Tuesday, January 3, 2012

List Group Policy Information for an OU

Returns the values found on the Group Policy page in Active Directory Users and Computers for the Students OU.

vbscript:

On Error Resume Next

' Bind to the OU whose Group Policy tab we want to report on.
Set objContainer = GetObject _
    ("LDAP://ou=Students,dc=mydomain,dc=com")

' gPLink stores the linked GPOs as "[LDAP://<gpo dn>;<flags>]" entries,
' highest precedence first; gPOptions stores the OU's own
' Block Policy Inheritance flag.
strGpLink = objContainer.Get("gPLink")
intGpOptions = objContainer.Get("gPOptions")

If strGpLink <> "" Then
    ' Splitting on "]" leaves a trailing empty element, so walk from the
    ' end down to the second element; links are echoed lowest precedence first.
    arrGpLinkItems = Split(strGpLink, "]")
    For i = UBound(arrGpLinkItems) To LBound(arrGpLinkItems) + 1 Step -1
        arrGPLink = Split(arrGpLinkItems(i - 1), ";")
        ' Drop the leading "[LDAP://" (8 characters) to leave the GPO's DN.
        strDNGPLink = Mid(arrGPLink(0), 9)
        WScript.Echo GetGPOName
        ' Flag bits: 1 = link disabled, 2 = No Override (enforced). The value
        ' is a string, so convert it before comparing with the numeric cases.
        Select Case CInt(arrGPLink(1))
            Case 0
                WScript.Echo "No Override is cleared and the GPO is enabled."
            Case 1
                WScript.Echo "No Override is cleared and the GPO is disabled."
            Case 2
                WScript.Echo "No Override is checked and the GPO is enabled."
            Case 3
                WScript.Echo "No Override is checked and the GPO is disabled."
        End Select
    Next
    WScript.Echo vbCrLf
End If

If intGpOptions = 1 Then
    WScript.Echo "Block Policy Inheritance is checked."
Else
    WScript.Echo "Block Policy Inheritance is not checked."
End If

' Returns the display name of the GPO whose DN is in strDNGPLink by
' searching the domain's Policies container.
Function GetGPOName
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    ' LDAP dialect: <base>;(filter);attributes;scope. Assumed search base and
    ' filter (the page shows only ";;"): the Policies container of the domain
    ' bound to above, which holds every groupPolicyContainer object.
    objCommand.CommandText = _
        "<LDAP://cn=Policies,cn=System,dc=mydomain,dc=com>;" & _
        "(objectCategory=groupPolicyContainer);" & _
        "distinguishedName,displayName;onelevel"
    Set objRecordSet = objCommand.Execute

    Do Until objRecordSet.EOF
        ' DNs are not case sensitive, so compare them case-insensitively.
        If StrComp(objRecordSet.Fields("distinguishedName").Value, _
                   strDNGPLink, vbTextCompare) = 0 Then
            GetGPOName = objRecordSet.Fields("displayName").Value
            objConnection.Close
            Exit Function
        End If
        objRecordSet.MoveNext
    Loop
    objConnection.Close
End Function
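As an added example (not code from the original post), the same gPLink and gPOptions decoding as a stand-alone Python parser run over a constructed attribute value; the first GUID is the Default Domain Policy GUID this page uses in Listing 2, the second is made up, and unlike the VBScript's blind Split it rejects a malformed value instead of mis-reading it.

```python
import re
from dataclasses import dataclass

# gPLink flag bits (the ";<flags>" part of each entry; the script's Case 0..3).
LINK_DISABLED = 1    # link present but not applied
LINK_ENFORCED = 2    # "No Override" checked: cannot be blocked below this OU
# gPOptions bit on the OU itself.
BLOCK_INHERITANCE = 1

_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

# Constructed sample value: first GUID is the Default Domain Policy GUID used
# on this page, the second is made up. First link is disabled, second enforced.
SAMPLE_GPLINK = (
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=mydomain,DC=com;1]"
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=mydomain,DC=com;2]"
)


@dataclass(frozen=True)
class GpoLink:
    dn: str          # DN of the groupPolicyContainer object
    order: int       # link order: 1 = highest precedence, applied last
    enforced: bool
    disabled: bool


def parse_gplink(value):
    """Split a gPLink value into links in stored (precedence) order.

    Rejects anything outside well-formed [LDAP://dn;flags] entries, which the
    VBScript's Split/Mid would silently mis-parse."""
    value = (value or "").strip()
    if not value:
        return []                       # attribute absent or empty: no links
    entries = list(_ENTRY.finditer(value))
    if "".join(m.group(0) for m in entries) != value:
        raise ValueError("malformed gPLink value: %r" % value)
    return [GpoLink(m.group(1), n, bool(int(m.group(2)) & LINK_ENFORCED),
                    bool(int(m.group(2)) & LINK_DISABLED))
            for n, m in enumerate(entries, start=1)]


def describe(link):
    """The wording the VBScript echoes for a link's flag value."""
    override = "checked" if link.enforced else "cleared"
    state = "disabled" if link.disabled else "enabled"
    return "No Override is %s and the GPO is %s." % (override, state)


def blocks_inheritance(gpoptions):
    """gPOptions = 1 means Block Policy Inheritance is checked on the OU."""
    return bool(int(gpoptions or 0) & BLOCK_INHERITANCE)


def apply_order(links):
    """GPO DNs in the order the client applies them: lowest precedence first,
    disabled links skipped, so the order-1 link wins on conflicting settings."""
    return [l.dn for l in reversed(links) if not l.disabled]
```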

Default Tasks Scripts With GPMC Kit

Group Policy Scripting

Guys, after a long gap I have started posting my scripts on this blog again. From this post I am starting GPO scripting, with a small intro about the GPMC library as well.

The Group Policy Management Console (GPMC) provides a comprehensive set of COM interfaces that you can use to script many of the operations supported by the console.

The Group Policy Management Console (GPMC) provides a Microsoft Management Console (MMC)-based UI for easy management of Windows Server 2003 and Windows 2000 Group Policy. The GPMC represents a big step forward in Group Policy Object (GPO) management capabilities compared with Win2K's native tools. With the native tools, scripting GPO management is difficult. However, GPMC includes a set of scripting interfaces for automating many common GPO management tasks. Using these scripting interfaces, you can manage the Group Policy environment, including generating reports of GPO settings, creating and copying GPOs, and finding unlinked GPOs. Microsoft provides several GPMC scripts that cover many common scripting tasks. You can also create your own scripts to perform custom GPO management tasks.

Although you can manage Win2K domain-based Group Policies, GPMC runs only on Windows 2003 and Windows XP Professional computers. (For more information about GPMC's requirements and features, see "Windows Server 2003's Group Policy Management Console," July 2003, http://www.winnetmag.com, InstantDoc ID 39190.) You can download the GPMC from the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?familyid=f39e9d60-7e41-4947-82f5-3330f37adfeb&displaylang=en). When you install the GPMC, the system creates a folder called Scripts, which contains all the prewritten GPMC scripts. On a Windows 2003 or XP client, this folder is in the %programfiles%\gpmc directory. The main administrative scripts have a .wsf extension, which is one of the file formats associated with Windows Script Host (WSH). Scripts with the .wsf extension are XML-formatted files that can call other scripts written in VBScript or JScript, which means that one script can take advantage of both the VBScript and JScript scripting engines. For the scripts in this article, I use VBScript without relying on .wsf files.

The GPMC interfaces are implemented in gpmgmt.dll, which resides in the %programfiles%\gpmc directory. Microsoft geared these interfaces toward automating the GPMC functions as well as managing GPOs. Thus, you can use the interfaces not only to script GPMC operations such as creating mapping tables for GPO migrations but also to query and modify GPOs. However, the GPMC interfaces don't let you read or configure policy settings within a GPO. For example, you can't create a script that enables the Remove Run from Start Menu Administrative Template policy within a GPO. This limitation is unfortunate; nonetheless, the GPMC interfaces still provide a level of automation that surpasses what has been available to date. Let's take a look at how to get started with GPMC scripting and how you can use the GPMC objects to perform various administrative tasks, such as retrieving permissions for a GPO and obtaining Resultant Set of Policies (RSoP) reports.


Listing 1: Code That Creates the GPM and GPMConstants Objects

Set GPMC = CreateObject("GPMgmt.GPM")
Set Constants = GPMC.GetConstants()

Listing 2: GetGPOPerms.vbs

' Enumerate the ACEs on one GPO (the GUID below is the Default Domain Policy)
' and translate each GPMC permission constant into the wording the GPMC UI shows.
Set GPMC = CreateObject("GPMgmt.GPM")
Set Constants = GPMC.GetConstants()
Set GPMCDomain = GPMC.GetDomain("mycompany.net", "", Constants.UseAnyDC)
Set MyGPO = GPMCDomain.GetGPO("{31B2F340-016D-11D2-945F-00C04FB984F9}")
Set GPOSec = MyGPO.GetSecurityInfo()
' GPMSecurityInfo is a 1-based collection of GPMPermission objects.
For indx = 1 To GPOSec.Count
    Set Ace = GPOSec.Item(indx)
    Set UsrorGrp = Ace.Trustee
    PrincipalName = UsrorGrp.TrusteeName
    Select Case Ace.Permission
        Case Constants.permGPOApply
            Perm = "Read and Apply Group Policy"
        Case Constants.permGPOEdit
            Perm = "Edit Group Policy"
        Case Constants.permGPOEditSecurityAndDelete
            Perm = "Edit Group Policy, Modify Security and Delete Group Policy"
        Case Constants.permGPORead
            Perm = "Read Group Policy"
        Case Constants.permGPOCustom
            Perm = "Custom Permission"
        Case Else
            Perm = "Unknown permission value " & Ace.Permission
    End Select
    WScript.Echo "The User or Group: " & PrincipalName & _
        " has the following permission: " & Perm
Next

Listing 3: RSoPLogging.vbs

' Run an RSoP logging-mode query (what actually applied to a user on a given
' computer) and write the result as an HTML report.
Set GPMC = CreateObject("GPMgmt.GPM")
Set Constants = GPMC.GetConstants()
Set RSOP = GPMC.GetRSOP(Constants.RSOPModeLogging, "", 0)
RSOP.LoggingComputer = "myworkstation"
RSOP.LoggingUser = "darren"
RSOP.CreateQueryResults()
RSOP.GenerateReportToFile Constants.ReportHTML, "c:\reports\myrsop.html"
' Free the RSoP data on the target once the report has been written.
RSOP.ReleaseQueryResults()

Friday, August 21, 2009

Search Users by MailBox Limit attribute

' Lists users whose mailbox limits come from the store defaults and who have
' no explicit storage quota or over-quota limit set on the user object.

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutputFile = objFSO.CreateTextFile("C:\Documents and Settings\Desktop\scripts\TEXT.TXT", True)

Set con = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")

con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
com.ActiveConnection = con
com.Properties("searchscope") = 2        ' subtree
com.Properties("Page Size") = 100000     ' paged results, avoids the server's result limit

' objectClass=user also matches computers (a subclass of user), so exclude them.
strSQL = "select distinguishedName,cn,displayName,mail from 'LDAP://dc=ABC,dc=com' " & _
         "where objectClass='user' and objectClass<>'computer'"
com.CommandText = strSQL
Set rs = com.Execute

While Not rs.EOF
    Set objUser = GetObject("LDAP://" & rs("distinguishedName"))

    ' The mailbox attributes are absent when they were never set, so a missing
    ' mDBUseDefaults is treated as "use defaults" and a missing quota as "not set".
    blnUseDefaults = ReadAttr(objUser, "mDBUseDefaults")
    If IsEmpty(blnUseDefaults) Or blnUseDefaults = True Then
        If IsEmpty(ReadAttr(objUser, "mDBStorageQuota")) And _
           IsEmpty(ReadAttr(objUser, "mDBOverQuotaLimit")) Then
            objOutputFile.WriteLine rs("cn") & "|" & rs("displayName") & "|" & rs("mail")
        End If
    End If
    rs.MoveNext
Wend

objOutputFile.Close
MsgBox "done"
Set con = Nothing
Set objUser = Nothing

' Returns the named attribute, or Empty when the object does not carry it.
Function ReadAttr(obj, strName)
    On Error Resume Next
    ReadAttr = obj.Get(strName)
    If Err.Number <> 0 Then ReadAttr = Empty
    On Error GoTo 0
End Function

Schema Admin Replication Script

' Exports the members of the Schema Admins group to a dated CSV and mails it.

Set objFSO = CreateObject("Scripting.FileSystemObject")
strFile = "SchemaAdmins#" & Day(Date) & "-" & Month(Date) & "-" & Year(Date) & ".csv"
strPath = "E:\AdminReports\" & strFile
Set objOutputFile = objFSO.CreateTextFile(strPath, True)

Set con = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
com.ActiveConnection = con
com.Properties("searchscope") = 2
com.Properties("Page Size") = 100000

str = "select distinguishedName,cn,displayName from 'LDAP://ABC.com/dc=ABC,dc=com' " & _
      "where objectCategory='group' and cn='Schema Admins'"
com.CommandText = str
Set rs = com.Execute

objOutputFile.WriteLine "cn,displayName,mail"
While Not rs.EOF
    Set objGroup = GetObject("LDAP://" & rs("distinguishedName"))
    For Each objMember In objGroup.Members
        ' displayName and mail may be absent on a member; leave them blank then.
        strDisplay = ""
        strMail = ""
        On Error Resume Next
        strDisplay = objMember.displayName
        strMail = objMember.mail
        On Error GoTo 0
        objOutputFile.WriteLine objMember.cn & "," & strDisplay & "," & strMail
    Next
    rs.MoveNext
Wend
objOutputFile.Close
Set con = Nothing

Set objMail = CreateObject("CDONTS.NewMail")
objMail.From = "delegatesAcccounts@ABC.com"
objMail.To = "Recipient address list, separated by commas"
objMail.Subject = "Schema Admins User List"
objMail.BodyFormat = 0
objMail.MailFormat = 0
objMail.Body = "Hi - Pls find the Schema Admins users details as on " & Now() & "."
' Attach by full path; a bare file name would be resolved against the
' script's working directory rather than E:\AdminReports.
objMail.AttachFile strPath
objMail.Send
Set objMail = Nothing

Enumerating Password Expired Users From Domain

' Reads account names (one cn per line) from in.txt and writes each
' account's password expiration date to TEXT.TXT.
On Error Resume Next

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInputFile = objFSO.OpenTextFile("C:\Documents and Settings\Desktop\scripts\success\in.txt", 1)
Set objOutputFile = objFSO.CreateTextFile("C:\Documents and Settings\Desktop\scripts\success\TEXT.TXT", True)

Set con = CreateObject("ADODB.Connection")
Set com = CreateObject("ADODB.Command")

con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
com.ActiveConnection = con
com.Properties("searchscope") = 2
com.Properties("Page Size") = 100000

While Not objInputFile.AtEndOfStream
    str = Trim(objInputFile.ReadLine)
    If str <> "" Then
        ' The WinNT provider binds by sAMAccountName, not cn, so select both.
        strSQL = "select distinguishedName,cn,sAMAccountName,pwdLastSet " & _
                 "from 'LDAP://dc=ABC,dc=com' where objectClass='user' and cn='" & str & "'"
        com.CommandText = strSQL
        Set rs = com.Execute

        If Not rs.EOF Then
            ' PasswordExpirationDate is computed by the WinNT provider from
            ' pwdLastSet and the domain's maximum password age.
            Set objUser = GetObject("WinNT://ABC.com/" & rs("sAMAccountName") & ",user")
            objOutputFile.WriteLine rs("cn") & "|" & objUser.PasswordExpirationDate
        Else
            objOutputFile.WriteLine str & "|not found"
        End If
    End If
Wend

objInputFile.Close
objOutputFile.Close
MsgBox "done"
Set con = Nothing
Set objUser = Nothing

Wednesday, August 19, 2009

Restarting WMI Services Using Command Line

Starting Winmgmt Service

The following procedure describes how to start the WMI service.

To start Winmgmt Service

    • At a command prompt, enter net start winmgmt [/switch].

For more information about the switches that are available, see winmgmt. You use the built-in Administrator account or an account in the Administrators group running with elevated rights to start the WMI service. For more information, see User Account Control and WMI.

Stopping Winmgmt Service

The following procedure describes how to stop the WMI Service.

To stop Winmgmt Service

  1. At a command prompt, enter net stop winmgmt.

  2. Other services that are dependent on the WMI service also halt, such as SMS Agent Host or Windows Firewall.

Windows 2000: For WMI failures that occur because of improper provider unloading, set the following REG_SZ registry value to 1 (one). The default value is 0 (zero).

HKLM\Software\Microsoft\WBEM\CIMOM\Force Clean Shutdown

winmgmt

Winmgmt is the WMI service within the SVCHOST process running under the LocalSystem account. In all cases, the WMI service automatically starts when the first management application or script requests connection to a WMI namespace. For more information, see Starting and Stopping the WMI Service.

Windows 2000 and Windows NT 4.0: The WMI service runs as a separate service process.

When run from the command prompt, the WMI service has the following switches.

Switches

/backup filename

Causes WMI to back up the repository to the specified file name. The filename argument should contain the full path to the file location. This process requires a write lock on the repository so that write operations to the repository are suspended until the backup process is completed.

/restore filename flag

Manually restores the WMI repository from the specified backup file. The filename argument should contain the full path to the backup file location. To perform the restore operation, WMI saves the existing repository so that it can be written back if the operation fails. Then the repository is restored from the backup file that is specified in the filename argument. If exclusive access to the repository cannot be achieved, existing clients are disconnected from WMI.

The flag argument specifies the restore mode and must be 1 (force: disconnect users and restore) or 0 (default: restore only if no users are connected).

/resyncperf

Registers the system performance libraries with WMI.

/standalonehost [level]

Moves the Winmgmt service to a standalone Svchost process that has a fixed DCOM endpoint. The default endpoint is "ncacn_ip_tcp.0.24158". However, the endpoint may be changed by running Dcomcnfg.exe. For more information about setting up a fixed port for WMI, see Setting Up a Fixed Port for WMI.

The level argument is the authentication level for the Svchost process. WMI normally runs as part of a shared service host, and you cannot increase the authentication level for WMI alone. If level is not specified, the default is 4 (RPC_C_AUTHN_LEVEL_PKT or WbemAuthenticationLevelPkt).

You can run WMI more securely by increasing the authentication level to Packet Privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or WbemAuthenticationLevelPktPrivacy), which encrypts each RPC packet rather than only authenticating it. The authentication levels for Visual Basic and scripting are described in WbemAuthenticationLevelEnum. For C++, see Setting the Default Process Security Level Using C++. For more information, see Maintaining WMI Security.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is not available.

/sharedhost

Moves the Winmgmt service into the shared Svchost process.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is not available.

/verifyrepository [path]

Performs a consistency check on the WMI repository. When you add the /verifyrepository switch without the argument, then the live repository currently used by WMI is verified. When you specify the path argument, you can verify any saved copy of the repository. In this case, the path argument should contain the full path to the saved repository copy. The saved repository should be a copy of the entire repository folder. For more information about errors returned by this command, see the Remarks section.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is not available.

/salvagerepository

Performs a consistency check on the WMI repository, and if an inconsistency is detected, rebuilds the repository. The content of the inconsistent repository is merged into the rebuilt repository, if it can be read. The salvage operation always works with the repository that the WMI service is currently using. For more information about errors returned by this command, see the Remarks section.

MOF files that contain the #pragma autorecover preprocessor statement are restored to the repository.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is not available.

/resetrepository

The repository is reset to the initial state when the operating system is first installed. MOF files that contain the #pragma autorecover preprocessor statement are restored to the repository.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is not available.

Obsolete Switches

/exe

Causes Winmgmt.exe to run as an application rather than as a service. The primary use of the /exe switch is to allow you to debug providers more easily. When the /exe switch is used, Winmgmt.exe is run in the user security context. Normally, WMI should run as a service. Using this switch places an icon in the taskbar.

/kill

Terminates all Winmgmt.exe processes on the local system, including WMI processes started as a service by the Service Control manager or invoked by using the /exe switch. You must have administrative rights to use this switch.

Windows Vista and Windows Server 2008: This switch is not available. Instead use net stop wmiapsrv and net stop winmgmt at the command prompt.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is available.

/clearadap

The ADAP process is not available starting in Windows Vista. The Performance Counter Classes are created by the WMIPerfClass provider and data is supplied by the WMIPerfInst provider. Be aware that you can still use the wmiadap command for certain performance counter operations. For more information, see wmiadap.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: Removes all of the ADAP information from the registry, effectively resetting the state of each performance library. The ADAP utility stores state information about the system performance libraries in the registry.

/unregserver

Removes registry entries added through the self-registration process and should rarely be used.

Windows Vista and Windows Server 2008: This switch is not available. Instead use regsvr32 -u wmisvc.dll at the command prompt.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is available.

/regserver

Registers the Windows Management Service, adding entries to the operating system registry. The /regserver switch should be implemented by any .exe server.

Windows Vista and Windows Server 2008: This switch is not available. Instead use regsvr32 wmisvc.dll at the command prompt.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This switch is available.

Remarks

The WMI repository, also known as the CIM repository, is not just a single file but a collection of files within the Repository folder that work together as a database. When you use the /backup switch to back up the repository, the resulting backup is a single compressed file.

WMI returns the error ERROR_INTERNAL_DB_CORRUPTION (net helpmsg 1358) if a verification operation indicates that the repository is not in a consistent state. This error can be returned from any command which performs repository verification, such as /verifyrepository or /salvagerepository.

Note: If WMI returns error messages, be aware that they may not indicate problems in the WMI service or in WMI providers. Failures can originate in other parts of the operating system and emerge as errors through WMI. Under any circumstances, do not delete the WMI repository as a first action, because deleting the repository can cause damage to the system or to installed applications.

For more information about the source of the problem, download and run the WMI Diagnosis Utility diagnostic command line tool. This tool produces a report that can usually isolate the source of the problem and provide instructions on how to fix it. The report also aids Microsoft support services in assisting you. You can download the WMI Diagnosis Utility from Microsoft.

Requirements

Client

Requires Windows Vista, Windows XP, Windows 2000 Professional, Windows NT Workstation 4.0 SP4 and later, Windows Me, Windows 98, or Windows 95.

Server

Requires Windows Server 2008, Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0 SP4 and later.

DLL

Requires Winmgmt.exe.