
Goal: I am trying to modify a GPO (2008R2 AD) via PowerShell (v3). Specifically the value of User Configuration -> Policies -> Windows Settings -> Folder Redirection -> Documents UNC path.

Initial attempt:

import-module grouppolicy;
$CustomerID = "ACME";   # set by the caller; sample value
$StringToFind = "\\this\is\a\template\path";
$StringToReplace = "\\server123\%CustomerID%\%username%\Documents\";
$GPOBackupFolder = "C:\src\psh\gpoBackupEditRestore\backups";
$GPO = copy-gpo -SourceName "Customer GPO Template v1.4" -targetName "Customer $CustomerID" -CopyACL;
$GPOBackup = Backup-GPO -guid $gpo.id -path $GPOBackupFolder;
# Backup-GPO creates the backup in a sub-folder named {BackupId} (braces included)
$GPOBackupDir = "$GPOBackupFolder\{$($GPOBackup.Id)}";
$GPOBackupXMLPath = "$GPOBackupDir\Backup.xml";
$GPOGPReportXMLPath = "$GPOBackupDir\GPReport.xml";
$NewBackupXMLPath = "$GPOBackupDir\nBackup.xml";
$NewGPReportXMLPath = "$GPOBackupDir\nGPReport.xml";

# read the files into their own variables so $GPOBackup (the backup object) is still intact for Restore-GPO below
$GPOBackupXML = gc $GPOBackupXMLPath;
$GPOGPReportXML = gc $GPOGPReportXMLPath;
foreach($line in $GPOBackupXML){ac $NewBackupXMLPath $line.Replace($StringToFind,$StringToReplace);}
foreach($line in $GPOGPReportXML){ac $NewGPReportXMLPath $line.Replace($StringToFind,$StringToReplace);}

remove-item -force $GPOBackupXMLPath;
remove-item -force $GPOGPReportXMLPath;
move-item -force $NewBackupXMLPath $GPOBackupXMLPath
move-item -force $NewGPReportXMLPath $GPOGPReportXMLPath

Remove-GPO -Guid $GPO.Id   #remove GPO before restore. deleting/commenting this line does not change outcome.
Restore-GPO -BackupId $GPOBackup.Id -Path $GPOBackupFolder

Assuming I have read the information at http://technet.microsoft.com/en-us/library/ee461027.aspx correctly, the PowerShell snippet above should restore the XML at the local folder location to the GPO in AD. [[I have confirmed that the template value ($StringToFind) does not appear in any other file in the GPOBackupFolder directory.]]

However, the changed values in the local XML files are not restored to AD. I confirmed this by taking an additional backup of the GPO after restoring it and comparing the initial (modified) backup files (which were restored) with the post-restore backup values (which now contain the /Original/ values!).

Has anyone else tried this and/or can explain this behaviour, i.e. why Restore-GPO does not restore the contents of the backup files?

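The following is an added example, not code from the question or from any answer on this page. It keeps the question's copy -> backup -> edit -> restore flow, but makes the edit in the folder-redirection INI that the backup keeps under DomainSysvol, which is the file Restore-GPO rebuilds the GPO from; Backup.xml and GPReport.xml are descriptive copies. $CustomerID, the UNC paths and the expectation that the redirection target is stored as a plain key=value line in fdeploy*.ini (the [My Documents] / s-1-1-0 line the first answer shows is one such line) are assumptions made for the example.

```powershell
# Added example (not code from the question or any answer). Assumes the GroupPolicy
# module, rights to create/back up/restore GPOs, and placeholder names/paths below.
Import-Module GroupPolicy

# Small INI reader/writer so no gallery scripts are required.
function Read-Ini([string]$Path) {
    $ini = [ordered]@{}
    $section = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
        } elseif ($section -ne $null -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $ini[$section][$Matches[1]] = $Matches[2]
        }
    }
    $ini
}

# Keep the file's original encoding on write (detect by BOM instead of guessing).
function Get-BomEncodingName([string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'Unicode' }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return 'UTF8' }
    'Default'
}

function Write-Ini([string]$Path, $Ini, [string]$Encoding) {
    $lines = foreach ($s in $Ini.Keys) {
        "[$s]"
        foreach ($k in $Ini[$s].Keys) { "$k=$($Ini[$s][$k])" }
    }
    Set-Content -Path $Path -Value $lines -Encoding $Encoding
}

$CustomerID   = 'ACME'                                          # placeholder
$TemplateName = 'Customer GPO Template v1.4'
$BackupRoot   = 'C:\src\psh\gpoBackupEditRestore\backups'
$OldPath      = '\\this\is\a\template\path'                     # value present in the template
$NewPath      = "\\server123\$CustomerID\%username%\Documents"  # placeholder target

$gpo    = Copy-GPO -SourceName $TemplateName -TargetName "Customer $CustomerID" -CopyACL
$backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot

# Backup-GPO names its folder {BackupId}; the GPO's SYSVOL tree is copied under DomainSysvol\GPO.
$frDir   = Join-Path $BackupRoot "{$($backup.Id)}\DomainSysvol\GPO\User\Documents & Settings"
$changed = 0
foreach ($file in Get-ChildItem -Path $frDir -Filter 'fdeploy*.ini') {
    $ini = Read-Ini $file.FullName
    $n   = 0
    foreach ($s in @($ini.Keys)) {                     # snapshot keys: we modify while iterating
        foreach ($k in @($ini[$s].Keys)) {
            $v = [string]$ini[$s][$k]
            if ($v.IndexOf($OldPath, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $ini[$s][$k] = $v -ireplace [regex]::Escape($OldPath), $NewPath
                $n++
            }
        }
    }
    if ($n) { Write-Ini $file.FullName $ini (Get-BomEncodingName $file.FullName); $changed += $n }
}
if ($changed -eq 0) { throw "Template path not found in any fdeploy*.ini under $frDir" }

# Push the edited backup into the freshly copied GPO, then check what the GPO itself reports.
Restore-GPO -BackupId $backup.Id -Path $BackupRoot | Out-Null
$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
if ($report -match [regex]::Escape($NewPath)) { "OK: $changed value(s) replaced; GPO report shows $NewPath" }
else { Write-Warning "GPO report does not contain $NewPath; inspect the restored GPO's SYSVOL folder" }
```

The final Get-GPOReport check is the same comparison the question makes by hand (backup again, diff the values), done against the live GPO so the script fails loudly instead of silently restoring the template path.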

3 Answers


Update: I found a way to modify the GPO's ini file on the DC directly.

Since this solution does not use any API, I consider it a HACK; however, so far it is the only solution I have come across.

From what I have been able to gather (from my limited work in that world) about AD architecture and DC replication, the SYSVOL portion of a DC will be replicated to the other DCs in the forest, just like changes made through the MMC. Can anyone confirm this?

Note: as far as I know, this script must be run locally on a DC in the same organization as the affected GPO.

Import-Module GroupPolicy
$GPO = copy-gpo -SourceName "$GPOTemplateName" -TargetName "$NewGPOName" -CopyACL
#Found post referencing how to Manually Edit GPO's: http://blogg.husbanken.no/it/2013/04/13/manually-edit-gpo-settings/
$adGPO=[ADSI]"LDAP://$($GPO.path)";
$GPOFilePath = [string]$adGPO.psbase.properties.gPCFileSysPath;   # UNC path of the GPO's folder in SYSVOL

#Specifically the path to the GPO section affecting Folder Redirection
$GPOFolderRedirectionINIPath = "$GPOFilePath\User\Documents & Settings\fdeploy.ini";

#Functions for importing/exporting an INI file with Powershell in a very standard way:  http://blogs.technet.com/b/heyscriptingguy/archive/2011/08/20/use-powershell-to-work-with-any-ini-file.aspx
. ".\get-inicontent.ps1"; # From:  http://gallery.technet.microsoft.com/scriptcenter/ea40c1ef-c856-434b-b8fb-ebd7a76e8d91
. ".\out-inifile.ps1";   # From: http://gallery.technet.microsoft.com/scriptcenter/7d7c867f-026e-4620-bf32-eca99b4e42f4

$GPOFolderRedirectionINI = get-iniContent $GPOFolderRedirectionINIPath;
$GPOFolderRedirectionINI["My Documents"]["s-1-1-0"]="\\New\Path\To\CustomerFolder\%USERNAME%\"
$GPOFolderRedirectionINI | out-iniFile $GPOFolderRedirectionINIPath -Force

I have done a POC of this and it works correctly, and with luck others will find this approach helpful; but I hope someone finds a better way to do it.

Cheers!

Answered 2013-07-10T14:56:12.873
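An added example that is not part of the answer above. The answer writes fdeploy.ini straight into the GPO's SYSVOL folder. Clients only re-process a GPO whose version number has changed, and GPMC increments that number on every edit it makes; a raw file edit does not. The function below bumps the user-side counter in the two places the version is kept (the versionNumber attribute on the AD groupPolicyContainer and GPT.ini in SYSVOL), which is what makes a hand edit take effect on clients that have already applied the GPO. It assumes the GroupPolicy module and write rights on the GPO; the GPO name is a placeholder.

```powershell
# Added example, not code from the answer. Assumes the GroupPolicy module and a
# caller allowed to write the GPO (e.g. a Domain Admin on a DC). Prefer running it
# against the PDC emulator, the DC GPMC itself edits on, to avoid replication conflicts.
Import-Module GroupPolicy

function Step-GpoVersion {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$User,      # user-side settings were changed (folder redirection lives here)
        [switch]$Computer   # computer-side settings were changed
    )
    $gpo   = Get-GPO -Name $Name
    $adGpo = [ADSI]"LDAP://$($gpo.Path)"

    # versionNumber packs two 16-bit counters: low word = computer, high word = user.
    [int64]$version = $adGpo.Properties['versionNumber'].Value
    $computerVer = $version -band 0xFFFF
    $userVer     = ($version -shr 16) -band 0xFFFF
    if ($User)     { $userVer++ }
    if ($Computer) { $computerVer++ }
    $newVersion = [int](($userVer -shl 16) -bor $computerVer)

    # AD side
    $adGpo.Properties['versionNumber'].Value = $newVersion
    $adGpo.CommitChanges()

    # SYSVOL side: GPT.ini carries the same number; SYSVOL replication carries it to the other DCs.
    $gptIni = Join-Path ([string]$adGpo.Properties['gPCFileSysPath'].Value) 'GPT.ini'
    $lines  = Get-Content -Path $gptIni
    $lines  = $lines -replace '^Version=\d+\s*$', "Version=$newVersion"
    Set-Content -Path $gptIni -Value $lines -Encoding ASCII
    return $newVersion
}

# Usage after editing ...\User\Documents & Settings\fdeploy.ini by hand (placeholder GPO name):
$v = Step-GpoVersion -Name 'Customer ACME' -User
"versionNumber is now $v (user=$(($v -shr 16) -band 0xFFFF), computer=$($v -band 0xFFFF))"
```

A GPO that was just created by Copy-GPO has never been processed by any client, so its first application works without this; the bump matters when the INI is edited on a GPO that is already linked and applied, and it is also what gpupdate compares against before it re-runs the folder-redirection extension.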

I stumbled across this post and decided to take it on myself without the hack. Although the content is indeed in the XML files, the GPO restore is actually looking at registry.pol. I was doing a machine-level policy, so it was in DomainSysvol\GPO\Machine\registry.pol.

Once I edited that file (a bit obfuscated - see here for instructions) - https://gallery.technet.microsoft.com/scriptcenter/Read-or-modify-Registrypol-778fed6e

...I was able to restore the copied GPO and have it come through with the correct settings.

I need to create 300 GPOs that all look somewhat similar, so this will save countless hours.

Answered 2014-11-29T03:48:55.593
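An added example, not code from the answer above or from the gallery script it links to. registry.pol is a small binary format: the bytes 'PReg' and a version of 1, followed by entries written in UTF-16LE as [key;value;type;size;data]. The block reads a copy, rewrites a UNC path inside every REG_SZ/REG_EXPAND_SZ value, and writes the file back, which is the edit the answer describes making before Restore-GPO. The backup path and the two server names are placeholders.

```powershell
# Added example (not the answer's code). Parses and rewrites registry.pol (format version 1).
$script:Utf16 = [Text.Encoding]::Unicode

function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    # UTF-16LE, NUL-terminated; advances $Pos past the terminator
    $start = $Pos.Value
    while ([BitConverter]::ToUInt16($Bytes, $Pos.Value) -ne 0) { $Pos.Value += 2 }
    $s = $script:Utf16.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    $s
}

function Read-PolChar([byte[]]$Bytes, [ref]$Pos, [char]$Expected) {
    $c = [char][BitConverter]::ToUInt16($Bytes, $Pos.Value)
    if ($c -ne $Expected) { throw "registry.pol: expected '$Expected' at offset $($Pos.Value), got '$c'" }
    $Pos.Value += 2
}

function Read-RegistryPol([string]$Path) {
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [BitConverter]::ToUInt32($bytes, 0) -ne 0x67655250) { throw "Not a registry.pol: $Path" }  # 'PReg'
    if ([BitConverter]::ToUInt32($bytes, 4) -ne 1) { throw "Unsupported registry.pol version" }
    $pos = 8
    $entries = New-Object System.Collections.Generic.List[object]
    while ($pos -lt $bytes.Length) {
        Read-PolChar $bytes ([ref]$pos) '['
        $key = Read-PolString $bytes ([ref]$pos)
        Read-PolChar $bytes ([ref]$pos) ';'
        $value = Read-PolString $bytes ([ref]$pos)
        Read-PolChar $bytes ([ref]$pos) ';'
        $type = [BitConverter]::ToUInt32($bytes, $pos); $pos += 4
        Read-PolChar $bytes ([ref]$pos) ';'
        $size = [BitConverter]::ToUInt32($bytes, $pos); $pos += 4
        Read-PolChar $bytes ([ref]$pos) ';'
        $data = New-Object byte[] ([int]$size)
        [Array]::Copy($bytes, $pos, $data, 0, $size); $pos += $size
        Read-PolChar $bytes ([ref]$pos) ']'
        $entries.Add([pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $data })
    }
    $entries
}

function Write-RegistryPol([string]$Path, $Entries) {
    $ms = New-Object IO.MemoryStream
    $bw = New-Object IO.BinaryWriter($ms)
    $bw.Write([uint32]0x67655250); $bw.Write([uint32]1)
    foreach ($e in $Entries) {
        $bw.Write($script:Utf16.GetBytes('['))
        $bw.Write($script:Utf16.GetBytes($e.Key + "`0"))
        $bw.Write($script:Utf16.GetBytes(';'))
        $bw.Write($script:Utf16.GetBytes($e.Value + "`0"))
        $bw.Write($script:Utf16.GetBytes(';'))
        $bw.Write([uint32]$e.Type)
        $bw.Write($script:Utf16.GetBytes(';'))
        $bw.Write([uint32]$e.Data.Length)      # size is recomputed, so edited data of a new length is fine
        $bw.Write($script:Utf16.GetBytes(';'))
        $bw.Write([byte[]]$e.Data)
        $bw.Write($script:Utf16.GetBytes(']'))
    }
    $bw.Flush()
    [IO.File]::WriteAllBytes($Path, $ms.ToArray())
}

# Rewrite $Find -> $Replace inside REG_SZ (1) and REG_EXPAND_SZ (2) values; returns the count changed.
# REG_MULTI_SZ (7) is left alone here; it would need per-string handling of its NUL-separated list.
function Set-RegistryPolPath([string]$Path, [string]$Find, [string]$Replace) {
    $entries = Read-RegistryPol $Path
    $changed = 0
    foreach ($e in $entries) {
        if ($e.Type -eq 1 -or $e.Type -eq 2) {
            $s = $script:Utf16.GetString($e.Data).TrimEnd("`0")
            if ($s.IndexOf($Find, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $e.Data = $script:Utf16.GetBytes(($s -ireplace [regex]::Escape($Find), $Replace) + "`0")
                $changed++
            }
        }
    }
    if ($changed) { Write-RegistryPol $Path $entries }
    $changed
}

# Usage: edit the machine-side file inside a GPO backup, then Restore-GPO as the answer does.
$pol = 'C:\GPOBackups\{BACKUP-ID}\DomainSysvol\GPO\Machine\registry.pol'   # placeholder
Copy-Item $pol "$pol.bak"
$n = Set-RegistryPolPath -Path $pol -Find '\\oldserver\share' -Replace '\\newserver\share'   # placeholder servers
"$n value(s) rewritten"
Read-RegistryPol $pol | Select-Object Key, Value, Type | Format-Table -AutoSize
```

Because the parser checks every delimiter and the writer recomputes each entry's size field, a path of a different length than the original is written correctly; a plain byte-level search and replace on the file would leave the old size in place and produce a file the client-side extension rejects.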
Import-Module GroupPolicy
#Full name of GPO
$GPOedits = "Name1", "Name2"
#Local path to back GPO up to
$Pathbkp = "C:\Location"
#Names of old paths
$Pathstoedit = @("Stuff")
#Names of new paths -in same order as old paths
$Pathseditted = @("NewStuff")

foreach ($GPOedit in $GPOedits)
{Backup-GPO -Name $GPOedit -Path $Pathbkp}

$configFiles = Get-ChildItem $Pathbkp *.xml -rec
foreach ($file in $configFiles)
{
Write-Host "Editing $file."
$n = 0
foreach ($Pathtoedit in $Pathstoedit)
{
    $Patheditted = $Pathseditted[$n]
    $Pathtoedit = $Pathtoedit.Replace(".domain", "")
    $Patheditted = $Patheditted.Replace(".domain", "")
    #Insert the FQDN after the server name (first backslash) of the new path
    [regex]$addfqdn = "\\"
    $Patheditted = $addfqdn.replace($Patheditted, ".dir.ad.dla.mil\", 1)
    Write-Host "Changing $Pathtoedit to $Patheditted"

    (Get-Content $file.PSPath) |
    Foreach-Object { $_ -replace [Regex]::Escape($Pathtoedit), $Patheditted } |
    Set-Content $file.PSPath

    #Second pass: the same old path written with the .domain suffix
    [regex]$addfqdn = "\\"
    $Pathtoedit = $addfqdn.replace($Pathtoedit, ".domain\", 1)
    Write-Host "Changing $Pathtoedit to $Patheditted"

    (Get-Content $file.PSPath) |
    Foreach-Object { $_ -replace [Regex]::Escape($Pathtoedit), $Patheditted } |
    Set-Content $file.PSPath

    $n = $n + 1
}
}

Write-Host "Check your work, we are about to import policy changes!"
Pause

foreach ($GPOedit in $GPOedits)
{
Write-Host "Restoring $GPOEdit"
Restore-GPO -Name $GPOedit -Path $Pathbkp
Write-Host "Checking GUID"
$GUID = Get-GPO -Name "$GPOedit" | select -ExpandProperty "ID"
$GUID = "{$GUID}"
Write-Host "Checking GPT.ini for $GUID"
$GPT = Get-ChildItem -Path "\\domain\SYSVOL\Domain\Policies\$GUID" -File | select -ExpandProperty "Name"
If ($GPT -like "*gpt.ini*") { Write-Host "GPT.ini located" }
else { Write-Host "GPT.ini NOT FOUND" }
}
Answered 2018-05-04T14:39:09.840