locked
How to merge different GPO settings into a single GPO RRS feed

  • Question

  • Hello,

    As part of Windows 7 migration, we are planning to merge existing computer GPO settings which are scattered across different GPO into a single GPO. Is there a way to do this? Using GPMC tool, I tried to export one GPO settings and imported into another GPO but import operation is overwriting existing GPO settings.

    -Chandu
    Thursday, January 7, 2010 10:28 AM

Answers

  • No, this is not possible.
    All registry based settings are stored in "Registry.pol" files on SYSVOL. You canot merge these binary files.
    Not officially supported and even I don't see a dirty trick here.
    Merging always needs conflict checking and stuff like this.

    I only see a chance for GPP items:
    If you already use GP Preferences you can export these items as XML and import it to another GPO.

    My advise for merging or consolidating is:
    - Document your existing GPOs well.
    - Detect and eliminate conflicts.
    - Design your new GPO.
    - Create a documentation for your new GPO with all the settings you need.
    - Create the new GPO based on your documentation.
    Patrick
    • Marked as answer by Bruce-Liu Wednesday, January 13, 2010 7:06 AM
    Thursday, January 7, 2010 11:54 AM
  • Hi Chandu,

     

    The GPMC import facility always overrides what's there. Usually, if you need to merge GPO, you may make changes to a policy in a test environment, verify all is well and then import into the live environment. Therefore replace, as opposed to merge, is what we can do. Thanks for your understanding.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Wednesday, January 13, 2010 7:06 AM
    Friday, January 8, 2010 7:36 AM

All replies

  • No, this is not possible.
    All registry based settings are stored in "Registry.pol" files on SYSVOL. You canot merge these binary files.
    Not officially supported and even I don't see a dirty trick here.
    Merging always needs conflict checking and stuff like this.

    I only see a chance for GPP items:
    If you already use GP Preferences you can export these items as XML and import it to another GPO.

    My advise for merging or consolidating is:
    - Document your existing GPOs well.
    - Detect and eliminate conflicts.
    - Design your new GPO.
    - Create a documentation for your new GPO with all the settings you need.
    - Create the new GPO based on your documentation.
    Patrick
    • Marked as answer by Bruce-Liu Wednesday, January 13, 2010 7:06 AM
    Thursday, January 7, 2010 11:54 AM
  • Hi Chandu,

     

    The GPMC import facility always overrides what's there. Usually, if you need to merge GPO, you may make changes to a policy in a test environment, verify all is well and then import into the live environment. Therefore replace, as opposed to merge, is what we can do. Thanks for your understanding.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Wednesday, January 13, 2010 7:06 AM
    Friday, January 8, 2010 7:36 AM
  • I am sure you will understand if we in the user community hate that answer...
    Monday, January 3, 2011 1:57 PM
  • I despise that answer! If you show me a third party company that comes along that can merge multiple GPO's into a single GPO, I'll show you a company set to make a lot of money!

     

    Thursday, August 11, 2011 2:09 PM
  • Even though this is a rather old thread, let me point you to this blogpost, where at least the bigger part of your request is fulfilled.

    Kind Regards


    Christoph Schmidt || Consultant @ Microsoft My Blog || LinkedIn || XING
    Monday, September 5, 2011 11:15 AM
  • The Microsoft Security Compliance Manager has a merge feature that can take imported GPOs and merge settings. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776
    • Proposed as answer by Lucas L Thursday, January 26, 2012 11:42 PM
    • Edited by Lucas L Thursday, January 26, 2012 11:43 PM
    Thursday, January 26, 2012 11:42 PM
  • Here's something that may also be helpful using PowerShell:
    Finally! Copy and merge GPOs! PowerShell saves the day!...
    http://blogs.technet.com/b/ashleymcglone/archive/2011/01/19/finally-copy-and-merge-gpos-powershell-saves-the-day.aspx
    • Proposed as answer by In The Round Friday, March 29, 2013 2:15 PM
    Friday, March 29, 2013 2:14 PM
  • Keep in mind that that TechNet article only covers a very small subset of GP settings--Admin Templates and GP Preferences registry settings. Anything outside of that and you're out of luck. That said, we've been supporting the ability to read/write GP settings from PowerShell across most policy areas since 2007:

    http://sdmsoftware.com/group-policy-management-products/group-policy-automation-engine/

    Darren


    Darren Mar-Elia MS-MVP, Group Policy
    www.gpoguy.com
    www.sdmsoftware.com - "The Group Policy Experts"

    Friday, March 29, 2013 2:58 PM
  • Am 29.03.2013 15:14, schrieb In The Round:
    > Here's something that may also be helpful using PowerShell:
    > Finally! Copy and merge GPOs! PowerShell saves the day!...
     I fully agree with Darren. Not only that the post you mention is more
    than two years old - PowerShell support (or VBS or whatever language)
    for GPOs hasn't really evolved in the last years.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Friday, March 29, 2013 11:35 PM
  • The Microsoft Security Compliance Manager has a merge feature that can take imported GPOs and merge settings. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776

    SCM is by far the best tool to accomplish this task (glad to see Lucas already provided this answer but I'd like to emphasize it). It will allow you to merge two GPOs and provides option for side by side comparison and merging of a new GPO. In other words you'll see a display of each value in GPO A, the value in GPO B, and be given an option to choose A or B for a new GPO C.

    To use the tool, simply export the GPO from the domain using Group Policy Management Console (GPMC.msc) as a backup and import into the SCM tool. If the policy is local rather than domain, you can use the LocalGPO tool provided with SCM to export and import policies from a system's local GPO (gpedit.msc does not provide a backup/export feature that I'm aware of).

    LocalGPO is amazing on it's own as it provides the ability to create "GPO Packs" which are essentially a copy of the GPO backup with some included scripts to run the GPO import on a system without having to install either the SCM or LocalGPO tool. This effectively means you can apply local GPO via script: using domain GPO to ensure everything is consistent, during system compliance checks, backup and recovery scenarios, or any other time you might want to manage local group policy.

    The GPO Packs are also an integral component of the Microsoft Deployment Toolkit which allows you to build system images and deployment toolkits. Most enterprises and OEMs use the MDT (or the SCCM/SCOM equivalent tools) to deploy systems as it natively handles system deployment without the additional cost of tools like Symantec Ghost or Altiris.

    Wednesday, October 28, 2015 6:45 PM
  • This thread is ancient, but still pointed me in the right direction for MSCM.
    However, the original link above is only for Win 7 and 8.

    The NEW v4.0 is good up to Win10 and Svr2016 here:
    https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx?f=255&MSPPError=-2147217396
    Hmmm that link looks goofy so if it doesn't work, here's the download page with more info
    https://www.microsoft.com/en-us/download/details.aspx?id=53353

    Thanks for posting this

    Wednesday, January 31, 2018 2:06 AM