
ADMT Migration Group Policy Effects

shong1997 asked:
Environment:
Two AD Forests
Source domain is Windows 2003
Target domain is Windows 2008
Two-way transitive trust between two forests
SID History is enabled and SID Filtering is disabled on the trust

All users with SID History and computers were successfully migrated from the source domain to the target domain using ADMT.  The users are able to log in to the target domain, but now they're getting user-based GPOs from the source domains in addition to GPOs applied on the target domain.  Any ideas on how users would receive GPOs from the source domain even though their user objects now reside in the target domain?

Thanks,


Awinish, Senior Solution Architect

Commented:
ADMT migrates users, computer accounts, printers, etc., but it doesn't migrate GPOs. You have to configure the GPOs anew on the target domain, or you have to take a backup of the GPO from the source domain, create a new GPO, and import the settings into the target domain using GPMC.

The computer you have added contains the GPO settings from the previous domain, and they get applied.

Author

Commented:
I understand that ADMT does not migrate GPOs.  GPOs are configured in the target domain and linked to appropriate OUs.  However, after the migration of users/computers, I logged in to a migrated computer as one of the migrated users.  I ran GPResult.exe and saw some user-based GPOs from the old domain are still being applied to the user.  Any ideas?
Awinish, Senior Solution Architect

Commented:
I have never had such an issue. Just run gpupdate /force, reboot your computer twice, and see if it works.

I read somewhere that a GPO can be applied, but when you remove the GPO the settings are not removed, as GPO application works with registry modification, and since you remove the GPO there is no modification you are doing. The policy is already applied, and it's still there even if you remove the GPO.
Awinish, Senior Solution Architect

Commented:
Could you try it on one of the machines and see if it helps?

http://support.microsoft.com/kb/313222/en-us
Author

Commented:
Hi Awinish,

I ran 'GPUpdate.exe /force' and rebooted the system as suggested.  I ran 'GPResult' again and what I found is very interesting - there are two sets of RSOP results showing on the screen. The first RSOP result shows the user is getting GPOs from both the source and the target. The second RSOP result shows the user is only getting GPOs from the target.  Does this have to do with the fact that I chose "Add" instead of "Replace" mode to update local profiles on the computer?

We have found the root cause of the problem - the workstation's DNS was pointed to the source domain's DNS.  Once we pointed it to the target domain's DNS and ran 'GPUpdate.exe /force', the RSOP only shows the GPOs from the target domain.
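
A check for the symptom described in this thread, as an added example that is not part of any participant's post: it lists user-scope GPOs in an RSoP report whose owning domain is not the target domain. The domain names, the sample report, and the function name `Get-ForeignUserGpo` are constructed for illustration, and the report layout (`UserResults/GPO` with `Name` and `Path/Domain`) is assumed to match what `gpresult /x` writes.

```powershell
# Added example. The target domain name below is a constructed placeholder.
$TargetDomain = 'target.example'

# Constructed fragment shaped like a `gpresult /x` RSoP report
# (assumed layout: UserResults/GPO with Name and Path/Domain).
[xml]$Rsop = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <UserResults>
    <GPO><Name>Target Desktop Policy</Name><Path><Domain>target.example</Domain></Path></GPO>
    <GPO><Name>Legacy Logon Script</Name><Path><Domain>source.example</Domain></Path></GPO>
  </UserResults>
</Rsop>
'@

function Get-ForeignUserGpo {
    # Hypothetical helper: returns user-scope GPOs owned by any domain
    # other than the expected (target) domain.
    param(
        [Parameter(Mandatory)][xml]$Report,
        [Parameter(Mandatory)][string]$ExpectedDomain
    )
    # local-name() keeps the XPath independent of the report's XML namespaces.
    $xpath = "//*[local-name()='UserResults']/*[local-name()='GPO']"
    foreach ($hit in (Select-Xml -Xml $Report -XPath $xpath)) {
        $gpo    = $hit.Node
        $domain = $gpo.SelectSingleNode("*[local-name()='Path']/*[local-name()='Domain']").InnerText
        # String comparison with -ne is case-insensitive in PowerShell.
        if ($domain -ne $ExpectedDomain) {
            [pscustomobject]@{
                Gpo    = $gpo.SelectSingleNode("*[local-name()='Name']").InnerText
                Domain = $domain
            }
        }
    }
}

# Any row returned here is a user GPO still coming from outside the target domain.
Get-ForeignUserGpo -Report $Rsop -ExpectedDomain $TargetDomain
```

On a migrated workstation, the report can be produced with `gpresult /x report.xml /f` and loaded with `[xml](Get-Content report.xml)`. If source-domain GPOs are listed, compare the output of `Get-DnsClientServerAddress -AddressFamily IPv4` against the target domain's DNS servers, since that was the root cause found in this thread.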