Migrate Group Policy Between Active Directory Domains & Forests Using PowerShell

Have you ever wanted to copy all of your production Group Policy Objects (GPOs) into a lab for testing? Do you have to copy GPOs between domains or forests? Do you need to migrate them to another environment due to an acquisition, merger, or divestiture? Read on.

GPOMigration.zip
 
 
 
 
 
4.7 Star
(10)
6,996 times
Add to favorites
Group Policy
8/8/2014
E-mail Twitter del.icio.us Digg Facebook
  • PC
    1 Posts | Last post March 12, 2020
    • Migration Tables have limitations:
      
      1) If there are no domain names or similar found in the backup then the migration table is normally not applied. A work-around to this is to include the assigning of a MSI file.
      
      2) I have many preferences where targeting uses group names. The groups names don't get changed &,even worse, the rules actually rely upon the SID.
      
      3) The groups used in AppLocker also fail to update.
      
      Any suggestions short of editing the values in the XML backup files.
      
      999 GPOs on the DC, 999 GPOs
      You take one down, pass it around
      You got 998 GPOs on the DC.
      
  • Single Domain Forest to Multi-Domain w/Empty Root Migration Issus
    1 Posts | Last post March 06, 2020
    • Everything works really well.  The one issue that is hardcoded in your script in the New-GPOMigrationTable function is that there is no way to map Enterprise wide groups in the GPO Migration table.  Currently, you only support Domain and UNC path object times when you generate the migration table.
      
      Would you please include functionality to allow the CSV file to map out groups as well?
      
      Your script does this:
      Source Name
      Enterise Admins@domain.local
      Type
      Universal Group
      Target Name
      Enteripse Admins @domain.emptyroot.local
      
      Example in the NEEDED migration table:
      Source Name
      Enterise Admins@domain.local
      Type
      Universal Group
      Target Name
      Enteripse Admins @emptyroot.local
      
      
      In an Empty Root domain structure, there is no way to tell your script to create a migration table that would map the source group to the root domains target group.
      
      Thanks in advance!
  • GpLinks
    1 Posts | Last post October 16, 2019
    • Hello, 
      Let me start by saying, this script/module is absolutely brilliant and works wonderfully.
      I do have a question about the GPLinks. How can I tell the function Import-GPLink which OU the GP's should be linked in? I have tried variations of SOM,SOMPATH and OU in the CSV file, but no luck. Still complains about "gPlink path does not exist".
  • non trusted domain.
    1 Posts | Last post July 19, 2019
    • We have loads of GPOs to migrate to a new domain and I was wondering if this would work on a destination domain that not trusted with source domain? does it matter? 
  • type every single GPO name?
    2 Posts | Last post May 14, 2019
    • "edit the Where-Object line to query the GPO(s) you want to migrate"  >>>  So, if we have 50 GPOs, we have to type in 50 names?
    • remove where-Object if you like to export all GPOs
  • New issue
    2 Posts | Last post May 14, 2019
    • I'm having the following error now on a different server
      
      PSMessageDetails      : 
      Exception             : System.UnauthorizedAccessException: Access is denied. 
                              (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
                                 at Microsoft.GroupPolicy.IGPMDomain2.CreateGPO()
                                 at Microsoft.GroupPolicy.GPDomain.CreateGpo(String 
                              gpoDisplayName)
                                 at Microsoft.GroupPolicy.Commands.ImportGpoCommand.GetGpoO
                              bject()
                                 at Microsoft.GroupPolicy.Commands.ImportGpoCommand.Process
                              Record()
                                 at 
                              System.Management.Automation.CommandProcessor.ProcessRecord()
      
      Not sure what it might be. Please help.
    • you are probably running the scripts on Domain Controllers. i had the same error but when i ran the script on Member server worked prefectly
  • Bug or what?
    2 Posts | Last post June 11, 2018
    • I have tried to export all GPOs.
      Export folder was created and some GPOs were exported, but not all.
      No warnings, no errors. I don't see big differences between exported and skipped GPOs.
      
      Is it possible to do something with that?
      
      Thanks in advance for any advice!
    • "Run as Administrator" was missed. It's OK now.
  • Works in my Lab environment but not on a productions server?
    2 Posts | Last post June 05, 2018
    • I went through this process several times on my hypervisor running Server 2016 and Server 2012. The import worked seamlessly. Both servers were configured as 2 separate domains. When I go to just import from one of my Lab servers into a production server i get no error but the script does not work.
      
      This is the output I get when I run it in PowerShell ISE (So i could see the output:
      
      PS D:\GPOMigration_Audit_Policy> D:\GPOMigration_Audit_Policy\Call-GPOImport.ps1
      WARNING: No WMI filters to import.
      No WMI Filter for GPO 'Audit-Account-Password Policy'.
      
      PS D:\GPOMigration_Audit_Policy> 
      
      My test server displays the reteival and import output.
      
      Not sure what the issue is but it seems like the solution is simple I just don't know where to look.
    • I figured it out.
      
      I changed the name of the GPOMigration folder to GPO_Migration_Audit_Policy
      
      This disrupts this part of the script Import-Module ".\GPOMigration" -Force
  • Github?
    2 Posts | Last post June 01, 2017
    • Great tool helped me a lot in a recent project! I had made some adjustments and included new functionalities to make it fit to my use case. I think I am not the only one who is doing this and therefore I ask if it is possible to put this project on Github?
    • Done. https://github.com/GoateePFE/GPOMigration
  • The object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not valid or not in the correct sequence.
    2 Posts | Last post January 29, 2016
    • I've got an error: The object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not valid or not in the correct sequence. Which I don't understand because in the script there is nothing written about "format"...
      
      Can someone help?
    • Problem is solved, there was a wrong file in the folder.
1 - 10 of 11 Items