Solved

Export/Copy Local Group Policy to Domain Group Policy

Posted on 2008-10-21
Last Modified: 2012-06-21
Hello all - I've searched everywhere for this and can't seem to find a good clear answer:

I've got a new Terminal Server that I spent quite a while locking down settings via the LOCAL Group Policy (gpedit.msc). These settings are all under the USER portion (none under the 'Computer' portion) of the policy. I'd like to convert these settings over to a Domain Group Policy (in the Active Directory) - and have them applied that way instead.

What's the easiest and most efficient way of doing this? I should say that I know how to apply them ONCE they are over into an Active Directory (Domain) Group Policy - however getting them there is the problem. I've copied out the local 'windows\system32\group policy' folder which has the 'registry.pol' file in there - however not sure how (if possible) to import this into a Domain Group Policy?

Also, is there a good way to export into a file or report (csv, html, etc) the settings from the LOCAL Group Policy program (gpedit.msc)? I haven't found a way - because the 'export' function under there is some built-in MMC export which doesn't export actual policy settings - only the mmc specific info (Computer Configuration - User Configuration - and these names alone are literally all it exports).

Thanks.
Question by:kmruss
 
LVL 4

Expert Comment

by:oks1977
ID: 22773468
Hi,

I have tried this on my VM.

1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy, end result is an INF file.
2) On the AD, open MMC and add "Security Configuration and Analysis"
3) You will need to open a database (you can create any name) and compare with the local computer INF file that you have extracted.
4) Click Analysis. And you will see that there are various ticks and crosses. Tick means that the INF file and policy on that server is the same. Cross means no.

For those that you intend to make changes, let them remain as crosses. For those which you desired, let them remain as ticks. After you have confirmed it, right click on "Security Configuration and analysis" and click "Configure computer now" and the settings will be changed.

Some information: you might want to extract the default policy that was inside before you made any changes.

Hope the information helps.
0
 
LVL 1

Author Comment

by:kmruss
ID: 22773546
Quote '1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy, end result is an INF file.'

Actually, that is the main reason I posted this question:  gpedit.msc for the LOCAL security policy (remember, NOT a Domain Group Policy in AD or otherwise) does not seem to give you an actual option to EXPORT.

I've tried accessing the 'LOCAL' policy (remember gpedit.msc) via the 'Group Policy Management Console' as well - with no apples.

0
 
LVL 1

Author Comment

by:kmruss
ID: 22773623
Also - wanted to mention - I believe you are talking about the local SECURITY policy.  I just want to export the LOCAL GROUP policy (settings found in gpedit.msc) that determine what settings Windows locks down for users.
0
 
LVL 4

Expert Comment

by:oks1977
ID: 22773746
Hi,

You can use secpol.msc on the local computers, it will let you see what security settings have been applied and you can export the policy with that.
0
 
LVL 4

Expert Comment

by:oks1977
ID: 22773750
Pressed Enter too fast and it was posted.

Yes, you can use secpol.msc and it is exporting the LOCAL GROUP Policy.

Hope the information helps.
0
 
LVL 1

Author Comment

by:kmruss
ID: 22774257
Tried 'secpol.msc'.  As mentioned, this loads the SECURITY-based policy settings (password length, expiration, user rights, etc. etc.).

It does NOT load the regular 'Computer' and 'User' Configuration Policies that are set with 'gpedit.msc' - which is the 'LOCAL *GROUP* POLICY'  (notice no 'SECURITY' in there).

Load up 'gpedit.msc' and expand some of the upper and lower sections in Computer and User and you'll see what I mean.
0
 
LVL 4

Accepted Solution

by:
oks1977 earned 500 total points
ID: 22774607
ok. Thanks for the heads up.

http://www.frickelsoft.net/blog/?p=31

Based on the link above, I have 2 VMs, both of them Windows 2003 enterprise.

1) made changes to the netmeeting folder enabled some settings
2) copy the Machine and user folder from that server local group policy.
%systemroot%\system32\grouppolicy\
3) And paste it inside the AD to replace the policy. The default AD policy is as below:
\\AD\sysvol\AD.com\policy\{very long numbers}\

You can rename the original machine and user policy which is inside for backup.
And paste the local group policy that is inside.

Hope information helps.

0
 
LVL 1

Author Comment

by:kmruss
ID: 24169541
This was basically correct - thank you!  Sorry for the delay on this.

One thing to note - you are correct .. 'numbers are very long' on those DOMAIN group policies you are converting to - and you need to create a new 'blank' domain policy first before copying it over.  Once done, go into the \\AD\sysvol\AD.com\policy\{very long numbers}  and make a full backup of that folder just in case.  And also, tip: find out which group policy folder is which by creating a couple changes in the group policy and going into the folder under 'User' .. and the .reg files under there and see if that holds the changes you made (view with notepad).

Thanks - this finally worked though and saved a lot of headache of converting over all those 50+ settings.

Kevin
0
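Added example, not part of the original thread: the Machine and User folders copied above each hold a Registry.pol file in the documented PReg format, and this sketch parses one into CSV so the settings can be reviewed (or a GPO folder identified) before anything is replaced under SYSVOL. The function names are hypothetical and the sample bytes and their two policy values are constructed for illustration.

```python
import csv, io, struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
W = lambda s: s.encode("utf-16-le")  # delimiters and strings are UTF-16LE

def _wstr(buf, pos, opener):
    # Check the delimiter before the string, then read up to the NUL terminator.
    if buf[pos:pos + 2] != W(opener):
        raise ValueError(f"expected {opener!r} at offset {pos}")
    end = pos + 2
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string")
    return buf[pos + 2:end].decode("utf-16-le"), end + 2

def _decode(rtype, data):
    if rtype == 4 and len(data) == 4:
        return str(struct.unpack("<I", data)[0])
    return data.decode("utf-16-le").rstrip("\x00") if rtype in (1, 2) else data.hex()

def parse_pol(buf):
    # Return [(key, value name, type, data)] for every entry in Registry.pol bytes.
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, rows = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, pos, "[")
        name, pos = _wstr(buf, pos, ";")
        s1, rtype, s2, size, s3 = struct.unpack_from("<2sI2sI2s", buf, pos)  # ;type;size;
        data, pos = buf[pos + 14:pos + 14 + size], pos + 14 + size
        if (s1, s2, s3) != (W(";"),) * 3 or len(data) != size or buf[pos:pos + 2] != W("]"):
            raise ValueError(f"malformed entry {key!r} / {name!r}")
        pos += 2
        rows.append((key, name, REG_TYPES.get(rtype, f"type {rtype}"), _decode(rtype, data)))
    return rows

def to_csv(rows):
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([("key", "value", "type", "data"), *rows])
    return out.getvalue()

def _entry(key, name, rtype, data):  # builds one entry of the constructed sample
    head = struct.pack("<2sI2sI2s", W(";"), rtype, W(";"), len(data), W(";"))
    return W(f"[{key}\0;{name}\0") + head + data + W("]")

# Constructed sample standing in for a User\Registry.pol file (values are illustrative).
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join(_entry(k, n, 4, struct.pack("<I", v)) for k, n, v in [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", 1),
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD", 2)])
```

To use it on a real file, read the bytes in binary mode and call `to_csv(parse_pol(data))`; comparing the CSV from the local copy with the one from the domain policy folder shows exactly which settings the copy introduced.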
 
LVL 1

Author Closing Comment

by:kmruss
ID: 31508608
Thanks - points awarded!  Sorry for the delay.  You can read my response in the solution.
0
