The following sections provide the scriptable operations that can be carried out on the GPO scripting object.
Approve a GPO to be exported to Active Directory or unapprove a GPO. If you set the value of the parameter to True, the method approves the GPO. Else, if the value of the parameter is False, the method unapproves the GPO.
GPOObject.Approve True|False
The following sample approves all GPOs in a category.
Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory oGPO.Approve True Next wscript.echo "All GPOs have been approved."
GPOObject.Approve(True|False)
The following sample approves all GPOs in a category.
public static void ApproveGPO() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach(IfaGPRGpo oGPO in oCategory) { oGPO.Approve (true); } Console.WriteLine("All GPOs have been approved."); Console.ReadKey(); }
Approve a GPO to be exported to Active Directory, or unapprove a GPO, and include comments in the history view. If you set the value of the parameter to True, the method approves the GPO. Else, if the value of the parameter is False, the method unapproves the GPO.
GPOObject.ApproveWithComment True|False , "Comment"
The following sample approves all GPOs in a category and adds a comment.
Dim oGPRroot, oCategory, oGPO, sCategory, sComment sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory oGPO.ApproveWithComment True , "This GPO is approved for export." Next wscript.echo "All GPOs have been approved."
GPOObject.ApproveWithComment(True|False, "Comment")
The following sample approves all GPOs in a category and adds a comment.
public static void ApproveGPOwithComments() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach(IfaGPRGpo5 oGPO in oCategory) { oGPO.ApproveWithComment(true, "Approved by .Net application"); } Console.WriteLine("All GPOs have been approved."); Console.ReadKey(); }
Check in a GPO.
GPOObject.CheckIn "Comment"
The following sample allows you to check in all checked‑out GPOs in a category.
REM Check in all checked out GPOs in a category Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory If oGPO.StatusCheckedOut = True then oGPO.CheckIn "Checked in from script" end if Next
GPOObject.CheckIn("Comment")
The following sample allows you to check in all checked‑out GPOs in a category.
public static void CheckinGPOs() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo oGPO in oCategory) { if (oGPO.StatusCheckedOut == true) { oGPO.CheckIn("Checked in from .Net application"); } } Console.WriteLine("All GPOs have been checked in."); Console.ReadKey(); }
Check out a GPO.
GPOObject.CheckOut "Comment"
The following sample allows you to check out all checked‑in GPOs in a category.
REM Check out all GPOs in a category Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory If oGPO.StatusCheckedOut = False then oGPO.CheckOut "Checked out from script" end if Next
GPOObject.CheckOut("Comment")
The following sample allows you to check out all checked‑in GPOs in a category.
public static void CheckOutGPOs() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo oGPO in oCategory) { if (oGPO.StatusCheckedOut == false) { oGPO.CheckOut("Checked out from .Net application"); Console.WriteLine("GPO: " + oGPO.Name + " was checked out."); } } Console.WriteLine("All GPOs have been checked out."); Console.ReadKey(); }
Links the GPO to a Scope of Management (SOM) object.
GPOObject.CreateLink "SOM LDAP path"
The following code links a GPO to a SOM object.
Dim oGPRroot, oGPO, sGPOPath Set oGPRroot = Wscript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=MYREPOSITORYDB;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=MYWORKSTATION;Use Encryption for Data=False;Tag with column collation when possible=False") sGPOPath = "FAGPR://CN={3D6843CF-FB04-4AC6-9B47-1E6CE974D2F4}, CN=cat1, DC=MYDOMAIN,DC=COM" Set oGPO = oGPRroot.GetObject(sGPOPath) ' First check out the GPO oGPO.CheckOut "Checkout comment" ' Call the CreateLink API with the LDAP path of the SOM object as input oGPO.CreateLink "LDAP://OU=MyOU,DC=MYDOMAIN,DC=COM" ' Finally check in the GPO oGPO.CheckIn "Checkin comment" wscript.echo "Operation Completed"
GPOObject.CreateLink("SOM LDAP path")
The following code links a GPO to a SOM object.
public static void CreateLinkToSOM() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sGPOPath = "FAGPR://CN={C104C9C7-9355-4FEC-8824-22D7BF4797A9}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sContainer = "LDAP://OU=MyOU,DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo5 oGpo = oGPRroot.GetObject(sGPOPath); oGpo.CheckOut("Checkout comment"); oGpo.CreateLink(sContainer); oGpo.CheckIn("Checkin comment"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); Console.WriteLine("GPO was linked successfully"); Console.ReadKey(); }
Deletes a GPO link from a Scope of Management (SOM) object.
GPOObject.DeleteLink "SOM LDAP path"
The following sample removes a GPO link from a SOM object.
Dim oGPRroot, oGPO, sGPOPath Set oGPRroot = Wscript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("Provider=SQLOLEDB.1;IntegratedSecurity=SSPI;Initial Catalog=GPO_REPOSITORY;DataSource=MYREPOSITORYDB;Use Procedure for Prepare=1;AutoTranslate=True;Packet Size=4096;Workstation ID=MYWORKSTATION;UseEncryption for Data=False;Tag with column collation whenpossible=False") sGPOPath = "FAGPR://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Cat1, DC=MYDOMAIN,DC=COM" Set oGPO = oGPRroot.GetObject(sGPOPath) ' First check out the GPO oGPO.CheckOut "Checkout comment" ' Call the DeleteLink API with the LDAP path of the SOM object as input oGPO.DeleteLink "LDAP://OU=MyOU,DC=MYDOMAIN,DC=COM" ' Finally check in the GPO oGPO.CheckIn "Checkin comment" wscript.echo "Operation Completed"
GPOObject.DeleteLink("SOM LDAP path")
The following sample removes a GPO link from a SOM object.
public static void DeleteLinkToSOM() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sGPOPath = "FAGPR://CN={C104C9C7-9355-4FEC-8824-22D7BF4797A9}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sContainer = "LDAP://OU=Bolivia,DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo5 oGpo = oGPRroot.GetObject(sGPOPath); oGpo.CheckOut("Checkout comment"); oGpo.DeleteLink(sContainer); oGpo.CheckIn("Checkin comment"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); Console.WriteLine("GPO was unlinked successfully"); Console.ReadKey(); }
Delete a GPO.
GPOObject.Delete
The following sample allows you to delete a GPO.
Dim oGPRroot, oCategory, oGPO, sGPO sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-803874AB7EA0}, CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;s") Set oGPO = oGPRroot.GetObject(sGPO) oGPO.Delete
GPOObject.Delete()
The following sample allows you to delete a GPO.
public static void DeleteGPO() { string sGPOPath = "FAGPR://CN={C104C9C7-9355-4FEC-8824-22D7BF4797A9}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo5 oGPO = oGPRroot.GetObject(sGPOPath); oGPO.Delete(); Console.WriteLine("GPO deleted successfully"); Console.ReadKey(); }
Export approved GPO to live Active Directory domain.
GPOObject.Export "ExportParameter"
Export all GPOs in a category. This sample works for all GPOs with an approved status.
Dim oGPRroot, oCategory, oGPO, sCategory, sExportOpt sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sExportOpt = "NoBackUpOverwrite" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory oGPO.Export sExportOpt Next wscript.echo "All GPOs have been exported."
GPOObject.Export("ExportParameter")
Export all GPOs in a category. This sample works for all GPOs with an approved status.
public static void ExportGPOs() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sExportOpt = "NoBackUpOverwrite"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo gprGpo in oCategory) { if (gprGpo.StatusApproved == true) gprGpo.Export(sExportOpt); } Console.WriteLine("All GPOs have been exported."); Console.ReadKey(); }
You can specify one of the following export parameters:
If the GPO already exists in Active Directory, overwrite it and back up the live Active Directory GPO into the GP Repository prior to overwriting it. You can also use an integer value of 14 instead of BackUpOverwrite.
If the GPO already exists in Active Directory, overwrite it. The live GPO is not backed up prior to import. You can also use an integer value of 13 instead of NoBackUpOverwrite.
Export fails if the GPO already exists in Active Directory. You can also use an integer value of 12 instead of DoNotOverwrite.
Export approved GPO to live Active Directory domain and include comments in the history view.
NOTE:This script can take several seconds or longer to complete when you run it for the first time.
GPOObject.ExportWithComment "ExportParameter" , "Comment"
Export all GPOs in a category and include a comment. This sample works for all GPOs with an approved status.
Dim oGPRroot, oCategory, oGPO, sCategory, sExportOpt, sComment sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sExportOpt = "NoBackUpOverwrite" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory oGPO.ExportWithComment sExportOpt , "This GPO has been exported to Active Directory." Next wscript.echo "All GPOs have been exported."
GPOObject.ExportWithComment("ExportParameter", "Comment")
Export all GPOs in a category and include a comment. This sample works for all GPOs with an approved status.
public static void ExportGPOsWithComments() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); string sExportOpt = "NoBackUpOverwrite"; oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo5 gprGpo in oCategory) { if (gprGpo.StatusApproved == true) gprGpo.ExportWithComment(sExportOpt, "This GPO has been exported to Active Directory."); } Console.WriteLine("All GPOs have been exported."); Console.ReadKey(); }
You can specify one of the following export parameters:
If the GPO already exists in Active Directory, Overwrite it and backup the live Active Directory GPO into the GP Repository prior to overwriting it. You can also use an integer value of 14 instead of BackUpOverwrite.
If the GPO already exists in the Active Directory overwrite it. The live GPO is not backed up prior to Import. You can also use an integer value of 13 instead of NoBackUpOverwrite.
Export fails if the GPO already exists in Active Directory. You can also use an integer value of 12 instead of DoNotOverwrite.
This batch file uses the GPAExportUtil.exe tool to create an entry for each approved GPO you have selected to export. If you want to export all approved GPOs in the selected domains, the batch file uses the GPAExportUtil.exe tool to create an entry for each selected domain.
"<product installation path>\GPAExportUtil.exe" {{/g:<guid of GPO> |
/d:<DNS name of AD domain> | /a}
{/C:"<SQL Connection string>" | {/SQLS:<repository_server>
/SQLD:<rep_database_name> [/U:<SQL username> /P:<SQL password>]}} |
[/?|/H]
The following table describes the command‑line parameters and variables.
Variable name |
Replace with |
---|---|
/g:<guid of GPO> |
The GUID of the approved GPO you want to export using GPAExportUtil.exe. Use along with the /d option when you want to export two or more GPOs with the same GUID, but from different domains (required when exporting individual GPOs) |
/d:<DNS name of AD domain> |
The DNS name of the domain where approved GPOs will be exported. When this parameter is not specified, approved GPOs will be exported to the domain of the user performing the export. You can use this parameter when exporting any built‑in domain policy GPOs or GPOs with same GUID. |
/a |
All approved GPOs in all domains of the specified GP Repository will be exported (optional). |
/C:"<SQL Connection string>" |
Full SQL Server connection string to the GP Repository database, in double quotes. Use instead of the other SQL Server parameters (required). |
/SQLS:<repository_server> |
Name of the GP Repository SQL Server (optional). |
/SQLD:<rep_database_name> |
Name of the GP Repository SQL Server database (optional). |
/U:<SQL username> |
SQL Server account name to use for SQL Authentication (optional). |
/P:<SQL password> |
SQL Server account password to use for SQL Server Authentication. Use caution when specifying this parameter in batch files (optional). |
To export two selected GPOs from the domain, the export batch file contains the following entries:
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{1FEB5933-DA75-49BC-A63F-FA86C7CA9E20} /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{F94F2CF6-0264-4DA6-B76C-7C920360894D} /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
To export all GPOs in a domain, the export batch file contains the following entry:
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
To export two GPOs (in this case, the default domain policy) with the same GUID, but from different domains, the export batch file contains the following entries:
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{31B2F340-016D-11D2-945F-00C04FB984F9} /d:usregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
"C:\Program Files\NetIQ\Group Policy Administrator\tools\GPAExportUtil.exe" /g:{31B2F340-016D-11D2-945F-00C04FB984F9} /d:nordicregion.com /Connect:"Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=TREK02;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=TREK02;Use Encryption for Data=False;Tag with column collation when possible=False"
Allows you to view whether a GPO is checked out. This operation returns a True or False value. True indicates a GPO is checked out and False indicates that the GPO is checked in.
GPOObject.StatusCheckedOut
The following sample displays whether a GPO is checked out.
Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory If oGPO.StatusCheckedOut = True then Wscript.Echo oGPO.Name + "is checked out" else Wscript.Echo oGPO.Name + "is checked in" end if Next
GPOObject.StatusCheckedOut
The following sample displays whether a GPO is checked out.
public static void GetGPOCheckoutStatus() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo gprGpo in oCategory) { if (gprGpo.StatusCheckedOut == false) { Console.WriteLine(gprGpo.Name + "is checked in"); } else { Console.WriteLine(gprGpo.Name + "is checked out"); } } Console.ReadKey(); }
Allows you to read the approval status of a GPO. This operation returns a True or False value. A True value denotes Approved status and a False value denotes Unapproved status.
GPOObject.StatusApproved
The following sample displays the approval status of a GPO.
Dim oGPRroot, oCategory, oGPO, sCategory, sExportOpt sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sExportOpt = "NoBackUpOverwrite" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory If oGPO.StatusApproved = True then Wscript.Echo oGPO.Name + " is approved" else Wscript.Echo oGPO.Name + " is not approved" end if Next
GPOObject.StatusApproved
The following sample displays the approval status of a GPO.
public static void GetGPOApprovalStatus() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo gprGpo in oCategory) { if (gprGpo.StatusApproved == true) { Console.WriteLine(gprGpo.Name + " is approved"); } else { Console.WriteLine(gprGpo.Name + " is not approved"); } } Console.ReadKey(); }
Sets or gets status of locking or masking of a GPO for a user or group.
Sets locking or masking of a GPO for a user or group.
Int Result = GPOObject.SetGPOSecurityFilterInfo(string AccountName, Int OpType, Int Overwrite)
Gets status of locking or masking of a GPO for a user or group.
Int Result = GPOObject.GetGPOSecurityFilterInfo(string AccountName, Int OpType)
Parameter |
Value |
---|---|
AccountName |
User or Group |
OpType |
|
Overwrite |
|
Result |
|
The following code locks a GPO for a user or group object.
Dim oGPRroot, oCategory, oGPO, sGPOPath, result sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=MABOSLPT03;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use Encryption for Data=False;Tag with column collation when possible=False") Set oGPO = oGPRroot.GetObject(sGPOPath) result = oGPO.SetGPOSecurityFilterInfo("MYDOMAIN\<UserorGroup>", 0, 1) Wscript.Echo result
The following code checks to see if a GPO is unmasked for a user or group object.
Dim oGPRroot, oCategory, oGPO, sGPOPath, result sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("PROVIDER = SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=MABOSLPT03;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=MABOSLPT03;Use Encryption for Data=False;Tag with column collation when possible=False") Set oGPO = oGPRroot.GetObject(sGPOPath) result = oGPO.GetGPOSecurityFilterInfo("MYDOMAIN\<UserorGroup>", 3) Wscript.Echo result
Sets locking or masking of a GPO for a user or group.
Int Result = GPOObject.SetGPOSecurityFilterInfo(string AccountName, Int OpType, Int OverWrite);
Gets status of locking or masking of a GPO for a user or group.
Int Result = GPOObject.GetGPOSecurityFilterInfo(string AccountName, Int OpType);
Parameter |
Value |
---|---|
AccountName |
User or Group |
OpType |
|
Overwrite |
|
Result |
|
The following code locks a GPO for a user or group object.
public static void LockGPO() { string sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo8 oGPO = (IfaGPRGpo8)oGPRroot.GetObject(sGPOPath); int result = oGPO.SetGPOSecurityFilterInfo("MYDOMAIN\\<UserorGroup>", 0, 1); Console.WriteLine(result.ToString()); Console.ReadKey(); }
The following code checks to see if a GPO is unmasked for a user or group object.
public static void UnLockGPO() { string sGPOPath = "FAGPR://CN={7DEE509A-2817-416F-B969-DDCEA57FE6A3}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo8 oGPO = (IfaGPRGpo8)oGPRroot.GetObject(sGPOPath); int result = oGPO.GetGPOSecurityFilterInfo("MYDOMAIN\\<UserorGroup>", 3); Console.WriteLine(result.ToString()); Console.ReadKey(); }
Retrieves the CN name (GUID) of a GPO.
StrName = GPOObject.CNName
The following sample lists the CN names of all GPOs in a category.
REM List names of GPOs in a Category Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory Wscript.Echo oGPO.Name & ", " & oGPO.CNName Next
StrName = GPOObject.CNName
The following sample lists the CN names of all GPOs in a category.
public static void ReadGPOCNName() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo2 oGPO in oCategory) { Console.WriteLine(oGPO.Name + ", " + oGPO.CNName); } Console.ReadKey(); }
Generate an HTML report for a specific version of a GPO. Specify the version number of the GPO that you want to generate a report for. If you want to generate a Report for the latest version of the GPO then pass the value as 0.
GPOObject.ReportHtml VersionNumber, HTMLFile
The following sample generates reports for all GPOs in a category.
Dim oGPRroot, oCategory, oGPO, sCategory, sPath, i, sCurrentFile sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sPath = "C:\Diffreport_User\" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" i= 1 for each oGPO in oCategory sCurrentFile = sPath + oGPO.Name + cstr(i) + ".htm" oGPO.ReportHtml 0, sCurrentFile i = i +1 Next
GPOObject.ReportHtml(VersionNumber, HTMLFile)
The following sample generates reports for all GPOs in a category.
public static void GenerateGPOReport() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sPath = "C://Folder/"; string sCurrentFile = ""; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; int i = 1; foreach (IfaGPRGpo gprGpo in oCategory) { sCurrentFile = sPath + gprGpo.Name + Convert.ToString(i) + ".htm"; gprGpo.ReportHtml(0, sCurrentFile); i++; } Console.WriteLine("GPOs reports were generated successfully"); Console.ReadKey(); }
Compare two GPOs and generate an HTML report of the comparison including the similarities and differences. The two GPOs must exist before running this operation. The DiffParameter indicates the type of comparison report. A True value includes only the differences in the report. A False value includes both the similarities and differences in the report.
GPOObject1.Compare2GPOsReportHTML GPOObject2, HTMLfile, DiffParameter
The following sample generates an HTML report that compares two GPOs.
Dim oGPRroot, oGPO1, sGPO1, oGPO2, sGPO2 sGPO1 = "FAGPR://CN={B64E5669-C0BB-4549-BEF0- E9E3554AA70A},CN=cat1,DC=rootdev2,DC=com" sGPO2 = "FAGPR://CN={B6F9BDBA-BF2B-4973-83C3- FA07236B6BF8},CN=cat1,DC=rootdev2,DC=com" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oGPO1 = oGPRroot.GetObject(sGPO1) Set oGPO2 = oGPRroot. GetObject(sGPO2) oGPO1.Compare2GPOsReportHtml oGPO2, "c:\\report\diff.htm", FALSE
GPOObject1.Compare2GPOsReportHTML(GPOObject2, HTMLfile, DiffParameter)
The following sample generates an HTML report that compares two GPOs.
public static void ComparisionReportOfTwoGPOs() { string sGPO1 = "FAGPR://CN={E9DAE4E3-1D76-46EA-8B06-37B30D80E764}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sGPO2 = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sPath = "C://Folder/comparisionTwoGPOs.htm"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo oGPO1 = oGPRroot.GetObject(sGPO1); IfaGPRGpo oGPO2 = oGPRroot.GetObject(sGPO2); oGPO1.Compare2GPOsReportHtml(oGPO2, sPath, false); Console.WriteLine("GPO comparision Report was generated successfully"); Console.ReadKey(); }
Generate a comparison HTML report with two different GP Repository versions of the GPO. The DiffParameter indicates the type of comparison report. A True value includes only the differences in the report. A False value includes both the similarities and differences in the report.
GPOObject.CompareVersionReportHtml Version1, Version2, "HTML Report name", DiffParameter
The following sample generates an HTML report that compares two GP Repository versions of a GPO.
Dim oGPRroot, oCategory, oGPO, sGPO sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1- 803874AB7EA0},CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oGPO = oGPRroot.GetObject(sGPO) oGPO.CompareVersionReportHtml 1,2, "c:\report.htm", True
GPOObject1.CompareVersionReportHTML(Version1, Version2, HTMLfile, DiffParameter)
The following sample generates an HTML report that compares two GP Repository versions of a GPO.
public static void ComparisionReportOfGPORepositoryVersions() { string sGPO1 = "FAGPR://CN={E9DAE4E3-1D76-46EA-8B06-37B30D80E764}, CN=MyCategory, DC=MYDomain,DC=COM"; string sPath = "C://Folder/ComparisionRepGPOVersions.htm"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo oGPO1 = oGPRroot.GetObject(sGPO1); oGPO1.CompareVersionReportHtml(1, 2, sPath, false); Console.WriteLine("Comparision report was generated successfully"); Console.ReadKey(); }
Generate a comparison HTML report with GPOs from Active Directory. The DiffParameter indicates the type of comparison report. A True value includes only the differences in the report. A False value includes both the similarities and differences in the report.
GPOObject1.CompareADReportHTML VersionNumber, HTMLfile, DiffParameter
Generate a report that compares all GPOs in a category with the Active Directory versions of the GPOs.
Dim oGPRroot, oCategory, oGPO, sConnect, sCategory, sPath Dim i, sCurrentFile sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sPath = "C:\Diffreport_User\" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" i = 1 For Each oGPO in oCategory sCurrentFile = sPath + oGPO.Name + cstr(i) + ".htm" oGPO.CompareADReportHtml 0, sCurrentFile, FALSE i = i + 1 Next wscript.echo "Operation Completed"
GPOObject1.CompareADReportHTML(VersionNumber, HTMLfile, DiffParameter)
Generate a report that compares all GPOs in a category with the Active Directory versions of the GPOs.
public static void ComparisionReportOfGPOActiveDirectoryVersions() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sPath = "C://Folder/"; string sCurrentFile; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; int i = 1; foreach (IfaGPRGpo oGPO in oCategory) { sCurrentFile = sPath + oGPO.Name + Convert.ToString(i) + ".htm"; oGPO.CompareADReportHtml(0, sCurrentFile, true); } Console.WriteLine("Comparison report of GPOs in a category with the AD versions generated successfully"); Console.ReadKey(); }
Creates a copy of a GPO in the target category in the GP Repository.
GPOObject.CopyTo TargetContainerObject
or
Set NewGPOObject = OriginalGPOObject.CopyTo(TargetContainerObject)
The following code creates a copy of the GPO in the target category.
Dim oGPRroot, sCategory, sGPO, oCategory, oGPO sCategory = "FAGPR://CN=ExampleOU,CN=RELEASE,DC=Repository,DC=Net" sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-803874AB7EA0}, CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) Set oGPO = oGPRroot.GetObject(sGPO) oGPO.CopyTo oCategory
GPOObject.CopyTo(TargetContainerObject) or MyGPOObject = OriginalGPOObject.CopyTo(TargetContainerObject)
The following code creates a copy of the GPO in the target category.
public static void CopyGPO() { string sCategoryTarget = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sGPO = "FAGPR://CN={C1AF6C94-7738-4E7A-83CB-4EA154B2F2D5}, CN=NewCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); IfaGPRGpo oGPO1 = oGPRroot.GetObject(sGPO1); oGPO1.CopyTo(oCategoryTarget); Console.WriteLine("GPO copied successfully"); Console.ReadKey(); }
Enumerate a list of GPO links within a GPO and generates a list of Link Status and Link Order properties for each GPO link.
oGPO.EnumerateLinks p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder
The following code enumerates the GPO links for a GPO.
Dim oGPRroot, oGPO, sGPOPath Dim p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder, linkldap Set oGPRroot = Wscript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=MYREPOSITORYDB;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=MYWORKSTATION;Use Encryption for Data=False;Tag with column collation when possible=False") sGPOPath = "FAGPR://CN={6A63640A-09E5-4833-B43F-BEB96DE47AC8}, CN=cat2, DC=MYDOMAIN,DC=COM" Set oGPO = oGPRroot.GetObject(sGPOPath) oGPO.EnumerateLinks p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder For Each linkLdap in p_pvarLinks WScript.Echo linkLdap Next
oGPO.EnumerateLinks(p_pvarLinks, p_pvarLinkStatus, p_pvarLinkOrder)
The following code enumerates the GPO links for a GPO.
public static void Enumerate_GPOLinks() { string sGPOPath = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; dynamic p_pvarLinks; dynamic p_pvarLinkStatus; dynamic p_pvarLinkOrder; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo3 oGPO = oGPRroot.GetObject(sGPOPath); oGPO.EnumerateLinks(out p_pvarLinks, out p_pvarLinkStatus, out p_pvarLinkOrder); foreach (object linkLdap in p_pvarLinks) { Console.WriteLine(linkLdap.ToString()); } Console.ReadKey(); }
Returns a collection of GPO Links.
Returns a collection of Link Status.
Returns a collection of Link Order.
Links a GPO to a category.
GPOObject.LinkGPO "GPOGUID"
The following code links a GPO to a category.
Dim oGPRroot, oCategory Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject("FAGPR://CN=Desktop,DC=NetIQLabs,DC=com") oCategory.LinkGPO "{31B2F340-016D-11D2-945F-00C04FB984F9}"
GPOObject.LinkGPO("GPOGUID")
The following code links a GPO to a category.
public static void LinkGPOtoCategory() { string sCategory = "FAGPR://CN=NewCategory, DC=MYDOMAIN,DC=LAB"; string sGPO = "{4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.LinkGPO(sGPO); Console.WriteLine("GPO was linked to category successfully"); Console.ReadKey(); }
Migrate a GPO across different domains or to a different category within the same domain. You can specify either a category or a GPO as the target. In either case, specify the GP Repository path of the target object.
GPOObject.MigrateTo TargetCategory
GPOObject.MigrateToEx TargetGPO, True|False
The following sample migrates all GPOs in a category to another category across domains in the same database.
Dim oGPRroot, oSourceCat, oGPO, sSourceCat, oTargetCat, sTargetCat sSourceCat = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sTargetCat = "FAGPR://CN=UserOU,CN=RELEASE,DC=USA,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oSourceCat = oGPRroot.GetObject(sSourceCat) Set oTargetCat = oGPRroot.GetObject(sTargetCat) oSourceCat.EnumType = "GPO" For Each oGPO in oSourceCat oGPO.MigrateTo(oTargetCat) Next wscript.echo "Operation completed."
The following sample migrates all GPOs in a category to another category across domains in the same database.
public static void MigrateGPO_CattoCatAcrossDomainsSameDB() { string sCategorysource = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sCategorytarget = "FAGPR://CN=MyCategory, DC=MYTARGETDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategorysource = oGPRroot.GetObject(sCategorysource); IfaGPRCategory oCategorytarget = oGPRroot.GetObject(sCategorytarget); oCategorysource.EnumType = "GPO"; foreach (IfaGPRGpo oGPO in oCategorysource) { oGPO.MigrateTo(oCategorytarget); } Console.WriteLine("GPOs were migrated successfully."); Console.ReadKey(); }
The following sample migrates all GPOs in a category to another category across domains in a different database.
Dim oSourceGPRroot, oTargetGPRroot Dim sSourceConnect, sTargetConnect Dim oSourceCat, oGPO, sSourceCat, oTargetCat, sTargetCat sSourceConnect = "DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;" sTargetConnect = "DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;" sSourceCat = "FAGPR://CN=cat1,CN=ImportedGPOs,DC=rootdev2,DC=com" sTargetCat = "FAGPR://CN=cat2,CN=ImportedGPOs,DC=rootdev22,DC=com2" Set oSourceGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oSourceGPRroot.ConnectTo(sSourceConnect) Set oTargetGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oTargetGPRroot.ConnectTo(sTargetConnect) Set oSourceCat = oSourceGPRroot.GetObject(sSourceCat) Set oTargetCat = oTargetGPRroot.GetObject(sTargetCat) oSourceCat.EnumType = "GPO" For Each oGPO in oSourceCat oGPO.MigrateTo oTargetCat Next wscript.echo "Operation completed."
The following sample migrates all GPOs in a category to another category across domains in a different database.
public static void MigrateGPO_CattoCatAcrossDomainsDiffDB() { string sCategorysource = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sCategorytarget = "FAGPR://CN=MyCategory, DC=MYTARGETDOMAIN,DC=LAB"; IfaGPRRoot oGPRrootSource = new faGPRRoot(); IfaGPRRoot oGPRrootTarget = new faGPRRoot(); oGPRrootSource.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); oGPRrootTarget.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=JALQEGP611\test_instance;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=JALQEGP611;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategorySource = oGPRrootSource.GetObject(sCategorysource); IfaGPRCategory oCategoryTarget = oGPRrootTarget.GetObject(sCategorytarget); oCategorySource.EnumType = "GPO"; foreach (IfaGPRGpo oGPO in oCategorySource) { oGPO.MigrateTo(oCategoryTarget); } Console.WriteLine("GPOs were migrated successfully."); Console.ReadKey(); }
The following sample migrates a GPO in a category to another category that already contains the same GPO. If the value is set to True, the target GPO will be renamed to match the source GPO. If the value is set to False, the target GPO name will be retained.
Dim oGPRroot, oGPO, zGPO, sGPOTarget, sGPOSource sGPOSource="FAGPR://CN={251C91F3-F547-415F-BCA9-3B349B916E8D}, CN=Target, DC=GPDOM700,DC=LAB" sGPOTarget="FAGPR://CN={251C91F3-F547-415F-BCA9-3B349B916E8D}, CN=Target2, DC=GPDOM7002,DC=LAB2" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oGPO = oGPRroot.GetObject(sGPOSource) Set zGPO = oGPRroot.GetObject(sGPOTarget) oGPO.MigrateToEx zGPO, false wscript.echo "Operation completed."
The following sample migrates a GPO in a category to another category that already contains the same GPO. If the value is set to True, the target GPO will be renamed to match the source GPO. If the value is set to False, the target GPO name will be retained.
public static void MigrateGPO_CattoCatwhichAlreadyContainsaGPO() { string sGPOsource = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sGPOtarget = "FAGPR://CN={C1AF6C94-7738-4E7A-83CB-4EA154B2F2D5}, CN=NewCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo3 oGPOSource = oGPRroot.GetObject(sGPOsource); IfaGPRGpo3 oGPOtarget = oGPRroot.GetObject(sGPOtarget); oGPOSource.MigrateToEx(oGPOtarget, false); Console.WriteLine("GPOs were migrated successfully."); Console.ReadKey(); }
Copies information from a GPO to a different GPO. The PasteOptions parameter allows you to specify which information should be copied. PasteOptions can contain any combination of the following values: DATA, Links, Name, Security, WMI. To specify multiple values, separate them with the pipe symbol ( | ), such as "DATA|Links|Name|Security|WMI". When you specify the Name value, PasteOptions adds the prefix, “Copy of” to the GPO name. For example, PasteOptions copies MyGPO as Copy of MyGPO. You can also specify ALL to copy all information.
GPOObject.PasteToGpo TargetGPOObject, PasteOptions
The following sample allows you to copy the name and links from the source GPO to the target GPO.
Dim oGPRroot, sGPO, sGPOTarget, oGPO, oGPOTarget sGPO = "FAGPR://CN={6E936ED3-00C8-4FE7-95A1-803874AB7EA0}, CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" sGPOTarget = "FAGPR:// CN={B0DF1662-1F2A-4A4A-8073-357E138AB148}, CN=ExampleOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oGPO = oGPRroot.GetObject(sGPO) Set oGPOTarget = oGPRroot.GetObject(sGPOTarget) oGPO.PasteToGpo oGPOTarget, "Name|Links"
GPOObject.PasteToGpo(TargetGPOObject, PasteOptions)
The following sample allows you to copy the name and links from the source GPO to the target GPO.
public static void PastetoanExistingGPO() { string sGPO = "FAGPR://CN={4F246D45-332E-45AC-B728-B7A0A612C61E}, CN=MyCategory, DC=MYDOMAIN,DC=LAB"; string sGPOTarget = "FAGPR://CN={1E28B502-B8B2-4957-9C94-D39B1BD8F18A}, CN=NewCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRGpo oGPO = oGPRroot.GetObject(sGPO); IfaGPRGpo oGPOTarget = oGPRroot.GetObject(sGPOTarget); oGPO.PasteToGpo(oGPOTarget, "ALL"); Console.WriteLine("GPO pasted successful"); Console.ReadKey(); }
Retrieves the name of a GPO.
StrName = GPOObject.Name
The following sample allows you to list GPO names in a category.
REM List names of GPOs in a Category Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory Wscript.Echo oGpo.Name Next
StrName = GPOObject.Name
The following sample allows you to list GPO names in a category.
public static void ReadGPOName() { string sCategory = "FAGPR://CN=MyCategory, DC=MYTARGETDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo2 oGPO in oCategory) { Console.WriteLine(oGPO.Name); } Console.ReadKey(); }
The Synchronize GPO Link Order tool (NqGPASyncLinkOrder.exe) allows you to synchronize the GPO link order in the GP Repository to match the GPO link order in Active Directory. GPA automatically runs this tool when you indicate for it to run from the Offline Mirror wizard, when you create an offline mirror from the command line, or when you execute this tool from the command line. Using the Offline Mirror wizard simplifies synchronizing GPO link order. For more information on synchronizing link order using the Offline Mirror wizard, see Section 5.9.3, Synchronizing GPO Link Order Using the Offline Mirror Wizard. For general information about synchronizing GPO link orders, see Section 5.8.4, Synchronizing GPOs with AD Before Export.
NOTE:
To synchronize all GPOs under all the GP Repository domains, do not specify a domain (/D) or Active Directory (AD) container (/ADContainer).
The Synchronize GPO Link Order tool also synchronizes the block inheritance settings in the GP Repository to match the block inheritance settings in Active Directory during the upgrade process.
To synchronize GPO link order between the GP Repository and AD using the command-line tool:
Log on to a GPA Console computer with an account that has permissions to modify GPOs in the GP Repository and to read Active Directory in the domain where you want to synchronize GPO link order.
Open a command prompt window.
Navigate to the \Tools folder under the product installation path. If you used the default installation path, navigate to C:\Program Files\NetIQ\Group Policy Administrator\Tools.
Run the Synchronize GPO Link Order tool, NqGPASyncLinkOrder.exe. For general information about the synchronizing link order, see Section 5.8.4, Synchronizing GPOs with AD Before Export.
Your command may be similar to one of the following examples:
NqGPASyncLinkOrder /ADContainer:OU=DV - Link Order, DC=GPDOM800, DC=Lab" /S:. /DB:GPO_REPOSITORY NqGPASyncLinkOrder /D:OU=DV - LO - LEVEL 2, OU=DV - LO - LEVEL 1, OU=DV - LO - LINK ORDER, DC=GPDOM800, DC=Lab" /S:. /DB:GP_REPOSITORY
The Synchronize GPO Link Order tool displays a completion status in the command prompt window.
NOTE:For more information about using the Offline Mirror wizard to synchronize link order from the GPA console, see Section 5.9.3, Synchronizing GPO Link Order Using the Offline Mirror Wizard.
The Synchronize GPO Link Order tool creates a log file in the %Temp% folder for the current user. Refer to this file for before and after details about link order changes.
NqGPASyncLinkOrder [/D:MyDomain.com | /ADContainer:LDAPPath][/S:MyDBServer /DB:MyDataBase /U:MyUser /P:MyPassword]
The following table describes the command-line parameters and variables.
Variable name |
Replace with |
---|---|
/D: Domain_DNS_Name |
DNS name of the source domain, such as domainname.local, which synchronizes all GPOs in the domain. If you do not specify this parameter, the tool synchronizes the GPO link order of all GPOs in all domains. (optional) |
/ADContainer:LDAPPath |
LDAP path of the AD Container (Domain, Site, or OU) for the sync operation, which links the GPOs directly under the specified domain.(optional). For example: LDAP://OU=OUname, DC=DomainName, D=local (optional). |
/S: Repository_Server |
Name of the Microsoft SQL Server where you installed the GP Repository. The default value, period (.), indicates you installed the GP Repository on the local Microsoft SQL Server. (mandatory) |
/DB: DatabaseName |
Name of the GP Repository database (mandatory). |
/U: SQLUserName |
Microsoft SQL Server logon user name used by SQL Authentication to access the GP Repository (optional). |
/P: SQLUserPassword |
Microsoft SQL Server logon password used by SQL Authentication to access the GP Repository (optional). |
NqGPASyncLinkOrder /S:GPDOM800 /DB:MyDataBase /U:MyUser /P:MyPassword or NqGPASyncLinkOrder /D:MyDomain.com /S:GPDOM800 /DB:MyDataBase /U:MyUser /P:MyPassword or NqGPASyncLinkOrder /ADContainer:LDAPPath /S:GPDOM800 /DB:MyDataBase /U:MyUser /P:MyPassword
Undo a checkout without saving any changes to the GP Repository.
GPOObject.UndoCheckOut
The following sample allows you to undo the checkout of all GPOs checked out in a category. When you undo a checkout, GPA discards any changes you have made to the GPOs.
REM Undo Checkout for all checked out GPOs in a category Dim oGPRroot, oCategory, oGPO, sCategory sCategory = "FAGPR://CN=UserOU,CN=RELEASE,DC=Repository,DC=Net" Set oGPRroot = WScript.CreateObject("faGPRRoot.faGPRRoot") oGPRroot.ConnectTo("DRIVER={ODBC Driver 13 for SQL Server};SERVER="<SQL Server Instance Name>";Trusted_Connection=Yes;DATABASE=GPO_REPOSITORY;") Set oCategory = oGPRroot.GetObject(sCategory) oCategory.EnumType = "GPO" For Each oGPO in oCategory If oGPO.StatusCheckedOut = True then oGPO.UndoCheckOut end if Next
GPOObject.UndoCheckOut()
The following sample allows you to undo the checkout of all GPOs checked out in a category. When you undo a checkout, GPA discards any changes you have made to the GPOs.
public static void UndoGPO() { string sCategory = "FAGPR://CN=MyCategory, DC=MYDOMAIN,DC=LAB"; IfaGPRRoot oGPRroot = new faGPRRoot(); oGPRroot.ConnectTo("Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=GPO_REPOSITORY;Data Source=GPA_SERVER;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=GPA_SERVER;Use Encryption for Data=False;Tag with column collation when possible=False"); IfaGPRCategory oCategory = oGPRroot.GetObject(sCategory); oCategory.EnumType = "GPO"; foreach (IfaGPRGpo oGPO in oCategory) { oGPO.UndoCheckOut(); } Console.WriteLine("Undo GPO checkout successful"); Console.ReadKey(); }