Recipe 9.3 Copying a GPO

9.3.1 Problem

You want to copy the properties and settings of a GPO to another GPO.

9.3.2 Solution

Using a graphical user interface

  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the source GPO, and expand the Group Policy Objects container.

  3. Right-click on the source GPO and select Copy.

  4. Right-click on the Group Policy Objects container and select Paste.

  5. Select whether you want to use the default permissions or preserve the existing permissions, and click OK.

  6. A status window will pop up that will indicate whether the copy was successful. Click OK to close.

  7. Rename the new GPO by right-clicking it in the left pane and selecting Rename.

Using a command-line interface

> copygpo.wsf <SourceGPOName> <TargetGPOName>

Using VBScript

' This code copies a source GPO to a new GPO
' ------ SCRIPT CONFIGURATION ------
strSourceGPO  = "<SourceGPOName>"  ' e.g. SalesGPO
strNewGPO     = "<NewGPOName>"     ' e.g. Marketing GPO
strDomain     = "<DomainDNSName>"  ' e.g.
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the source GPO by display name
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strSourceGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

' Continue only if exactly one GPO matched the display name
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strSourceGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Copy from source GPO to target GPO
' (first parameter 0 = default handling of permissions)
set objGPMResult = objGPOList.Item(1).CopyTo(0, objGPMDomain, strNewGPO)

' This will throw an exception if there were any errors
' during the actual operation.
on error resume next
objGPMResult.OverallStatus( )
if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status message(s): " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Display the results
if Err.Number <> 0 then
   WScript.Echo "Error copying GPO."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Copy successful to " & strNewGPO & "."
end if

9.3.3 Discussion

Prior to the GPMC tool, one of the big problems with managing GPOs in large environments was migrating them from one forest to another. It is common to have a test forest where GPOs are initially created, configured, and tested before moving them into production. The problem was that once you had the GPO the way you wanted it in the test forest, there was no easy way to move it to the production forest.

With the GPMC you can simply copy GPOs between domains and even forests. Copying GPOs between forests requires a trust to be in place between the two target domains (or a forest trust between the two forests). If this is not possible, you can import GPOs, which is similar to a copy except that a trust is not needed. A GPO import uses a backup of the source GPO in order to create the new GPO. See Recipe 9.7 for more information on importing a GPO.

Some properties of GPOs, such as security group filters or UNC paths, may vary slightly from domain to domain. In that case, you can use a GPMC migration table to help facilitate the transfer of those types of references to the target domain. For more information on migration tables, see the GPMC help file.

Using VBScript

To copy a GPO, I have to first find the source GPO. To do this, I use a GPMSearchCriteria object to find the GPO whose display name equals the one specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero GPOs or more than one are returned, I have to abort the script.

Now that I have a GPMGPO object, I'm ready to copy the GPO using the GPMGPO.CopyTo method. The first parameter to CopyTo is a flag that indicates how permissions in the source GPO should be handled when copying them to the new GPO. I specified 0 to use the default setting (see the GPMC help file for the other values). The second parameter is a GPMDomain object of the domain the GPO should be copied to. The last parameter is the display name of the new GPO.
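The same copy with the permission choice made explicit and the resulting ACL listed for review, as an added example that is not part of the original recipe. It uses the GroupPolicy PowerShell module instead of the GPMgmt.GPM COM object; the function name Copy-GpoChecked and the sample names in the last comment are assumptions.

```powershell
#Requires -Modules GroupPolicy
# Added example: Copy-GpoChecked is a hypothetical helper name, not a built-in cmdlet.
function Copy-GpoChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceName,
        [Parameter(Mandatory)] [string] $TargetName,
        [Parameter(Mandatory)] [string] $Domain,
        # Off by default: the new GPO gets default permissions, the first of the
        # two choices offered in step 5 of the GUI procedure.
        [switch] $PreservePermissions
    )

    # Display names are not unique, so enumerate and filter rather than
    # trusting a single lookup (same check as the recipe's if/elseif/else).
    $all    = @(Get-GPO -All -Domain $Domain)
    $source = @($all | Where-Object DisplayName -eq $SourceName)
    if ($source.Count -ne 1) {
        throw "Expected exactly one GPO named '$SourceName' in $Domain, found $($source.Count)."
    }
    # Refuse to create a second GPO that shares the target display name.
    if ($all | Where-Object DisplayName -eq $TargetName) {
        throw "A GPO named '$TargetName' already exists in $Domain."
    }

    if (-not $PSCmdlet.ShouldProcess($TargetName, "Copy GPO '$SourceName'")) { return }

    # Copy by GUID so the GPO that was checked is the GPO that is copied.
    $copy = Copy-GPO -SourceGuid $source[0].Id -SourceDomain $Domain `
                     -TargetName $TargetName -TargetDomain $Domain `
                     -CopyAcl:$PreservePermissions -ErrorAction Stop

    # Report every trustee holding more than read/apply on the new GPO.
    $readOnly = 'GpoRead', 'GpoApply'
    Get-GPPermission -Guid $copy.Id -DomainName $Domain -All |
        Where-Object { $_.Permission.ToString() -notin $readOnly } |
        Select-Object @{ n = 'GPO';     e = { $copy.DisplayName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Inherited
}

# Constructed values; -WhatIf runs both name checks and stops before copying.
# Copy-GpoChecked -SourceName 'SalesGPO' -TargetName 'Marketing GPO' -Domain 'corp.example.com' -WhatIf
```

With -PreservePermissions the edit rights delegated on the source GPO carry over to the copy, so the returned list is the place to confirm that nobody gained edit access to the new GPO unintentionally.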

9.3.4 See Also

Recipe 9.7 for importing a GPO and MSDN: GPMGPO.CopyTo
