Step 6 – Configure any security filtering and delegation settings on the GPO
Once the import completes we need to evaluate if we want to filter the scope of the GPO using security group
filtering or modify the list of who has rights to edit the GPO. For this scenario, we’ll leave the GPO with the
default set of permissions.
Step 7 – Link the GPO to the relevant containers in Active Directory
The GPO has been created and populated with the folder redirection settings we originally configured in our
test domain, but it isn’t linked anywhere yet. We need to link it to the Marketing organizational unit in our
Active Directory tree. To do this, we’ll right-click on the Marketing organizational unit and select Link an
Existing GPO. After finding the Marketing Folder Redirection GPO in the list and clicking OK, the GPO will be
linked.
We have now successfully migrated our GPO from test to production. Of course, this GPO only had a few policy
settings—but this procedure will work equally well with GPOs containing hundreds of settings, saving hours
worth of time and energy manually re-creating and configuring GPOs.
Summary
In this example we used the import operation because our test and production domains were isolated and did
not have network connectivity. If we had connectivity between the two domains, we could have added both
domains to GPMC and, after creating and editing our migration table, simply performed a drag and drop
operation to copy the GPO.
Finally, it is worth noting that in many cases you will not have to use migration tables—if your GPO contains
only registry policy settings, for example, there are no SIDs or UNC paths you will need to map and therefore a
migration table does not need to be specified.
In addition, when creating copies of GPOs in the same domain, you generally can just make a copy in a single
step—the only choice you have to make is whether to copy the DACL on the GPO.
Larger-Scale Migrations
While copying or importing individual GPOs can work quite well for small-scale deployments or incremental
updates, moving larger numbers of GPOs from test to production can be considerably more work.
Thanks to the scripting functionality in GPMC, you can write custom scripts to automate larger-scale
migrations. GPMC includes several sample scripts that you can use to get started, all of which can be found at
%programfiles%\gpmc\scripts on any computer where you have installed GPMC. Below are three sample
scripts that are particularly useful for migrating GPOs across domains:
ImportAllGPOs.wsf. This script will take all of the GPOs in a backup location and automatically re-create
them in the target domain. You can specify a migration table when importing a single GPO, and the script
takes care of re-creating the GPOs for you.
CreateEnvironmentFromXML.wsf. This script will take an XML file representing a complete policy
environment and re-create that environment from scratch. This includes creating the organizational unit
tree, creating GPOs, importing settings into the GPOs from backups, linking GPOs to the correct
organizational units, setting security filtering and delegation on the GPOs, configuring group membership,
and so on. An /undo switch can be passed to the script to do the inverse, and delete the data specified in
the XML file instead of creating it. This script can be a very useful and powerful tool for setting up and
tearing down test environments.
CreateXMLFromEnvironment.wsf. This script creates an XML file that is compatible with the
CreateEnvironmentFromXML.wsf script. You can run this in your production domain to create an XML file
and set of backups that represents that domain, then pass it to the CreateEnvironmentFromXML.wsf script
in your test domain to completely re-create your production domain’s policy infrastructure.
These scripts can be modified to suit your individual needs. See the GPMC SDK for details on scripting the
GPMC object model. The GPMC SDK is located at %programfiles%\gpmc\scripts\gpmc.chm on any computer
where you have installed GPMC.
Related Links
For more information, see the following resources:
Administering Group Policy with the GPMC white paper
Microsoft GPMC Web site
TechNet Group Policy Center
Marketing Developers Desktop \\ProductionServer\RedirectedFolders\%UserName%\Desktop
Migrating GPOs Across Domains with GPMC
help://MS.TechNet.2005MAR.1033/winnetsv/tnoffline/prodtechnol/winnetsv/deploy/u