName] <String> [-OpType] <String> [-Force] <SwitchParameter>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
AccountName |
User or Group |
|
OpType |
|
|
Force (optional) |
Allows or prevents the deletion of the security filter options. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample locks a GPO for a user object.
PS C:\>Set-GPRGpoSecurityFilter -FAGPRPath "FAGPR://CN={8BBF2488-6BED-410A-8B9B-174B0D6F63AA}, CN=TEST, DC=NetIQLabs,DC=com" -AccountName "MYDOMAIN\MyUser" -OpType "Lock"
The following sample checks if the GPO is masked for the user 'MyUser' from the domain 'MYDOMAIN' and returns the result.
PS C:\>Get-GPRGpoSecurityFilter -FAGPRPath "FAGPR://CN={8BBF2488-6BED-410A-8B9B-174B0D6F63AA}, CN=TEST, DC=NetIQLabs,DC=com" -AccountName "MYDOMAIN\MyUser" -OpType "Mask"
Retrieves the CN name (GUID) of a GPO.
StrName = GPOObject.CNName
The following sample lists the CN names of all GPOs in a category.
REM List names of GPOs in a Category
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
Wscript.Echo oGPO.Name & ", " & oGPO.CNName
Next
StrName = GPOObject.CNName
The following sample lists the CN names of all GPOs in a category.
public static void ReadGPOCNName()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo2 oGPO in oCategory)
{
Console.WriteLine(oGPO.Name + ", " + oGPO.CNName);
}
Console.ReadKey();
}
Generate an HTML report for a specific version of a GPO. Specify the version number of the GPO that you want to generate a report for. If you want to generate a Report for the latest version of the GPO then pass the value as 0.
GPOObject.ReportHtml VersionNumber, HTMLFile
The following sample generates reports for all GPOs in a category.
Dim oGPRroot, oCategory, oGPO, sCategory, sPath, i, sCurrentFile
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sPath = "C:\Diffreport_User\"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
i= 1
for each oGPO in oCategory
sCurrentFile = sPath + oGPO.Name + cstr(i) + ".htm"
oGPO.ReportHtml 0, sCurrentFile
i = i +1
Next
GPOObject.ReportHtml(VersionNumber, HTMLFile)
The following sample generates reports for all GPOs in a category.
public static void GenerateGPOReport()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sPath = "C://Folder/";
string sCurrentFile = "";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
int i = 1;
foreach (IfaGPRGpo gprGpo in oCategory)
{
sCurrentFile = sPath + gprGpo.Name + Convert.ToString(i) + ".htm";
gprGpo.ReportHtml(0, sCurrentFile);
i++;
}
Console.WriteLine("GPOs reports were generated successfully");
Console.ReadKey();
}
Get-GPRGpoSettingsReport [-FAGPRPath] <String> [-Version] <Int32> [-HtmlFileName] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
|
Version |
Specifies the version number of the GPO for which you want to run a report. |
|
HtmlFileName |
|
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample generates a settings report for a repository GPO from NetIQLabs.com.
PS C:\>Get-GPRGpoSettingsReport -FAGPRPath "FAGPR://CN={8BBF2488-6BED-410A-8B9B-174B0D6F63AA}, CN=TEST, DC=NetIQLabs,DC=com" -Version 0 -HtmlFileName "c:\test.html"
Compare two GPOs and generate an HTML report of the comparison including the similarities and differences. The two GPOs must exist before running this operation. The DiffParameter indicates the type of comparison report. A True value includes only the differences in the report. A False value includes both the similarities and differences in the report.
GPOObject1.Compare2GPOsReportHTML GPOObject2, HTMLfile, DiffParameter
The following sample generates an HTML report that compares two GPOs.
Dim oGPRroot, oGPO1, sGPO1, oGPO2, sGPO2
sGPO1 = "FAGPR://CN={B64E5669-C0BB-4549-BEF0-
E9E3554AA70A},CN=cat1,DC=rootdev2,DC=com"
sGPO2 = "FAGPR://CN={B6F9BDBA-BF2B-4973-83C3-
FA07236B6BF8},CN=cat1,DC=rootdev2,DC=com"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oGPO1 = oGPRroot.GetObject(sGPO1)
Set oGPO2 = oGPRroot. GetObject(sGPO2)
oGPO1.Compare2GPOsReportHtml oGPO2, "c:\\report\diff.htm", FALSE
GPOObject1.Compare2GPOsReportHTML(GPOObject2, HTMLfile, DiffParameter)
The following sample generates an HTML report that compares two GPOs.
public static void ComparisionReportOfTwoGPOs()
{
string sGPO1 = "FAGPR://CN={E9DAE4E3-1D76-46EA-8B06-37B30D80E764}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sGPO2 = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sPath = "C://Folder/comparisionTwoGPOs.htm";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo oGPO1 = oGPRroot.GetObject(sGPO1);
IfaGPRGpo oGPO2 = oGPRroot.GetObject(sGPO2);
oGPO1.Compare2GPOsReportHtml(oGPO2, sPath, false);
Console.WriteLine("GPO comparision Report was generated successfully");
Console.ReadKey();
}
Compare-GPRGpoSettingsReport [-FAGPRPath] <String> [-GPOtoCompare] <String> [-HTMLFileName] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the first GPO in the comparison. |
|
GPOtoCompare |
Specifies the second GPO in the comparison. |
|
HtmlFileName |
|
|
DiffOnly (optional) |
Specifies the type of comparison report. If you include this parameter, the report includes only the differences. Otherwise, the report includes both the similarities and differences. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample compares two GPOs and stores the report at "C:\ComparisonReport.html".
PS C:\>Compare-GPRGpoSettingsReport -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -GPOToCompare "FAGPR://CN={8BBF2488-6BED-410A-8B9B-174B0D6F63AA}, CN=TEST, DC=GPDOM,DC=LAB" -HTMLFileName "C:\ComparisonReport.html"
Generate a comparison HTML report with two different GP Repository versions of the GPO. The DiffParameter indicates the type of comparison report. A True value includes only the differences in the report. A False value includes both the similarities and differences in the report.
GPOObject.CompareVersionReportHtml Version1, Version2, "HTML Report name", DiffParameter
The following sample generates an HTML report that compares two GP Repository versions of a GPO.
Dim oGPRroot, oCategory, oGPO, sGPO
sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-
803874AB7EA0},CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oGPO = oGPRroot.GetObject(sGPO)
oGPO.CompareVersionReportHtml 1,2, "c:\report.htm", True
GPOObject1.CompareVersionReportHTML(Version1, Version2, HTMLfile, DiffParameter)
The following sample generates an HTML report that compares two GP Repository versions of a GPO.
public static void ComparisionReportOfGPORepositoryVersions()
{
string sGPO1 = "FAGPR://CN={E9DAE4E3-1D76-46EA-8B06-37B30D80E764}, CN=MyCategory, DC=MYDomain,DC=COM";
string sPath = "C://Folder/ComparisionRepGPOVersions.htm";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo oGPO1 = oGPRroot.GetObject(sGPO1);
oGPO1.CompareVersionReportHtml(1, 2, sPath, false);
Console.WriteLine("Comparision report was generated successfully");
Console.ReadKey();
}
Compare-GPRGpoSettingsReportVersion [-FAGPRPath] <String> [-RepVersion1] <Int32> [-RepVersion2] <Int32> [-HTMLFileName] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository GPO. |
|
RepVersion1 |
Specifies the first version of the GPO that you want to compare. |
|
RepVersion2 |
Specifies the second version of the GPO that you want to compare. |
|
HtmlFileName |
|
|
DiffOnly (optional) |
Specifies the type of comparison report. If you include this parameter, the report includes only the differences. Otherwise, the report includes both the similarities and differences. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample compares two versions of a repository GPO and stores the resulting report at "C:\ComparisonReport.html".
PS C:\>Compare-GPRGpoSettingsReportVersion -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -RepVersion1 1 -RepVersion2 2 -HtmlFileName "C:\ComparisonReport.html"
Generate a comparison HTML report with GPOs from Active Directory. The DiffParameter indicates the type of comparison report. A True value includes only the differences in the report. A False value includes both the similarities and differences in the report.
GPOObject1.CompareADReportHTML VersionNumber, HTMLfile, DiffParameter
Generate a report that compares all GPOs in a category with the Active Directory versions of the GPOs.
Dim oGPRroot, oCategory, oGPO, sConnect, sCategory, sPath
Dim i, sCurrentFile
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sPath = "C:\Diffreport_User\"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=RPSQL01;Use
Procedure for Prepare=1;Auto Translate=True;Packet
Size=4096;Workstation ID=SECONDDOMAIN;Use Encryption for
Data=False;Tag with column collation when possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
i = 1
For Each oGPO in oCategory
sCurrentFile = sPath + oGPO.Name + cstr(i) + ".htm"
oGPO.CompareADReportHtml 0, sCurrentFile, FALSE
i = i + 1
Next
wscript.echo "Operation Completed"
GPOObject1.CompareADReportHTML(VersionNumber, HTMLfile, DiffParameter)
Generate a report that compares all GPOs in a category with the Active Directory versions of the GPOs.
public static void ComparisionReportOfGPOActiveDirectoryVersions()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sPath = "C://Folder/";
string sCurrentFile;
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
int i = 1;
foreach (IfaGPRGpo oGPO in oCategory)
{
sCurrentFile = sPath + oGPO.Name + Convert.ToString(i) + ".htm";
oGPO.CompareADReportHtml(0, sCurrentFile, true);
}
Console.WriteLine("Comparison report of GPOs in a category with the AD versions generated successfully");
Console.ReadKey();
}
Compare-GPRGpoSettingsReportAD [-FAGPRPath] <String> [-RepVersion] <Int32> [-HTMLFileName] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository GPO. |
|
RepVersion |
Specifies the version of the GPO that you want to compare. |
|
HtmlFileName |
|
|
DiffOnly (optional) |
Specifies the type of comparison report. If you include this parameter, the report includes only the differences. Otherwise, the report includes both the similarities and differences. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample compares the repository version of a GPO with its Active Directory version and stores the resulting report at "C:\ComparisonReport.html".
PS C:\>Compare-GPRGpoSettingsReportAD -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB" -RepVersion 1 -HTMLFileName "C:\ComparisonReport.html"
Creates a copy of a GPO in the target category in the GP Repository.
GPOObject.CopyTo TargetContainerObject
or
Set NewGPOObject = OriginalGPOObject.CopyTo(TargetContainerObject)
The following code creates a copy of the GPO in the target category.
Dim oGPRroot, sCategory, sGPO, oCategory, oGPO
sCategory = "FAGPR://CN=ExampleOU,CN=RELEASE,DC=Repository,DC=Net"
sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-803874AB7EA0},
CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
Set oGPO = oGPRroot.GetObject(sGPO)
oGPO.CopyTo oCategory
GPOObject.CopyTo(TargetContainerObject) or MyGPOObject = OriginalGPOObject.CopyTo(TargetContainerObject)
The following code creates a copy of the GPO in the target category.
public static void CopyGPO()
{
string sCategoryTarget = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sGPO = "FAGPR://CN={C1AF6C94-7738-4E7A-83CB-4EA154B2F2D5}, CN=NewCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
IfaGPRGpo oGPO1 = oGPRroot.GetObject(sGPO1);
oGPO1.CopyTo(oCategoryTarget);
Console.WriteLine("GPO copied successfully");
Console.ReadKey();
}
Enumerate a list of GPO links within a GPO and generates a list of Link Status and Link Order properties for each GPO link.
oGPO.EnumerateLinks p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder
The following code enumerates the GPO links for a GPO.
Dim oGPRroot, oGPO, sGPOPath
Dim p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder, linkldap
Set oGPRroot = Wscript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=MYREPOSITORYDB;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=MYWORKSTATION;Use Encryption for Data=False;Tag with column collation when possible=False")
sGPOPath = "FAGPR://CN={6A63640A-09E5-4833-B43F-BEB96DE47AC8}, CN=cat2, DC=MYDOMAIN,DC=COM"
Set oGPO = oGPRroot.GetObject(sGPOPath)
oGPO.EnumerateLinks p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder
For Each linkLdap in p_pvarLinks
WScript.Echo linkLdap
Next
oGPO.EnumerateLinks(p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder)
The following code enumerates the GPO links for a GPO.
public static void Enumerate_GPOLinks()
{
string sGPOPath = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
dynamic p_pvarLinks;
dynamic p_pvarLinkStatus;
dynamic p_pvarLinkOrder;
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo3 oGPO = oGPRroot.GetObject(sGPOPath);
oGPO.EnumerateLinks(out p_pvarLinks, out p_pvarLinkStatus, out p_pvarLinkOrder);
foreach (object linkLdap in p_pvarLinks)
{
Console.WriteLine(linkLdap.ToString());
}
Console.ReadKey();
}
Returns a collection of GPO Links.
Returns a collection of Link Status.
Returns a collection of Link Order.
Links a GPO to a category.
GPOObject.LinkGPO "GPOGUID"
The following code links a GPO to a category.
Dim oGPRroot, oCategory
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject("FAGPR://CN=Desktop,DC=NetIQLabs,DC=com")
oCategory.LinkGPO “{31B2F340-016D-11D2-945F-00C04FB984F9}”
GPOObject.LinkGPO("GPOGUID")
The following code links a GPO to a category.
public static void LinkGPOtoCategory()
{
string sCategory = "FAGPR://CN=NewCategory, DC=MYDOMAIN,DC=LAB";
string sGPO = "{4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.LinkGPO(sGPO);
Console.WriteLine("GPO was linked to category successfully");
Console.ReadKey();
}
Migrate a GPO across different domains or to a different category within the same domain. You can specify either a category or a GPO as the target. In either case, specify the GP Repository path of the target object.
GPOObject.MigrateTo TargetCategory
GPOObject.MigrateToEx TargetGPO, True|False
The following sample migrates all GPOs in a category to another category across domains in the same database.
Dim oGPRroot, oSourceCat, oGPO, sSourceCat, oTargetCat, sTargetCat
sSourceCat = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sTargetCat = "FAGPR://CN=UserOU,CN=RELEASE,DC=USA,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oSourceCat = oGPRroot.GetObject(sSourceCat)
Set oTargetCat = oGPRroot.GetObject(sTargetCat)
oSourceCat.EnumType = "GPO"
For Each oGPO in oSourceCat
oGPO.MigrateTo(oTargetCat)
Next
wscript.echo "Operation completed."
The following sample migrates all GPOs in a category to another category across domains in the same database.
public static void MigrateGPO_CattoCatAcrossDomainsSameDB()
{
string sCategorysource = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sCategorytarget = "FAGPR://CN=MyCategory, DC=MYTARGETDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategorysource = oGPRroot.GetObject(sCategorysource);
IfaGPRCategory oCategorytarget = oGPRroot.GetObject(sCategorytarget);
oCategorysource.EnumType = "GPO";
foreach (IfaGPRGpo oGPO in oCategorysource)
{
oGPO.MigrateTo(oCategorytarget);
}
Console.WriteLine("GPOs were migrated successfully.");
Console.ReadKey();
}
The following sample migrates all GPOs in a category to another category across domains in a different database.
Dim oSourceGPRroot, oTargetGPRroot
Dim sSourceConnect, sTargetConnect
Dim oSourceCat, oGPO, sSourceCat, oTargetCat, sTargetCat
sSourceConnect = "PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=.;Use
Procedure for Prepare=1;Auto Translate=True;Packet
Size=4096;Workstation ID=ROOT2-AD-01;Use Encryption for
Data=False;Tag with column collation when possible=False"
sTargetConnect = "PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation
when possible=False"
sSourceCat = "FAGPR://CN=cat1,CN=ImportedGPOs,DC=rootdev2,DC=com"
sTargetCat = "FAGPR://CN=cat2,CN=ImportedGPOs,DC=rootdev22,DC=com2"
Set oSourceGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oSourceGPRroot.ConnectTo(sSourceConnect)
Set oTargetGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oTargetGPRroot.ConnectTo(sTargetConnect)
Set oSourceCat = oSourceGPRroot.GetObject(sSourceCat)
Set oTargetCat = oTargetGPRroot.GetObject(sTargetCat)
oSourceCat.EnumType = "GPO"
For Each oGPO in oSourceCat
oGPO.MigrateTo oTargetCat
Next
wscript.echo "Operation completed."
The following sample migrates all GPOs in a category to another category across domains in a different database.
public static void MigrateGPO_CattoCatAcrossDomainsDiffDB()
{
string sCategorysource = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sCategorytarget = "FAGPR://CN=MyCategory, DC=MYTARGETDOMAIN,DC=LAB";
IfaGPRRoot oGPRrootSource = new faGPRRoot();
IfaGPRRoot oGPRrootTarget = new faGPRRoot();
oGPRrootSource.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
oGPRrootTarget.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=JALQEGP611\test_instance;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=JALQEGP611;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategorySource = oGPRrootSource.GetObject(sCategorysource);
IfaGPRCategory oCategoryTarget = oGPRrootTarget.GetObject(sCategorytarget);
oCategorySource.EnumType = "GPO";
foreach (IfaGPRGpo oGPO in oCategorySource)
{
oGPO.MigrateTo(oCategoryTarget);
}
Console.WriteLine("GPOs were migrated successfully.");
Console.ReadKey();
}
The following sample migrates a GPO in a category to another category that already contains the same GPO. If the value is set to True, the target GPO will be renamed to match the source GPO. If the value is set to False, the target GPO name will be retained.
Dim oGPRroot, oGPO, zGPO, sGPOTarget, sGPOSource
sGPOSource="FAGPR://CN={251C91F3-F547-415F-BCA9-3B349B916E8D},
CN=Target, DC=GPDOM700,DC=LAB"
sGPOTarget="FAGPR://CN={251C91F3-F547-415F-BCA9-3B349B916E8D},
CN=Target2, DC=GPDOM7002,DC=LAB2"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=.;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=ROOT2-AD-01;Use Encryption for Data=False;Tag with column collation when possible=False")
Set oGPO = oGPRroot.GetObject(sGPOSource)
Set zGPO = oGPRroot.GetObject(sGPOTarget)
oGPO.MigrateToEx zGPO, false
wscript.echo "Operation completed."
The following sample migrates a GPO in a category to another category that already contains the same GPO. If the value is set to True, the target GPO will be renamed to match the source GPO. If the value is set to False, the target GPO name will be retained.
public static void MigrateGPO_CattoCatwhichAlreadyContainsaGPO()
{
string sGPOsource = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sGPOtarget = "FAGPR://CN={C1AF6C94-7738-4E7A-83CB-4EA154B2F2D5}, CN=NewCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo3 oGPOSource = oGPRroot.GetObject(sGPOsource);
IfaGPRGpo3 oGPOtarget = oGPRroot.GetObject(sGPOtarget);
oGPOSource.MigrateToEx(oGPOtarget, false);
Console.WriteLine("GPOs were migrated successfully.");
Console.ReadKey();
}
Move-GPRMigrateGpo [-TargetFAGPRPath] <String> [-FAGPRPath] <String> [-RenameGpo] <SwitchParameter>
|
Parameter |
Value |
|---|---|
|
TargetFAGPRPath |
The GPR path of the target category or the target GPO. |
|
FAGPRPath |
The FAGPRPath of the Repository GPO. |
|
RenameGpo (optional) |
Renames the target GPO. You don't have to specify a value with this parameter. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample moves a GPO to a different category.
PS C:\>Move-GPRMigrateGpo –TargetFAGPRPath "FAGPR://CN=CATTEST,DC=NetIQLabs,DC=COM" -FAGPRPath "FAGPR://CN={5EEBEF0F-5304-4FCC-83C7-835EFBB72CCC},CN=CATTEST,DC=NetIQLabs,DC=COM"
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample moves a GPO to another GPO and renames the target GPO to match the source GPO.
PS C:\>Move-GPRMigrateGpo -TargetFAGPRPath "FAGPR://CN={7A1741A8-ECF7-42D8-9A02-C96B15F1FAF5},CN=CATTEST, DC=NetIQLabs,DC=Com" -FAGPRPath "FAGPR://CN={BFD3C60B-D2F9-49F9-A80E-5B1C17D5AD25},CN=CAT_TEST, DC=NetIQLabs,DC=com" -RenameGPO
Copies information from a GPO to a different GPO. The PasteOptions parameter allows you to specify which information should be copied. PasteOptions can contain any combination of the following values: DATA, Links, Name, Security, WMI. To specify multiple values, separate them with the pipe symbol ( | ), such as "DATA|Links|Name|Security|WMI". When you specify the Name value, PasteOptions adds the prefix, “Copy of” to the GPO name. For example, PasteOptions copies MyGPO as Copy of MyGPO. You can also specify ALL to copy all information.
GPOObject.PasteToGpo TargetGPOObject, PasteOptions
The following sample allows you to copy the name and links from the source GPO to the target GPO.
Dim oGPRroot, sGPO, sGPOTarget, oGPO, oGPOTarget
sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-803874AB7EA0},
CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
sGPOTarget = "FAGPR:// CN={B0DF1662-1F2A-4A4A-8073-357E138AB148},
CN=ExampleOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oGPO = oGPRroot.GetObject(sGPO)
Set oGPOTarget = oGPRroot.GetObject(sGPOTarget)
oGPO.PasteToGpo oGPOTarget, "Name|Links"
GPOObject.PasteToGpo(TargetGPOObject, PasteOptions)
The following sample allows you to copy the name and links from the source GPO to the target GPO.
public static void PastetoanExistingGPO()
{
string sGPO = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB";
string sGPOTarget = "FAGPR://CN={1E28B502-B8B2-4957-9C94-D39B1BD8F18A}, CN=NewCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRGpo oGPO = oGPRroot.GetObject(sGPO);
IfaGPRGpo oGPOTarget = oGPRroot.GetObject(sGPOTarget);
oGPO.PasteToGpo(oGPOTarget, "ALL");
Console.WriteLine("GPO pasted successful");
Console.ReadKey();
}
Retrieves the name of a GPO.
StrName = GPOObject.Name
The following sample allows you to list GPO names in a category.
REM List names of GPOs in a Category
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
Wscript.Echo oGpo.Name
Next
StrName = GPOObject.Name
The following sample allows you to list GPO names in a category.
public static void ReadGPOName()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYTARGETDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo2 oGPO in oCategory)
{
Console.WriteLine(oGPO.Name);
}
Console.ReadKey();
}
Get-GPRGpo [-FAGPRPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the category. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample displays the list of GPOs in the category name desktop in the domain NetIQLabs.com.
PS C:\>Get-GPRGpo -FAGPRPath "FAGPR://CN=Desktop,DC=NetIQLabs,DC=com"
The Synchronize GPO Link Order tool (NqGPASyncLinkOrder.exe) allows you to synchronize the GPO link order in the GP Repository to match the GPO link order in Active Directory. GPA automatically runs this tool when you indicate for it to run from the Offline Mirror wizard, when you create an offline mirror from the command line, or when you execute this tool from the command line. Using the Offline Mirror wizard simplifies synchronizing GPO link order. For more information on synchronizing link order using the Offline Mirror wizard, see Section 5.9.3, Synchronizing GPO Link Order Using the Offline Mirror Wizard. For general information about synchronizing GPO link orders, see Section 5.8.4, Synchronizing GPOs with AD Before Export.
NOTE:
To synchronize all GPOs under all the GP Repository domains, do not specify a domain (/D) or Active Directory (AD) container (/ADContainer).
The Synchronize GPO Link Order tool also synchronizes the block inheritance settings in the GP Repository to match the block inheritance settings in Active Directory during the upgrade process.
To synchronize GPO link order between the GP Repository and AD using the command-line tool:
Log on to a GPA Console computer with an account that has permissions to modify GPOs in the GP Repository and to read Active Directory in the domain where you want to synchronize GPO link order.
Open a command prompt window.
Navigate to the \Tools folder under the product installation path. If you used the default installation path, navigate to C:\Program Files\NetIQ\Group Policy Administrator\Tools.
Run the Synchronize GPO Link Order tool, NqGPASyncLinkOrder.exe. For general information about the synchronizing link order, see Section 5.8.4, Synchronizing GPOs with AD Before Export.
Your command may be similar to one of the following examples:
NqGPASyncLinkOrder /ADContainer:OU=DV - Link Order, DC=GPDOM800, DC=Lab" /S:. /DB:GPO_REPOSITORY NqGPASyncLinkOrder /D:OU=DV - LO - LEVEL 2, OU=DV - LO - LEVEL 1, OU=DV - LO - LINK ORDER, DC=GPDOM800, DC=Lab" /S:. /DB:GP_REPOSITORY
The Synchronize GPO Link Order tool displays a completion status in the command prompt window.
NOTE:For more information about using the Offline Mirror wizard to synchronize link order from the GPA console, see Section 5.9.3, Synchronizing GPO Link Order Using the Offline Mirror Wizard.
The Synchronize GPO Link Order tool creates a log file in the %Temp% folder for the current user. Refer to this file for before and after details about link order changes.
NqGPASyncLinkOrder [/D:MyDomain.com | /ADContainer:LDAPPath][/S:MyDBServer /DB:MyDataBase /U:MyUser /P:MyPassword]
The following table describes the command-line parameters and variables.
|
Variable name |
Replace with |
|---|---|
|
/D: Domain_DNS_Name |
DNS name of the source domain, such as domainname.local, which synchronizes all GPOs in the domain. If you do not specify this parameter, the tool synchronizes the GPO link order of all GPOs in all domains. (optional) |
|
/ADContainer:LDAPPath |
LDAP path of the AD Container (Domain, Site, or OU) for the sync operation, which links the GPOs directly under the specified domain.(optional). For example: LDAP://OU=OUname, DC=DomainName, D=local (optional). |
|
/S: Repository_Server |
Name of the Microsoft SQL Server where you installed the GP Repository. The default value, period (.), indicates you installed the GP Repository on the local Microsoft SQL Server. (mandatory) |
|
/DB: DatabaseName |
Name of the GP Repository database (mandatory). |
|
/U: SQLUserName |
Microsoft SQL Server logon user name used by SQL Authentication to access the GP Repository (optional). |
|
/P: SQLUserPassword |
Microsoft SQL Server logon password used by SQL Authentication to access the GP Repository (optional). |
NqGPASyncLinkOrder /S:GPDOM800 /DB:MyDataBase /U:MyUser /P:MyPassword or NqGPASyncLinkOrder /D:MyDomain.com /S:GPDOM800 /DB:MyDataBase /U:MyUser /P:MyPassword or NqGPASyncLinkOrder /ADContainer:LDAPPath /S:GPDOM800 /DB:MyDataBase /U:MyUser /P:MyPassword
Undo a checkout without saving any changes to the GP Repository.
GPOObject.UndoCheckOut
The following sample allows you to undo the checkout of all GPOs checked out in a category. When you undo a checkout, GPA discards any changes you have made to the GPOs.
REM Undo Checkout for all checked out GPOs in a category
Dim oGPRroot, oCategory, oGPO, sCategory
sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net"
Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot")
oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated
Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data
Source=MABOSLPT03;Use Procedure for Prepare=1;Auto
Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use
Encryption for Data=False;Tag with column collation when
possible=False")
Set oCategory = oGPRroot.GetObject(sCategory)
oCategory.EnumType = "GPO"
For Each oGPO in oCategory
If oGPO.StatusCheckedOut = True then
oGPO.UndoCheckOut
end if
Next
GPOObject.UndoCheckOut()
The following sample allows you to undo the checkout of all GPOs checked out in a category. When you undo a checkout, GPA discards any changes you have made to the GPOs.
public static void UndoGPO()
{
string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB";
IfaGPRRoot oGPRroot = new faGPRRoot();
oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False");
IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory);
oCategory.EnumType = "GPO";
foreach (IfaGPRGpo oGPO in oCategory)
{
oGPO.UndoCheckOut();
}
Console.WriteLine("Undo GPO checkout successful");
Console.ReadKey();
}
Undo-GPRCheckOutGpo [-FAGPRPath] <String>
|
Parameter |
Value |
|---|---|
|
FAGPRPath |
The FAGPRPath of the Repository object. |
NOTE:Before executing this cmdlet, run Set-GPRConnection to establish a connection to the GPA Repository database. See the PowerShell cmdlet sample for more information.
The following sample cancels the check out of a repository GPO from the GPDOM.LAB domain.
PS C:\>Undo-GPRCheckOutGpo -FAGPRPath "FAGPR://CN={36553F1C-6D5D-48E0-A471-F42EB87E25C2}, CN=Meger Scripts, DC=GPDOM,DC=LAB"