Agent Deploy - Create GPO on Domain Controller

I've created an Automate script that creates an Active Directory GPO and deploys the Automate agents via Startup Script. I've tested it on multiple domains successfully. 

  • Does not require Permissions/Credentials in Automate
  • Uses GitHub for the initial GPO and PS module downloads (so there is no need to download files to your local server).
  • Automatically links the GPO to the root (optional Parameter in script)
  • Creates a ticket for accountability and the script's results.

Please give me some feedback...




Agent Deploy - Create GPO on DC.xml Agent Deploy - Remove GPO on DC.xml

Edited by Braingears
Replaced Create GPO to use Tokens

Installed and removed with a problem... the quick test I performed looked good.

I did run it against a 2008 DC on accident and it failed because of missing GPO cmdlets. I will edit to put an OS check at the beginning.

How are you keeping github updated with the latest agent? Is it manual or automated?

Ok, is there any way to use your PS script with an IF LT_Installed = True and LT_URL = MyServer then Do nothing?


Thank you

Is this script still working? I tried to run it but the github link is missing the GPO zip file and the script failed. Please advise. 

I just tested the script and unfortunately it didn't work for me:

    Import-GPO : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    At C:\Windows\system32\config\systemprofile\AppData\Local\2b47f478a8a94a99bac4e8b0220cc6e8.ps1:5 char:1
    + Import-GPO -BackupGpoName $GPOName -Path $Path -TargetName $GPOName - ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Import-GPO], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.ImportGpoCommand
    The GPO CW Automate Agent Deployment was NOT imported successfully.
    At C:\Windows\system32\config\systemprofile\AppData\Local\2b47f478a8a94a99bac4e8b0220cc6e8.ps1:6 char:65
    + ... yContinue)) {Throw "The GPO $GPOName was NOT imported successfully."}
    +                                                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (The GPO CW Auto...d successfully.:String) [], RuntimeException
        + FullyQualifiedErrorId : The GPO CW Automate Agent Deployment was NOT imported successfully.

Any ideas on what to try?


I found that using the NT Authority\System account, it must be run from the Domain Controller with FSMO Roles installed. Try the PDC enabled server. 

Thank you. Running the script on the PDC server worked.

Here is my feedback:

When the script fails (like running it on a non-PDC server), the status should be Failed in LT so we know something went wrong.

Maybe before running the script you can check if it's the PDC server and, if not, log where it should be run:

if ((gwmi win32_computersystem).partofdomain -eq $true) {
    write-host -fore white "INFO : You are a member of a domain"
    try {
        $PDCHost = (Get-ADDomain -EA Stop).PDCEmulator
    } catch {
        write-host -fore red "ERROR : This script is for PDC Server (Get-ADDomain failed: $($_.Exception.Message))"
        exit 1
    }
    # Build the local FQDN from WMI: $env:userdnsdomain is empty when running as NT AUTHORITY\SYSTEM
    $cs = gwmi win32_computersystem
    $LocalFqdn = "$($cs.DNSHostName).$($cs.Domain)"
    if ($PDCHost -eq $LocalFqdn) {
        write-host -fore green "You are on the PDC Server"
        # ....... (do what you need to do)
    } else {
        write-host -fore red "ERROR : This script is for PDC Server. Please execute in this server: $PDCHost"
        exit 1
    }
# If not a member of domain
} else {
    write-host -fore white "INFO : You are in a workgroup"
    # .... exit script
    exit 1
}


Also, I checked the .bat file that is created and the command does not have the Force parameter. Can we add that as a script parameter? (also -Verbose for logging purposes)


Thank you!!
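A fuller pre-flight check along the lines suggested above, written here as an added example rather than code from the thread's scripts. It assumes the RSAT ActiveDirectory and GroupPolicy modules are the ones the script needs, covers the Server 2008 case (no GPO cmdlets) reported earlier in the thread, and exits non-zero so Automate can mark the script Failed instead of continuing into Import-GPO.

```powershell
# Added example, not from the thread's scripts. Pre-flight checks before Import-GPO:
# workgroup machine, missing ActiveDirectory/GroupPolicy modules (e.g. Server 2008 without
# the GPO cmdlets), or not the PDC Emulator. Returns an object so the caller can log the
# reason; the wrapper at the bottom exits 1 on failure so Automate can flag the step Failed.
function Test-GpoDeployPrereqs {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result = [pscustomobject]@{ Ok = $false; Reason = ''; PdcEmulator = ''; LocalFqdn = '' }

    if (-not $cs.PartOfDomain) {
        $result.Reason = 'This computer is in a workgroup, not a domain.'
        return $result
    }
    foreach ($module in 'ActiveDirectory', 'GroupPolicy') {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            $result.Reason = "PowerShell module '$module' is not available (RSAT missing or Server 2008)."
            return $result
        }
    }
    Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

    try   { $result.PdcEmulator = (Get-ADDomain -ErrorAction Stop).PDCEmulator }
    catch { $result.Reason = "Get-ADDomain failed: $($_.Exception.Message)"; return $result }

    # Build the local FQDN from WMI rather than $env:USERDNSDOMAIN, which is empty when
    # the script runs as NT AUTHORITY\SYSTEM (the Automate agent's context).
    $result.LocalFqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
    if ($result.PdcEmulator -ne $result.LocalFqdn) {   # -ne is case-insensitive in PowerShell
        $result.Reason = "Not the PDC Emulator. Run this on: $($result.PdcEmulator)"
        return $result
    }
    $result.Ok = $true
    return $result
}

# Wrapper: log the outcome and stop with a non-zero exit code on failure so the Automate
# script step is reported as Failed rather than silently running Import-GPO on the wrong host.
$check = Test-GpoDeployPrereqs
if (-not $check.Ok) {
    Write-Warning "GPO deploy pre-flight failed: $($check.Reason)"
    exit 1
}
Write-Verbose "Pre-flight OK on PDC Emulator $($check.PdcEmulator); proceeding to Import-GPO." -Verbose
```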

I have replaced the "Agent Deploy - Create GPO on DC" script due to the vulnerability lock-down of Deployment.aspx.

If you've already used the GPO Creator:

  • Import/Update both scripts.
  • Run "Agent Deploy - Remove GPO on DC" on the existing client's Domain Controllers to remove the existing "CW Automate Agent Deployment" GPO.
  • Run "Agent Deploy - Create GPO on DC.." on the Domain Controller with the PDC FSMO Role. This will create a new GPO.
    • You can enter the Token's expiry time (in Months, default = 12 Months).
    • You can automatically link the GPO by entering "True" in the script parameter when you run it.
    • If you do not enter "True", it will create the GPO but not link it to the domain or OU. You must do this manually.
  • Review the ticket that's generated and the GPO on the server to ensure everything is working as expected.

Agent Deploy - Remove GPO on DC.xml Agent Deploy - Create GPO on DC with FSMO Roles.xml
