
In my previous post, we explored how to identify the list of group policies linked to a particular Active Directory OU. While it serves the purpose, a few details are missing there, such as whether the GPO is enabled or enforced, what the order of the GPO is, etc.

Articles related to working with Group Policies using PowerShell

  1. Find Group Policies Objects in Domain using PowerShell
  2. Find Group Policies linked to Active Directory OU Using PowerShell

The applicability of a Group Policy object on an Active Directory OU relies completely on the status of the Group Policy link on that OU. If the Group Policy link is enabled, the policy gets applied. If the link is disabled, the policy is not applicable to members inside that OU. The screenshot below shows the link-enabled status of a Group Policy on the LAB OU in the GPMC editor.

GPO-Link-Enabled

When the GPO link is disabled, it appears as below in the GPMC editor.

GPO-Link-disabled

Similarly, the enforced option has its own significance in deciding policy applicability.

So let us see how we can identify the link status, enforcement status and order of a Group Policy object on an OU using PowerShell, since these play a vital role in deciding the GPO's applicability to objects inside that OU.

In my previous post, I used a property called LinkedGroupPolicyObjects to retrieve the list of Group Policies linked to an OU. There is another property called gPLink which gives more details about each linked policy. The value of the gPLink property describes the list of policies, their order, link enable status and enforce status. The format of the gPLink property looks like below.

[<GPO DN_1>;<GPLinkOptions_1>][<GPO DN_2>;<GPLinkOptions_2>]… [<GPODN_n>;<GPLinkOptions_n>]

Here GPO DN is the distinguished name of the GPO, and GPLinkOptions represents the enabled and enforcement status of the GPO link. Also, the first DN in the string has high precedence order while the last one has low precedence order. You can find more details about this structure at http://msdn.microsoft.com/en-us/library/cc232505.aspx

The below script takes an OU name, searches Active Directory for OUs having that name, queries the group policies linked to each such OU, identifies the link status, enforcement status and order details, and returns the information in object format.

Code:

[cmdletbinding()]
param(
 [string]$OUName
)
Import-Module ActiveDirectory
$OUs = @(Get-ADOrganizationalUnit -Filter * -Properties gPLink | ? {$_.Name -eq "$OUName"})
#Return if no OUs found with given name
if($OUs.Count -eq 0) { Write-Warning "No such OU found"; return }

foreach($OU in $OUs) {
 $OUName = $OU.Name
 $OUDN = $OU.DistinguishedName
 #Skip OUs that have no GPO links (gPLink not set or blank)
 if([string]::IsNullOrWhiteSpace($OU.gPLink)) { continue }
 #Hackey way to get LDAP strings. Regex might be best option here
 #Split on the bracket characters and get rid of all empty entries in the array
 $OUGPLinks = @($OU.gPLink.Split([char[]]'[]', [StringSplitOptions]::RemoveEmptyEntries))
 $order = $OUGPLinks.count;
 foreach($GpLink in $OUGPLinks) {
   #First part is the LDAP path of the GPO, second part is the GPLinkOptions value
   $GpName = [adsi]$GPlink.split(";")[0] | select -ExpandProperty displayName
   $GpStatus = $GPlink.split(";")[1]
   $EnableStatus = $EnforceStatus = 0
   switch($GPStatus) {
    "1" {$EnableStatus = $false; $EnforceStatus = $false}
    "2" {$EnableStatus = $true; $EnforceStatus = $true}
    "3" {$EnableStatus = $false; $EnforceStatus = $true}
    "0" {$EnableStatus = $true; $EnforceStatus = $false}
   }
   $OutputObj = New-Object -TypeName PSobject
   $OutputObj | Add-Member -MemberType NoteProperty -Name OUName -Value $OUName
   $OutputObj | Add-Member -MemberType NoteProperty -Name OUDN -Value $OUDN
   $OutputObj | Add-Member -MemberType NoteProperty -Name GPName -Value $GPName
   $OutputObj | Add-Member -MemberType NoteProperty -Name IsLinked -Value $EnableStatus
   $OutputObj | Add-Member -MemberType NoteProperty -Name IsEnforced -Value $EnforceStatus
   $OutputObj | Add-Member -MemberType NoteProperty -Name GPOrder -Value $Order
   $OutputObj
   $order--
 }

}


Output:

Group Policy link status

The output is easy to understand. It lists the OU name, its DN, the policy name, link status, enforcement status, and the order of the GPO as you see it in the GPMC console.

gpo status in gpmc
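
The gPLink format and option values described above can also be decoded without querying Active Directory, which is handy when auditing exported attribute values. The following is an added example, not part of the original script: `ConvertFrom-GPLink` is a hypothetical helper name, the sample string is constructed, and it treats the four option values from the script's switch as two bit flags (1 = link disabled, 2 = enforced). Entries are numbered the same way the script above numbers them.

```powershell
# Added example: offline gPLink parser (hypothetical helper, not the blog's script).
function ConvertFrom-GPLink {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string]$GPLink
    )
    process {
        # One match per [<GPO DN>;<GPLinkOptions>] entry. Anything that does not
        # fit that shape (empty value, stray whitespace) simply yields no match.
        $pattern = '\[(?<path>[^;\]]+);(?<options>\d+)\]'
        $entries = [regex]::Matches($GPLink, $pattern)

        # Same numbering as the script above: first entry gets the highest number.
        $order = $entries.Count
        foreach ($entry in $entries) {
            $path    = $entry.Groups['path'].Value
            $options = [int]$entry.Groups['options'].Value

            # Pull the GPO GUID out of the DN so it can be passed to Get-GPO -Guid.
            $guid = $null
            if ($path -match '\{(?<guid>[0-9a-fA-F-]{36})\}') {
                $guid = $Matches['guid']
            }

            [pscustomobject]@{
                GPOPath    = $path
                GPOGuid    = $guid
                Options    = $options
                IsLinked   = -not ($options -band 1)   # bit 0 set = link disabled
                IsEnforced = [bool]($options -band 2)  # bit 1 set = enforced
                GPOrder    = $order
            }
            $order--
        }
    }
}

# Constructed sample value: GUIDs and domain name are made up for illustration.
$sample = '[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=example,DC=test;0]' +
          '[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=example,DC=test;2]' +
          '[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=example,DC=test;1]'

$links = ConvertFrom-GPLink -GPLink $sample
$links | Format-Table GPOrder, GPOGuid, IsLinked, IsEnforced -AutoSize

# Links that are present on the OU but disabled: the policy is not applied to
# objects in that OU, so review these when a baseline GPO seems to have no effect.
$links | Where-Object { -not $_.IsLinked } | Select-Object GPOGuid, Options
```

On a domain-joined machine the same function can be fed real values, for example `Get-ADOrganizationalUnit -Filter * -Properties gPLink | ForEach-Object { ConvertFrom-GPLink $_.gPLink }`.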

Hope this helps. Stay tuned for more articles in the future.

This script is also available in the TechNet library (http://gallery.technet.microsoft.com/Get-GPO-link-status-a6e5fe7e)

{ 2 comments }

Last time we saw a few ways to find group policies using PowerShell. Expanding on the same horizon, I would like to share some more thoughts on finding Group Policies linked to AD OUs.

If you haven’t read my previous article on finding group policies, I suggest you go through that first. Here is the link to it.

Find Group Policies Objects in Domain using PowerShell

The previous post covers the basics of finding group policies, but how do we find all the policies linked to a particular organizational unit? This can be accomplished by using the ActiveDirectory module and the GroupPolicy module.

First, let us import both modules.

Import-Module ActiveDirectory            
Import-Module GroupPolicy            

The Get-ADOrganizationalUnit cmdlet helps in querying Active Directory organizational units. It returns an AD object for each OU. One of the properties of the OU object is LinkedGroupPolicyObjects, which contains the list of policies that are currently linked to the OU. See the example below for better understanding.

Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"'

PS C:\> Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"'

City :
Country :
DistinguishedName : OU=LAB,DC=techibee,DC=ad
LinkedGroupPolicyObjects : {cn={98CBBC75-DE94-4093-9B46-D4100230849E},cn=policies,cn=system,DC=techibee,DC=ad}
ManagedBy :
Name : LAB
ObjectClass : organizationalUnit
ObjectGUID : dc39b7f3-fa61-400b-aa48-318b5ca959ca
PostalCode :
State :
StreetAddress :

In my case I have only one OU with the name lab, so it returned a single object. Based on the name of your OU, you may need to fine-tune the filter part. As you can see in the output, the LinkedGroupPolicyObjects attribute is an array of linked Group Policy object paths. So, we need to convert these distinguished names (DN) of the Group Policies into display names for better understanding.

There are two ways to do that.

Using Group Policy Module:

Using the Group Policy cmdlets, we can query the display name and other information of a Group Policy object, like creation time, modified time, owner of the GPO, etc. I used a regex to take the GUID of the GPO out of the DN and used it for searching the GPO using the Get-GPO cmdlet.

$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects            
$GUIDRegex = "{[a-zA-Z0-9]{8}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{12}}"            
            
foreach($LinkedGPO in $LinkedGPOs) {            
    $result = [Regex]::Match($LinkedGPO,$GUIDRegex);            
    if($result.Success) {            
        $GPOGuid = $result.Value.TrimStart("{").TrimEnd("}")            
        Get-GPO -Guid $GPOGuid            
    }            
            
}

Using [ADSI]

The information about a group policy can also be obtained using the [ADSI] interface. The information returned by this method is the set of properties of the Group Policy object in Active Directory. This contains the variety of information that you generally see in Active Directory for a GP object. Display name, Sysvol path of the GPO, etc. are available in the output.

$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects            
            
foreach($LinkedGPO in $LinkedGPOs) {             
[adsi]"LDAP://$LinkedGPO" | select DisplayName, WhenCreated, WhenChanged, gPCFileSysPath | fl             
            
}

Based on your comfort level, you can choose one of these methods to query the list of Group Policies linked to an OU.

Hope this helps and happy learning…

{ 14 comments }

Do you have a mix of Windows Server 2003 and Windows Server 2012 R2 domain controllers in your domain and occasionally experience logon issues? It could be due to computers which changed their machine password recently and fail to communicate with the domain after that. AskDS (the Microsoft Active Directory support team) recently published an article about this which gives further details on this problem and a few possible workarounds. You might want to try them if you are seeing similar problems in your environment.

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

 

{ 0 comments }

I came across a post from a PowerShell MVP at the happysysadm.com blog about finding the boot performance of the Windows client operating system with PowerShell. I liked this post a lot because of the very good explanation he provided about the different parameters involved in boot and how to interpret them.

Worth taking a look.

http://www.happysysadm.com/2014/07/windows-boot-history-and-boot.html

Thanks  for this wonderful article.

{ 0 comments }

Windows Server 2012 and Windows 8.1 have a built-in module for managing Group Policy objects in a Windows environment. It has a total of 26 cmdlets to serve different types of Group Policy operations. In this article I will focus on the Get-GPO cmdlet and its usage.

You can start with importing the module first.

Import-Module GroupPolicy

This module is made available automatically when you install the domain controller role in Windows Server 2012. If you want to install this module on a member server running Windows Server 2012, you can do it by adding the Group Policy Management feature. This installs both the MMC and the PowerShell module.

gpo module install

If you want to install this feature via PowerShell as well, then try the below two commands. This will install GPMC.

Import-Module ServerManager            
Add-WindowsFeature GPMC

Get total no. of cmdlets in GroupPolicy module

To see the number of cmdlets available in this module, the below command will help.

(Get-Command -Module GroupPolicy | ? {$_.CommandType -ne "Alias" }).Count

List all Group policies in domain.

If you want to list all Group Policies in the current domain, use the Get-GPO cmdlet with the -All parameter. This will list all GPOs in the current domain and return information like display name, GUID, GPO status, creation and modified time, etc. of each GPO.

Get-GPO -All

Search for a GPO

Searching for a GPO by display name is also easy. It is a matter of filtering the output generated by the Get-GPO cmdlet.

Get-Gpo -all | ? {$_.displayName -match "Logon" }

filter-gpo-by-name

Convert GUID to Name and Name to GUID:

If you know the GUID of a GPO, you can get its display name, and similarly you can get the GUID if you know the display name. Finding this information in prior operating systems requires either nontrivial coding or usage of third-party tools/scripts.

Get-GPO -Name LogonPolicy | select id
Get-GPO -Guid 98cbbc75-de94-4093-9b46-d4100230849e | select displayname

gpo-name-to-guid-to-name

Specify DC name/domain name to query:

If you would like to query Group Policy information from a specific domain controller, you can do that by pointing the Get-GPO cmdlet to the domain controller with the -Server parameter. You can also specify the name of the domain in FQDN format.

Get-GPO -all -Server TIBDC1

Export Group policy information to CSV:

The group policy information can be easily exported to CSV/Excel by using the Export-CSV cmdlet in combination with the Get-GPO cmdlet.

Get-GPO -all | export-csv c:\temp\GPOinfo.csv -NoTypeInformation

Hope this helps. Happy learning. In the next post I will cover other Group Policy cmdlets and their usage.

{ 4 comments }

Previously I talked about how to read the start menu pinned items and their group details using PowerShell. If you have missed that article, read it at https://techibee.com/powershell/query-start-menu-groups-and-pinned-programs-in-windows-8-1-using-powershell/2395 . In this post I will share my thoughts on customizing the start menu layout for Windows 8.1 users using Group Policies.

In my previous post, I used the Export-StartLayout cmdlet to export the configuration of the start menu pinned items. While using that cmdlet, I came across the Import-StartLayout cmdlet, which I thought could be used for importing the start menu layout. But after some reading, I understood that it is used only for importing into build images. So, it is not useful for deploying a standard new (or updated) start menu style to existing users who are already using Windows 8.1 desktops.

While searching for ways to do it, I came across a group policy named “Start Screen Layout” at the below path in the group policy console.

Start menu layout GPO

User Configuration => Administrative Templates => Start Menu and Task bar => Start Screen Layout

And the policy description says this:

===========================

Specifies the Start screen layout for users.

This setting lets you specify the Start screen layout for users and prevents them from changing its configuration. The Start screen layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet.

To use this setting, you must first manually configure a device’s Start screen layout to the desired look and feel. Once you are done, run the Export-StartLayout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured.

Once the XML file is generated and moved to the desired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file is not available when the user logs on, the layout won’t be changed. Users cannot customize their Start screen while this setting is enabled.

If you disable this setting or do not configure it, the Start screen layout won’t be changed and users will be able to customize it.

===========================

So, I enabled this policy with the exported XML file that I captured with Export-StartLayout. It worked as expected but with a few caveats.

It worked but took away a few things users/administrators really need. After applying the style through Group Policies, I noticed the following.

  • Users cannot pin any more new items – this is already mentioned in the GPO description
  • Any items previously pinned by the users will vanish – that is what I observed in testing. Let me know if you see any different behaviour
  • Users cannot even pin new items to their task bar from the Apps menu

So the bottom line is that you should keep the above points in mind before deciding to deploy a start menu layout using Group Policy. Setting a default layout in the build is a good idea in my opinion.

{ 0 comments }

Like in any other hypervisor infrastructure, VMs in Microsoft Hyper-V can sync time from their host. This time synchronization happens through Hyper-V integration services. Along with time sync, a few other things like OS shutdown, data exchange, heartbeat and snapshot operations are performed via this integration service.

These features can be enabled or disabled via PowerShell in a Hyper-V environment. In this post, let us see how to enable/disable time synchronization in a Hyper-V environment using PowerShell.

To know the status of time synchronization between a VM and the hypervisor, try the below command. It shows the list of features controlled via integration services and their status.

Get-VMIntegrationService -VMName Win8

You will see the below output.

VMTimesync-Hyperv

As you can see in the output, time synchronization is enabled. To disable that feature, we can use the Disable-VMIntegrationService cmdlet.

Get-VMIntegrationService -VMName Win8 -Name "Time Synchronization" | Disable-VMIntegrationService

Similarly, to enable it, we can use the Enable-VMIntegrationService cmdlet.

Get-VMIntegrationService -VMName Win8 -Name "Time Synchronization" | Enable-VMIntegrationService

At any point of time, you can view the current state by running Get-VMIntegrationService. Like time synchronization, we can manage other features like OS shutdown, VSS, Key-Value Pair exchange and Heartbeat via these cmdlets.

Get-VMIntegrationService -VMName Win8 -Name "Time Synchronization"

Hope this helps

{ 1 comment }

The PowerShell script discussed in this article helps in querying the programs and groups pinned to the start menu in the Windows 8.1 metro UI. It also gives their size and the executable that each one points to.

Windows 8.1 has a PowerShell cmdlet, Export-StartLayout, that helps in exporting the current UI settings. It exports start menu items along with their group name and size to an XML file (or bin file). Parsing this XML file helps in reading the list of applications that are currently pinned to the start menu.

The below code exports the details to an XML file and reads the details from it to produce output in object format. The details contain the application name, the group that it belongs to, the size of the icon in the start menu, and the fensepost value (not sure what it represents as I am writing this. Will search for it later).

CODE: Get-StartMenuItems.ps1

[cmdletbinding()]
param(
)
$XMLPath = Join-Path $env:temp "startmenu.xml"

#Export the current start screen layout to an XML file
Export-StartLayOut -As XML -Path $XMLPath
#Load the file as an XML document so that GetElementsByTagName() is available
[xml]$Content = Get-Content $XMLPath
$Groups = $Content.GetElementsByTagName("group")
foreach($Group in $Groups) {
 #Each child element of a group is one tile
 $Tiles = $Group.Getenumerator()
 $GroupName = $Group.Name
 foreach($Tile in $Tiles) {
  $AppID = $Tile.AppID
  $Size = $Tile.size
  $FensePost = $Tile.FencePost
  $OutputObj = New-Object -TypeName PSobject
  $OutputObj | Add-Member -MemberType NoteProperty -Name GroupName -Value $GroupName
  $OutputObj | Add-Member -MemberType NoteProperty -Name AppID -Value $AppID
  $OutputObj | Add-Member -MemberType NoteProperty -Name AppSize -Value $Size
  $OutputObj | Add-Member -MemberType NoteProperty -Name FensePost -Value $FensePost
  $OutputObj
 }
}

Output:

startmenuitems

This script is available at TechNet Gallery… http://gallery.technet.microsoft.com/Get-start-menu-items-in-df4158c7

{ 0 comments }

While playing with some code today, I wanted to pin a few of my applications to the start menu using PowerShell. I know that it is pretty easy through the “Shell.Application” COM object by accessing verbs() of the executable or link file.

I quickly verified that the applications I want to pin to the start menu have the verb “Pin to Start”. So, I thought it was a matter of calling that verb through PowerShell. In the past I have done a similar thing for pinning applications to the task bar (read this post for details: https://techibee.com/powershell/pin-applications-to-task-bar-using-powershell/685), so I thought of applying the same logic here. But in the end it failed miserably.

Though the application I want to pin to the start menu has this verb when I right-click on it, the same is not visible when accessed programmatically. Do you understand what I am saying? See the below example.

For demonstration, I want to pin the “Microsoft Word” application to the start menu. So, I right-clicked on windows.exe to see if it has a verb called “Pin to Start” – yes, it has.

pin-start-menu-ui

Now I tried to access the verbs programmatically using PowerShell. The below few lines of code return the verbs of the given application.

$shell = New-Object -ComObject "Shell.Application"            
$Folder = $shell.NameSpace("C:\Program Files\Microsoft Office 15\root\office15")            
$exe = $Folder.ParseName("winword.exe")            
$exe.Verbs()

After running the above code, you can clearly see that there is no Pin to Start verb in the output. So you cannot call it programmatically.

pin-to-start-verb-missing

After searching for some time, I came across a post in the MSDN forums which says that programmatic access to the Pin to Start verb is restricted in Windows 8.1. This means you can no longer perform the pin to start menu operation using scripts/tools. Only users can do this interactively.

Related threads:

http://social.msdn.microsoft.com/Forums/en-US/35e91e6a-7d5e-4a32-9a9c-c30990de8a05/why-could-not-get-pin-to-start-context-menu-for-lnk-file-in-windows-81-rtm?forum=windowsgeneraldevelopmentissues

Then how do you customize the start screen in a Windows 8.1 environment? I will cover this in my next post. Stay tuned.

{ 0 comments }

Often you might hear complaints that SQL queries are running slow on Windows Server 2008 R2 or Windows Server 2012. You will be puzzled after finding CPU, memory, disk, and network utilization normal while the queries still run slow when compared with other Windows Server 2003 boxes.

Many people I talked to said they have this problem even though their server is built with a high hardware configuration. I had a similar chat with one of my previous colleagues when on vacation last week. Since this is a hindering problem for Windows administrators, I want to put up an article on it.

Both Windows Server 2008 (and R2) and Windows Server 2012 (and R2) come with a default power plan of “Balanced”, and this is the culprit in most slow performance cases. All the latest processors have something called P-States (Power States), which allow low power utilization by the processor by reducing the processor clock speed when the server is not loaded with any tasks and appears idle. When a new process starts that requires high CPU processing power, the operating system switches the processor from lower P-States to higher P-States to increase the CPU performance. This is it in a nutshell. See the articles linked at the end of this article to read more about these P-States.

Switching to lower P-States (Balanced power plan) helps you save on energy bills at the cost of slow-running applications. To get rid of this power optimization and let your processor run at full frequency, follow the below procedure.

Change the Power plan in Windows OS to “High Performance”:

To change a power plan:

  1. Click on Start and then Control Panel.
  2. From the list of displayed item under Control Panel click on Power Options, which takes you to select a power plan page. If you do not see Power Options, type the word ‘power’ in the Search Control Panel box and then select choose a power plan.
  3. By default, the option to change power plans is disabled. To enable this, click the Change settings that are currently unavailable link.
  4. Choose the High Performance option
  5. Close the Power Option window

Change the Power plan in Hardware to “High Performance”:

There are similar settings available at the hardware level as well. I recommend you change them at the hardware level to “High Performance” too. In the case of HP hardware, you can manage them from the iLO Power option. Below are the options available in HP hardware; make sure to select HP Static High Performance mode.

You can configure Power Regulator for any of four operating modes:

  • HP Static High Performance mode
  • HP Static Low Power mode
  • HP Dynamic Power Savings mode
  • OS Control mode

As you can see, there is an OS Control mode available as well. By selecting this option, you are configuring the hardware to allow the OS to change the hardware-level settings. When this option is selected and you switch the OS to the “High Performance” power plan, the hardware is also automatically switched to high performance mode.

A restart is required after the above changes. This particular solution is not guaranteed to help in all cases, but it is one of the things you should try when you notice slow SQL query times on a Windows Server.

There is a KB article (http://support.microsoft.com/kb/2207548/en-us) on this topic which recommends setting the server to high performance mode when performance degradation is observed.

If you want to tune your Windows Server 2008 R2 or Windows Server 2012 further, you might find this article useful (http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv-R2.mspx)

Related links:

https://software.intel.com/en-us/blogs/2008/05/29/what-exactly-is-a-p-state-pt-1

http://h10032.www1.hp.com/ctg/Manual/c00300430.pdf

http://support.microsoft.com/kb/2207548/en-us

{ 0 comments }