Solved

Export/Copy Local Group Policy to Domain Group Policy

Posted on 2008-10-21
Last Modified: 2012-06-21
Hello all - I've searched everywhere for this and can't seem to find a good clear answer:

I've got a new Terminal Server that I spent quite a while locking down settings via the LOCAL Group Policy (gpedit.msc). These settings are all under the USER portion (none under the 'Computer' portion) of the policy. I'd like to convert these settings over to a Domain Group Policy (in the Active Directory) - and have them applied that way instead.

What's the easiest and most efficient way of doing this? I should say that I know how to apply them ONCE they are over into an Active Directory (Domain) Group Policy - however getting them there is the problem. I've copied out the local 'windows\system32\group policy' folder which has the 'registry.pol' file in there - however not sure how (if possible) to import this into a Domain Group Policy?

Also, is there a good way to export into a file or report (csv, html, etc) the settings from the LOCAL Group Policy program (gpedit.msc)? I haven't found a way - because the 'export' function under there is some built-in MMC export which doesn't export actual policy settings - only the mmc specific info (Computer Configuration - User Configuration - and these names alone are literally all it exports).

Thanks.
Question by:kmruss
9 Comments
 
LVL 4

Expert Comment

by:oks1977
ID: 22773468
Hi,

I have tried this on my VM.

1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy, end result is an INF file.
2) On the AD, open MMC and add "Security Configuration and Analysis"
3) You will need to open a database (can create any name) and compare with the local computer INF file that you have extracted.
4) Click Analysis. And you will see that there are various ticks and crosses. Tick means that the INF file and policy on that server are the same. Cross means no.

For those that you intend to make changes, let them remain as crosses. For those which you desired, let them remain as ticks. After you have confirmed it, right click on "Security Configuration and Analysis" and click "Configure computer now" and the settings will be changed.

Some information is you might want to extract the default policy that was inside before you made any changes.

Hope the information helps.
0
 
LVL 1

Author Comment

by:kmruss
ID: 22773546
Quote '1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy, end result is an INF file.'

Actually, that is the main reason I posted this question:  gpedit.msc for the LOCAL security policy (remember, NOT a Domain Group Policy in AD or otherwise) does not seem to give you an actual option to EXPORT.

I've tried accessing the 'LOCAL' policy (remember gpedit.msc) via the 'Group Policy Management Console' as well - with no apples.

0
 
LVL 1

Author Comment

by:kmruss
ID: 22773623
Also - wanted to mention - I believe you are talking about the local SECURITY policy.  I just want to export the LOCAL GROUP policy (settings found in gpedit.msc) that determine what settings Windows locks down for users.
0
 
LVL 4

Expert Comment

by:oks1977
ID: 22773746
Hi,

You can use secpol.msc on the local computers, it will let you see what security settings have been applied and you can export the policy with that.
0
 
LVL 4

Expert Comment

by:oks1977
ID: 22773750
Pressed enter too fast and it was posted.

Yes, you can use secpol.msc and it is exporting the LOCAL GROUP Policy.

Hope the information helps.
0
 
LVL 1

Author Comment

by:kmruss
ID: 22774257
Tried 'secpol.msc'.  As mentioned, this loads the SECURITY-based policy settings (password length, expiration, user rights, etc. etc.).

It does NOT load the regular 'Computer' and 'User' Configuration Policies that are set with 'gpedit.msc' - which is the 'LOCAL *GROUP* POLICY'  (notice no 'SECURITY' in there).

Load up 'gpedit.msc' and expand some of the upper and lower sections in Computer and User and you'll see what I mean.
0
 
LVL 4

Accepted Solution

by:
oks1977 earned 500 total points
ID: 22774607
ok. Thanks for the heads up.

http://www.frickelsoft.net/blog/?p=31

Based on the link above, I have 2 VMs, both of them Windows 2003 enterprise.

1) Made changes to the NetMeeting folder, enabled some settings.
2) Copy the Machine and User folders from that server's local group policy:
%systemroot%\system32\grouppolicy\
3) And paste it inside the AD to replace the policy. The default AD policy is as below:
\\AD\sysvol\AD.com\policy\{very long numbers}\

You can rename the original machine and user policy which is inside for backup.
And paste the local group policy that is inside.

Hope information helps.

0
 
LVL 1

Author Comment

by:kmruss
ID: 24169541
This was basically correct - thank you!  Sorry for the delay on this.

One thing to note - you are correct .. 'numbers are very long' on those DOMAIN group policies you are converting to - and you need to create a new 'blank' domain policy first before copying it over.  Once done, go into the \\AD\sysvol\AD.com\policy\{very long numbers}  and make a full backup of that folder just in case.  And also, tip: find out which group policy folder is which by creating a couple changes in the group policy and going into the folder under 'User' .. and the .reg files under there and see if that holds the changes you made (view with notepad).

Thanks - this finally worked though and saved a lot of headache of converting over all those 50+ settings.

Kevin
0
 
LVL 1

Author Closing Comment

by:kmruss
ID: 31508608
Thanks - points awarded!  Sorry for the delay.  You can read my response in the solution.
0
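
An added example, not code from this thread: a parser that turns the bytes of a `registry.pol` file (the file the question mentions) into rows and a CSV report, which is also a way to check which GPO folder holds a given change. It assumes the documented Registry.pol layout (`PReg` signature, version 1, then `[key;value;type;size;data]` records in UTF-16LE); the sample bytes are constructed and the `Software\Policies\Example` key is hypothetical.

```python
import csv, io, struct
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def _expect(buf, pos, ch):  # require UTF-16LE delimiter ch at pos; return the offset after it
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):  # read a NUL-terminated UTF-16LE string -> (text, next offset)
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def _decode(rtype, data):  # strings and DWORDs become text, anything else raw hex
    if rtype in (1, 2):
        return data.decode("utf-16-le").rstrip("\x00")
    return str(struct.unpack("<I", data)[0]) if rtype == 4 and len(data) == 4 else data.hex()

def parse_pol(buf):  # Registry.pol bytes -> list of (key, value, type, data) rows
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("bad Registry.pol signature or version")
    pos, rows = 8, []
    while pos < len(buf):  # walk records in order: data may itself contain ';' or ']'
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        value, pos = _wstr(buf, _expect(buf, pos, ";"))
        hdr = buf[pos:pos + 14]  # ';' type(4) ';' size(4) ';'
        if len(hdr) != 14 or hdr[:2] != b";\x00" or hdr[6:8] != b";\x00" or hdr[12:] != b";\x00":
            raise ValueError(f"malformed type/size at offset {pos}")
        rtype, size = struct.unpack("<2xI2xI2x", hdr)
        data = buf[pos + 14:pos + 14 + size]
        pos = _expect(buf, pos + 14 + size, "]")  # fails if size runs past the buffer
        rows.append((key, value, REG_TYPES.get(rtype, str(rtype)), _decode(rtype, data)))
    return rows

def to_csv(rows):
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([("key", "value", "type", "data"), *rows])
    return out.getvalue()

def _rec(key, value, rtype, data):  # build one record for the constructed sample below
    w = lambda s: s.encode("utf-16-le")
    return w(f"[{key}\0;{value}\0;") + struct.pack("<I2sI2s", rtype, w(";"), len(data), w(";")) + data + w("]")

# Constructed sample, not from a real machine; the REG_SZ data deliberately contains ';' and ']'.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE = b"PReg" + struct.pack("<I", 1) + _rec(EXPLORER, "NoRun", 4, struct.pack("<I", 1)) \
    + _rec(r"Software\Policies\Example", "Note", 1, "a;b]\0".encode("utf-16-le"))
```

For a real policy, read the `registry.pol` file in binary mode and pass its bytes to `parse_pol`, then write the `to_csv` result to a file.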
