Moving policies between domains with Windows Vista

This excerpt from "Microsoft Windows Vista Management and Administration" breaks down the process of taking GPOs created in one domain and moving them to another.

Microsoft Windows Vista Management and Administration This chapter excerpt from Microsoft Windows Vista Management and Administration, by Andrew Abbate, James Walker, Scott Chimner and Rand Morimoto, is printed with permission from Pearson Education, Copyright 2007.

Click here for the chapter download or purchase the entire book here.


Moving Policies Between Domains

In many situations it is useful to be able to take GPOs created in one domain and move them into another. Common scenarios for this would be in the case of a merger/acquisition or even something as simple as taking a GPO that was developed in an isolated task lab and moving it into production. You would initially expect that you'd have to print out the GPO settings and re-create the GPO from scratch with the same settings.

Although this is a perfectly acceptable method of doing things, it becomes difficult and time consuming if a GPO contains a significant number of settings. In the case of needing to export or import a large GPO, the simpler solution is to use the import function that allows you to "rewrite" a backed-up GPO to reference objects in your domain. This rewrite is based on a migration table that is configurable by the administrator. Importing a GPO in this manner can be accomplished with the Group Policy Management console with the following steps:

  1. Launch the GPMC (Start, Run, gpmc.msc).
  2. Expand the Forest container.
  3. Expand the Domains container and the domain containing the GPO.
  4. Browse to the Group Policy Objects container.
  5. Right-click the Group Policy Objects container and select Open Migration Table Editor.
  6. In the table, input source objects, declare the object type, and enter the destination object (see Figure 23.5).

    For example, you might define groups from one domain and add the equivalent group from another domain as the destination. This would be helpful in GPOs where a group is being modified or granted specific rights on a system.

    Figure 23.5

  7. When the migration table is updated, click File, Save.
  8. Enter a filename and click Save.
  9. Close the editor.

Now that a translation table has been defined, a GPO can be imported. In the source domain, back up the GPO you want to migrate with the following steps:

  1. Launch the GPMC (Start, Run, gpmc.msc).
  2. Expand the Forest container.
  3. Expand the Domains container.
  4. Expand the Domain Object that holds the GPO you are interested in.
  5. Expand Group Policy Objects.
  6. Right-click the GPO in question and choose Back Up.
  7. Browse to the location where you want to store the backed up GPO and enter a description. Click Back Up.
  8. When the backup is completed, click OK.

Copy the backed up GPO to portable media and copy it to the system in the new domain that is running the GPMC.

To import the GPO, perform the following steps from the Group Policy Management console:

  1. Launch the GPMC (Start, Run, gpmc.msc).
  2. Expand the Forest container.
  3. Expand the Domain container.
  4. Expand the Domain Object that holds the GPO you are interested in.
  5. Expand Group Policy Objects.
  6. Right-click Group Policy Objects and select New.
  7. Enter a name for the GPO that will receive the imported settings. Click OK.
  8. Right-click the empty GPO that was created in step 6 and choose Import Settings.
  9. The Import Wizard will launch. Click Next.
  10. Because the GPO is empty, skip the backup step and click Next.
  11. Browse to the location where the backup file from the other domain's GPO is stored. Click OK, then Next.
  12. Select the GPO backup and click Next.
  13. The Import Wizard will detect security principals and/or UNC (Universal Naming Convention) paths that are foreign. It will walk you through the translations. Click Next.
  14. At the Migrating References Wizard, choose to use a migration table. Browse to the previously created migration table and click Next.
  15. Review the summary and click Finish.
  16. When the import succeeds, click OK.

By mastering the process of mapping security principals and UNC names and such between domains, you can quickly and easily move GPOs back and forth between multiple domains for testing and deployment purposes.


GROUP POLICY BASICS FOR WINDOWS VISTA

 Home: Introduction
 Tip 1: A basic primer on Microsoft Group Policy
 Tip 2: How to configure GPOs
 Tip 3: What's new with Vista Group Policy?
 Tip 4: How to manage GPOs
 Tip 5: Troubleshooting GPOs for Vista
 Tip 6: Group Policy best practices
ADVANCED GROUP POLICY FOR WINDOWS VISTA
 Home: Introduction
 Tip 1: Which GPOs are available
 Tip 2: Further understanding GPOs in Vista
 Tip 3: Examples of useful GPOs in Vista
 Tip 4: Moving policies between domains
 Tip 5: Recommended practices with Vista Group Policy

This was first published in January 2008

Dig deeper on Windows Server Monitoring and Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close