GPMC Migrating GPOS between domains


One administrator action  , a lot of configuration and results… Always is a help but . Sometime we need to implement other new gpos on a different domain .

Here is some info about the methods and solutions

There are four operations that GPMC provides to allow for archival and recovery of GPOs, and for migrating GPOs from one environment to another:

  • Copy. A copy operation allows you to transfer settings from an existing GPO in Active Directory directly into a new GPO. The new GPO created during the copy operation is given a new GUID and is unlinked. You can use a copy operation to transfer settings to a new GPO in the same domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy between production environments, and for migrating Group Policy that has been tested in a test domain or forest to a production environment, as long as there is trust between the source and destination domains.
  • Backup. Backing up a GPO copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO.
  • Import. The Import operation transfers settings into an existing GPO in Active Directory using a backed-up GPO in the file system location as its source. Import operations can be used to transfer settings from one GPO to another GPO within the same domain, to a GPO in another domain in the same forest, or to a GPO in a domain in a different forest. The import operation always places the backed-up settings into an existing GPO. It erases any pre-existing settings in the destination GPO. Import does not require trust between the source domain and destination domain. Therefore it is useful for transferring settings across forests and domains that don’t have trust. Importing settings into a GPO does not affect its DACL, links on sites domains or organizational units to that GPO, or a link to a WMI filter.
  • Restore. Restoring a GPO re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state.



We need to check on the moment of the migration , whats our scenario

( My case is a env test without connection with the real domain )

  • Copy-GPO requires both source and destination domains to be online.
  • Backup-GPO/Import-GPO does not have the -CopyACL switch from Copy-GPO.
  • Import-GPO has a parameter to use a migration table, but it forces the option from the GUI which requires all accounts to be in the migration table
  • Neither Copy-GPO nor Import-GPO support WMI filter migration.

About migration tables :

The process

  1. Export GPOs from source domain
  2. Copy export files to destination domain
  3. Create and tweak migration table
  4. Manually recreate WMI filters in destination
  5. Remove GPOs of same name in destination
  6. Import GPOs to destination domain
  7. Manually reassign WMI filters
  8. Copy permissions (and sync SYSVOL permissions)
  9. Link GPOs to OUs
  10. Set link properties (enabled, enforced, etc.)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.