
@jeffpatton1971
Last active November 2, 2016 17:25
A rough draft of a group policy module and a script to show how to use it for a very specific case
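Function Get-Gpo
{
    <#
    .SYNOPSIS
        Returns GPOs from a domain by display name, by id, or all of them, optionally scoped to a SOM.
    .DESCRIPTION
        Thin wrapper over Invoke-GPMgmt. The parameter set in use (DisplayName, Id or All) selects
        the search Invoke-GPMgmt runs; -Domain, -Server, -UsePDC and -SOM are forwarded unchanged.
        When -Domain is omitted the current domain's DNS name is used.
    .PARAMETER DisplayName
        GPO display name to match exactly (SearchOption Equals).
    .PARAMETER Id
        GPO id to match exactly (SearchOption Equals).
    .PARAMETER All
        Return every GPO; no search criteria are built.
    .PARAMETER Domain
        DNS name of the domain; defaults to the current domain.
    .PARAMETER UsePDC
        Bind to the PDC emulator instead of any domain controller.
    .PARAMETER Server
        Domain controller to bind to; forwarded to Invoke-GPMgmt as given (empty string when omitted).
    .PARAMETER SOM
        Scope of management whose linked GPOs are returned; when set, Invoke-GPMgmt ignores the search criteria.
    .NOTES
        All three parameter sets place their selector at position 0, so call this with named
        parameters (-DisplayName/-Id/-All) to avoid an ambiguous parameter-set error.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,Position=0,ParameterSetName="DisplayName")]
        [string]$DisplayName,
        [Parameter(Mandatory=$true,Position=0,ParameterSetName="Id")]
        [string]$Id,
        [Parameter(Mandatory=$true,Position=0,ParameterSetName="All")]
        [switch]$All,
        [Parameter(Mandatory=$false,Position=1,ParameterSetName="All")]
        [Parameter(Mandatory=$false,Position=1,ParameterSetName="Id")]
        [Parameter(Mandatory=$false,Position=1,ParameterSetName="DisplayName")]
        [string]$Domain,
        [Parameter(Mandatory=$false,Position=2,ParameterSetName="All")]
        [Parameter(Mandatory=$false,Position=2,ParameterSetName="Id")]
        [Parameter(Mandatory=$false,Position=2,ParameterSetName="DisplayName")]
        [switch]$UsePDC,
        [Parameter(Mandatory=$false,Position=3,ParameterSetName="All")]
        [Parameter(Mandatory=$false,Position=3,ParameterSetName="Id")]
        [Parameter(Mandatory=$false,Position=3,ParameterSetName="DisplayName")]
        [string]$Server,
        [Parameter(Mandatory=$false,Position=4,ParameterSetName="All")]
        [Parameter(Mandatory=$false,Position=4,ParameterSetName="Id")]
        [Parameter(Mandatory=$false,Position=4,ParameterSetName="DisplayName")]
        [string]$SOM
    )
    Begin
    {
        if (!($Domain))
        {
            $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name;
        }
        # Arguments shared by every parameter set. Splatting the switch as UsePDC = $UsePDC
        # forwards it as -UsePDC:$true/-UsePDC:$false, which removes the duplicated
        # PDC / any-DC branch that each set carried before.
        $Common = @{
            Domain = $Domain;
            Server = $Server;
            UsePDC = $UsePDC;
            SOM    = $SOM;
        }
        switch ($PSCmdlet.ParameterSetName)
        {
            'DisplayName'
            {
                Invoke-GPMgmt @Common -SearchProperty GPODisplayName -SearchOption Equals -Value $DisplayName;
            }
            'Id'
            {
                # $Id was previously passed positionally after -SearchOption; naming it
                # keeps the binding from depending on which positional slots are still free.
                Invoke-GPMgmt @Common -SearchProperty GPOID -SearchOption Equals -Value $Id;
            }
            'All'
            {
                Invoke-GPMgmt @Common -All;
            }
        }
    }
    Process
    {
    }
    End
    {
    }
}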
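Function Get-GpLink
{
    <#
    .SYNOPSIS
        Returns the SOMs (scopes of management) that link the given GPO.
    .DESCRIPTION
        Runs a SOMLinks / Contains search through Invoke-GPMgmt against the current domain,
        passing the GPO object itself as the search value. No -Server or -UsePDC is forwarded,
        so Invoke-GPMgmt binds to any domain controller.
    .PARAMETER GPO
        GPO COM object (such as one returned by Get-Gpo) whose links are wanted.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [__ComObject]$GPO
    )
    Begin
    {
        # Invoke-GPMgmt declares -Domain as [string]; pass the DNS name explicitly, as
        # Get-Gpo does, instead of relying on the Domain object's string conversion.
        $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name;
        Invoke-GPMgmt -Domain $Domain -SearchProperty SOMLinks -SearchOption Contains -Value $GPO
    }
    Process
    {
    }
    End
    {
    }
}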
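Function Invoke-GPMgmt
{
    <#
    .SYNOPSIS
        Low-level wrapper around the GPMgmt.GPM COM object used by Get-Gpo and Get-GpLink.
    .DESCRIPTION
        Binds to a domain (PDC emulator or any DC), then either returns the GPOs linked to a
        SOM, or runs a GPO / SOM search built from -SearchProperty, -SearchOption and -Value.
        With -All no criteria are added, so the search returns every GPO.
    .PARAMETER Domain
        DNS name of the domain to bind to.
    .PARAMETER Server
        Domain controller to bind to; passed straight to GPM.GetDomain.
    .PARAMETER UsePDC
        Bind using Constants.UsePDC instead of Constants.UseAnyDC.
    .PARAMETER SearchProperty
        GPMC search property. The ValidateSet is what makes the dynamic member lookup on
        $Constants safe: only the listed names can reach it.
    .PARAMETER SearchOption
        GPMC search operator; bounded by ValidateSet for the same reason.
    .PARAMETER Value
        Value to compare against. Left untyped because callers pass both strings and COM objects.
    .PARAMETER SOM
        When given, the GPOs linked to this SOM are returned and the search criteria are not used.
    .PARAMETER All
        Return every GPO; -SearchProperty, -SearchOption and -Value are not required.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$false,Position=0,ParameterSetName="GetGPO")]
        [string]$Domain,
        [Parameter(Mandatory=$false,Position=1,ParameterSetName="GetGPO")]
        [string]$Server,
        [Parameter(Mandatory=$false,Position=2,ParameterSetName="GetGPO")]
        [switch]$UsePDC,
        [Parameter(Mandatory=$false,Position=3,ParameterSetName="GetGPO")]
        [ValidateSet('BackupMostRecent','GPOComputerExtensions','GPODisplayName','GPODomain','GPOEffectivePermissions','GPOID','GPOPermissions','GPOUserExtensions','GPOWMIFilter','SOMLinks')]
        [string]$SearchProperty,
        [Parameter(Mandatory=$false,Position=4,ParameterSetName="GetGPO")]
        [ValidateSet('Contains','Equals','NotContains','NotEquals')]
        [string]$SearchOption,
        [Parameter(Mandatory=$false,Position=5,ParameterSetName="GetGPO")]
        $Value,
        [Parameter(Mandatory=$false,Position=6,ParameterSetName="GetGPO")]
        [string]$SOM,
        [Parameter(Mandatory=$false,Position=7,ParameterSetName="GetGPO")]
        [switch]$All
    )
    Begin
    {
        $GPMgmt = New-Object -ComObject GPMgmt.GPM;
        $Constants = $GPMgmt.GetConstants();
        $SearchCriteria = $GPMgmt.CreateSearchCriteria();
        # Criteria are only needed for a real search: not for -All (empty criteria) and not
        # for -SOM (links are enumerated directly). Resolving the constants only in that case
        # avoids a member lookup with an empty suffix when the caller gave no property.
        $NeedsCriteria = !($All) -and !($SOM);
        if ($NeedsCriteria)
        {
            if (!($SearchProperty) -or !($SearchOption))
            {
                # Fail here with a readable message instead of letting SearchCriteria.Add
                # fail on $null arguments further down.
                throw (New-Object System.ArgumentException "SearchProperty and SearchOption are required unless -All or -SOM is specified.");
            }
            # Dynamic member names; bounded by the ValidateSet on both parameters.
            $sProperty = $Constants."SearchProperty$($SearchProperty)";
            $sOption = $Constants."SearchOp$($SearchOption)";
        }
    }
    Process
    {
        switch ($PSCmdlet.ParameterSetName)
        {
            'GetGPO'
            {
                if ($NeedsCriteria)
                {
                    Write-Verbose "Setting up searchCriteria";
                    $SearchCriteria.Add($sProperty, $sOption, $Value);
                }
                if ($UsePDC)
                {
                    Write-Verbose "Use the PDC";
                    $GPMDomain = $GPMgmt.GetDomain($Domain,$Server,$Constants.UsePDC);
                }
                else
                {
                    Write-Verbose "Use Any DC";
                    $GPMDomain = $GPMgmt.GetDomain($Domain,$Server,$Constants.UseAnyDC);
                }
                if ($SOM)
                {
                    Write-Verbose "SOM Detected"
                    # Each link carries the GPO id; the GPO itself is fetched from the domain by that id.
                    $GPMSom = $GPMDomain.GetSOM($SOM);
                    $GPMSomLinks = $GPMSom.GetGPOLinks();
                    foreach ($GPMSomLink in $GPMSomLinks)
                    {
                        $GPMDomain.GetGPO($GPMSomLink.GPOID.ToString());
                    }
                }
                else
                {
                    # Only SOMLinks searches SOMs; every other property (and -All, where
                    # $SearchProperty is empty) is a GPO search with the criteria built above.
                    switch ($SearchProperty)
                    {
                        'GPODisplayName'
                        {
                            Write-Verbose "Search for GPOs";
                            $GPMDomain.SearchGPOs($SearchCriteria);
                        }
                        'SOMLinks'
                        {
                            Write-Verbose "Search for SOMs";
                            $GPMDomain.SearchSOMs($SearchCriteria);
                        }
                        default
                        {
                            Write-Verbose "Search All";
                            $GPMDomain.SearchGPOs($SearchCriteria);
                        }
                    }
                }
            }
        }
    }
    End
    {
    }
}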
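<#
.SYNOPSIS
    Grants GPOEditDeleteModifySecurity on every GPO linked under the given OUs to one group and one user.
.DESCRIPTION
    For each root OU, every OU in its subtree is enumerated, the GPOs linked to each one are collected
    with Get-Gpo -All -SOM (from GPMgmt.psm1), de-duplicated by ID, and Set-GPPermission is run for the
    group and the user on each. This is a broad delegation (edit, delete and modify security on every
    linked GPO), so the script supports -WhatIf / -Confirm and aborts before any change if a module
    fails to load.
.PARAMETER RootOU
    One or more OU distinguished names to search under.
.PARAMETER Group
    Group that receives GPOEditDeleteModifySecurity on each GPO.
.PARAMETER User
    User that receives GPOEditDeleteModifySecurity on each GPO.
#>
[CmdletBinding(SupportsShouldProcess=$true)]
Param
(
    [Parameter(Mandatory=$true)]
    [string[]]$RootOU,
    [Parameter(Mandatory=$true)]
    [string]$Group,
    [Parameter(Mandatory=$true)]
    [string]$User
)
# Stop before touching any GPO if a module is missing. GPMgmt.psm1 is loaded from the script's
# own folder rather than the current directory, so the module that runs is the one shipped
# next to this script. GroupPolicy is imported explicitly because Set-GPPermission comes from it.
Import-Module ActiveDirectory -ErrorAction Stop;
Import-Module GroupPolicy -ErrorAction Stop;
Import-Module (Join-Path $PSScriptRoot 'GPMgmt.psm1') -ErrorAction Stop;
foreach ($o in $RootOU)
{
    # Get-Gpo -SOM returns the GPOs linked at each OU; a GPO linked at several OUs is kept once via -Unique.
    $GPOs = (Get-ADOrganizationalUnit -SearchBase $o -SearchScope Subtree -Filter *) |ForEach-Object {Get-Gpo -All -SOM $_.DistinguishedName} |Sort-Object -Property ID -Unique
    foreach ($GPO in $GPOs)
    {
        # ShouldProcess gives -WhatIf a dry run and -Confirm a per-GPO prompt; default behaviour is unchanged.
        if ($PSCmdlet.ShouldProcess($GPO.ID, "Grant GPOEditDeleteModifySecurity to $Group and $User"))
        {
            Set-GPPermission -ID $GPO.ID -TargetName $Group -TargetType Group -PermissionLevel GPOEditDeleteModifySecurity
            Set-GPPermission -ID $GPO.ID -TargetName $User -TargetType User -PermissionLevel GPOEditDeleteModifySecurity
        }
    }
}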
@jeffpatton1971

Pown-LInkedGPO.ps1 -RootOU "ou=demo,dc=company,dc=com","ou=staff,dc=company,dc=com" -Group GPOwners -User gpm_act
