Making use of 3rd Party Policy Objects?

    Question

  • Hello,

    I have been managing a small Active Directory structure for a little while now, and I am familiar with how to make, link, and push policy objects out to servers, users, and workstations in my environment.  So far, I have only relied on creating my own policies that fit our operational requirements.

    Recently, my team was tasked with migrating to Windows 10, using a pre-built image created by another team.  Their documentation indicates that the policies we require to have in place are set up in the Local Policy settings, so if it is installed as a stand-alone environment they will already be good to go.  However, if joining AD, policies can be overwritten - and they've provided the objects so we can have those same policies in place with our GPMC.  I'll be looking to preserve extant policy objects, and adding these to our repertoire.

    Unfortunately, I am familiar with the filetype provided - it just looks like a bunch of GUIDs.  For example, {692LC67F-5AMD-4B25-A73G-294B4CR4C44C}.

    Inside these GUID folders are a number of other files and folders - some .pol, some .xml.  Opening these XML files gets me what looks like genuine policy-related information.

    Some time back, I backed up and moved policy between two different ADs using the backup feature, but that produced a different file type than the ones we have obtained from the other team.  Additionally, I have imported ADM / ADMX files for creating policies for something not built into Windows, but that's also not what I have here.

    It seems to me like this is what I would see in the Domain sysvol that is shared between our two Domain Controllers.  It's almost like they're intended to be dropped in with the other GUID folders.  The path I'm referring to here is \\DOMAINNAME\SYSVOL\FULLYQUALIFIEDDOMAINNAME\Policies.

    However, I am hesitant to jump to conclusions, especially for something that can impact my Active Directory environment - too many bad experiences!

    Am I able to make use of these files directly in some way, or is there something else required?  This would be the first time I've been given these sorts of arrangements, and I'm actually not certain the keywords I would have to use to dig up the information - looking into "Importing Policies" seems to get me articles based on restoring backups or using Migration Tables to move between Active Directory environments.

    How do I move forward from here?

    Thanks!

    Monday, December 05, 2016 4:37 PM

All replies

  • Hi,
    If I understand correctly, what you want is to export local group policy into domain group policy, am I right?
    If that is the case, you could export administrative templates, grab the local
    user\registry.pol and machine\registry.pol files, create a new GPO in GPMC with enabled settings in administrative templates and then overwrite the sysvol registry.pol file with the local one, as the registry.pol content is identical for local or domain policies.
    And you could use the LocalGPO tool in SCM for that. Please see details from:
    LGPO.exe – Local Group Policy Object Utility, v1.0
    https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
    Here is a similar question discussed in the following thread, which you could also take a look at and use for reference:
    Windows 2008 R2 local group policy export to W2K8 R2 Domain Group Policy
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3262aa7-377e-48ab-aac6-5b335bb04a42/windows-2008-r2-local-group-policy-export-to-w2k8-r2-domain-group-policy?forum=winserverGP
    In addition, I always suggest testing first in a test lab, which might avoid damage to AD in production.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by MEversbergII Tuesday, December 06, 2016 5:17 PM
    Tuesday, December 06, 2016 7:01 AM
    Moderator
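As an added example (not part of this thread, and not LGPO.exe or any Microsoft tool), a small Python parser for the registry.pol (PReg) format that Wendy refers to, so the Machine\ and User\ registry.pol files inside the GUID folders from the other team can be read and reviewed before anything is imported. It assumes the documented PReg layout (a "PReg" magic plus version 1, then UTF-16LE `[key;value;type;size;data]` records); the registry paths and WSUS URL in the sample are constructed, not taken from the thread.

```python
import struct
PREG_HEADER = b"PReg" + struct.pack("<I", 1)          # magic + format version 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
_w = lambda s: s.encode("utf-16-le")                  # all text in a PReg file is UTF-16LE

def build_pol(entries):
    """Encode (key, value, type, raw_data) tuples as a PReg blob (sample input only)."""
    out = bytearray(PREG_HEADER)
    for key, value, rtype, data in entries:           # layout: [key;value;type;size;data]
        out += _w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
        out += _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]")
    return bytes(out)

def _expect(blob, pos, ch):                           # consume one UTF-16LE delimiter
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_sz(blob, pos):                              # null-terminated UTF-16LE string
    end = pos
    while end + 1 < len(blob) and blob[end:end + 2] != b"\0\0":
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def _decode(rtype, data):
    if rtype == 4:
        return struct.unpack("<I", data)[0]
    if rtype in (1, 2, 7):                            # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
        parts = [p for p in data.decode("utf-16-le").split("\0") if p]
        return parts if rtype == 7 else (parts[0] if parts else "")
    return data                                       # REG_BINARY and unknown types stay raw

def parse_pol(blob):
    """Return [(key, value, type_name, decoded_data), ...] from a PReg blob."""
    if not blob.startswith(PREG_HEADER):
        raise ValueError("not a version-1 PReg registry.pol file")
    pos, entries = len(PREG_HEADER), []
    while pos < len(blob):
        key, pos = _read_sz(blob, _expect(blob, pos, "["))
        value, pos = _read_sz(blob, _expect(blob, pos, ";"))
        rtype = struct.unpack_from("<I", blob, _expect(blob, pos, ";"))[0]
        size = struct.unpack_from("<I", blob, _expect(blob, pos + 6, ";"))[0]
        pos = _expect(blob, pos + 12, ";")            # skip ';' DWORD ';' DWORD ';'
        data, pos = blob[pos:pos + size], _expect(blob, pos + size, "]")
        entries.append((key, value, REG_TYPES.get(rtype, f"type {rtype}"), _decode(rtype, data)))
    return entries
SAMPLE_POL = build_pol([                              # constructed stand-in for a third-party Machine\registry.pol
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", 4, struct.pack("<I", 0)),
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUServer", 1, _w("http://wsus.example.local\0")),
])
```

Run `parse_pol(open(path, "rb").read())` on a real Machine\registry.pol to list every key, value and data it will set; the same parser works on a local registry.pol exported with LGPO.exe, since the format is the same.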
  • Hello,

    If I am reading properly, one option would be to do this:

    1) Open our Domain GPMC

    2) Create some policy with some name

    3) Go to our Domain Sysvol policies folder

    4) Find the policy I just made (get the GUID out of GPMC's console)

    5) Copy the Machine and User folder from the foreign GPO folder into the new one

    6) Refresh our new policy and I should see the settings "migrated"?

    Unfortunately, we don't really have a test environment operational at the moment!

    Thanks!

    Tuesday, December 06, 2016 2:28 PM
  • > 3) Go to our Domain Sysvol policies folder
     
    No. Simply in gpmc, right click your GPO -> "import settings"...
     
    • Marked as answer by MEversbergII Tuesday, December 06, 2016 5:17 PM
    Tuesday, December 06, 2016 2:58 PM
  • AH!  For some reason when I tried that yesterday, nothing would display on the Import.  I may have done something wrong then, because the policies do show today!

    I have imported all the object settings they have provided (though none are yet linked as they'll need further review, testing, etc). 

    Evidently I will need a migration table for one object because it references UNCs or other items that require a migration table.  I'm using the MT editor to create it by loading the references directly from the imported object (which was given instruction to import references directly).  However, it seems like the "Source Names" are all generic - "Service", "Network Service", "Guests", "Administrators", "Users", "Local Service".  These aren't things we renamed - those are just the generic Windows names for those groups and Principals.  Unless I'm missing something terrible?

    Having done some coursework on server management, I do remember the basics of migration tables in concept, but I've not actually had an opportunity to perform the tasks - this is my guide:  https://technet.microsoft.com/en-us/library/cc753786(v=ws.11).aspx

    I'm not missing something, am I?


    Thanks!

    Tuesday, December 06, 2016 4:01 PM
  • > Evidently I will need a migration table for one object because it references UNCs or other items that require a migration table.
     
    Migtables are only required if you need to translate security principals from the source domain. Built-in accounts don't need this translation, but the import wizard detects anyway that principals are present :)
     
    > "Service", "Network Service", "Guests", "Administrators", "Users", "Local Service".
     
    Then you are fine without a migtable.
     
    • Marked as answer by MEversbergII Tuesday, December 06, 2016 5:18 PM
    Tuesday, December 06, 2016 4:54 PM
  • Fantastic - looks like everything is set, then!

    Thanks again!

    Tuesday, December 06, 2016 5:18 PM