Copy Group Policies to a new domain (Windows 2003)
When we want to test policies in another environment, we need to be sure the policies and structure in the test domain are the same as in the production environment. So we need to mirror production to get the most representative test environment.
Of course there are always things in a production environment that do not occur in test, but we can make sure the following is exactly the same in test:
- Group Policies
- OU Structure
- Users
- Groups
- Permissions
Unfortunately, there are not many ways to copy group policies to another domain. But there is a way to mirror your production domain (or any other Active Directory domain).
The way we create a copy is by using two scripts that come with the GPMC (Group Policy Management Console).
We can use the first script to extract all the info (see above) from the domain and put it in an XML file. The script is called CreateXMLFromEnvironment.wsf. This script must be run on the source domain, the domain you want to copy. The following syntax can be used:
CreateXMLFromEnvironment.wsf OutputFile [/Domain:value] [/DC:value] [/TemplatePath:value] [/StartingOU:value] [/ExcludePermissions] [/IncludeAllGroups] [/IncludeUsers]
The only mandatory parameter for this script is the location of the XML output file. The options can be used as follows:
- Domain : Specify domain to capture
- DC : Specify Domain Controller to use
- TemplatePath : Specify the file system location where you want to store the GPO backups
- StartingOU : Specify the DN (Distinguished Name) of the OU where you want to start the capture
- ExcludePermissions : No permissions on either GPOs or container objects are captured
- IncludeAllGroups : Includes all groups in the Users container within the domain, as well as any other groups found in the domain. If not specified, no groups will be included
- IncludeUsers : Includes all users as well as groups
After you have run this script, the output will be placed in the file location given as a parameter. This will include an env.xml, a manifest.xml and the GUIDs of all GPOs exported. Copy these files and directories to a location on the new domain controller; now you can use the import script.
Make sure the Active Directory where you place the policies has the same ADM files as the source Active Directory.
Note: Make sure the import file and the GPOs are in the same directory (and on the same drive) as on the source server. The location of the GPOs is hardcoded in the XML file, and settings will not be imported if the GPOs are not found!
The script is called CreateEnvironmentFromXML.wsf. The only mandatory parameter for this script is the location of the XML input file. This script must be run on the target domain. The following syntax can be used:
CreateEnvironmentFromXML.wsf /XML:value [/Undo] [/Domain:value] [/DC:value] [/ExcludeSettings] [/ExcludePermissions] [/CreateUsersEnabled] [/PasswordForUsers:value] [/MigrationTable:value] [/ImportDefaultGPOs] [/Q]
The options can be used as follows:
- XML : Specify input file
- Undo : Removes objects found in the XML file, rather than adding them to the new domain
- Domain : Specify domain to capture
- DC : Specify Domain Controller to use
- ExcludeSettings : Exclude GPO Settings
- ExcludePermissions : Exclude GPO permissions
- CreateUsersEnabled : All users created are enabled by default, instead of disabled
- PasswordForUsers : Specify a default password for the users created
- MigrationTable : Choose a migration table to apply to all GPOs
- ImportDefaultGPOs : Import settings captured in the Default Domain Policy and Default Domain Controllers Policy GPOs
- Q : Runs script without feedback
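The whole procedure as one batch file, added here as an example and not part of the original post or of GPMC: it runs the export on the source side and, on the target side, checks that the copied files sit at the same path before importing. The domain names, DC names and C:\GPOMirror are constructed placeholders, and the script directory is assumed to be the default GPMC install location.

```batch
@echo off
rem Added example. prod.example.com, test.example.com, proddc01, testdc01
rem and C:\GPOMirror are constructed placeholders, not values from the post.
rem Usage: mirror.cmd export   (on the source domain)
rem        mirror.cmd import   (on the target domain)
setlocal
set "SCRIPTS=%ProgramFiles%\GPMC\Scripts"
set "WORKDIR=C:\GPOMirror"
set "XMLFILE=%WORKDIR%\env.xml"

if /i "%~1"=="export" goto :export
if /i "%~1"=="import" goto :import
echo Usage: %~nx0 export ^| import
exit /b 2

:export
if not exist "%WORKDIR%" mkdir "%WORKDIR%"
rem /IncludeUsers captures users as well as groups (see the option list).
cscript //nologo "%SCRIPTS%\CreateXMLFromEnvironment.wsf" "%XMLFILE%" ^
  /Domain:prod.example.com /DC:proddc01 /TemplatePath:"%WORKDIR%" ^
  /IncludeUsers
exit /b %errorlevel%

:import
rem The XML hardcodes the GPO backup location, so the copied files must be
rem at the same drive and path as on the source. Stop early if they are not.
if not exist "%XMLFILE%" (
  echo Missing %XMLFILE% - copy the export to the same path first.
  exit /b 1
)
if not exist "%WORKDIR%\manifest.xml" (
  echo Missing manifest.xml in %WORKDIR% - GPO backups were not copied.
  exit /b 1
)
rem /CreateUsersEnabled is left out on purpose: without it the imported
rem copies of production accounts are created disabled, and only the ones
rem the test needs get enabled afterwards.
cscript //nologo "%SCRIPTS%\CreateEnvironmentFromXML.wsf" /XML:"%XMLFILE%" ^
  /Domain:test.example.com /DC:testdc01
exit /b %errorlevel%
```

If /PasswordForUsers is added to the import, the value is visible on the command line and is shared by every imported account, so treat it as a throwaway password for the test domain only.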
[...] Anyone who needs further information on copying a production domain can find it here: http://technet2.microsoft.com/WindowsServer/en/library/e5288e42-62b8-4f9e-a665-95b6e02389a31033.mspx?mfr=true http://www.fots.nl/index.php/how-to/copy-group-policies-to-a-new-domain-windows-2003/ [...]