Goal: I am trying to modify a GPO (2008R2 AD) via PowerShell (v3). Specifically, the value of User Configuration -> Policies -> Windows Settings -> FileRedirection -> Documents UNC path.
Initial attempt:
import-module grouppolicy;
$StringToFind = "\\this\is\a\template\path";
$StringToReplace="\\server123\%CustomerID%\%username%\Documents\";
$GPOBackupFolder = "C:\src\psh\gpoBackupEditRestore\backups";
$GPO = copy-gpo -SourceName "Customer GPO Template v1.4" -targetName "Customer $CustomerID" -CopyACL;
$GPOBackup = Backup-GPO -guid $gpo.id -path $GPOBackupFolder;
$GPOBackupXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\Backup.xml";
$GPOGPReportXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\GPReport.xml";
$NewBackupXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\nBackup.xml";
$NewGPReportXMLPath="$GPOBackupFolder\$($GpoBackup.ID)\nGPReport.xml";
$GPOBackupXML=gc $GPOBackupXMLPath; # separate variable so $GPOBackup.ID is still available for Restore-GPO
$GPOGPReport= gc $GPOGPReportXMLPath;
foreach($line in $GPOBackupXML){ac $NewBackupXMLPath $line.Replace($StringToFind,$StringToReplace);}
foreach($line in $GPOGPReport){ac $NewGPReportXMLPath $line.Replace($StringToFind,$StringToReplace);}
remove-item -force $GPOBackupXMLPath;
remove-item -force $GPOGPReportXMLPath;
move-item -force $NewBackupXMLPath $GPOBackupXMLPath
move-item -force $NewGPReportXMLPath $GPOGPReportXMLPath
Remove-GPO -ID $GPO.ID #remove GPO before restore. deleting/commenting this line does not change outcome.
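Restore-GPO -BackupID $GPOBackup.ID -Path $GPOBackupFolder
Assuming I am reading the information at http://technet.microsoft.com/en-us/library/ee461027.aspx correctly, the PowerShell snippet above should restore the XML from the local folder location into the GPO in AD. [I have confirmed that the template value ($StringToFind) does not appear in any other file in the GPOBackupFolder directory.]
However, the values changed in the local XML files are not restored to AD. I confirmed this by taking another backup of the GPO after restoring it and comparing the initial (modified) backup files (the ones that were restored) with the post-restore backup values (which now contain the /original/ values!).
Has anyone else tried this and/or can explain this behavior, i.e. why Restore-GPO does not restore the contents of the backup files?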
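Posted on 2013-07-10 22:56:13
Update: I found a way to modify the GPO's ini file directly on the DC.
Since this solution does not use any API, I consider it a hack; however, so far it is the only solution I have come across.
From what I know of AD architecture and DC replication (from my limited working experience), the SYSVOL portion of the DC will be replicated to the other DCs in the forest, just as if the change had been made through the MMC. Can anyone confirm this?
Note: As far as I know, this script must be run locally from a DC in the same organization as the affected GPO.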
$GPO = copy-gpo -SourceName "$GPOTemplateName" -TargetName "$NewGPOName" -CopyACL
#Found post referencing how to Manually Edit GPO's: http://blogg.husbanken.no/it/2013/04/13/manually-edit-gpo-settings/
$adGPO=[ADSI]"LDAP://$($GPO.path)";
$GPOFilePath = $adGPO.psbase.properties.gPCFileSysPath;
#Specifically the path to the GPO section affecting Folder Redirection
$GPOFolderRedirectionINIPath = "$GPOFilePath\User\Documents & Settings\fdeploy.ini";
#Functions for importing/exporting an INI file with Powershell in a very standard way: http://blogs.technet.com/b/heyscriptingguy/archive/2011/08/20/use-powershell-to-work-with-any-ini-file.aspx
. ".\get-inicontent.ps1"; # From: http://gallery.technet.microsoft.com/scriptcenter/ea40c1ef-c856-434b-b8fb-ebd7a76e8d91
. ".\out-inifile.ps1"; # From: http://gallery.technet.microsoft.com/scriptcenter/7d7c867f-026e-4620-bf32-eca99b4e42f4
$GPOFolderRedirectionINI = get-iniContent $GPOFolderRedirectionINIPath;
$GPOFolderRedirectionINI["My Documents"]["s-1-1-0"]="\\New\Path\To\CustomerFolder\%USERNAME%\"
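$GPOFolderRedirectionINI | out-iniFile $GPOFolderRedirectionINIPath -Force
I have proven this out and it works fine, and with any luck someone else will find this approach helpful; however, I hope someone can find a better way to do this.
Cheers!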
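Added example (not part of the answer above or of the linked INI scripts): a read-only check that lists the redirection targets in fdeploy.ini content and flags any UNC server that is not on an expected list, useful after a file in SYSVOL has been edited by hand. The function name, the allow-list parameter and the sample lines are assumptions made for illustration; only the `[My Documents]` section and the `s-1-1-0` key come from the post.

```powershell
# Added example: list folder-redirection targets and flag unexpected servers.
# Get-RedirectionTarget and -AllowedServers are hypothetical names.
function Get-RedirectionTarget {
    param([string[]]$Lines, [string[]]$AllowedServers)
    $section = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Track the current [Section]; each section names a redirected folder.
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Keys named after a SID (such as s-1-1-0) carry the target path.
        if ($section -and $text -match '^(s-1-[\d-]+)\s*=\s*(.+)$') {
            $sid = $Matches[1]; $path = $Matches[2]
            # Extract the server part of a UNC path: \\server\share\...
            $server = if ($path -match '^\\\\([^\\]+)\\') { $Matches[1] } else { $null }
            New-Object psobject -Property @{
                Folder  = $section
                Sid     = $sid
                Path    = $path
                Server  = $server
                Allowed = ($server -ne $null) -and ($AllowedServers -contains $server)
            }
        }
    }
}

# Constructed sample content (not taken from a real GPO).
$sample = @(
    '[My Documents]'
    's-1-1-0=\\server123\Cust01\%USERNAME%\Documents\'
    '[My Pictures]'
    's-1-1-0=\\unknown-host\drop\%USERNAME%\'
)
Get-RedirectionTarget -Lines $sample -AllowedServers 'server123' |
    Format-Table Folder, Sid, Server, Allowed -AutoSize
```

Against a real policy, pass `Get-Content` of the fdeploy.ini path instead of the constructed lines.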
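Posted on 2014-11-29 11:48:56
I stumbled upon this post and decided to go ahead and do it myself without any modifications. Although the content is indeed in the XML files, GPO Restore actually looks at registry.pol. I was doing machine-level policy, so it was in DomainSysvol\GPO\Machine\registry.pol.
Once I edited this file (the file is a bit obscure; see the instructions here: https://gallery.technet.microsoft.com/scriptcenter/Read-or-modify-Registrypol-778fed6e), I was able to restore the copied GPO and have it carry the correct settings.
I have 300 GPOs I need to create, all looking somewhat similar, so this will save countless hours.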
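Added example (not taken from the answer above or from the linked gallery script): a small reader for the documented PReg record layout of registry.pol, the file the answer says Restore-GPO looks at, so an edited file can be inspected before it is restored. The function names, the policy key and the sample bytes are constructed for illustration.

```powershell
# Added example: decode registry.pol (PReg) records. Function names are hypothetical.
function Read-PolEntries {
    param([byte[]]$Bytes)
    # Header: ASCII "PReg" signature, then a 32-bit little-endian version.
    if ($Bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Missing PReg signature: not a registry.pol file'
    }
    $u = [Text.Encoding]::Unicode
    $pos = 8
    while ($pos -lt $Bytes.Length) {
        # Body record: [key;value;type;size;data] with UTF-16LE delimiters.
        $pos += 2                                        # '['
        $names = @()
        foreach ($i in 0, 1) {                           # key path, then value name
            $start = $pos
            while ([BitConverter]::ToUInt16($Bytes, $pos) -ne 0) { $pos += 2 }
            $names += $u.GetString($Bytes, $start, $pos - $start)
            $pos += 4                                    # NUL terminator and ';'
        }
        $type = [BitConverter]::ToInt32($Bytes, $pos); $pos += 6   # DWORD and ';'
        $size = [BitConverter]::ToInt32($Bytes, $pos); $pos += 6   # DWORD and ';'
        if ($size -lt 0 -or $pos + $size + 2 -gt $Bytes.Length) {
            throw "Truncated record at offset $pos"
        }
        $data = switch ($type) {
            { $_ -in 1, 2 } { $u.GetString($Bytes, $pos, $size).TrimEnd([char]0) }  # REG_SZ / REG_EXPAND_SZ
            4               { [BitConverter]::ToUInt32($Bytes, $pos) }               # REG_DWORD
            default         { [BitConverter]::ToString($Bytes, $pos, $size) }        # other types as hex
        }
        $pos += $size + 2                                # data and ']'
        New-Object psobject -Property @{ Key = $names[0]; Value = $names[1]; Type = $type; Data = $data }
    }
}

# Helper that builds one record, used only to construct the sample below.
function New-PolRecord([string]$Key, [string]$Name, [int]$Type, [byte[]]$Data) {
    $u = [Text.Encoding]::Unicode
    $u.GetBytes("[$Key`0;$Name`0;") + [BitConverter]::GetBytes($Type) + $u.GetBytes(';') +
        [BitConverter]::GetBytes($Data.Length) + $u.GetBytes(';') + $Data + $u.GetBytes(']')
}

# Constructed sample: one REG_SZ and one REG_DWORD under a made-up policy key.
$u = [Text.Encoding]::Unicode
$sample = [Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes(1) +
    (New-PolRecord 'Software\Policies\Example' 'SharePath' 1 ($u.GetBytes("\\server123\share`0"))) +
    (New-PolRecord 'Software\Policies\Example' 'Enabled' 4 ([BitConverter]::GetBytes(1)))
Read-PolEntries $sample | Format-Table Key, Value, Type, Data -AutoSize
```

For a file on disk, pass `[IO.File]::ReadAllBytes($path)` instead of the constructed bytes.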
Posted on 2018-05-04 22:39:10
#Full name of GPO
$GPOedits = "Name1", "Name2"
#Local path to back GPO up to
$Pathbkp = "C:\Location"
#Names of old paths
$Pathstoedit = @("Stuff")
#Names of new paths -in same order as old paths
$Pathseditted = @("NewStuff")
foreach ($GPOedit in $GPOedits)
{ Backup-GPO -Name $GPOedit -Path $Pathbkp }
$configFiles = Get-ChildItem $Pathbkp *.xml -rec
foreach ($file in $configFiles)
{
    Write-Host "Editing $file."
    $n = 0
    foreach ($Pathtoedit in $Pathstoedit)
    {
        $Patheditted = $Pathseditted[$n]
        $Pathtoedit = $Pathtoedit.Replace(".domain", "")
        $Patheditted = $Patheditted.Replace(".domain", "")
        [regex]$addfqdn = "\\"
        $Patheditted = $addfqdn.replace($Patheditted, ".dir.ad.dla.mil\", 1)
        Write-Host "Changing $Pathtoedit to $Patheditted"
        (Get-Content $file.PSPath) |
            Foreach-Object { $_ -replace [Regex]::Escape($Pathtoedit), $Patheditted } |
            Set-Content $file.PSPath
        [regex]$addfqdn = "\\"
        $Pathtoedit = $addfqdn.replace($Pathtoedit, ".domain\", 1)
        Write-Host "Changing $Pathtoedit to $Patheditted"
        (Get-Content $file.PSPath) |
            Foreach-Object { $_ -replace [Regex]::Escape($Pathtoedit), $Patheditted } |
            Set-Content $file.PSPath
        $n = $n + 1
    }
}
Write-Host "Check your work, we are about to import policy changes!"
Pause
foreach ($GPOedit in $GPOedits)
{
    Write-Host "Restoring $GPOEdit"
    Restore-GPO -Name $GPOedit -Path $Pathbkp
    Write-Host "Checking GUID"
    $GUID = Get-GPO -Name "$GPOedit" | select -ExpandProperty "ID"
    $GUID = "{$GUID}"
    Write-Host "Checking GPT.ini for $GUID"
    $GPT = Get-ChildItem -Path "\\domain\SYSVOL\Domain\Policies\$GUID" -File | select -ExpandProperty "Name"
    If ($GPT -like "*gpt.ini*") { Write-Host "GPT.ini located" }
    else { Write-Host "GPT.ini NOT FOUND" }
}
https://stackoverflow.com/questions/17530326