Steps to combine several GPOs into one GPO

Within Server 2016 is there any way of combining several different Group Policy Objects (GPOs) into one single GPO?

A previous IT admin has created several GPOs (see the screenshot).

All of these GPOs need to be used.

We would like to combine all of these GPOs into a single GPO without having to go through and manually recreate each GPO within the single GPO.

Are there any ways of performing such a combination or merge automatically? If so how can this be done?

Group Policy Objects
IT Guy, Network Engineer, Asked:

Try this and let me know what happens:

Use the updated script below for combining the group policies. This script will likely meet 80% or more of your requirements. Due to scripting limitations, only the group policy registry settings can be copied into a consolidated policy. Other settings that require manual migration are noted in the output from the script.

Reference :

# Help
Help Get-GPLink -Full
Help Get-GPUnlinked -Full
Help Copy-GPRegistryValue -Full

# Copy one GPO registry settings into another
Copy-GPRegistryValue -Mode All -SourceGPO 'Client Settings' `
    -DestinationGPO 'New Merged GPO' -Verbose

# Copy one GPO registry settings into another, just user settings
Copy-GPRegistryValue -Mode User -SourceGPO 'Client Settings' `
    -DestinationGPO 'New Merged GPO' -Verbose

# Copy one GPO registry settings into another, just computer settings
Copy-GPRegistryValue -Mode Computer -SourceGPO 'Client Settings' `
    -DestinationGPO 'New Merged GPO' -Verbose

# Copy multiple GPO registry settings into another
Copy-GPRegistryValue -Mode All -DestinationGPO "NewMergedGPO" `
    -SourceGPO "Firewall Policy", "Starter User", "Starter Computer" -Verbose

# Copy all GPOs linked to one OU registry settings into another
# Sort in reverse precedence order so that the highest precedence settings overwrite
# any potential settings conflicts in lower precedence policies.
$SourceGPOs = Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    Sort-Object Precedence -Descending |
    Select-Object -ExpandProperty DisplayName
Copy-GPRegistryValue -Mode All -SourceGPO $SourceGPOs `
    -DestinationGPO "NewMergedGPO" -Verbose

# Log all GPO copy output (including verbose and warning)
# Requires PowerShell v3.0+
Copy-GPRegistryValue -Mode All -SourceGPO 'IE Test' `
    -DestinationGPO 'New Merged GPO' -Verbose *> GPOCopyLog.txt

# Disable all GPOs linked to an OU
Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    ForEach-Object {
        Set-GPLink -Target $_.OUDN -GUID $_.GUID -LinkEnabled No -Confirm
    }

# Enable all GPOs linked to an OU
Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    ForEach-Object {
        Set-GPLink -Target $_.OUDN -GUID $_.GUID -LinkEnabled Yes -Confirm
    }

# Quick link status of all GPOs
Get-GPUnlinked | Out-GridView

# Just the unlinked GPOs
Get-GPUnlinked | Where-Object {!$_.Linked} | Out-GridView

# Detailed GP link status for all GPOs with links
Get-GPLink | Out-GridView

# List of GPOs linked to a specific OU (or domain root)
Get-GPLink -Path 'OU=PHB,OU=HR,DC=CohoVineyard,DC=com' |
    Select-Object -ExpandProperty DisplayName

# List of OUs (or domain root) where a specific GPO is linked
Get-GPLink |
    Where-Object {$_.DisplayName -eq 'Script And Delegation Test'} |
    Select-Object -ExpandProperty OUDN

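Because the script above copies only registry settings, it helps to know beforehand which source GPOs carry anything else (security settings, scripts, firewall rules and so on) and to hold a restorable backup of each. The following is an added example, not part of the original answer or of the script it refers to. It uses only the built-in GroupPolicy module; the GPO names and backup path are placeholders, and it assumes the report extension named 'Registry' corresponds to the registry-based settings the merge script can copy.

```powershell
# Added example: back up each source GPO and list the settings areas that a
# registry-only merge would leave behind.
# Requires the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy

# Placeholders (assumptions): replace with your own GPO names and backup folder.
$SourceGPOs = 'Firewall Policy', 'Starter User', 'Starter Computer'
$BackupPath = 'C:\GPOBackup'

if (-not (Test-Path $BackupPath)) {
    New-Item -Path $BackupPath -ItemType Directory | Out-Null
}

$inventory = foreach ($name in $SourceGPOs) {
    # Keep a restorable copy before anything is merged or unlinked.
    Backup-GPO -Name $name -Path $BackupPath -Comment 'Pre-merge backup' | Out-Null

    # The XML report has one ExtensionData node per settings area in use.
    [xml]$report = Get-GPOReport -Name $name -ReportType Xml

    foreach ($side in 'Computer', 'User') {
        foreach ($ext in @($report.GPO.$side.ExtensionData)) {
            if ($null -eq $ext) { continue }   # nothing configured on this side
            [pscustomobject]@{
                GPO          = $name
                Side         = $side
                Extension    = $ext.Name
                # Assumption: only the 'Registry' extension is covered by a
                # registry-value copy; everything else needs a manual check.
                ManualReview = ($ext.Name -ne 'Registry')
            }
        }
    }
}

# Full picture on screen, manual-migration items saved next to the backups.
$inventory | Sort-Object GPO, Side, Extension | Format-Table -AutoSize
$inventory | Where-Object ManualReview |
    Export-Csv -Path (Join-Path $BackupPath 'ManualMigration.csv') -NoTypeInformation
```

Any row with ManualReview set to True marks a settings area, such as Security, that has to be recreated and verified by hand in the merged GPO.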

Cliff Galiher Commented:
There is no official way to do this. I've seen scripts that can, but generally are not complete, and you are trusting someone else's scripting skills.

With that said, I'm looking at your screenshots and those seem completely reasonable to me. I am a *VERY STRONG* advocate for naming GPOs by task and keeping different tasks separate. Combining a WSUS policy with a remote desktop policy, for example, is usually not recommended. Yes, it may apply to all clients. And yes, there is nothing that will break. But from a perspective of "self describing policies" where a consultant or new hire can look at the list and know what a policy does and what settings might be set, that separation is very helpful. Unless you have a very compelling reason to merge, I'd leave them alone. Splitting up policies later is much harder than merging them now, and that can end up being a lot of labor.
IT Guy, Network Engineer, Author Commented:
An IT consultant has told me that having multiple GPOs will slow down the login process when users log in to their Windows 10 computers and are authenticated by the Server 2016 domain controller.

Will it really cause that much of a delay?

In this case I will agree with @Cliff, if you keep your GPOs separate, you can see very easily and in a more granular nature what is applying and to whom.

If your LAN is set up properly, you should really see no delay in logins.
Well no more delay than you would see combined.
Cliff Galiher Commented:
The I.T. consultant probably studied for a Microsoft exam, because that response is straight from a Windows 2000 textbook. It was true then, and is technically true now though I haven't seen Microsoft say so in years.

Because group policy files are essentially read from file shares, yes...on a 10Mbit network over SMB1 on a large network with thousands of computers and tens of thousands of policies, you'd see real delays. On a modern gigabit network with SMB3 and 10 to 20 policies, it'd be negligible.

Textbook vs real world...and remembering "rules" that were written for global sized businesses.  YMMV.

Don, Network Administrator, Commented:
Whether they are combined or separate, there will still be the same amount of policies. I also highly recommend as already stated to keep them separate. This will make managing GPOs much easier.
"Will it really cause that much of a delay? " - definitely not, but feel free to measure that in your test lab. Since these GPOs are not even changed every day, they are not even read - keep that in mind.