Steps to combine several GPOs into one GPO

Within Server 2016 is there any way of combining several different Group Policy Objects (GPOs) into one single GPO?

A previous IT admin has created several GPOs (see the screenshot).

All of these GPOs need to be used.

We would like to combine all of these GPOs into a single GPO without having to go through and manually recreate each GPO within the single GPO.

Are there any ways of performing such a combination or merge automatically? If so how can this be done?

Asked by IT Guy (Network Engineer)

Cliff Galiher commented:
The I.T. consultant probably studied for a Microsoft exam, because that response is straight from a Windows 2000 textbook. It was true then, and is technically true now, though I haven't seen Microsoft say so in years.

Because group policy files are essentially read from file shares, yes...on a 10Mbit network over SMB1 on a large network with thousands of computers and tens of thousands of policies, yes...you'd see real delays. On a modern gigabit network with SMB3 and 10 to 20 policies, it'd be negligible.

Textbook vs real world...and remembering "rules" that were written for global sized businesses.  YMMV.

ITguy565 commented:
Try this and let me know what happens:

Use the updated script below for combining the group policies. This script will likely meet 80% or more of your requirements. Due to scripting limitations, only the group policy registry settings can be copied into a consolidated policy. Other settings that require manual migration are noted in the output from the script.

Reference: https://blogs.technet.microsoft.com/ashleymcglone/2015/06/11/updated-copy-and-merge-group-policies-gpos-with-powershell/

# Get-GPLink, Get-GPUnlinked and Copy-GPRegistryValue are functions defined by the
# script at the referenced blog post; they are not cmdlets of the built-in GroupPolicy
# module, so dot-source that script first.

# Help
Help Get-GPLink -Full
Help Get-GPUnlinked -Full
Help Copy-GPRegistryValue -Full

# Copy one GPO registry settings into another
Copy-GPRegistryValue -Mode All -SourceGPO 'Client Settings' `
    -DestinationGPO 'New Merged GPO' -Verbose

# Copy one GPO registry settings into another, just user settings
Copy-GPRegistryValue -Mode User -SourceGPO 'Client Settings' `
    -DestinationGPO 'New Merged GPO' -Verbose

# Copy one GPO registry settings into another, just computer settings
Copy-GPRegistryValue -Mode Computer -SourceGPO 'Client Settings' `
    -DestinationGPO 'New Merged GPO' -Verbose

# Copy multiple GPO registry settings into another
Copy-GPRegistryValue -Mode All -DestinationGPO "NewMergedGPO" `
    -SourceGPO "Firewall Policy", "Starter User", "Starter Computer" -Verbose

# Copy all GPOs linked to one OU registry settings into another
# Sort in reverse precedence order so that the highest precedence settings overwrite
# any potential settings conflicts in lower precedence policies.
$SourceGPOs = Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    Sort-Object Precedence -Descending |
    Select-Object -ExpandProperty DisplayName
Copy-GPRegistryValue -Mode All -SourceGPO $SourceGPOs `
    -DestinationGPO "NewMergedGPO" -Verbose

# Log all GPO copy output (including verbose and warning)
# Requires PowerShell v3.0+ (the *> redirection merges all output streams)
Copy-GPRegistryValue -Mode All -SourceGPO 'IE Test' `
    -DestinationGPO 'New Merged GPO' -Verbose *> GPOCopyLog.txt

# Disable all GPOs linked to an OU
Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    ForEach-Object {
        Set-GPLink -Target $_.OUDN -GUID $_.GUID -LinkEnabled No -Confirm
    }

# Enable all GPOs linked to an OU
Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    ForEach-Object {
        Set-GPLink -Target $_.OUDN -GUID $_.GUID -LinkEnabled Yes -Confirm
    }

# Quick link status of all GPOs
Get-GPUnlinked | Out-GridView

# Just the unlinked GPOs
Get-GPUnlinked | Where-Object {!$_.Linked} | Out-GridView

# Detailed GP link status for all GPOs with links
Get-GPLink | Out-GridView

# List of GPOs linked to a specific OU (or domain root)
Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    Select-Object -ExpandProperty DisplayName

# List of OUs (or domain root) where a specific GPO is linked
Get-GPLink |
    Where-Object {$_.DisplayName -eq 'Script And Delegation Test'} |
    Select-Object -ExpandProperty OUDN

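An added pre-merge check, not part of ITguy565's post or the referenced script: it uses only the built-in GroupPolicy module to list Administrative Template settings that two or more GPOs linked to the same OU configure with different states, since those are exactly the settings where the precedence-ordered copy above decides which value survives. The OU DN reuses the placeholder from the examples above; the key used to group settings is the policy name, so two policies that share a name in different categories would need the Category added to the key.

```powershell
# Added example (not from the original post or the referenced blog). Requires the
# GroupPolicy RSAT module; the OU distinguished name is a placeholder.
Import-Module GroupPolicy

$ouDn = 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com'   # placeholder taken from the post

# Links in precedence order (Order 1 = highest precedence); disabled links are skipped.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.Enabled } |
    Sort-Object Order

$seen = @{}   # key "<Scope>|<PolicyName>" -> list of {GPO, Order, State}
foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    foreach ($scope in 'Computer', 'User') {
        # Administrative Template settings live in the RegistrySettings extension.
        $extensions = $report.GPO.$scope.ExtensionData.Extension |
            Where-Object { $_.type -like '*RegistrySettings' }
        foreach ($policy in ($extensions.Policy | Where-Object { $_ })) {
            $key = "$scope|$($policy.Name)"
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += [pscustomobject]@{
                GPO   = $link.DisplayName
                Order = $link.Order
                State = $policy.State
            }
        }
    }
}

# Print only the settings whose state differs between GPOs. The entry with the lowest
# Order is the one that wins today and therefore the one the merge must preserve.
foreach ($entry in $seen.GetEnumerator()) {
    $states = @($entry.Value.State | Sort-Object -Unique)
    if ($states.Count -gt 1) {
        Write-Output "CONFLICT $($entry.Key)"
        $entry.Value | Sort-Object Order | ForEach-Object {
            Write-Output ('    {0} (link order {1}): {2}' -f $_.GPO, $_.Order, $_.State)
        }
    }
}
```

Run it before and after the merge: an empty result afterwards (with the merged GPO linked in place of the originals) confirms the surviving value for every conflicting setting matches what the highest-precedence source GPO enforced.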
 
Cliff Galiher commented:
There is no official way to do this. I've seen scripts that can, but generally are not complete, and you are trusting someone else's scripting skills.

With that said, I'm looking at your screenshots and those seem completely reasonable to me. I am a *VERY STRONG* advocate for naming GPOs by task and keeping different tasks separate. Combining a WSUS policy with a remote desktop policy, for example, is usually not recommended. Yes, it may apply to all clients. And yes, there is nothing that will break. But from a perspective of "self describing policies" where a consultant or new hire can look at the list and know what a policy does and what settings might be set, that separation is very helpful. Unless you have a very compelling reason to merge, I'd leave them alone. Splitting up policies later is much harder than merging them now, and that can end up being a lot of labor.

IT Guy (Network Engineer, Author) commented:
An IT consultant has told me that having multiple GPOs will slow down the login process when users log in to their Windows 10 computers and are authenticated by the Server 2016 domain controller.

Will it really cause that much of a delay?

ITguy565 commented:
@IT GUY,

In this case I will agree with @Cliff: if you keep your GPOs separate, you can see very easily and in a more granular way what is applying and to whom.

If your LAN is set up properly, you should really see no delay in logins.

ITguy565 commented:
Well no more delay than you would see combined.

Don (Network Administrator) commented:
Whether they are combined or separate, there will still be the same amount of policies. I also highly recommend, as already stated, keeping them separate. This will make managing GPOs much easier.

McKnife commented:
"Will it really cause that much of a delay?" - definitely not, but feel free to measure that in your test lab. Since these GPOs are not even changed every day, they are not even read - keep that in mind.