GPMC Staging Technology Background

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

GPMC is a new tool for managing Group Policy. It includes several features for creating and maintaining Group Policy, including the Group Policy Modeling Wizard for planning Group Policy deployments, the Group Policy Results Wizard for viewing GPO interaction and for troubleshooting, and the ability to use a single MMC interface to manage Group Policy across your organization, including importing, exporting, copying, backing up, and restoring GPOs. For detailed information about GPMC features and capabilities, see Help in GPMC, and see Designing a Group Policy Infrastructure in this book. For staging Group Policy, the most important GPMC tools are those that allow you to stage and migrate GPOs between forests and domains.

Backup and Import

GPMC provides the ability to back up one or more GPOs. These backups can then be used to restore an individual GPO to its previous state (using the restore option), or backups can be imported into an existing GPO, overwriting any previous policy settings. The restore operation is used only to restore a GPO into the same domain from which it was backed up. By contrast, the import operation is used in cases where the backup was made from any GPO in the same domain, a different domain or even in a different untrusted forest, such as a test forest isolated from the production forest. Note that while both restore and import operate on previously backed-up GPOs, restore has some additional capabilities that are specific to a restore operation. You will use the backup and import operations and the copy operation to stage and migrate GPOs into your production environment. Figure 3.2 illustrates the import operation. In this case, GPO X in a test forest contains a number of security principals who are assigned the Log on locally user right. This GPO is backed up and then imported into the production forest. During the import operation, the original security principals are mapped to new ones that exist in the production domain.

Figure 3.2   GPO Import Operation Across Forests


Copy

Using the copy capability in GPMC, you can right-click a GPO, copy it from one domain, and paste it into a new domain. In a copy operation, when you copy a GPO into a new domain, a new GPO is created. This differs from the import operation, which erases and then overwrites an existing GPO. Copy operations require that the destination domain is trusted by the source domain. In addition, the administrator performing the copy operation must have rights to read the source GPO in order for the copy operation to succeed. With both import and copy operations, GPMC supports the ability to perform security principal and UNC mapping between references to those objects in the source and destination GPOs. Figure 3.3 illustrates a copy operation. In this case, a GPO is migrated from Domain B to Domain C, and some of its associated security principals are mapped to new principals in Domain C.

Figure 3.3   Copy Operation Between Domains in a Production Forest


Migration Tables

GPOs can contain references to security principals and UNC paths as part of a policy setting. For example, within security settings policies, you can control who can start and stop a particular Windows service by using the Group Policy Object Editor to specify a user or user group for that policy. Figure 3.4 illustrates the security settings that can be applied to the Messenger service. In this case, these security settings can be mapped from security principals in the staging environment to security principals in a production environment by using migration tables.

Figure 3.4   Security Principals on the Messenger Service


In addition, a GPO itself has an associated Discretionary Access Control List (DACL) that is used to control which computers, users, or groups process a GPO and which users can create, modify, and edit the GPO. The security principals associated with the DACL on a GPO can also be taken into consideration when the GPO is deployed from one domain to another.

Migration tables also support mapping of UNC paths, which might exist in Software Installation, Folder Redirection, or Scripts policy. To deal with any differences in these paths between the test and production environments, you can use migration tables to replace server and share names as you migrate Group Policy.

If a GPO created in another domain or forest is migrated to your production environment, you need a way of modifying the associated security principal references to reflect the references found in the production domain. GPMC provides a Migration Table Editor (MTE) that you can use to create a mapping file for security principals and UNC paths. MTE creates an XML format file with a .migtable extension; this file specifies the source and destination security principals or UNC paths for a GPO migration. For more information about MTE, see Creating Migration Tables later in this chapter.
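The following Python script is an added example, not part of this chapter and not GPMC's own code. It models what a migration table does during an import or copy: every security principal reference (a user right assignment, a service DACL) and UNC path reference (a Folder Redirection target) taken from a test-forest GPO is rewritten to its production-forest equivalent, and any reference for which the table has no entry is reported rather than silently carried over. The XML layout, the domain names TEST and CORP, the server names, and the GPO contents are all constructed for this example; the XML is a simplified stand-in for the .migtable file that MTE produces, not its documented schema, and the prefix matching on UNC paths is a design choice of this example.

```python
"""Added example (not from the Windows Server 2003 Deployment Kit): applies a
migration table to the security-principal and UNC-path references in a GPO.

The XML layout below is a simplified stand-in for GPMC's .migtable format; it is
an assumption made for this example, not the documented schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed migration table. Each <Mapping> names the reference type, the value
# as it appears in the test-forest GPO, and the production-forest replacement.
MIGTABLE_XML = r"""<?xml version="1.0"?>
<MigrationTable>
  <Mapping>
    <Type>User</Type>
    <Source>TEST\jdoe</Source>
    <Destination>CORP\jdoe</Destination>
  </Mapping>
  <Mapping>
    <Type>Group</Type>
    <Source>TEST\Helpdesk Operators</Source>
    <Destination>CORP\Helpdesk Operators</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\testsrv01\redirected</Source>
    <Destination>\\prodfs01\profiles</Destination>
  </Mapping>
</MigrationTable>
"""

# Constructed test-forest GPO content: the kinds of references the chapter says a
# migration table rewrites (a user right, a service DACL, a Folder Redirection path).
TEST_GPO = {
    "user_rights": {
        "SeInteractiveLogonRight": [
            "TEST\\jdoe", "TEST\\Helpdesk Operators", "BUILTIN\\Administrators",
        ],
    },
    "service_dacl": {
        "Messenger": ["TEST\\Helpdesk Operators", "TEST\\svc-legacy"],
    },
    "folder_redirection": {
        "Documents": "\\\\testsrv01\\redirected\\%USERNAME%",
    },
}


@dataclass
class MigrationTable:
    principals: dict = field(default_factory=dict)  # lower-cased source -> destination
    unc_paths: dict = field(default_factory=dict)   # lower-cased source -> destination


def load_migration_table(xml_text):
    """Parse the (assumed) migration table layout into lookup dictionaries.
    Windows account and share names are case-insensitive, so keys are lower-cased."""
    table = MigrationTable()
    root = ET.fromstring(xml_text)
    for mapping in root.findall("Mapping"):
        kind = mapping.findtext("Type")
        src = mapping.findtext("Source")
        dst = mapping.findtext("Destination")
        if kind == "UNCPath":
            table.unc_paths[src.lower()] = dst
        else:
            table.principals[src.lower()] = dst
    return table


def apply_migration_table(gpo, table):
    """Return (rewritten GPO, list of references that had no mapping).

    An unmapped reference is the failure mode to check for before importing: left
    unchanged, it would name a principal or share from the test forest that the
    production forest cannot resolve."""
    unmapped = []

    def map_principal(name):
        # Well-known principals exist in every domain and need no mapping.
        if name.upper().startswith(("BUILTIN\\", "NT AUTHORITY\\")):
            return name
        dst = table.principals.get(name.lower())
        if dst is None:
            unmapped.append(name)
            return name
        return dst

    def map_unc(path):
        # Replace the server\share prefix, keeping any trailing subpath.
        lowered = path.lower()
        for src, dst in table.unc_paths.items():
            if lowered == src or lowered.startswith(src + "\\"):
                return dst + path[len(src):]
        unmapped.append(path)
        return path

    migrated = {
        "user_rights": {r: [map_principal(p) for p in ps] for r, ps in gpo["user_rights"].items()},
        "service_dacl": {s: [map_principal(p) for p in ps] for s, ps in gpo["service_dacl"].items()},
        "folder_redirection": {k: map_unc(v) for k, v in gpo["folder_redirection"].items()},
    }
    return migrated, unmapped


if __name__ == "__main__":
    table = load_migration_table(MIGTABLE_XML)
    migrated, unmapped = apply_migration_table(TEST_GPO, table)
    print(migrated)
    print("unmapped references (add them to the table before importing):", unmapped)
```

Run as written, the script rewrites the mapped user, group, and share references and reports TEST\svc-legacy as unmapped, because the constructed table has no entry for it. That report is the check worth making before an import: a migration table that covers only some of a GPO's references leaves the remainder pointing at the staging forest.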