Recipe 9.3 Copying a GPO

9.3.1 Problem

You want to copy the properties and settings of a GPO to another GPO.

9.3.2 Solution Using a graphical user interface
  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the source GPO, and expand the Group Policy Objects container.

  3. Right-click on the source GPO and select Copy.

  4. Right-click on the Group Policy Objects container and select Paste.

  5. Select whether you want to use the default permissions or preserve the existing permissions, and click OK.

  6. A status window will pop up that will indicate whether the copy was successful. Click OK to close.

  7. Rename the new GPO by right-clicking it in the left pane and selecting Rename. Using a command-line interface
> copygpo.wsf <SourceGPOName> <TargetGPOName> Using VBScript
' This code copies a source GPO to a new GPO ' ------ SCRIPT CONFIGURATION ------ strSourceGPO  = "<SourceGPOName>"  ' e.g. SalesGPO strNewGPO     = "<NewGPOName>"     ' e.g. Marketing GPO strDomain     = "<DomainDNSName>"  ' e.g. ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( )    ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the source GPO set objGPMSearchCriteria = objGPM.CreateSearchCriteria objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _                          objGPMConstants.SearchOpEquals, cstr(strSourceGPO) set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria) if objGPOList.Count = 0 then    WScript.Echo "Did not find GPO: " & strGPO    WScript.Echo "Exiting."    WScript.Quit elseif objGPOList.Count > 1 then    WScript.Echo "Found more than one matching GPO. Count: " & _                 objGPOList.Count    WScript.Echo "Exiting."    WScript.Quit else    WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName End if ' Copy from source GPO to target GPO set objGPMResult = objGPOList.Item(1).CopyTo(0, objGPMDomain, strNewGPO) ' This will throw an exception if there were any errors ' during the actual operation. on error resume next objGPMResult.OverallStatus( ) if objGPMResult.Status.Count > 0 then    WScript.Echo "Status message(s): " & objGPMResult.Status.Count    for i = 1 to objGPMResult.Status.Count       WScript.Echo objGPMResult.Status.Item(i).Message    next    WScript.Echo vbCrLf end if ' Display the results if Err.Number <> 0 then    WScript.Echo "Error copying GPO."    WScript.Echo "Error: " & Err.Description else     WScript.Echo "Copy successful to " & strNewGPO & "." end if

9.3.3 Discussion

Prior to the GPMC tool, one of the big problems with managing GPOs in large environments is migrating them from one forest to another. It is common to have a test forest where GPOs are initially created, configured, and tested before moving them into production. The problem is that once you have the GPO the way you want it in the test forest, there is no easy way to move it to the production forest.

With the GPMC you can simply copy GPOs between domains and even forests. Copying GPOs between forests requires a trust to be in place between the two target domains (or a forest trust between the two forests). If this is not possible, you can import GPOs, which is similar to a copy except that a trust is not needed. A GPO import uses a back up of the source GPO in order to create the new GPO. See Recipe 9.7 for more information on importing a GPO.

Some properties of GPOs, such as security group filters or UNC paths, may vary slightly from domain to domain. In that case, you can use a GPMC migration table to help facilitate the transfer of those types of references to the target domain. For more information on migration tables, see the GPMC help file. Using VBScript

To copy a GPO, I have to first find the source GPO. To do this, I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero was returned or more than one are returned, I have to abort the script.

Now that I have a GPMGPO object, I'm ready to copy the GPO using the GPMGPO.CopyTo method. The first parameter to CopyTo is a flag that indicates how permissions in the source GPO should be handled when copying them to the new GPO. I specified 0 to use the default setting (see the GPMC help file for the other values). The second parameter is a GPMDomain object of the domain the GPO should be copied to. The last parameter is the display name of the new GPO.

9.3.4 See Also

Recipe 9.7 for importing a GPO and MSDN: GPMGPO.CopyTo

Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: