For example, restore an object, a GPO, cleanup a DC from the environment...etc. But what if I have 50 GPOs to restore and they were linked to 150 OUs? While you learn the GUI way on these workshops, there's no story about an easy option to restore those GPO links on a wider scale.
In fact, there is no way to restore GPO links as such at all. You could perform authoritative restore on all the OUs but it seems overkill to me. Moreover, you would still need to find out which OUs you would need to restore.
I had some spare time during a break on the workshop so I though I'd give it a go and see how I could copy GPO links back from a DC in a Lag site to OUs on a production DC using PowerShell.
Lab:
I had 2 Windows Server 2008 Domain Controllers in the lab, one was in a Lag site with replication restricted to a small window overnight. Lag DC or Lag site means the replication is restricted to a small time window so the DC is intentionally kept behind in the replication to have live data in the system in case accidental deletion or modification happens on objects.The other DC was the production one, where I "accidentally" deleted some GPOs.
I restored the GPOs from the LAG DC with authoritatiove restore, but obviously the links disappeared.
So I had 1 DC where I still had the original state of the GPO links, but I still didn't want to go through all of them on the UI of GPMC. I wanted a quick script which would:
- Take a list of GPO GUIDs
- Look-up which OUs had it linked on the Lag DC
- Go to the Production DC and add these GUIDs back to the gpLink attribute of each OU
# List of GPO GUIDs I want to search for and restore links
$gpoGUIDsToBeResotred = @("034E8907-6058-4A19-B312-AB2A0408EDE4", "2EC45E73-E6BB-4F39-A221-E40630015B45")
$lagDC = "LAGDC"# DC name where the GPO links still exist
$prodDC = "ProdDC"# DC name where I want to create the GPO links again
# going through all GPO GUIDs
foreach($gpoGUID in $gpoGUIDsToBeResotred){
# Searching for OUs which have the give GPO GUID in their gpLink attribute
Get-ADOrganizationalUnit -server $lagDC -filt 'gplink -like "*$gpoGUID*"' | %{
$ou = $tmplinks = $null
# bind the same OU on the Production DC where we want to restore the GPO links
$ou = Get-ADOrganizationalUnit -server $prodDC -filter 'DistinguishedName -eq $_.DistinguishedName' -prop gplink
# store the current content of the gpLink attribute - this is very important as we want to append the attribute, not overwrite
$tmplinks = $ou.gplink
# add the new content to the gplink attribute of the OU
$ou.gplink = $tmplinks + "[LDAP://cn={$gpoGUID},cn=policies,cn=system,DC=litware,DC=com;0]"
# commit changes
Set-ADOrganizationalUnit -Instance $ou
}
}
To get the GUID of a GPO, you can add a command similar to the below to the beginning of the script (you can also look it up in GPMC):
PS C:\> $gpoGUID = (get-gpo "default domain policy").id.guid
List all OUs which have a particular GPO linked:
PS C:\> Get-ADOrganizationalUnit -server lagDC -filt 'gplink -like "*$gpoGUID*"' | ft
I think, all in all, people can be glad that after so many years Microsoft finally realised that they must start building tools of their core products - such as AD - around PowerShell and move away from providing just a UI. So I'm grateful that I can now go through all my PS scripts which utilise ADSI and replace it with a cmdlet from ActiveDirectory PS module :). Although, you still need a bit of thinking and scripting to make things work.
In this example, you would wonder why I didn't use a command from the GroupPolicy Powershell module to create the GPO links. Well, because there isn't such a command. So there's still way to go for MSFT, but it's a good start.
Use this example above carefully and always test in a QA environment.
Clipboard friendly code:
# List of GPO GUIDS I want to search for and restore links
$gpoGUIDsToBeResotred = @("034E8907-6058-4A19-B312-AB2A0408EDE4", "2EC45E73-E6BB-4F39-A221-E40630015B45")
$lagDC = "LAGDC" # DC name where the GPO links still exist
$prodDC = "ProdDC" # DC name where I want to create the GPO links again
# going through all GPO GUIDs
foreach($gpoGUID in $gpoGUIDsToBeResotred){
# Searching for OUs which have the give GPO GUID in their gpLink attribute
Get-ADOrganizationalUnit -server $lagDC -filt 'gplink -like "*$gpoGUID*"' | %{
$ou = $tmplinks = $null
# bind the same OU on the Production DC where we want to restore the GPO links
$ou = Get-ADOrganizationalUnit -server $prodDC -filter 'DistinguishedName -eq $_.DistinguishedName' -prop gplink
# store the current content of the gpLink attribute - this is very important as we want to append the attribute, not overwrite
$tmplinks = $ou.gplink
# add the new content to the gplink attribute of the OU
$ou.gplink = $tmplinks + "[LDAP://cn={$gpoGUID},cn=policies,cn=system,DC=litware,DC=com;0]"
# commit changes
Set-ADOrganizationalUnit -Instance $ou
}
}
May the Force...
t
No comments:
Post a Comment