Discussion:
Create and populate GPO programatically?
(too old to reply)
Cary Shultz
2010-04-22 16:47:37 UTC
Permalink
Good afternoon!

I would like to know - without using the GPMC stuff - if it is possible
using VBScript or PowerShell to create a GPO and to populate that GPO (to
install a piece of software, for example).

Thanks,

Cary
Florian Frommherz
2010-04-22 17:26:59 UTC
Permalink
Howdie!
Post by Cary Shultz
I would like to know - without using the GPMC stuff - if it is possible
using VBScript or PowerShell to create a GPO and to populate that GPO
(to install a piece of software, for example).
There are a couple of PoSH CMDlets for Group Policy but they don't do
what you're looking for.

What is it you are looking for? Maybe a timely created GPO that kicks
off settings between 6am and 8pm?

Cheers,
Florian
Cary Shultz
2010-04-22 18:37:19 UTC
Permalink
Schoenen Guten Abend, Florian!

We deploy a management agent (small piece of software .... .msi file) to all
of the workstations at the clients that we manage and the boss would like to
do this via GPO (and he almost *NEVER* wants to do that!!!!). So, he is
trying to programmatically create a GPO (it has to be very vanilla so that
we can use this in all of the environments that we manage) and then make the
configuration changes programmatically so that the software deployment
package is created automatically. I have spent a couple of hours looking
and all I am seeing is "use the GPMC built-in scripts"....but that only
creates the GPO (and requires some 'arguments' to be populated). As they
say here in SW Virginia - that might could work (das kannst Du vergessen,
Florian....das ist wie man sagt- "das habe ich vergessen gehabt"....YIKES!)
but does only half the job...

I am not aware of any way to do this...have looked at Darren's stuff and at
your stuff and at the lovely Lilia's stuff.....just not finding it. And, I
do not know GPOs well enough to do that (better said, do not have the
time....to be honest....to find out if I am good enough!).

Ich bedanke mich im voraus und verbleibe (I loved writing that in e-mails
when I worked in Germany...that is a cool sentence!)......

Cary
Post by Florian Frommherz
Howdie!
Post by Cary Shultz
I would like to know - without using the GPMC stuff - if it is possible
using VBScript or PowerShell to create a GPO and to populate that GPO
(to install a piece of software, for example).
There are a couple of PoSH CMDlets for Group Policy but they don't do what
you're looking for.
What is it you are looking for? Maybe a timely created GPO that kicks off
settings between 6am and 8pm?
Cheers,
Florian
Florian Frommherz
2010-04-22 19:45:40 UTC
Permalink
Howdie!
Post by Cary Shultz
I am not aware of any way to do this...have looked at Darren's stuff and
at your stuff and at the lovely Lilia's stuff.....just not finding it.
And, I do not know GPOs well enough to do that (better said, do not have
the time....to be honest....to find out if I am good enough!).
I don't believe there's something out there that does that nor do I
believe that searching for that everywhere is worth the outcome (Es
lohnt sich wahrscheinlich nicht, so viel Zeit zu investieren, I'd say).
Software Installation is kind of "special" as there are a couple of
files involved.

If you want to go that route anyways, hmm, I'd probably look at Mark's
article here:
http://gpupdate.spaces.live.com/blog/cns!95A4CDC36943279A!120.entry --
it describes how you're going about changing the distribution point of
managed software AND gives you a good idea of what files are around and
what to look for. So that would be my way to start.

You'll probably want to create a vanilla software package and all that
and track/audit the changes GP does to SYSVOL and the directory. After
that, sneak into the files create (*.aas, ...) and see what it does. But
then again, I doubt you'll find much to do in reasonable time as you'd
have to programmatically implement that rather than easily "script" it.

I'm curious as to what you're trying to automate here. I couldn't figure
that out from just reading your posting. What I try to do is
customize/tailor down software packages as far as I can. ORCA helps you
customize MSIs. I kind of build three/four versions of an MSI/MST for
deployment and just throw them on customer's distribution points. I do
the customization on the package rather than the GPO, if possible.
Post by Cary Shultz
Ich bedanke mich im voraus und verbleibe (I loved writing that in
e-mails when I worked in Germany...that is a cool sentence!)......
Haha, that is a fun sentence. You rarely read that unless you're having
email conversations with federal agencies or officials.

Ich werde mir jetzt ein Bier genehmigen.

Have a good day, Cary :)
Florian
Cary Shultz
2010-04-22 23:19:14 UTC
Permalink
Florian,

Enjoy your beer! I will look at Mark's link (thank you for that) but I
think that you are indeed correct: it appears that a lot of time is needed
for this. And time is one thing that I do not have! My wife and two little
boys actually enjoy me being home! Go figure, right!

Anyway, here is a nutshell is what we are trying to do (with a little
background to give you the context of this 'process'):

1. We sign a new client. They have four servers and 65 workstations. We
need to install our "MyIT" software to those four servers and 65
workstations.
2. Someone from sales generally puts our agent on one of the servers so
that we can poke around and do an assessment (but I digress)
3. When the contract for this client starts (actually, generally a little
bit before - depending on the circumstances), we need to install the agent
on all of the 'computers'
4. The boss wants to - via our MyIT Management Interface - create a 'script'
that can create the Group Policy Object, put the .msi file in a specific
place (shared folder, called \\server1\MyITAgent - we have variables
available to us via the MyIT Management Console so that is not a problem)
and then configure the GPO - via this 'script' - to be linked to the Domain
Level and to deploy the application via the distribution point of
\\server1\MyITAgent$\myitagent.msi.

Does that make more sense? Or, am I failing miserably?

Thanks.

Cary
Post by Florian Frommherz
Howdie!
Post by Cary Shultz
I am not aware of any way to do this...have looked at Darren's stuff and
at your stuff and at the lovely Lilia's stuff.....just not finding it.
And, I do not know GPOs well enough to do that (better said, do not have
the time....to be honest....to find out if I am good enough!).
I don't believe there's something out there that does that nor do I
believe that searching for that everywhere is worth the outcome (Es lohnt
sich wahrscheinlich nicht, so viel Zeit zu investieren, I'd say). Software
Installation is kind of "special" as there are a couple of files involved.
If you want to go that route anyways, hmm, I'd probably look at Mark's
http://gpupdate.spaces.live.com/blog/cns!95A4CDC36943279A!120.entry --
it describes how you're going about changing the distribution point of
managed software AND gives you a good idea of what files are around and
what to look for. So that would be my way to start.
You'll probably want to create a vanilla software package and all that and
track/audit the changes GP does to SYSVOL and the directory. After that,
sneak into the files create (*.aas, ...) and see what it does. But then
again, I doubt you'll find much to do in reasonable time as you'd have to
programmatically implement that rather than easily "script" it.
I'm curious as to what you're trying to automate here. I couldn't figure
that out from just reading your posting. What I try to do is
customize/tailor down software packages as far as I can. ORCA helps you
customize MSIs. I kind of build three/four versions of an MSI/MST for
deployment and just throw them on customer's distribution points. I do the
customization on the package rather than the GPO, if possible.
Post by Cary Shultz
Ich bedanke mich im voraus und verbleibe (I loved writing that in
e-mails when I worked in Germany...that is a cool sentence!)......
Haha, that is a fun sentence. You rarely read that unless you're having
email conversations with federal agencies or officials.
Ich werde mir jetzt ein Bier genehmigen.
Have a good day, Cary :)
Florian
Florian Frommherz [MVP]
2010-04-23 06:00:24 UTC
Permalink
Hey Cary,
Enjoy your beer! I will look at Mark's link (thank you for that) but I
think that you are indeed correct: it appears that a lot of time is
needed for this. And time is one thing that I do not have! My wife and
two little boys actually enjoy me being home! Go figure, right!
The beer was fine, thanks. I actually enjoyed it with my girlfriend next
to me and a an episode of "Two and a half men". I fully understand there
are more important things than... anything else. :)
4. The boss wants to - via our MyIT Management Interface - create a
'script' that can create the Group Policy Object, put the .msi file in a
specific place (shared folder, called \\server1\MyITAgent - we have
variables available to us via the MyIT Management Console so that is not
a problem) and then configure the GPO - via this 'script' - to be linked
to the Domain Level and to deploy the application via the distribution
point of \\server1\MyITAgent$\myitagent.msi.
I see, that makes sense -- but honestly, I don't see why you'd want to
automate that part so badly. Other than physical access to the
customer's network, it probably takes 5 minutes to get the things
configured and set the GPO up for mass-install (let's count test-driving
out for now).

Cheers,
Florian
Cary Shultz
2010-04-23 09:39:56 UTC
Permalink
Florian,

I agree - there are more important things in life....but I think that I am
missing that! 12 - 14 hour work days, well, this is IT, right?

Anyway, I think that he wants to automate this so badly simply because of
all the clients that we have and will have....being able to click a button
(which would be the "Deploy Agent to all workstations" script....) and to
get this done would be ideal. I believe that things will soon change at
work where this would be a really great thing (w/o getting into the details
here). Anyway, I fully understand your "why?" question. He is always
looking to save time (and I - honestly - would be the one doing this
"manually").

Anyway, I hope that the episode of 2.5 Men was a good one. My wife and I
love that show. Rose is an absolute nut job - and we love her! That poor
"little" boy is not going to be right in the head with those two....and
Uncle Charlie - well...... We watch that show all the time.

As always, Thanks for your input. I will post the VBScript that he is
currently using - but I need to look at it first. I might just see what is
not happening. He mentioned something about "access denied" but that was
the end of that conversation (for the moment....he gets excited sometimes
when talking about new technology or 'cool' things...and he talks like I
do....non-stop!....but, he is quite intelligent - generally speaking -so it
is always a lesson when I do speak with him - without it feeling like a
lesson!).

Cary
Post by Florian Frommherz [MVP]
Hey Cary,
Enjoy your beer! I will look at Mark's link (thank you for that) but I
think that you are indeed correct: it appears that a lot of time is
needed for this. And time is one thing that I do not have! My wife and
two little boys actually enjoy me being home! Go figure, right!
The beer was fine, thanks. I actually enjoyed it with my girlfriend next
to me and a an episode of "Two and a half men". I fully understand there
are more important things than... anything else. :)
4. The boss wants to - via our MyIT Management Interface - create a
'script' that can create the Group Policy Object, put the .msi file in a
specific place (shared folder, called \\server1\MyITAgent - we have
variables available to us via the MyIT Management Console so that is not
a problem) and then configure the GPO - via this 'script' - to be linked
to the Domain Level and to deploy the application via the distribution
point of \\server1\MyITAgent$\myitagent.msi.
I see, that makes sense -- but honestly, I don't see why you'd want to
automate that part so badly. Other than physical access to the customer's
network, it probably takes 5 minutes to get the things configured and set
the GPO up for mass-install (let's count test-driving out for now).
Cheers,
Florian
kj [SBS MVP]
2010-04-23 16:33:48 UTC
Permalink
Ah, "to the better things in life" !!!

Suggest purusing ove the following for your enterainment and enjoyment...
then go have another beer.

http://technet.microsoft.com/en-us/magazine/2007.05.grouppolicy.aspx
Post by Cary Shultz
Florian,
I agree - there are more important things in life....but I think that
I am missing that! 12 - 14 hour work days, well, this is IT, right?
Anyway, I think that he wants to automate this so badly simply
because of all the clients that we have and will have....being able
to click a button (which would be the "Deploy Agent to all
workstations" script....) and to get this done would be ideal. I
believe that things will soon change at work where this would be a
really great thing (w/o getting into the details here). Anyway, I
fully understand your "why?" question. He is always looking to save
time (and I - honestly - would be the one doing this "manually").
Anyway, I hope that the episode of 2.5 Men was a good one. My wife
and I love that show. Rose is an absolute nut job - and we love her!
That poor "little" boy is not going to be right in the head with
those two....and Uncle Charlie - well...... We watch that show all
the time.
As always, Thanks for your input. I will post the VBScript that he is
currently using - but I need to look at it first. I might just see
what is not happening. He mentioned something about "access denied"
but that was the end of that conversation (for the moment....he gets
excited sometimes when talking about new technology or 'cool'
things...and he talks like I do....non-stop!....but, he is quite
intelligent - generally speaking -so it is always a lesson when I do
speak with him - without it feeling like a lesson!).
Cary
Post by Florian Frommherz [MVP]
Hey Cary,
Enjoy your beer! I will look at Mark's link (thank you for that)
but I think that you are indeed correct: it appears that a lot of
time is needed for this. And time is one thing that I do not have!
My wife and two little boys actually enjoy me being home! Go
figure, right!
The beer was fine, thanks. I actually enjoyed it with my girlfriend
next to me and a an episode of "Two and a half men". I fully
understand there are more important things than... anything else. :)
4. The boss wants to - via our MyIT Management Interface - create a
'script' that can create the Group Policy Object, put the .msi file
in a specific place (shared folder, called \\server1\MyITAgent - we
have variables available to us via the MyIT Management Console so
that is not a problem) and then configure the GPO - via this
'script' - to be linked to the Domain Level and to deploy the
application via the distribution point of
\\server1\MyITAgent$\myitagent.msi.
I see, that makes sense -- but honestly, I don't see why you'd want
to automate that part so badly. Other than physical access to the
customer's network, it probably takes 5 minutes to get the things
configured and set the GPO up for mass-install (let's count
test-driving out for now). Cheers,
Florian
--
/kj
Loading...