Solved

Export/Copy Local Group Policy to Domain Group Policy

Posted on 2008-10-21
Last Modified: 2012-06-21
Hello all - I've searched everywhere for this and can't seem to find a good clear answer:

I've got a new Terminal Server that I spent quite a while locking down settings via the LOCAL Group Policy (gpedit.msc). These settings are all under the USER portion (none under the 'Computer' portion) of the policy. I'd like to convert these settings over to a Domain Group Policy (in the Active Directory) - and have them applied that way instead.

What's the easiest and most efficient way of doing this? I should say that I know how to apply them ONCE they are over into an Active Directory (Domain) Group Policy - however getting them there is the problem. I've copied out the local 'windows\system32\group policy' folder which has the 'registry.pol' file in there - however not sure how (if possible) to import this into a Domain Group Policy?

Also, is there a good way to export into a file or report (csv, html, etc) the settings from the LOCAL Group Policy program (gpedit.msc)? I haven't found a way - because the 'export' function under there is some built-in MMC export which doesn't export actual policy settings - only the mmc specific info (Computer Configuration - User Configuration - and these names alone are literally all it exports).

Thanks.
Question by:kmruss
 
LVL 4

Expert Comment

by:oks1977
ID: 22773468
Hi,

I have tried this on my VM.

1) Export the policy that was defined on the local computer. I'm assuming you know how to export security policy; the end result is an INF file.
2) On the AD, open MMC and add "Security Configuration and Analysis".
3) You will need to open a database (can create any name) and compare with the local computer INF file that you have extracted.
4) Click Analysis, and you will see that there are various ticks and crosses. Tick means that the INF file and policy on that server are the same. Cross means no.

For those that you intend to make changes, let them remain as crosses. For those which you desired, let them remain as ticks. After you have confirmed it, right click on "Security Configuration and Analysis" and click "Configure computer now" and the settings will be changed.

One more piece of information: you might want to extract the default policy that was inside before you made any changes.

Hope the information helps.
0
 
LVL 1

Author Comment

by:kmruss
ID: 22773546
Quote '1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy, end result is an INF file.'

Actually, that is the main reason I posted this question:  gpedit.msc for the LOCAL security policy (remember, NOT a Domain Group Policy in AD or otherwise) does not seem to give you an actual option to EXPORT.

I've tried accessing the 'LOCAL' policy (remember gpedit.msc) via the 'Group Policy Management Console' as well - with no apples.

0
 
LVL 1

Author Comment

by:kmruss
ID: 22773623
Also - wanted to mention - I believe you are talking about the local SECURITY policy.  I just want to export the LOCAL GROUP policy (settings found in gpedit.msc) that determine what settings Windows locks down for users.
0

 
LVL 4

Expert Comment

by:oks1977
ID: 22773746
Hi,

You can use secpol.msc on the local computers, it will let you see what security settings have been applied and you can export the policy with that.
0
 
LVL 4

Expert Comment

by:oks1977
ID: 22773750
Pressed Enter too fast and it was posted.

Yes, you can use secpol.msc and it is exporting the LOCAL GROUP Policy.

Hope the information helps.
0
 
LVL 1

Author Comment

by:kmruss
ID: 22774257
Tried 'secpol.msc'.  As mentioned, this loads the SECURITY-based policy settings (password length, expiration, user rights, etc. etc.).

It does NOT load the regular 'Computer' and 'User' Configuration Policies that are set with 'gpedit.msc' - which is the 'LOCAL *GROUP* POLICY'  (notice no 'SECURITY' in there).

Load up 'gpedit.msc' and expand some of the upper and lower sections in Computer and User and you'll see what I mean.
0
 
LVL 4

Accepted Solution

by:oks1977 earned 500 total points
ID: 22774607
OK. Thanks for the heads up.

http://www.frickelsoft.net/blog/?p=31

Based on the link above, I have 2 VMs, both of them Windows 2003 Enterprise.

1) Made changes to the NetMeeting folder, enabled some settings.
2) Copy the Machine and User folders from that server's local group policy:
%systemroot%\system32\grouppolicy\
3) And paste them inside the AD to replace the policy. The default AD policy is as below:
\\AD\sysvol\AD.com\policy\{very long numbers}\

You can rename the original machine and user policy which is inside for backup.
And paste the local group policy that is inside.

Hope information helps.

0
 
LVL 1

Author Comment

by:kmruss
ID: 24169541
This was basically correct - thank you!  Sorry for the delay on this.

One thing to note - you are correct .. 'numbers are very long' on those DOMAIN group policies you are converting to - and you need to create a new 'blank' domain policy first before copying it over.  Once done, go into the \\AD\sysvol\AD.com\policy\{very long numbers}  and make a full backup of that folder just in case.  And also, tip: find out which group policy folder is which by creating a couple changes in the group policy and going into the folder under 'User' .. and the .reg files under there and see if that holds the changes you made (view with notepad).

Thanks - this finally worked though and saved a lot of headache of converting over all those 50+ settings.

Kevin
0
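
Added example, not part of the original thread and not code from either poster: a small Python reader for the `registry.pol` file mentioned in the question, which lists the settings it contains as CSV. That covers both the report the asker wanted and the check of which GPO folder holds which settings before anything is copied into SYSVOL. The function names and the sample entries are this example's own, and the sample bytes are constructed.

```python
import csv, io, struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the NUL)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    """Check that the UTF-16LE delimiter ch sits at pos and step over it."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def parse_pol(buf):
    """Return [(key, value_name, type_name, data)] from registry.pol bytes."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 registry.pol file")
    pos, rows = 8, []
    while pos < len(buf):  # each entry on disk: [key;value;type;size;data]
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        size = struct.unpack_from("<I", buf, _expect(buf, pos + 4, ";"))[0]
        pos = _expect(buf, pos + 10, ";")  # 4 (type) + 2 (;) + 4 (size)
        data, pos = buf[pos:pos + size], _expect(buf, pos + size, "]")
        if rtype == 4 and size == 4:
            data = struct.unpack("<I", data)[0]
        else:  # strings are decoded, everything else is shown as hex
            data = data.decode("utf-16-le").rstrip("\0") if rtype in (1, 2) else data.hex()
        rows.append((key, name, REG_TYPES.get(rtype, str(rtype)), data))
    return rows

def to_csv(rows):
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([("key", "value", "type", "data"), *rows])
    return out.getvalue()

_u = lambda s: s.encode("utf-16-le")
# Constructed sample (not from the thread): one DWORD setting and one string setting.
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join(
    _u("[" + k + "\0;" + n + "\0;") + struct.pack("<I", t) + _u(";")
    + struct.pack("<I", len(d)) + _u(";") + d + _u("]")
    for k, n, t, d in [
        (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", 4, struct.pack("<I", 1)),
        (r"Software\Policies\Example", "Banner", 1, _u("locked down\0"))])
```

To report on a real file, pass its bytes instead of the sample, for example `print(to_csv(parse_pol(open(path, "rb").read())))` where `path` points at a copied-out `registry.pol`.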
 
LVL 1

Author Closing Comment

by:kmruss
ID: 31508608
Thanks - points awarded!  Sorry for the delay.  You can read my response in the solution.
0
