Programmatically modify GptTmpl.inf

by dsf3g at 2012-11-11 07:50:35

So, in our organization we’ve got a bunch of OUs with very similar policies. I’m trying to create a script that will allow me to provision these OUs programmatically. I’ve got all the pieces working, and just need to put them together. My question is more about Active Directory than PowerShell per se.

At the moment I’ve got a script that creates the AD groups that go in the OU and then creates and links an empty GPO to that OU. What I want to do is populate that GPO with values. Now, I’ve experimented a bit and found that I can do what I want by manually editing the GptTmpl.inf file that resides here (I’m only concerned with Computer policies):

\\MYDOMAIN\sysvol\MYDOMAIN.local\Policies\{GPO-SID}\Machine\Microsoft\Windows NT\SecEdit

I can use PowerShell and the GroupPolicy PowerShell extensions to get all the SIDs I need and create the groups and GPO.

Next, updating the GptTmpl.inf with the custom values I want is a piece of cake.

My worry, though, is that the settings might not propagate as desired. I’ve noticed, for instance, that when I manually modify the GptTmpl.inf file with a text editor, the AD and sysvol versions that you see in the GPMC do not change as they do when you use the GPMC to modify. Now, I know that FRS or DFS replication will ensure that every Domain Controller in our enterprise has the same GptTmpl.inf file, but will there be adverse effects from these settings not updating?

For the record, there will be no computer objects or user accounts in these GPOs at this time. They will be added a couple of days later.

Am I playing with fire and setting myself up for some real trouble by doing this, or is this perfectly OK to do?

Oh, one more thing: I’m using Quest’s AD extensions for this. And my plan is to first connect to the PDCE, and modify the GptTmpl.inf directly on the PDCE via UNC rather than the Domain SYSVOL directory path I showed above.

by coderaven at 2012-11-11 08:22:41

I think what you are requesting is common.
There are only a few recommendations I have for you when dealing with the group policies.
1. Try to use starter GPOs. This allows you to start from a good baseline and just add a few things. This may make it a lot easier if you are adding common settings.
2. Much like the starter GPOs, you have Copy-GPO cmdlet that would allow you to do something pretty close to the Starter GPOs.

Depending on what you are doing, you need to pay attention to GPO versioning. This is the playing with fire part you were talking about. The AD entries for the GPO and the version in the INI file for the GPO need to be in sync. As they increment, AD and the clients will know when to reapply. I cannot do a full explanation without doing a little more looking but take this example from what I do understand.

You create a new GPO via script and link it. At that point both the Computer and User side version are 0. As you edit the policy in GPMC and GPEdit, the version in AD will change and it will update the version on the sysvol. After that, if you edit the policy via script and do not increment the version number in AD as well as the INF, the GPO will become out of sync. Doing a GPO analysis will tell you if you have them out of sync and you can check the GPO object in AD vs the version in the INF. The clients will check the AD objects and if there is a new version of the GPO, they will not reapply in many cases if the version has not changed. So if you make edits via script and the policy versions are still 0 or the same version they currently have applied, in AD, the clients will think there is nothing new to do. FRS and DFSR will continue to sync the files because they don’t pay attention to the version of the GPO, they are just syncing the files.

I hope that helps.
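
The out-of-sync check described in the reply above, as an added example that is not part of the original thread. It relies on the GroupPolicy module's `Get-GPO`, whose `Computer` and `User` properties expose `DSVersion` and `SysvolVersion`; the function name `Get-GpoVersionDrift` and the "template present but version still 0" heuristic are assumptions of this example.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC / RSAT)
# and read access to the domain's SYSVOL share.
Import-Module GroupPolicy

function Get-GpoVersionDrift {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Security template location inside this GPO's SYSVOL folder
        # (same layout as the path quoted in the question).
        $inf = "\\$Domain\SYSVOL\$Domain\Policies\$($gpo.Id.ToString('B'))" +
               '\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

        foreach ($side in 'Computer', 'User') {
            $ds     = $gpo.$side.DSVersion      # version recorded on the AD object
            $sysvol = $gpo.$side.SysvolVersion  # version recorded in GPT.INI on SYSVOL

            $finding = if ($ds -ne $sysvol) {
                'AD and SYSVOL versions differ'
            }
            elseif ($side -eq 'Computer' -and $ds -eq 0 -and (Test-Path -LiteralPath $inf)) {
                # Assumption: a template in a GPO whose version was never
                # incremented suggests the file was written outside GPMC.
                'GptTmpl.inf present but computer version is still 0'
            }

            if ($finding) {
                [pscustomobject]@{
                    Gpo           = $gpo.DisplayName
                    Id            = $gpo.Id
                    Side          = $side
                    DSVersion     = $ds
                    SysvolVersion = $sysvol
                    Finding       = $finding
                }
            }
        }
    }
}

Get-GpoVersionDrift | Format-Table -AutoSize
```

An empty result means every GPO's AD and SYSVOL versions agree and no unversioned security template was found.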

by dsf3g at 2012-11-11 08:53:44

Thanks, coderaven. Currently I have a script that copies a model GPO, then we can go in and tweak it. But the resulting GptTmpl.inf is so simple, this step really isn’t necessary. My plan is to create an empty GPO and write the entire GptTmpl.inf file with my desired settings.

It’s the GPO versioning bit that has me a little concerned. Now, since nothing is actually receiving the policy when I first create it (these are completely empty OUs) the versioning should be less of a problem, I suspect, because when objects are added to the OU these policies will be new to them regardless of the version number. But I just want to be 100% certain I’m not screwing things up by doing this, or that there is a way to sync the two copies via PowerShell.

by dsf3g at 2012-11-15 12:17:34

I wrote a script. It works. Tested it in our lab forest. Group Policies come up just as expected in GPMC. However, because of the unorthodox nature of what I was doing, my superiors had me open an Advisory Case with Microsoft. The guys I spoke with seemed tickled by what I’d done, and suspected that it wouldn’t cause any problems, but stated that my method was unsupported and could not guarantee that it would cause no problems down the line.

So my pretty little script will not, alas, be deployed in our enterprise. Sniff, sniff.

Oh well. OTOH, I do not want to be the guy who is blamed when, six months from now, group policy starts failing all over the domain. Better safe than sorry. :)