PowerShell Script with GP cmdlets: Registry setting, Link
The following is a sample script that sets a Preference registry value in a GPO, then compares that value against all of the GPOs linked to the same domain. If the value is not already set in a linked GPO, the new GPO is linked to that domain as well.
You can copy and paste the following text into a .ps1 file and run it after a few modifications (the comments denote where you should replace my example names with your own GPO and domain names). Lines that begin with # are comments in the .ps1 file, so you don't need to worry about them being run or printed.
Hope this helps!
LiliaG, Group Policy PM
## The following script sets a Preference registry value in a GPO, then compares that same value to all of the GPOs linked in the same domain
## it depends on being opened from the Active Directory provider shortcut to the PowerShell console, or navigating to that AD provider first
# necessary for any work with group policy cmdlets
import-module grouppolicy
# necessary for get-ADDomain and get-ADObject if the Active Directory module is not already loaded
import-module activedirectory
# create new GPO. Replace "GPDEMO" with the name of your choice
new-GPO GPDEMO
# set the variable $key to the string value of the registry key to be set
$key = 'HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath'
# set GP Pref Registry Value
# '(Default)' is quoted because PowerShell would otherwise try to run Default as a command
Set-GPPrefRegistryValue -Name GPDEMO -Context User -Key $key -ValueName '(Default)' -Value 'C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader' -Type String -Action Create
# get all GPOs linked in the domain you choose
# first step is to get the domain object you want
# Replace <your domain here> with the NetBIOS, DNS, SID, or Distinguished Name of the domain
$domain = get-ADDomain -Identity '<your domain here>'
# enter "get-ADDomain -?" for help
# the next step gets all the GPOs currently linked to that domain and extends the attributes to include the GUID of those GPOs
# LinkedGroupPolicyObjects holds the distinguished names of the GPOs linked to the domain
# the second portion of this line is important for parsing the resulting list of GPOs, do not skip it! You must get the " -properties Name " in order to refer to the GPOs by their GUID.
# the @( ) keeps the result an array even when only one GPO is linked, so .count and indexing work in the loop
$GPOList = @($domain.LinkedGroupPolicyObjects | %{Get-ADObject $_ -Properties Name})
# sets up the variable to be compared against the other GPOs in the domain
$preference = get-GPPrefRegistryValue -Name GPDEMO -Context User -Key $key -ValueName '(Default)'
# loop through
$i = 0
$redundantSetting = 0
while ($i -lt $GPOList.count) {
    $CompareGPO = get-GPO -GUID $GPOList[$i].Name
    # reset, then read the same preference value from the linked GPO
    # the cmdlet reports an error when the GPO does not contain the value, so $comparePref stays $null in that case
    $comparePref = $null
    try {
        $comparePref = get-GPPrefRegistryValue -Guid $CompareGPO.Id -Context User -Key $key -ValueName '(Default)' -ErrorAction Stop
    } catch { }
    # report out equality
    if ($comparePref -and ($preference.Value).equals($comparePref.Value))
    {
        "Equal!"
        $redundantSetting++
    } else {
        "Not Equal!"
    }
    $i++
}
# if none of the GPOs linked to the domain have the setting, link this new GPO. Otherwise, do not link it.
if ($redundantSetting -eq 0)
{
    new-GPLink GPDEMO -Target $domain.DistinguishedName
} else {
    "Not linking a redundant GPO"
}
Now, when I detect a redundant setting, I just print something out to the screen. You can do something more interesting, like write to a file, trigger another script, send an email, etc. In fact, I hope you do! Let me know what you do with this script, how you improve it, if/how you use it, or if it causes you any trouble.
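One way to turn the redundancy check into a report written to a file, as an added example that is not part of the original post. The function name `Get-LinkedGPPrefRegistryValue`, the domain DN `DC=example,DC=com` and the output file name are assumptions made for illustration; it reads the links with `Get-GPInheritance` instead of the AD cmdlets, so it also records whether each link is enabled.

```powershell
Import-Module GroupPolicy

# Hypothetical helper (not part of the GroupPolicy module): for every GPO linked
# directly to $Target, report whether it carries the given Preference registry value.
function Get-LinkedGPPrefRegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Target,     # DN of the domain or OU
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [ValidateSet('User', 'Computer')] [string] $Context = 'User'
    )
    # GpoLinks lists only the GPOs linked at $Target itself, with their link state
    foreach ($link in (Get-GPInheritance -Target $Target).GpoLinks) {
        $pref = $null
        try {
            # An error is raised when the GPO does not contain the item;
            # in that case $pref stays $null and the row reports HasSetting = False
            $pref = Get-GPPrefRegistryValue -Guid $link.GpoId -Context $Context `
                        -Key $Key -ValueName $ValueName -ErrorAction Stop
        } catch { }
        [pscustomobject]@{
            Gpo         = $link.DisplayName
            GpoId       = $link.GpoId
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            HasSetting  = [bool]$pref
            Value       = if ($pref) { $pref.Value } else { $null }
        }
    }
}

# Constructed sample call: replace the DN with your own domain
$key    = 'HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath'
$report = Get-LinkedGPPrefRegistryValue -Target 'DC=example,DC=com' -Key $key -ValueName '(Default)'

# Write the full audit to a file
$report | Export-Csv -Path .\gp-pref-audit.csv -NoTypeInformation

# GPOs that hold the setting but whose link is disabled: the setting exists
# in the GPO, yet that link does not deliver it to anyone
$report | Where-Object { $_.HasSetting -and -not $_.LinkEnabled }
```

A GPO that appears in the last query would be counted as "redundant" by a simple equality check even though its link is disabled, so review those rows before deciding not to link a new GPO.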