Now that we've created GPMC objects that represent domains and sites, it's time to ask those objects to do something useful, such as listing GPOs and their properties: display names, creation times, version numbers, and so forth.
The GPMDomain object has a SearchGPOs method designed to return a collection of GPOs (GPMGPOCollection object) in a domain that meets given search criteria. This collection object has a Count property that tells you the number of GPOs in the collection and an Item property that returns a handle to a selected GPO in the collection based on its index number.
Note: The script in this section is called List_GPO_Properties.
The simplest way to see how this works is to create a GPMGPOCollection object and walk through its contents. Create a collection of all GPOs in a given domain by using a null set of search criteria. The following code listing creates a GPMDomain object, searches it for all GPOs to create a GPMGPOCollection, and walks through the collection to display information about the GPOs.
Like all GPMC scripts, start by creating an initial set of GPM objects. The ConvertToDNS function is documented earlier in this chapter.
    ' Create the root GPMC object and fetch its constants.
    Set gpm = CreateObject("gpmgmt.gpm")
    Set gpmConstants = gpm.GetConstants
    ' Read the domain and forest-root naming contexts and convert them to DNS names.
    Set RootDSE = GetObject("LDAP://RootDSE")
    adsiDomain = RootDSE.Get("DefaultNamingContext")
    dnsDomain = ConvertToDNS(adsiDomain)
    adsiForestRoot = RootDSE.Get("RootDomainNamingContext")
    dnsForestRoot = ConvertToDNS(adsiForestRoot)
    ' Bind to the domain and to the forest's sites container, using the PDC emulator.
    Set gpmDomain = gpm.GetDomain(dnsDomain, "", gpmConstants.UsePDC)
    Set gpmSitesContainer = _
        gpm.GetSitesContainer(dnsForestRoot, "", "", gpmConstants.UsePDC)
Now create a GPMSearchCriteria object to hold the criteria for the GPO search. You'll provide this object to the SearchGPOs method as a parameter. Providing one object as a parameter to another object's method call is not an unusual thing to see in scripts, but it can be a bit confusing the first time you encounter it. Leaving the GPMSearchCriteria object empty tells SearchGPOs to return all GPOs in the domain.
    ' An empty criteria object matches every GPO in the domain.
    Set gpmSearchCriteria = gpm.CreateSearchCriteria()
    Set GPO_Domain_List = gpmDomain.SearchGPOs(gpmSearchCriteria)
The script now walks through the collection using For Each...In...Next and displays the properties of each GPMGPO object in the collection. The variable you use as the argument in the For Each expression becomes the handle to the object within the loop.
    For Each GPO In GPO_Domain_List
        WScript.Echo String(20,"=")
        With GPO
            WScript.Echo "GPO Friendly Name: " & .DisplayName
            WScript.Echo "GPO GUID:" & .ID
            WScript.Echo "GPC Object Active Directory Path: " & .Path
            WScript.Echo "GPO Domain Name: " & .DomainName
            WScript.Echo "GPO Created: " & .CreationTime
            WScript.Echo "GPO Last Modified: " & .ModificationTime
            WScript.Echo "Computer GPC Object Version: " & .ComputerDSVersionNumber
            WScript.Echo "Computer GPT File Version: " & .ComputerSysvolVersionNumber
            WScript.Echo "User GPC Object Version: " & .UserDSVersionNumber
            WScript.Echo "User GPT File Version: " & .UserSysvolVersionNumber
            ' vbNL is not a built-in constant; unset, it is Empty and Echo prints a blank line.
            WScript.Echo vbNL
        End With
    Next
If you want more information about the individual properties enumerated in this loop, see the GPMGPO documentation in the Platform SDK. Here's a sample output of the script:
    ====================
    GPO Friendly Name: Default Domain Controllers Policy
    GPO GUID:{6AC1786C-016F-11D2-945F-00C04fB984F9}
    GPC Object Active Directory Path: cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=company,DC=com
    GPO Domain Name: company.com
    GPO Created: 12/4/2003 11:45:32 AM
    GPO Last Modified: 12/28/2003 1:52:24 PM
    Computer GPC Object Version: 13
    Computer GPT File Version: 13
    User GPC Object Version: 2
    User GPT File Version: 2

You don't have to content yourself with simply listing properties. You can perform useful calculations as well. For example, you can emulate the information provided by the GpoTool utility (as seen in Chapter 3): show whether the user and computer sides of a GPO are enabled, and compare the version numbers of the Active Directory GPC (Group Policy Container) object that represents the GPO with the version numbers in the GPT.ini file in SYSVOL to see if you have a replication problem. Do this in the same script with another For Each...In...Next loop, as follows:
    For Each GPO In GPO_Domain_List
        WScript.Echo String(20,"=")
        With GPO
            WScript.Echo "GPO Friendly Name: " & .DisplayName
            ' Report whether each side of the GPO is enabled.
            If .IsUserEnabled Then
                WScript.Echo "The User settings in this GPO are enabled."
            Else
                WScript.Echo "The User settings in this GPO are disabled."
            End If
            If .IsComputerEnabled Then
                WScript.Echo "The Computer settings in this GPO are enabled."
            Else
                WScript.Echo "The Computer settings in this GPO are disabled."
            End If
            ' Compare the GPC (Active Directory) and GPT (Sysvol) versions for each side.
            If .ComputerDSVersionNumber = .ComputerSysvolVersionNumber Then
                WScript.Echo "The versions assigned to Computer settings in this GPO " & _
                    "are consistent between Active Directory and Sysvol."
            Else
                WScript.Echo "WARNING! The Computer settings in this GPO show a " & _
                    "version mismatch between Active Directory and Sysvol."
            End If
            If .UserDSVersionNumber = .UserSysvolVersionNumber Then
                WScript.Echo "The versions assigned to User settings in this GPO " & _
                    "are consistent between Active Directory and Sysvol."
            Else
                WScript.Echo "WARNING! The User settings in this GPO show a " & _
                    "version mismatch between Active Directory and Sysvol."
            End If
            WScript.Echo vbNL
        End With
    Next
Here is sample output from the script:
    ====================
    GPO Friendly Name: Default Domain Controllers Policy
    The User settings in this GPO are enabled.
    The Computer settings in this GPO are enabled.
    The versions assigned to Computer settings in this GPO are consistent between Active Directory and Sysvol.
    The versions assigned to User settings in this GPO are consistent between Active Directory and Sysvol.
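The four version properties compared above come from two raw values: the versionNumber attribute on the GPC object and the Version key in GPT.ini, each of which packs the user version into the high 16 bits and the computer version into the low 16 bits. The following added example (not part of the book's List_GPO_Properties script) decodes both and reports which side is out of step; the function names are illustrative and the GPT.ini text is constructed to match the sample output (user 2, computer 13).

```vbscript
Option Explicit
' Added example; function names are illustrative, not part of GPMC.
' Split a combined version (user in high 16 bits, computer in low 16) into Array(user, computer).
' Double arithmetic avoids the Long overflow that \ and Mod hit above 2^31-1.
Function SplitGpoVersion(combined)
    Dim userPart
    userPart = Int(CDbl(combined) / 65536)
    SplitGpoVersion = Array(userPart, CDbl(combined) - userPart * 65536)
End Function

' Return the Version= value from GPT.ini text, or -1 if the key is missing.
Function GptIniVersion(iniText)
    Dim iniLine, parts
    GptIniVersion = -1
    For Each iniLine In Split(Replace(iniText, vbCr, ""), vbLf)
        parts = Split(Trim(iniLine), "=", 2)
        If UBound(parts) = 1 Then
            If LCase(Trim(parts(0))) = "version" And IsNumeric(parts(1)) Then
                GptIniVersion = CDbl(parts(1))
            End If
        End If
    Next
End Function

' Report which side disagrees between the GPC value and the GPT.ini text.
Function VersionStatus(gpcVersion, iniText)
    Dim gptVersion, gpc, gpt, result
    gptVersion = GptIniVersion(iniText)
    If gptVersion < 0 Then
        VersionStatus = "GPT.ini has no Version key"
        Exit Function
    End If
    gpc = SplitGpoVersion(gpcVersion)
    gpt = SplitGpoVersion(gptVersion)
    result = ""
    If gpc(0) <> gpt(0) Then result = "User mismatch: DS " & gpc(0) & ", Sysvol " & gpt(0)
    If gpc(1) <> gpt(1) Then
        If result <> "" Then result = result & "; "
        result = result & "Computer mismatch: DS " & gpc(1) & ", Sysvol " & gpt(1)
    End If
    If result = "" Then result = "Consistent: user " & gpc(0) & ", computer " & gpc(1)
    VersionStatus = result
End Function

' Constructed sample data: 131085 = 2 * 65536 + 13 (user 2, computer 13).
Dim iniInSync, iniStale
iniInSync = "[General]" & vbCrLf & "Version=131085" & vbCrLf
iniStale = "[General]" & vbCrLf & "Version=131084" & vbCrLf
WScript.Echo VersionStatus(131085, iniInSync)
WScript.Echo VersionStatus(131085, iniStale)
```

Run it with cscript; it needs no domain connection because it works only on the values passed in.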