Link to home
Start Free TrialLog in
Avatar of shong1997
shong1997

asked on

ADMT Migration Group Policy Effects

Environment:
Two AD Forests
Source domain is Windows 2003
Target domain is Windows 2008
Two-way transitive trust between two forests
SID History is enabled and SID Filtering is disabled on the trust

All users with SID History and computers were succesfully migrated from the source domain to the target domain using ADMT.  The users are able to log in to the target domain, but now they're getting user-based GPOs from the source domains in addition to GPOs applied on the target domain.  Any ideas on how users would receive GPOs from the source domain even though their user objects are now resided in the target domain?

Thanks,

Avatar of Awinish
Awinish
Flag of India image

ADMT migrate user,computer account,printer etc but it doesn't migrate GPO's. You have to configure GPO newly on target domain or you have to take the back of GPO from source domain & create new GPO & import the setting in target domain using GPMC.

The computer you have added contains the GPO setting from previous domain & it gets applied.
Avatar of shong1997
shong1997

ASKER

I understand that ADMT does not migrate GPOs.  GPOs are configured in the target domain and linked to appropriate OUs.  However, after the migration of users/computers, I logged in to a migrated computer as one of the migrated users.  I ran GPResult.exe and saw some user-based GPOs from the old domain are still being applied to the user.  Any ideas?
I have never had such issue,just run gpupdate /force & reboot your computer twice & see if it works.

I read somewhere GPO can be applied but when you remove the GPO settings are not removed.AS GPO application works with registry modification & since you remove the GPO there is no modification you are doing. The policy is already applied & its still there even if you remove the GPO.
Could you try on one of the machine & see if it helps.

http://support.microsoft.com/kb/313222/en-us
Hi Awinish,

I ran 'GPUpate.exe /force' and rebooted the system as suggested.  I ran 'GPresult' again and what I found is very interesting - there are two sets of RSOP result showing on the screen. The first RSOP result shows the user is getting GPOs from both the source and the target. The second RSOP result shows the user is only getting GPOs from the target.  Does this have to do with the fact that I chose "Add" instead of "Replace" mode to update local profiles on the computer?

ASKER CERTIFIED SOLUTION
Avatar of shong1997
shong1997

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial