How to edit group policy objects (GPO) using PowerShell
Group policy objects (GPOs) have to be modified to meet the changing IT management, administration and security needs of an organization. This article compares the process of using PowerShell to edit GPOs with that of modifying GPOs using ADManager Plus, an integrated AD, Office 365 and Exchange management and reporting solution.
PowerShell allows you to modify GPO settings using different cmdlets such as Set-GPRegistryValue, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPInheritance, and so on. ADManager Plus, on the other hand, allows you to modify the administrative templates settings, with purely GUI-based actions, making GPO modification simple and quick.
Windows PowerShell
Steps to edit a GPO using PowerShell:
- Ensure you have the necessary permissions to perform this action, and also to execute PowerShell scripts.
- Get the name of the GPO to be modified and the domain in which it is located.
- Create the script using the appropriate GPO cmdlets, and execute it in the PowerShell window.
A sample PowerShell script to modify GPO
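# Load the Group Policy cmdlets.
Import-Module GroupPolicy
# Set the NoControlPanel policy value to 1 in the GPO named DemoGPO.
Set-GPRegistryValue -Name "DemoGPO" -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName NoControlPanel -Type DWord -Value 1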
This script will block access to the Control Panel by modifying the DemoGPO.
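A more defensive version of the same change, added here as an example and not taken from the original page or from ADManager Plus: it confirms the GPO exists, backs it up, applies the setting, and reads the value back. The domain name `example.com` and the backup folder `C:\GPOBackups` are placeholder assumptions.

```powershell
Import-Module GroupPolicy

# Assumed values: replace with your own GPO name, domain and backup folder.
$GpoName   = 'DemoGPO'
$Domain    = 'example.com'      # placeholder domain
$BackupDir = 'C:\GPOBackups'    # placeholder path
$Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoControlPanel'
$Desired   = 1

try {
    # Fail early if the GPO name or domain is mistyped.
    $gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction Stop

    # Keep a restorable copy of the GPO before changing it.
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $backup = Backup-GPO -Guid $gpo.Id -Domain $Domain -Path $BackupDir `
        -Comment "Before setting $ValueName" -ErrorAction Stop

    # Apply the registry-based policy setting.
    Set-GPRegistryValue -Guid $gpo.Id -Domain $Domain -Key $Key `
        -ValueName $ValueName -Type DWord -Value $Desired -ErrorAction Stop | Out-Null

    # Read the setting back from the GPO and compare it with the intended value.
    $current = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain -Key $Key `
        -ValueName $ValueName -ErrorAction Stop
    if ($current.Value -ne $Desired) {
        throw "Read-back mismatch: expected $Desired, found $($current.Value)"
    }
    Write-Output "Updated '$($gpo.DisplayName)'; backup ID $($backup.Id) saved in $BackupDir"
}
catch {
    Write-Error "GPO change not completed: $($_.Exception.Message)"
    # If the change was applied but is unwanted, restore with:
    #   Restore-GPO -BackupId <backup ID> -Path $BackupDir -Domain $Domain
}
```

Because every cmdlet runs with `-ErrorAction Stop`, a typo in the GPO name, key or domain stops the script before any setting is written.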
ADManager Plus
To modify a GPO,
- Click the Manage GPOs feature under GPO Management in the Management tab.
- Select the desired domain. For the GPO to be modified, click the Edit GPO icon.
- In the Edit GPO Settings window, go to GPO Name --> Computer/User Configuration --> Policies --> Administrative Templates.
- Locate the folder where the desired setting is located, modify it and click Apply.
Also, ADManager Plus allows you to enable or disable GPOs, or their user or computer configuration, or delete GPOs, right from the page where it lists all available GPOs in the domain.
Limitations of using PowerShell to get linked GPOs report
- You will not be able to manage GPOs or GPO links using PowerShell if you do not have enough privileges in the AD domains from which you wish to generate this report. With ADManager Plus, as admins or technicians do not have to connect to the DC directly, their permissions do not have to be modified.
- You must be proficient in AD, GPOs, and also PowerShell scripting as a variety of commands such as Set-GPRegistryValue, Set-GPPermissions, Set-GPPrefRegistryValue, Get-GPO, Get-GPOReport, and so on have to be used in combination, along with the names of the settings or values to be modified. With ADManager Plus, as all operations are GUI-based, managing GPOs is quite easy.
- You must know how to execute the scripts from the PowerShell window. As ADManager Plus is purely GUI-based, one can perform all GPO and AD management operations easily, with just mouse clicks.
- The smallest of mistakes, like a misplaced hyphen or comma, lack of sufficient permission to configure any of the settings, or a typo in the cmdlet names or their parameters and attributes, will lead to errors. As all actions in ADManager Plus are GUI-driven, there is no need to write scripts, eliminating the chances of errors.