Export Group Policy / Import on new (Untrusted) Forest 2

[djhawthorn]

Is there any way in a Windows 2000 native forest (note: no 2003) to export a group policy object (or objects), then import that policy object (or its configuration settings/policies basically) in a new, untrusted, unrelated forest?

I basically manage around 90 forests/domains, all seperate entities that never talk to one another, and at this stage, never will. However, they all have the same setup.

I am wanting to be able to configure one of those domains with some Group Policy objects, then export (or backup) the configuration of those ojects, and import (or restore) them to the other 89 domains. Manually (re)creating the objects is not an option - too many man-hours involved in a horrible nightmare of going through the less-than-fantastic GUI that comes with AD Users and Computers for 2000.

MCSE NT4/W2K

 

[aftertaf]

if you have an XP machine around, use it and get GPMC installed.

With this you can do a backup of GPOs and maybe this could work in order to do what you are trying to do.

horrible nightmare of going through the less-than-fantastic GUI that comes with AD Users and Computers for 2000

this is why GPMC is so outstanding... for a 2000 Admin, it is by far one of the most important tools around, worth having XP just for this
plus on XP you can install 2003 support tools, and they work with 2000!!!!


Aftertaf
__________________
squiggle squiggle

 

[djhawthorn]

aftertaf,

Thanks - I have downloaded and installed the GPMC and installed it on my XP laptop. My problem with it (at the moment) is there is no DNS resolution across the forests, and so when I try and connect to a remote forest, GPMC can't connect/find the domain controller.

I have tried adding entries into the HOSTS file to the main domain controller of one of the other forests, to no avail. GPMC still can't seem to find the remote domain (even though its pingable). I get the error "The specified domain either does not exist, or could not be contacted."

MCSE NT4/W2K

 

[djhawthorn]

For anyone who is reading this post wanting a similar solution:

I found Microsoft distribute something called "IntelliMirror Scenarios" (Installs as "Common Desktop Management Scenarios"), which is basically a set of GPO's that you can import into your system to "play" with.

The part that's useful though is a batch file they use to import the GPO into your domain (which can also be used to export GPO's). It's basically two batch files (loadpol.bat and savepol.bat) which you can edit to load and save your own GPO's. They call a main "gpbackup.bat" file, which in turn calls numerous .exe and .vbs files (either included in the package, or come on the Windows 2000 Server CD-ROM) to import/export GPO's.

From the readme:
4. KNOWN ISSUES
------------
1. The GPOs are created using hard coded Globally Unique Identifiers (GUIDs) and the script will fail if the GUID for any of the GPOs already exists. To successfully run the loadpol.bat file again, the existing policies must be deleted.

2. The security on the Group Policy template (located in the SysVol directory) may not be synchronized with the Group Policy container (located in Active Directory). It will inherit the default file system security for SysVol, which, if they have not been modified, should work as expected. To ensure they are synchronized, modify the security for the GPO (using either of the Active Directory snap-ins and the Group Policy snap-in) and the security will automatically be synchronized.


Check MS's web site for a download of this product.

MCSE NT4/W2K

 

[aftertaf]

nice find...
sounds like you've got your hands full..
90 domains ?
impressed

Aftertaf
__________________
squiggle squiggle