
Export/Copy Local Group Policy to Domain Group Policy

Hello all - I've searched everywhere for this and can't seem to find a good clear answer:

I've got a new Terminal Server that I spent quite a while locking down settings via the LOCAL Group Policy (gpedit.msc). These settings are all under the USER portion (none under the 'Computer' portion) of the policy. I'd like to convert these settings over to a Domain Group Policy (in the Active Directory) - and have them applied that way instead.

What's the easiest and most efficient way of doing this? I should say that I know how to apply them ONCE they are over into an Active Directory (Domain) Group Policy - however getting them there is the problem. I've copied out the local 'windows\system32\group policy' folder which has the 'registry.pol' file in there - however not sure how (if possible) to import this into a Domain Group Policy?

Also, is there a good way to export into a file or report (csv, html, etc) the settings from the LOCAL Group Policy program (gpedit.msc)? I haven't found a way - because the 'export' function under there is some built-in MMC export which doesn't export actual policy settings - only the mmc specific info (Computer Configuration - User Configuration - and these names alone are literally all it exports).

Thanks.
Asked by: kmruss

oks1977 Commented:
Hi,

I have tried this on my VM.

1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy; the end result is an INF file.
2) On the AD, open MMC and add "Security Configuration and Analysis".
3) You will need to open a database (you can create any name) and compare with the local computer INF file that you have extracted.
4) Click Analysis, and you will see that there are various ticks and crosses. A tick means that the INF file and the policy on that server are the same. A cross means no.

For those that you intend to make changes, let them remain as crosses. For those which you desire, let them remain as ticks. After you have confirmed it, right-click on "Security Configuration and Analysis" and click "Configure computer now" and the settings will be changed.

One note: you might want to extract the default policy that was inside before you make any changes.

Hope the information helps.
 
kmruss (Author) Commented:
Quote '1) Export the policy that was defined in the local computer. I'm assuming you know how to export security policy, end result is an INF file.'

Actually, that is the main reason I posted this question:  gpedit.msc for the LOCAL security policy (remember, NOT a Domain Group Policy in AD or otherwise) does not seem to give you an actual option to EXPORT.

I've tried accessing the 'LOCAL' policy (remember gpedit.msc) via the 'Group Policy Management Console' as well - with no apples.

 
kmruss (Author) Commented:
Also - wanted to mention - I believe you are talking about the local SECURITY policy.  I just want to export the LOCAL GROUP policy (settings found in gpedit.msc) that determine what settings Windows locks down for users.
oks1977 Commented:
Hi,

You can use secpol.msc on the local computers, it will let you see what security settings have been applied and you can export the policy with that.
 
oks1977 Commented:
Pressed Enter too fast and it was posted.

Yes, you can use secpol.msc and it is exporting the LOCAL GROUP Policy.

Hope the information helps.
 
kmruss (Author) Commented:
Tried 'secpol.msc'.  As mentioned, this loads the SECURITY-based policy settings (password length, expiration, user rights, etc. etc.).

It does NOT load the regular 'Computer' and 'User' Configuration Policies that are set with 'gpedit.msc' - which is the 'LOCAL *GROUP* POLICY'  (notice no 'SECURITY' in there).

Load up 'gpedit.msc' and expand some of the upper and lower sections in Computer and User and you'll see what I mean.
 
oks1977 Commented:
OK. Thanks for the heads up.

http://www.frickelsoft.net/blog/?p=31

Based on the link above, I have 2 VMs, both of them Windows 2003 Enterprise.

1) Made changes to the NetMeeting folder; enabled some settings.
2) Copy the Machine and User folders from that server's local group policy:
%systemroot%\system32\grouppolicy\
3) And paste them inside the AD to replace the policy. The default AD policy is as below:
\\AD\sysvol\AD.com\policy\{very long numbers}\

You can rename the original Machine and User policy folders which are inside for backup.
And paste the local group policy that is inside.

Hope the information helps.

 
kmruss (Author) Commented:
This was basically correct - thank you!  Sorry for the delay on this.

One thing to note - you are correct .. 'numbers are very long' on those DOMAIN group policies you are converting to - and you need to create a new 'blank' domain policy first before copying it over.  Once done, go into the \\AD\sysvol\AD.com\policy\{very long numbers}  and make a full backup of that folder just in case.  And also, tip: find out which group policy folder is which by creating a couple changes in the group policy and going into the folder under 'User' .. and the .reg files under there and see if that holds the changes you made (view with notepad).

Thanks - this finally worked though and saved a lot of headache of converting over all those 50+ settings.

Kevin
 
kmruss (Author) Commented:
Thanks - points awarded!  Sorry for the delay.  You can read my response in the solution.
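The thread leaves the reporting half of the question open (getting the gpedit.msc settings into a file), and the same report helps confirm which SYSVOL policy folder holds which settings before anything is overwritten. The following is an added example, not code from the thread: a reader for the `Registry.pol` format (a `PReg` header, version 1, then `[key;value;type;size;data]` entries in UTF-16LE) that emits CSV. The function names and the two sample entries are this example's own, constructed for illustration.

```python
import csv, io
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
u = lambda s: s.encode("utf-16-le")  # all text in the file is UTF-16LE

def _expect(blob, pos, ch):  # the delimiters [ ; ] are single UTF-16LE characters
    if blob[pos:pos + 2] != u(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_str(blob, pos):  # NUL-terminated; a missing NUL is caught by the next _expect
    end = pos
    while blob[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def _decode(rtype, data):
    if rtype in (1, 2):
        return data.decode("utf-16-le").rstrip("\x00")
    return int.from_bytes(data, "little") if rtype == 4 else data.hex()

def parse_pol(blob):
    """Return [(key, value_name, type_name, data), ...] from Registry.pol bytes."""
    if blob[:4] != b"PReg" or blob[4:8] != (1).to_bytes(4, "little"):
        raise ValueError("not a version 1 Registry.pol file")
    pos, rows = 8, []
    while pos < len(blob):  # each entry is [key;value;type;size;data]
        key, pos = _read_str(blob, _expect(blob, pos, "["))
        name, pos = _read_str(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        rtype = int.from_bytes(blob[pos:pos + 4], "little")
        size = int.from_bytes(blob[pos + 6:pos + 10], "little")
        pos = _expect(blob, _expect(blob, pos + 4, ";") + 4, ";")
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")  # also fails when the data is cut short
        rows.append((key, name, REG_TYPES.get(rtype, f"type {rtype}"), _decode(rtype, data)))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([("key", "value", "type", "data"), *rows])
    return buf.getvalue()

def _entry(key, name, rtype, data):  # builds the constructed sample entries below
    return (u("[" + key + "\0;" + name + "\0;") + rtype.to_bytes(4, "little") + u(";")
            + len(data).to_bytes(4, "little") + u(";") + data + u("]"))

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"  # constructed sample
SAMPLE = (b"PReg" + (1).to_bytes(4, "little") + _entry(EXPLORER, "NoRun", 4, (1).to_bytes(4, "little"))
          + _entry(r"Software\Policies\Microsoft\Windows\Control Panel\Desktop", "ScreenSaveTimeOut", 1, u("900\0")))
print(to_csv(parse_pol(SAMPLE)))
```

To use it on real data, pass `parse_pol` the bytes of the `Registry.pol` file from the copied User folder. Value names that begin with `**` are policy directives (such as deletions) and are listed as-is.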
