Solved

Copy Site to Zone Assignment List to new GPO

Posted on 2016-11-02
9
112 Views
Last Modified: 2016-11-05
We are about to change our Windows 7 client invironment to Windows 10. In that process we have to copy our Site to Zone Assignment List from a User Configuration GPO to a Computer Configuration GPO.

How can this be done in the best manner?

I've been looking at some Powershell solutions but I can't make it happen.

Any ideas?

Regards
Kasper K
0
Comment
Question by:Kasper Katzmann
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41869710
Basically you want to copy the user configuration settings from one GPO to the computer configuration settings on another GPO.  Is that correct?
0
 

Author Comment

by:Kasper Katzmann
ID: 41869749
That's correct.
The reason is that Windows 10 handles the Site to Zone Assignment List differently than in ealier versions.
0
 

Author Comment

by:Kasper Katzmann
ID: 41872055
Anyone?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 85

Expert Comment

by:oBdA
ID: 41873586
Okay, I'll bite.
This will set the target GPO's list to be identical to the source's; any former content of the target's list will be lost.
You can copy from user to computer any way you want, including inside the same GPO.
No safeguards or confirmation prompts.
Tested on Server 2012.
Copy-GPIESiteToZoneAssignment.ps1:
Param(
	[Parameter(Mandatory=$True, Position=0)][ValidateNotNull()]
	[string]$Source,
	[Parameter(Mandatory=$True, Position=1)][ValidateNotNull()]
	[string]$Target,
	[ValidateSet('User', 'Computer')]
	[string]$SourceConfiguration = 'User',
	[ValidateSet('User', 'Computer')]
	[string]$TargetConfiguration = 'Computer'
)
If (-not ($SourceGPO = Get-GPO -Name $Source -ErrorAction SilentlyContinue)) {
	Throw "Source GPO '$($Source)' not found."
}
If (-not ($TargetGPO = Get-GPO -Name $Target -ErrorAction SilentlyContinue)) {
	Throw "Target GPO '$($Target)' not found."
}
If (($SourceGPO.Id -eq $TargetGPO.Id) -and ($SourceConfiguration -eq $TargetConfiguration)) {
	Throw "I'm sorry, Dave. I'm afraid I can't do that."
}
$ZoneName = @{'0' = 'Computer'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted'}
$SourceHive = If ($SourceConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$TargetHive = If ($TargetConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$BaseKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)" -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Remove-GPRegistryValue -Guid $TargetGPO.Id -Key $TargetKey -ErrorAction SilentlyContinue | Out-Null

Get-GPRegistryValue -Guid $SourceGPO.Id -Key "$($SourceHive)\$($BaseKey)\ZoneMapKey" | ForEach-Object {
	"* '$($_.ValueName)': $($ZoneName[$_.Value])" | Write-Host
	Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)\ZoneMapKey" -ValueName $_.ValueName -Type $_.Type -Value $_.Value | Out-Null
}

Open in new window

1
 

Author Comment

by:Kasper Katzmann
ID: 41873734
Wow - You're the best. Have just tested in our test invironment and it did it.
I got one error though...
Remove-GPRegistryValue : Cannot validate argument on parameter 'Key'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:27 char:49
+ Remove-GPRegistryValue -Guid $TargetGPO.Id -Key $TargetKey -ErrorAction Silently ...
+                                                 ~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Remove-GPRegistryValue], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.GroupPolicy.Commands.RemoveGPRegistryValueCommand

Open in new window

It seems that this line is coursing the error:
Remove-GPRegistryValue -Guid $TargetGPO.Id -Key $TargetKey -ErrorAction SilentlyContinue | Out-Null

Open in new window


Error message or not, it worked as it should, but can you explain what the line above does?

/Kasper
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 41873752
Sorry, that line should clear the old list; here's the corrected version:
Param(
	[Parameter(Mandatory=$True, Position=0)][ValidateNotNull()]
	[string]$Source,
	[Parameter(Mandatory=$True, Position=1)][ValidateNotNull()]
	[string]$Target,
	[ValidateSet('User', 'Computer')]
	[string]$SourceConfiguration = 'User',
	[ValidateSet('User', 'Computer')]
	[string]$TargetConfiguration = 'Computer'
)
If (-not ($SourceGPO = Get-GPO -Name $Source -ErrorAction SilentlyContinue)) {
	Throw "Source GPO '$($Source)' not found."
}
If (-not ($TargetGPO = Get-GPO -Name $Target -ErrorAction SilentlyContinue)) {
	Throw "Target GPO '$($Target)' not found."
}
If (($SourceGPO.Id -eq $TargetGPO.Id) -and ($SourceConfiguration -eq $TargetConfiguration)) {
	Throw "I'm sorry, Dave. I'm afraid I can't do that."
}
$ZoneName = @{'0' = 'Computer'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted'}
$SourceHive = If ($SourceConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$TargetHive = If ($TargetConfiguration -eq 'User') {'HKEY_CURRENT_USER'} Else {'HKEY_LOCAL_MACHINE'}
$BaseKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)" -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Remove-GPRegistryValue -Guid $TargetGPO.Id -Key "$($TargetHive)\$($BaseKey)\ZoneMapKey" -ErrorAction SilentlyContinue | Out-Null

Get-GPRegistryValue -Guid $SourceGPO.Id -Key "$($SourceHive)\$($BaseKey)\ZoneMapKey" | ForEach-Object {
	"* '$($_.ValueName)': $($ZoneName[$_.Value])" | Write-Host
	Set-GPRegistryValue -Guid $TargetGPO.Id -Additive -Key "$($TargetHive)\$($BaseKey)\ZoneMapKey" -ValueName $_.ValueName -Type $_.Type -Value $_.Value | Out-Null
}

Open in new window

1
 

Author Comment

by:Kasper Katzmann
ID: 41874806
That was what I thought. I will comment that line out then, because for a while we will have both Windows 7 and 10.

Thank you so much for sharing
0
 
LVL 85

Expert Comment

by:oBdA
ID: 41874983
It doesn't clear the "old list" of the source; it clears (if it exists) the old zone map list of the target to make sure that the target has an exact copy of the source.
The source GPO remains unchanged through all of this.
1
 

Author Comment

by:Kasper Katzmann
ID: 41875204
Ok, thank for clearing things out
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question