Copy Site to Zone Assignment List to new GPO

We are about to change our Windows 7 client invironment to Windows 10. In that process we have to copy our Site to Zone Assignment List from a User Configuration GPO to a Computer Configuration GPO.

How can this be done in the best manner?

I've been looking at some Powershell solutions but I can't make it happen.

Any ideas?

Regards
Kasper K
Kasper KatzmannSeniorkonsulentAsked:
Who is Participating?
 
oBdAConnect With a Mentor Commented:
Sorry, that line should clear the old list; here's the corrected version:
Param(
	[Parameter(Mandatory=$True, Position=0)][ValidateNotNull()]
	[string]$Source,
	[Parameter(Mandatory=$True, Position=1)][ValidateNotNull()]
	[string]$Target,
	[ValidateSet('User', 'Computer')]
	[string]$SourceConfiguration = 'User',
	[ValidateSet('User', 'Computer')]
	[string]$TargetConfiguration = 'Computer'
)
If (-not ($SourceGPO = Get-GPO -Name $Source -ErrorAction SilentlyContinue)) {
	Throw "Source GPO '$($Source)' not found."
}
If (-not ($TargetGPO = Get-GPO -Name $Target -ErrorAction SilentlyContinue)) {
	Throw "Target GPO '$($Target)' not found."
}
If (($SourceGPO.Id -eq $TargetGPO.Id) -and ($SourceConfiguration -eq $TargetConfiguration)) {
	Throw "I'm sorry, Dave. I'm afraid I can't do that."
}
$ZoneName = @{'0' = 'Computer'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted'}
$SourceHive = If ($SourceConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$TargetHive = If ($TargetConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$BaseKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)" -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Remove-GPRegistryValue -Guid $TargetGPO.Id -Key "$($TargetHive)\$($BaseKey)\ZoneMapKey" -ErrorAction SilentlyContinue | Out-Null

Get-GPRegistryValue -Guid $SourceGPO.Id -Key "$($SourceHive)\$($BaseKey)\ZoneMapKey" | ForEach-Object {
	"* '$($_.ValueName)': $($ZoneName[$_.Value])" | Write-Host
	Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)\ZoneMapKey" -ValueName $_.ValueName -Type $_.Type -Value $_.Value | Out-Null
}

Open in new window

1
 
Niten KumarPrincipal Systems AdministratorCommented:
Basically you want to copy the user configuration settings from one GPO to the computer configuration settings on another GPO.  Is that correct?
0
 
Kasper KatzmannSeniorkonsulentAuthor Commented:
That's correct.
The reason is that Windows 10 handles the Site to Zone Assignment List differently than in ealier versions.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Kasper KatzmannSeniorkonsulentAuthor Commented:
Anyone?
0
 
oBdACommented:
Okay, I'll bite.
This will set the target GPO's list to be identical to the source's; any former content of the target's list will be lost.
You can copy from user to computer any way you want, including inside the same GPO.
No safeguards or confirmation prompts.
Tested on Server 2012.
Copy-GPIESiteToZoneAssignment.ps1:
Param(
	[Parameter(Mandatory=$True, Position=0)][ValidateNotNull()]
	[string]$Source,
	[Parameter(Mandatory=$True, Position=1)][ValidateNotNull()]
	[string]$Target,
	[ValidateSet('User', 'Computer')]
	[string]$SourceConfiguration = 'User',
	[ValidateSet('User', 'Computer')]
	[string]$TargetConfiguration = 'Computer'
)
If (-not ($SourceGPO = Get-GPO -Name $Source -ErrorAction SilentlyContinue)) {
	Throw "Source GPO '$($Source)' not found."
}
If (-not ($TargetGPO = Get-GPO -Name $Target -ErrorAction SilentlyContinue)) {
	Throw "Target GPO '$($Target)' not found."
}
If (($SourceGPO.Id -eq $TargetGPO.Id) -and ($SourceConfiguration -eq $TargetConfiguration)) {
	Throw "I'm sorry, Dave. I'm afraid I can't do that."
}
$ZoneName = @{'0' = 'Computer'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted'}
$SourceHive = If ($SourceConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$TargetHive = If ($TargetConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$BaseKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)" -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Remove-GPRegistryValue -Guid $TargetGPO.Id -Key $TargetKey -ErrorAction SilentlyContinue | Out-Null

Get-GPRegistryValue -Guid $SourceGPO.Id -Key "$($SourceHive)\$($BaseKey)\ZoneMapKey" | ForEach-Object {
	"* '$($_.ValueName)': $($ZoneName[$_.Value])" | Write-Host
	Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)\ZoneMapKey" -ValueName $_.ValueName -Type $_.Type -Value $_.Value | Out-Null
}

Open in new window

1
 
Kasper KatzmannSeniorkonsulentAuthor Commented:
Wow - You're the best. Have just tested in our test invironment and it did it.
I got one error though...
Remove-GPRegistryValue : Cannot validate argument on parameter 'Key'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:27 char:49
+ Remove-GPRegistryValue -Guid $TargetGPO.Id -Key $TargetKey -ErrorAction Silently ...
+                                                 ~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Remove-GPRegistryValue], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.GroupPolicy.Commands.RemoveGPRegistryValueCommand

Open in new window

It seems that this line is coursing the error:
Remove-GPRegistryValue -Guid $TargetGPO.Id -Key $TargetKey -ErrorAction SilentlyContinue | Out-Null

Open in new window


Error message or not, it worked as it should, but can you explain what the line above does?

/Kasper
0
 
Kasper KatzmannSeniorkonsulentAuthor Commented:
That was what I thought. I will comment that line out then, because for a while we will have both Windows 7 and 10.

Thank you so much for sharing
0
 
oBdACommented:
It doesn't clear the "old list" of the source; it clears (if it exists) the old zone map list of the target to make sure that the target has an exact copy of the source.
The source GPO remains unchanged through all of this.
1
 
Kasper KatzmannSeniorkonsulentAuthor Commented:
Ok, thank for clearing things out
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.