Scripting Group Policy tasks using GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Scripting Group Policy tasks

The Group Policy Management Console (GPMC) provides a comprehensive set of COM interfaces for scripting many Group Policy-related operations. The interfaces are documented in the Group Policy Management Console SDK, which is located at %programfiles%\gpmc\scripts\gpmc.chm on any computer where you installed GPMC. (The Group Policy Management Console SDK is only available in English.)

When you install GPMC, a set of sample scripts illustrating the use of these interfaces is installed to the %programfiles%\gpmc\scripts directory.

The sample scripts address real-world administrative problems and scenarios. You can perform various tasks such as finding all Group Policy objects (GPOs) in a domain that have duplicate names or generating a list of all GPOs in a domain whose settings are disabled or partially disabled.


  • Scripted control of individual settings inside a GPO is not provided.

The scripts include examples written in VBScript and JScript. They all have the .wsf extension and are executed through Windows Script Host (WSH), which is included with Windows Server 2003 and other recent versions of Windows. All of the scripts should be executed from the command line. Executing a script with the /? switch displays the usage for that script.

The sample scripts echo output to the command window and must be executed using cscript.exe. If cscript.exe is not your default scripting host, you will need to explicitly specify cscript.exe on the command line. For example: "d:\program files\gpmc\scripts>cscript ListAllGPOs.wsf".


  • You can run "cscript //H:cscript" from a command line to make cscript the default scripting host.

You can modify and distribute the sample scripts in accordance with the terms of the End User License Agreement.

Many of the sample scripts rely on a library of common helper functions contained in the file Lib_CommonGPMCFunctions.js. If you copy these scripts to another location, you must also copy this library file to that location for the script samples to work.
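As an added illustration of the COM interfaces described above (not one of the GPMC sample scripts and not Microsoft's code), the following JScript-compatible JavaScript reports each GPO's enabled or disabled status and any GPO names used more than once. The function names, the positional domain argument and the sample records are assumptions made for this example; when no domain name is passed, it runs on the constructed sample data instead of querying a domain.

```javascript
// CONSTRUCTED sample records, used when no domain argument is given.
var SAMPLE_GPOS = [
  { name: "Workstation Baseline", id: "{SAMPLE-GUID-0001}", user: true, computer: true },
  { name: "workstation baseline", id: "{SAMPLE-GUID-0002}", user: true, computer: false },
  { name: "Legacy Lockdown", id: "{SAMPLE-GUID-0003}", user: false, computer: false }
];

// Read every GPO in a domain through the GPMC COM interfaces (WSH only).
function loadGpos(domainName) {
  var gpm = new ActiveXObject("GPMgmt.GPM"), out = [];
  var domain = gpm.GetDomain(domainName, "", gpm.GetConstants().UseAnyDC);
  // Search criteria with nothing added match every GPO in the domain.
  var found = domain.SearchGPOs(gpm.CreateSearchCriteria());
  for (var e = new Enumerator(found); !e.atEnd(); e.moveNext()) {
    var g = e.item();
    out.push({ name: g.DisplayName, id: g.ID, user: g.IsUserEnabled(), computer: g.IsComputerEnabled() });
  }
  return out;
}

// "enabled", "partially disabled" (one half off) or "disabled" (both halves off).
function gpoStatus(g) {
  return (g.user && g.computer) ? "enabled" : (g.user || g.computer) ? "partially disabled" : "disabled";
}

// Names shared by several GPOs (comparing case-insensitively is this example's choice).
function duplicateNames(gpos) {
  var byName = {}, dups = [], i, key;
  for (i = 0; i < gpos.length; i++) {
    key = "n:" + gpos[i].name.toLowerCase(); // prefix avoids built-in property names
    (byName[key] = byName[key] || []).push(gpos[i].id);
  }
  for (key in byName) {
    if (byName[key].length > 1) dups.push({ name: key.substring(2), ids: byName[key] });
  }
  return dups;
}

// Query the live domain under WSH when a domain name is passed, else use the sample.
var inWsh = typeof WScript !== "undefined";
var gpos = (inWsh && WScript.Arguments.length > 0) ? loadGpos(WScript.Arguments.Item(0)) : SAMPLE_GPOS;
var echo = inWsh ? function (s) { WScript.Echo(s); } : function (s) { console.log(s); };
for (var i = 0; i < gpos.length; i++) echo(gpos[i].name + " " + gpos[i].id + ": " + gpoStatus(gpos[i]));
var dups = duplicateNames(gpos);
for (var j = 0; j < dups.length; j++) echo("duplicate name " + dups[j].name + ": " + dups[j].ids.join(", "));
```

Under Windows Script Host, save it as a .js file and pass the DNS name of the domain as the first argument to cscript.exe.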

Scripting samples for Group Policy administrative tasks

The following table shows the administrative tasks you can perform with sample scripts included with Group Policy Management.

| Administrative task | Script name | Description |
|---|---|---|
| Back up all GPOs in a domain | | Backs up all GPOs in a domain to the specified folder. |
| Back up a GPO | | Given a GPO name or a globally unique identifier (GUID), backs up the GPO to the specified folder. |
| Copy a GPO | | Creates a new GPO and copies the settings from the source GPO into the new destination GPO, given a source GPO name or GUID and a new destination GPO name. |
| Create a policy environment using an XML representation | | Reads an XML file that specifies a policy environment; for example, organizational units, GPOs, links, and security groups. The script can either create the environment in a domain by creating the objects, or delete the environment by deleting objects specified in the XML file. |
| Create a GPO with default options | | Creates a GPO with the specified name, in the current domain, using the default options. |
| Create a migration table | | Creates migration tables that can be edited and used to map paths and security principals to new values when importing and copying GPOs across domains. |
| Create an XML representation of a policy environment | | Reads an existing policy environment and creates an XML file representing that environment. The XML file captures information about organizational units, GPOs, and GPO links, and security on GPOs. You can use this script in conjunction with the CreateEnvironmentFromXML.wsf script to create a replica of a domain for staging purposes. |
| Delete a GPO | | Deletes the specified GPO when given a GPO name or GUID. By default the script deletes links to that GPO within the same domain. |
| Grant Permissions for all GPOs in a Domain | | Grants a user or group the specified level of permission for all GPOs in the specified domain. |
| Import settings into a GPO | | Imports the settings from the specified backup to an existing destination GPO in the specified domain. |
| Import multiple GPOs into a domain | | Creates a new GPO and imports settings into that GPO for each backed-up GPO stored at a specific file system location. |
| Restore a GPO | | Restores a backed-up GPO. |
| Restore all GPOs | | Restores all GPOs that are stored at a given file system location. |
| Grant permissions for GPOs linked to a domain, organizational unit, or site | | Grants a user or group the specified permission type for all GPOs that are linked to a specified domain, organizational unit, or site. You can specify Read, Apply, Edit, FullEdit, or None for the permission type. |
| Set GPO permissions | | Sets the permission level for a security principal on a given GPO. You can specify Read, Apply, Edit, FullEdit, or None for the permission type. |
| Set permissions to create GPOs | | Grants or removes the ability to create GPOs in a domain for a given security principal. |
| Set policy-related permissions on a given site, domain, or organizational unit | | Sets policy-related permissions on a given site, domain, or organizational unit. |
| List disabled GPOs | | Prints all GPOs in the specified domain that are disabled or partially disabled. |
| List GPO information | | Prints the information for a specific GPO, including creation time, modification time, owner, status, version number, security groups that filter the GPO, security groups that have full control, edit, read, or custom permissions, and links. |
| List scope of management information | | Prints information for a specific site, domain, or organizational unit, including GPO links and policy-related permissions. |
| List GPO by policy extension | | Prints all GPOs in the specified domain for which a specific policy extension is configured; for example, find all GPOs that contain the Software Installation or Folder Redirection policy settings. |
| List GPOs by security group | | Prints all GPOs on which a given security principal has the specified permission or effective permission. You can specify Read, Apply, Edit, or FullEdit for the permission type. |
| List GPOs with duplicate names | | Prints all GPOs in the specified domain that have duplicate names. |
| List GPOs without Apply permission | | Prints all GPOs in the specified domain that do not apply to anyone because Apply permission is not set on the GPO. |
| Listing GPOs Orphaned in SYSVOL | | Finds and prints all GPOs in SYSVOL with no corresponding component in Active Directory. |
| List domains, organizational units, and sites with external GPO links | | Prints all domains, organizational units, and sites in the specified domain that link to a GPO in a different domain. |
| List unlinked GPOs in a domain | | Prints all GPOs in the specified domain that have no links. Links outside the domain, including site links, are not checked. |
| Get reports for all GPOs | | Takes a domain name, and gets reports for all GPOs in that domain. |
| Get reports for GPO | | Generates XML and HTML reports for a given GPO. |
| List all GPOs in a domain | | Prints all GPOs in the specified domain. |
| Print the scope of management policy tree | | Prints a list of all organizational units in the specified domain with the list of GPOs that are linked to the domain and each organizational unit. |
| List GPO backups in a given file system location | | Prints information about all backed up GPOs at the file system location specified by the user. |

See Also


Group Policy Object Editor Extensions
Scripts overview for GPMC