none
GPO creation from exported baseline fails. - ""The Data is invalid" RRS feed

  • Question

  • I am working in a multi-domain environment.  I have backed up GPOs from multiple domains and imported them into SCM for analysis.  BTW - Tool works great for comparing a large number of GPOs. 

    Scenario
    ======

    1. I export a GPO baseline that was originally imported from domain1 as a GPO Backup folder.

    2. In GPMC I create a new blank GPO with desired name.

    3. Right-click new GPO and select import settings and navigate to backp created folder in step 1.  I get the warning "the BAckup contains references to security principals...".  At Migrating References screen I select "Copying them Identically from Source".  The import status goes to about 90% then fails with "The Data is invalid" message.

    I have tried creating a migration table (from GPO backup) and I get the same results.

    I have tried to create the GPO by restoring a backup and pointing to the folder in step 1 and I get a message "No GPO backups found"

    So far I have this problem with three GPOs that contain a couple of hundred settings.   For each of these GPOs and export error was generated stating "the following settings were not included in export because they are not configured"

    I have successfully exported backups from other GPO baselines and created new GPOs using this method.

    Questions
    ========

    1. What is the best method to troubleshoot this issue?

    2. I have noticed the SCM backups do not have gpreport.xml file in the folder when exported.

    3. How can I determine which "data is invalid"

    

    


    "I need more cowbell!"

    Tuesday, October 16, 2012 6:36 PM

All replies

  • The first thing to look at are the settings not fully supported by SCM, it looks like your GPO includes some registry permission entries. You could try removing them and then importing the GPO.

    The next thing to look at would be the security principals used for the user rights, there’s one odd one that I don’t recognize: *S-1-5-21-834781646-4038171650-3847639893-1001, used for the Manage auditing and security log.

    The third thing I notice is that you have -1 assigned for Account Lockout Duration. I don’t think that’s a valid value, it has to be 0 to 9999 minutes.

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Wednesday, October 17, 2012 5:00 PM
    Moderator
  • DC, Were you able to find a solution to this. I am dealing with the exact same issue while trying to trim the GPO fat on several domains. I thought SCM could do this but unable to complete the import in gpmc. Any feedback is greatly apreciated.
    Thursday, January 2, 2014 9:58 PM