You may sometimes find it necessary to copy Group Policy Objects (GPOs) from one Active Directory domain to another. This can be useful when you want to apply the same policy settings to groups of users or computers in different domains within a multi-domain forest, or when you are performing a migration from one domain to another.
GPOs can be backed up and restored using the Group Policy Management Console (GPMC), but a GPO backed up in one domain cannot be restored in another. However, the settings of the backed-up GPO can be imported into an existing GPO in the new domain. The GPO in the new domain should be empty, as its settings will be overwritten by those of the backed-up GPO during the import process.
There is one potential issue when importing settings from a GPO in another domain: the source GPO may contain domain-specific references, such as a UNC path to a server in the source domain, that will not be valid in the destination domain. If this is the case, a migration table must be used to convert those references to ones that are valid in the destination domain. Migration tables can either be created ahead of time or during the import process.
To import the settings of a GPO in one domain into a GPO in another domain, follow these steps:
- Back up the source GPO. Make sure the backup is accessible from a domain controller (DC) in the destination domain.
- Using the GPMC on a DC in the destination domain, create a new, blank GPO and give it an appropriate name.
- Right-click the new GPO and select Import Settings…
- Click Next on the welcome screen.
- Since you are importing into a blank GPO, it does not need to be backed up first. Click Next on the Backup GPO screen.
- Specify the location of the backed-up GPO and click Next.
- If the specified backup location contains multiple backed-up GPOs, select the correct one from the list. You can click View Settings to see the policy settings contained within the selected GPO if you wish. Click Next once you have selected a GPO to import.
- The wizard will then scan the GPO being imported to determine whether it contains domain-specific references, which may need to be modified in order for machines or user accounts in the new domain to function properly with the imported GPO. The wizard will report whether it finds such references. Click Next.
- If the wizard found domain-specific references, you have two options:
- To leave the references as-is, select Copying them identically from the source and click Next. The references will not be changed at all, which may cause problems in the new domain.
- To modify the references, select Using this migration table to map them in the destination GPO.
You can use the Browse button to locate a migration table not listed in the drop down list, or the New button to create a new one. You may also click the Edit button to modify an existing migration table before using it. Click Next when you have chosen a migration table.
- Review the summary and click Finish. The GPO will be imported.
- Click OK when the import completes.