Downloads
23368.zip

Do you have a scripting-related question or problem? You can send your question or problem to winscriptsol@winnetmag.com.

I'm using Microsoft Active Directory Service Interfaces (ADSI) to automate system administration and security tasks. I've looked for information about how to write ADSI scripts to audit and manage Windows 2000 Group Policy Objects (GPOs), but I can't find a way to connect to GPOs to retrieve Group Policy settings. Can you help?

At this time, no scriptable interfaces exist for using ADSI to manage Group Policy settings. The only Group Policy­related task you can perform with ADSI scripts is managing GPO links. You can use the ADSI OLE DB provider to list GPO links, and you can use standard ADSI interfaces to add and delete GPO links.

The script in Listing 1, page 12, demonstrates how to use the ADSI OLE DB provider to list the GPOs that are linked to a domain and all the organizational units (OUs) in that domain. In the Code Library on the Windows Scripting Solutions Web site (http://www.winscriptingsolutions.com), you'll find two additional scripts —AdsiAdd GpoLink.vbs and Adsi-DelGpoLink.vbs—that demonstrate how to add and delete a GPO link to and from an OU, respectively. To understand all three scripts, you need to understand where Win2K stores GPOs in Active Directory (AD) and how Win2K links GPOs to sites, domains, and OUs.

Win2K stores GPOs in the domain's default naming context (NC) CN= Policies container. For example, if you create a GPO in the lab.local domain, the GPO resides in the CN=Policies, CN=System,DC=lab,DC=local container. Win2K stores GPOs as groupPolicyContainer objects in AD and sets each object's cn attribute to a globally unique identifier (GUID) when you create the GPO. The name that appears on the Group Policy tab in a site, domain, or OU Properties dialog box is identified by the object's displayName attribute.

Win2K links GPOs to a site, domain, or OU through the site's, domain's, or OU's gPLink attribute. This attribute is a single-valued string with two parts. The first part is the ADsPath to the groupPolicyContainer object that's linked to the corresponding site, domain, or OU. The second part is a value that specifies the state of the No Override and Disabled options for the GPO link. Web exclusive Table 1 lists the four possible GPO link options and their corresponding values. As the first sample gPLink attribute in Figure 1, page 13, shows, square brackets enclose each ADsPath and value, which are separated by a semicolon. I added the indent and arrow () to make this long continuous string easier to read. Win2K can link multiple groupPolicyContainer objects to a single site, domain, or OU by concatenating multiple ADsPath/value pairs, as the second sample gPLink attribute in Figure 1 shows.

Now that you know where Win2K stores GPOs in AD and how Win2K links GPOs to target containers, let's examine Listing 1. AdsiListGpoLinks .vbs uses the ADSI OLE DB provider and ActiveX Data Objects (ADO) to list the GPOs linked to a domain and its OUs. The script first binds to rootDSE, which it uses to obtain the distinguished name (DN) of the current domain's default NC. The script uses the DN to construct the base DN string that represents the starting point for the script's two search operations, then stores that string in the strBase-DN variable.

Callout A in Listing 1 highlights the two Lightweight Directory Access Protocol (LDAP) query strings that the script uses later. The first query string, strGpoQuery, finds all groupPolicyContainer objects in the current domain. This subtree search will return the cn and displayName attributes for each object. The second query string, strDomainOuQuery, finds the domain and its OUs and returns the distinguishedName and gPLink attributes for each domain and OU.

Next, the script creates the ADO Connection and Command objects. It sets the connection's Provider property to "ADsDSOObject", which is the name of the ADSI OLE DB provider.

The code at callout B performs the first query. The script sets the ADO Command object's CommandText property to the value of strGpoQuery, then calls the Execute method to initiate the search for groupPolicyContainer objects. The search results are returned in an ADO Recordset object. Using VBScript's While...Wend statement, the script enumerates the record set and stores the cn and displayName attributes for each groupPolicyContainer object as key/value pairs in a Dictionary object named oHash. The result is a Dictionary object that contains the cn (key) and displayName (value) for each groupPolicyContainer object in the domain, as Table 1 shows.

The code at callout C performs the second query. The steps are essentially the same as those in the first query. However, what happens inside the While...Wend statement differs. First, the script writes the domain's or OU's distinguishedName to StdOut. Next, the script uses VBScript's For Each... Next statement to enumerate the oHash Dictionary object's keys. Inside each loop iteration, VBScript's InStr function determines whether the current oHash key (i.e., the groupPolicyContainer object's cn) is present in the domain or OU's gPLink string attribute. If the cn is present, the script writes the groupPolicyContainer object's display-Name to StdOut, as Web exclusive Figure 1 shows.

You might be interested to know that the Win2K Support Tools include an ActiveX component named iadstools .dll that provides additional functions you can use to manage GPOs. The Win2K CD-ROM includes these tools in the \support\tools directory. See iadstools.doc in your Support Tools installation directory for a list of the tools' functions and general usage instructions.

The Microsoft Windows 2000 Server Resource Kit Supplement One includes several Group Policy tools that provide additional GPO management capabilities. However, none of the tools expose individual Group Policy settings. The tools are

  • Group Policy Migration Tool (gpolmig.exe)
  • Group Policy Verification Tool (gpotool.exe)
  • Group Policy Results Tool (gpresult.exe)
  • FullArmor's FAZAM 2000 (reduced-functionality version)

You might want to contact FullArmor (http://www.fullarmor.com) to see whether the full-blown version of FAZAM 2000 addresses your Group Policy scripting needs.