Parity123

asked:
Powershell: GPO script


I have backed up a GPO from one of the domains, and copied it to the network share.

I need help with creating a script to do the following in all the domains in the forest (I am trying to avoid creating this manually in all the domains in a few forests):

a) Create a GPO called "MyGPO"
b) Import the settings from the network share the backed up gpo is
c) Link the GPO to an OU

Really appreciate your assistance with this.

Jeremy Weisinger

I haven't tested it but something like this should do it. If you want a prompt for the relevant info (like OU to link to, backup GPO name, etc) we could do that too.

```powershell
Import-GPO -BackupGpoName 'Backed up GPO name' -TargetName MyGPO -Path \\servername\backupLocation -CreateIfNeeded | New-GPLink -Target "ou=MyOU,dc=contoso,dc=com" -LinkEnabled Yes
```

Parity123

Thanks. Could you please assist with a prompt for the location of the backup, the OU to link to, and also creating the GPO.
Sure but what do you mean by:
...and also create gpo
Never mind I did not see the createifneeded switch.
Hello Jeremy,

I want to run this script for all the domains in the forest. Is there any error handling you could assist with that I could log?

Here are the prompts:

```powershell
$GPOScrName = Read-Host 'Enter the name of the source GPO'
$GPOBackupPath = Read-Host 'Enter the location of the GPO backup where the source GPO is'

function Check-OUtarget {
    $OUName = Read-Host 'Enter the name of the OU you want to link the GPO to'
    $OUNameFilter = '*' + $OUName + '*'
    # Wrap in @() so .Count works when zero or one OU matches; CanonicalName is not returned by default
    $global:OUobj = @(Get-ADOrganizationalUnit -Filter "Name -like '$OUNameFilter'" -Properties CanonicalName)
    If ($OUobj.Count -gt 1) {
        Write-Host "`n`nThere are more than one OU that matches that name.`nPlease type in a more specific name to match the list below:`n`n" -ForegroundColor Cyan
        $OUobj.CanonicalName | Write-Host -ForegroundColor Yellow
        Write-Host "`n"
        Check-OUtarget   # prompt again until exactly one OU matches
        return
    }
    ElseIf ($OUobj.Count -eq 0) {
        Write-Host "No OU matched '$OUName'. Please try again." -ForegroundColor Red
        Check-OUtarget
        return
    }
    $global:OUDN = $OUobj.DistinguishedName
}

Check-OUtarget

Import-GPO -BackupGpoName $GPOScrName -TargetName MyGPO -Path $GPOBackupPath -CreateIfNeeded | New-GPLink -Target $OUDN -LinkEnabled Yes
```


There are several ways to handle errors.

Try Catch Finally
ErrorVariable with If statements

and probably many others.

What are you looking for specifically?
This is what I have so far:

```powershell
# Placeholder for the poster's own Write-Log helper, which is not shown in the thread
function Write-Log { param($Message) Write-Host $Message }

$domains = (Get-ADForest).Domains
foreach ($domain in $domains) {
    Try {
        # -ErrorAction Stop turns non-terminating cmdlet errors into ones the Catch block sees
        Import-Gpo -BackupGpoName $backupgponame -TargetName $targetgponame -Path $path -Domain $domain -CreateIfNeeded -ErrorAction Stop |
            New-GPLink -Target $LinkOU -Domain $domain -ErrorAction Stop
        Write-Log "Created/Imported $targetgponame and linked to $LinkOU in $domain"
    }
    Catch {
        Write-Log "ERROR: Failed to create/import gpo! for $domain : $_"
    }
}
```


I want to be able to handle errors:
a) If the GPLink already exists it should say it already exists and skip
b) If there is any error in importing the GPO or linking the GPO it should exit

Thanks very much for your help
Is it possible to also remove the Authenticated Users group and another group called group1?
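One way to cover the three requests above (skip an existing link, exit on any other error, strip Authenticated Users and group1 from the GPO's security filtering) in the per-domain loop. This is an added example, not Jeremy's solution or the asker's script; it assumes $backupgponame, $targetgponame and $path are set as in the snippet above, that $LinkOU holds only the OU part of the DN (e.g. 'OU=Workstations') which is the same in every domain, and that the log path is a hypothetical choice.

```powershell
# Added example (not from the thread): per-domain import + link with the asker's
# two error-handling rules, plus security-filtering cleanup.
# Assumed inputs: $backupgponame, $targetgponame, $path, $LinkOU (OU part of the DN only).
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath "$env:TEMP\gpo-deploy.log" -Append
}

$domains = (Get-ADForest).Domains
foreach ($domain in $domains) {
    # Build the full OU DN for this domain from the common OU part
    $domainDN = (Get-ADDomain -Identity $domain).DistinguishedName
    $ouDN = "$LinkOU,$domainDN"
    try {
        $gpo = Import-GPO -BackupGpoName $backupgponame -TargetName $targetgponame -Path $path -Domain $domain -CreateIfNeeded -ErrorAction Stop

        # Rule a) if the OU already links this GPO, report it and skip instead of failing
        $existing = (Get-GPInheritance -Target $ouDN -Domain $domain -ErrorAction Stop).GpoLinks |
            Where-Object { $_.GpoId -eq $gpo.Id }
        if ($existing) {
            Write-Log "SKIP: $targetgponame is already linked to $ouDN in $domain"
        } else {
            New-GPLink -Guid $gpo.Id -Target $ouDN -Domain $domain -LinkEnabled Yes -ErrorAction Stop | Out-Null
            Write-Log "OK: created/imported $targetgponame and linked to $ouDN in $domain"
        }

        # Remove Authenticated Users and group1 from security filtering.
        # Caveat: since MS16-072 the computer account must still be able to read the GPO,
        # so grant Domain Computers read access before dropping Authenticated Users.
        Set-GPPermission -Guid $gpo.Id -Domain $domain -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead -ErrorAction Stop | Out-Null
        foreach ($grp in 'Authenticated Users', 'group1') {
            Set-GPPermission -Guid $gpo.Id -Domain $domain -TargetName $grp -TargetType Group -PermissionLevel None -Replace -ErrorAction Stop | Out-Null
        }
    }
    catch {
        # Rule b) any other failure (import, link, permissions) is logged and stops the run
        Write-Log "ERROR: $domain : $($_.Exception.Message)"
        exit 1
    }
}
```

Check the log after a run before trusting the result: a SKIP line per domain means the link was already in place, while any ERROR line stops processing at that domain.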
Jeremy Weisinger

The OU location is the same in every domain
Thanks. This is exactly what I needed.
Glad to help!