GPO Backups - Import + Merge + Export problems

  • Question

  • Hi guys,

    I've been having a weird issue with SCM that I hope you can shed some light on.

    Scenario:
    Via GPMC:
    * Backup Group Policy A to a folder.
    * Backup Group Policy B to a folder.

    Via SCM
    * Import Group Policy A.
    * Import Group Policy B.
    * Compare/Merge GPOA to GPOB.
    * Merge Baselines as "Group Policy A v2"
    * Export to GPO Backup (folder) "Group Policy A v2 (SCM Export)"
    - Successful, but some settings were dropped "as they are were not configured", e.g.:

    Setting Name: NoChangingWallPaper , UI Path: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop , CCEID: 
    Setting Name: DisablePersonalDirChange , UI Path: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer , CCEID: 
    Setting Name: NoThemesTab , UI Path: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer , CCEID: 
    Setting Name: fEnableTimeZoneRedirection , UI Path: Software\Policies\Microsoft\Windows NT\Terminal Services , CCEID: 
    + a few more

    * Import GPO Backup "Group Policy A v2 (SCM Export)" (i.e. the same one that we just exported)
    * Compare/Merge "Group Policy A v2" to "Group Policy A v2 (SCM Export)"

    Result:
    - Settings that differ: 0
    - Settings that match: 43
    - Settings only in Baseline A: 28
    - Settings only in Baseline B: 39

    For some reason the exported GPO doesn't match the merged baseline GPO.

    Version Info:
    SCM v2.5.40
    Software Library: v1.5.21101

    I've emailed a copy of the GPMC Backups to secwish@microsoft.com, referencing this thread.

    Any thoughts about why the merged, exported then imported GPO doesn't match the merged baseline?

    Thanks & Regards,
    Tim

    Thursday, January 10, 2013 12:37 AM

Answers

  • Tim;

    I’m not certain about your specific situation, but in general terms there are two issues that are probably causing what you see:

    1. Settings that are “Not Defined\Not Configured” are included in the “unique setting” count, but are not included in an export GPO Backup (GPO Backups\GPOPacks do not include data for “Not Defined\Not Configured” settings). SCM (.cab) files will include all data that makes up a baseline (i.e. “Not Defined\Not Configured” settings are included).
    2. There are flaws in the design for GPO imports in SCM. Basically the consequence is that when you import a GPO and associate the new baseline with a product, settings are not always correctly mapped to the library of settings in SCM. This causes settings to be dropped and discrepancies with the setting count.

    We apologize about this, we first realized there was a problem a few months ago, right after we published SCM 2.5, but initially we thought it was a problem in the setting data. After fixing those issues our internal testing showed there were more challenging problems with the code itself, and we didn't have enough time to fix it in SCM 3.0. It's somewhat better in SCM 3.0 because we’ve improved the data in the settings library, but fully resolving it requires extensive changes to the code in SCM. We don’t have a target date for resolving it.

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com


    Friday, January 11, 2013 4:21 PM
    Moderator

All replies

  • Not sure why "check mark" if it's a known issue without a workaround. I'm running 4.0.0.1 and setting library 2.0.82001 and the problem is still there when an export is done. Any new info about this?
    Friday, November 11, 2016 2:54 PM
  • I can confirm that this is still an issue with SCM 4.0.0.1 for which at least I don't know any workaround. Therefore I doubt the "check mark". I import a GPO backup into SCM, then export it and import it again under a different name. Then I have some settings missing, i.e. settings not configured anymore in the SCM exported GPO and even some different settings. It is not much by any means but if you merge several GPOs with hundreds of settings it is nearly impossible to keep track of what is missing in the final export since it may well be that the import of SCM is flawed. 

    Another thing I observed is the different number of settings reported by SCM and the MS Policy Analyzer:

    https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/

    E.g.:

    Policy exported from DC: SCM reports 196 settings whereas Policy Analyzer reports 393

    Policy imported in SCM and then exported: SCM then reports 193 settings and Policy Analyzer 379 (3 or 14 missing?)

    To my knowledge, there is no other more reliable way to merge GPOs (please correct me if there is) other than the SCM, but looking at these results this is not yet a sufficient solution for my case.

    • Proposed as answer by pada454 Friday, October 6, 2017 2:14 AM
    Monday, January 23, 2017 2:55 PM
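
Added example (not part of the thread, and not SCM or Policy Analyzer code): a GPO backup keeps its registry-based settings in registry.pol files under the backup's DomainSysvol\GPO\Machine and User folders, so diffing the file from the merged source against the one from the SCM export lists exactly which settings the round trip dropped or altered. The sample entries are constructed from setting names quoted in the question; `parse_pol`, `diff_pol` and `build_pol` are names chosen here.

```python
import struct

def parse_pol(blob):
    """Parse Registry.pol (PReg v1) bytes into {(key, value): (type, data)}."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, {}
    def expect(ch):                        # delimiters are UTF-16LE characters
        nonlocal pos
        if blob[pos:pos + 2] != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    def wstr():                            # NUL-terminated UTF-16LE string
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    while pos < len(blob):                 # record: [key;value;type;size;data]
        expect("["); key = wstr()
        expect(";"); value = wstr()
        expect(";"); rtype, = struct.unpack_from("<I", blob, pos); pos += 4
        expect(";"); size, = struct.unpack_from("<I", blob, pos); pos += 4
        expect(";"); data = blob[pos:pos + size]; pos += size
        expect("]")
        out[key.lower(), value.lower()] = (rtype, data)  # names are case-insensitive
    return out

def diff_pol(before, after):               # compare two parsed files
    return {"dropped": sorted(before.keys() - after.keys()),
            "added": sorted(after.keys() - before.keys()),
            "changed": sorted(k for k in before.keys() & after.keys()
                              if before[k] != after[k])}

def build_pol(entries):                    # helper that builds constructed samples
    w = lambda s: s.encode("utf-16-le")
    recs = (w("[" + k + "\0;" + v + "\0;") + struct.pack("<I", t) + w(";")
            + struct.pack("<I", len(d)) + w(";") + d + w("]")
            for k, v, t, d in entries)
    return b"PReg" + struct.pack("<I", 1) + b"".join(recs)

EXP = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
ONE = struct.pack("<I", 1)                 # REG_DWORD (type 4) value 1, constructed
MERGED = build_pol([(EXP, "NoThemesTab", 4, ONE), (EXP, "DisablePersonalDirChange", 4, ONE)])
EXPORTED = build_pol([(EXP, "nothemestab", 4, ONE)])
REPORT = diff_pol(parse_pol(MERGED), parse_pol(EXPORTED))
```

Only registry-based (Administrative Template) settings live in registry.pol; security template and audit settings in a backup are stored in other files and are not covered by this comparison.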