Windows Server 2008 and Windows Vista : Migrating GPOs (part 1) - Migrating GPOs Across Domains

12/14/2012 3:30:37 AM

Reasons for Migrating GPOs

A company may want to move a GPO and its settings from one environment to another for numerous reasons. Examples of GPO migrations might include the following:

  • Production domain A to Production domain B

  • Test domain A to Production domain A

  • Production domain A in Forest A to Production domain B in Forest B

Any combination of these examples is also a valid reason for a GPO to be migrated from one domain to another.

Requirements for Migrating GPOs between Domains

A GPO cannot be migrated between domains unless the correct configurations are in place and the correct permissions are established; otherwise, rogue GPOs could appear in your domain without your knowledge or approval. Meeting these requirements usually involves a trust relationship between the domains, but a trust is not necessary: GPOs can be migrated from one domain to the other without one.

If a trust is not in place to perform the migration, you must consider one of the following alternatives:

  • Perform an import of the GPO from the source domain. This requires that the GPO be backed up from the source domain and then made available to the target domain for importing.

  • Use the Stored User Names and Passwords utility. This allows for simultaneous access to both domains, thus allowing a copy operation to be made from the source domain to the target domain.


Settings in a GPO That Require Translation

Many areas of a GPO refer to unique settings or objects in a domain. These settings or objects typically have a path or identifier that makes them unique to that domain. When a GPO setting is migrated from one domain to another, even in the same forest, these settings must be translated. The translation takes the identifier from the source domain and converts it to the corresponding identifier in the new target domain.

The settings and objects that must be translated include security principals and paths. These are located in specific settings in a GPO and require translation if the setting is configured in both the source and target domain.

The following settings contain security principals and must be updated during migration, if required:

  • User Rights Assignment

  • Restricted Groups

  • System Services

  • File System

  • Registry

  • Folder Redirection

  • Security filtering on the GPO itself

  • Access control list on software installation objects

The following settings can contain Universal Naming Convention (UNC) paths, which must be updated to new values as part of the migration process:

  • Folder Redirection

  • Software Installation

  • Scripts
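
An inventory of what would need translating, as an added example that is not code from the original article: the hypothetical function `Get-GpoDomainReference` scans the XML text of a GPO report for source-domain principals and UNC paths. The domain `TESTDOM`, the server `testfs01` and the simplified sample report are constructed; a real report would come from `Get-GPOReport -ReportType Xml` in the GroupPolicy PowerShell module.

```powershell
# Added example; the function name and the sample report are constructed.
function Get-GpoDomainReference {
    param(
        [Parameter(Mandatory=$true)][string]$ReportXml,     # text from Get-GPOReport -ReportType Xml
        [Parameter(Mandatory=$true)][string]$SourceNetBios  # NetBIOS name of the source domain
    )
    # DOMAIN\name principals; the lookbehind skips \\DOMAIN\share UNC paths.
    $principalRx = '(?i)(?<![\\\w.-])' + [regex]::Escape($SourceNetBios) + '\\[^<>"\r\n]+'
    # UNC paths of the form \\server\share\...
    $uncRx = '\\\\[A-Za-z0-9._$-]+\\[^<>"\r\n]+'

    $found = @()
    foreach ($m in [regex]::Matches($ReportXml, $principalRx)) {
        $found += [pscustomobject]@{ Kind = 'Principal'; Value = $m.Value.Trim() }
    }
    foreach ($m in [regex]::Matches($ReportXml, $uncRx)) {
        $found += [pscustomobject]@{ Kind = 'UNCPath'; Value = $m.Value.Trim() }
    }
    # One row per distinct reference, grouped by kind.
    $found | Sort-Object -Property Kind, Value -Unique
}

# Constructed, simplified sample standing in for a real GPO report.
$sample = @'
<GPO>
  <Name>Workstation Baseline</Name>
  <UserRightsAssignment>
    <Name>SeRemoteInteractiveLogonRight</Name>
    <Member><Name>TESTDOM\Helpdesk Admins</Name></Member>
  </UserRightsAssignment>
  <Script><Command>\\testfs01\scripts$\logon.cmd</Command></Script>
  <FolderRedirection><Path>\\testfs01\redirect\%USERNAME%</Path></FolderRedirection>
</GPO>
'@

Get-GpoDomainReference -ReportXml $sample -SourceNetBios 'TESTDOM' | Format-Table -AutoSize
```

Running the same function against the migrated GPO's report in the target domain shows any source-domain references that were copied across untranslated.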

Migrating GPOs Across Domains

The GPMC offers two options for migrating a GPO from one domain to another. You can either use the Copy and Paste combination, or you can use the Backup and Import combination. Both options offer the ability to control certain aspects of the GPO and the settings during the operation.

Migrating a GPO Using Copy and Paste

To use the copy and paste method to migrate a GPO, first ensure that you have permissions in both domains. Then you must include both domains in the GPMC at the same time. This lets you see both domains, copy the GPO from one domain, and paste it into the other.

The benefit of using the copy and paste method is that you can control the permissions of the GPO during the pasting process, as you can see in Figure 1.

Figure 1. When pasting a GPO into a domain, you can control which permissions are used—the default permissions or permissions from the copied GPO.

The process of copying a GPO from one domain to another is similar to a standard copy and paste of a file. To copy and paste a GPO from one domain to another, follow these steps:

1. Ensure that both the source domain and the target domain are added to the GPMC.

2. Expand the Group Policy Objects node in the source domain.

3. Right-click the GPO that you want to migrate, and then click Copy.

4. Right-click the Group Policy Objects node in the target domain, and then click Paste. The Cross-Domain Copying Wizard appears.

5. On the Cross-Domain Copying Wizard page, click Next.

6. Select an option to control permissions from the source GPO to the target GPO:

  • Choosing to use the default permissions for new GPOs will configure the GPO with the default permissions of any new GPO in the domain.

  • Choosing to preserve or migrate the permissions from the original GPOs will allow you to select a migration table.

7. On the Migrating References page, choose whether to preserve or migrate the permissions:

  • Choosing to copy them identically from the source will leave all security principals and UNC paths in the new GPO the same as the source GPO.

  • Choosing to use the migration table to map them to new values in the new GPOs will allow you to choose a migration table to use as part of the migration.

  • The option to use the migration table exclusively is available if you choose to use a migration table. This option verifies all security principals and UNC paths found in the GPO and in the migration table. If the GPO has a security principal or UNC path that is not mapped in the migration table, the migration will fail.

8. On the Completing the Cross-Domain Copying Wizard page, click Finish.

After the migration is complete, you will have a new GPO in the target domain. The permissions will be as you migrated them in the wizard, and you will have a fully functioning GPO. The GPO is not linked to any Active Directory node initially. After you link the new GPO to the domain, organizational unit, or site, the settings will start to apply to the objects under the scope of management of the GPO.
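
The same cross-domain copy from PowerShell, followed by a review of the result before anyone links it. This is an added example, not part of the original article; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT), permissions in both domains, and an existing migration table file. The domain names, GPO name and file path are constructed.

```powershell
Import-Module GroupPolicy

# Constructed names: replace with your own domains, GPO and migration table.
$src   = 'test.example.com'
$dst   = 'prod.example.com'
$gpo   = 'Workstation Baseline'
$table = 'C:\GPOMigration\test-to-prod.migtable'

$copy = @{
    SourceName     = $gpo
    SourceDomain   = $src
    TargetName     = $gpo
    TargetDomain   = $dst
    MigrationTable = $table   # map security principals and UNC paths to target values
    CopyAcl        = $true    # preserve the source GPO's permissions; omit this
                              # entry to get the default permissions for new GPOs
}
$new = Copy-GPO @copy

# Review who can edit or apply the new GPO.
# (The cmdlet is named Get-GPPermissions on Windows Server 2008 R2.)
Get-GPPermission -Guid $new.Id -DomainName $dst -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# The copy is created unlinked; confirm that the report lists no links yet.
[xml]$report = Get-GPOReport -Guid $new.Id -Domain $dst -ReportType Xml
if ($report.GPO.LinksTo) {
    Write-Warning "GPO '$gpo' is already linked in $dst"
} else {
    Write-Output "GPO '$gpo' is not linked; review its settings before linking it"
}
```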

Migrating a GPO Using Backup and Import

The backup and import method for migrating GPOs is another option for getting your GPOs from one domain to another, quite different from the copy and paste method. Of course, you still must have the appropriate permissions in both domains to perform the backup from the source domain and the import in the target domain.

With this method, the specified target GPO must already exist. This is because the Import function takes the settings from the backed-up GPO and copies them into the existing GPO.

To perform the migration using the backup and import method, follow these steps:

1. In the GPMC, expand the Group Policy Objects node in the source domain.

2. Right-click the GPO that you want to migrate, and then click Backup.

3. Expand the Group Policy Objects node in the target domain after the backup completes.

4. Right-click the GPO that you will import the settings into, and then click Import Settings. The Import Settings Wizard appears.

5. On the Welcome to the Import Settings Wizard page, click Next.

6. Click Backup to perform a backup of the settings in this GPO. When the backup is complete, click Next.

7. On the Backup Location page, select the folder from the Backup Folder list to which you backed up the source GPO in step 2. You may click Browse to find this folder. Click Next.

8. On the Source GPO page, select the GPO that you will use as the source GPO from which you want to import settings, and then click Next.

9. On the Scanning Backup page, note whether any security principals or UNC paths need to be considered in the translation, as shown in Figure 2, and then click Next.

Figure 2. During the import process, the system indicates whether any security principals or UNC paths need to be considered for translation during the import.

10. Select the option for handling the security principals or UNC paths on the Migrating References page:

  • Choosing to copy them identically from the source will leave all security principals and UNC paths in the new GPO the same as the source GPO. Selecting this option takes you immediately to the Summary page of the Import Wizard.

  • Choosing to use the migration table to map them to new values in the new GPOs will allow you to choose a migration table to use as part of the migration. Selecting this option forces you to take further steps in selecting the migration table.

  • The option to use the migration table exclusively is available if you choose to use a migration table. This option verifies all security principals and UNC paths found in the GPO and in the migration table. If the GPO has a security principal or UNC path that is not mapped in the migration table, the migration will fail.

If you choose to use a migration table, you must also select the migration table on the Migrating References page. Select your migration table from the list or by clicking Browse.

11. On the Migrating References page, click Next.

12. On the Import progress page, click OK.

13. On the Copy progress page, click OK.

As with the copy and paste method, the migrated GPO is not linked to an Active Directory node. After the GPO is linked to the domain, organizational unit, or site, it will start to affect all objects in the scope of management.
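
The backup and import sequence from PowerShell, including the rollback backup of the target GPO from step 6. This is an added example, not part of the original article; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT), that the target GPO already exists, and an existing migration table file. The domain names, GPO name and paths are constructed.

```powershell
Import-Module GroupPolicy

# Constructed names and paths: replace with your own.
$src      = 'test.example.com'
$dst      = 'prod.example.com'
$gpo      = 'Workstation Baseline'
$export   = 'C:\GPOMigration\Export'
$rollback = 'C:\GPOMigration\Rollback'
$table    = 'C:\GPOMigration\test-to-prod.migtable'

# Backup-GPO needs the destination folders to exist.
New-Item -ItemType Directory -Path $export, $rollback -Force | Out-Null

# Steps 1-2: back up the GPO in the source domain.
$srcBackup = Backup-GPO -Name $gpo -Domain $src -Path $export -Comment 'Export for migration'

# Step 6: back up the existing target GPO first, because the import
# replaces its settings with those from the source backup.
$dstBackup = Backup-GPO -Name $gpo -Domain $dst -Path $rollback -Comment 'Before import'

# Steps 7-12: import the backed-up settings into the existing target GPO,
# translating security principals and UNC paths through the migration table.
$import = @{
    BackupId       = $srcBackup.Id
    Path           = $export
    TargetName     = $gpo
    Domain         = $dst
    MigrationTable = $table
}
Import-GPO @import

# To undo the import, restore the target GPO from the rollback backup:
# Restore-GPO -BackupId $dstBackup.Id -Path $rollback -Domain $dst
```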
