Preparing for Deployment to Production
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Once you are satisfied that your changes to Group Policy have been thoroughly tested in the staging environment, you are almost ready to deploy the new or changed GPOs in your production environment. Before you can do that, however, you need to assess whether you will need to map security principals or UNC paths contained in your GPOs to different values as part of the migration. This step is illustrated in Figure 3.8.
Figure 3.8 Preparing for Deployment to Production
Determining Your Migration Mapping Requirements
Your staging environment might be a test domain in production, a separate but trusted test forest, or a separate test forest that is not trusted. In each case, you will probably have to create and use a migration table as you deploy new or changed GPOs in your production environment. Migration tables satisfy three different types of mapping requirements:
You need to map an Access Control Entry (ACE) on one or more GPOs to different security principals as you migrate the GPOs to the production environment. The ACEs on a GPO describe which users, computers and computer groups will process that GPO, and which users or user groups can view and edit settings in or delete the GPO.
You need to map security principals within security policy settings or Folder Redirection settings defined in one or more GPOs. Specifically, policies such as User Rights Assignment, Restricted Groups, File System, Registry, or System Services allow you to specify particular users or groups who can access or configure those resources. The Security Identifier (SID) for that user or group is stored in the GPO and must be modified to reflect production domain users or groups when the GPO is migrated.
You need to map UNC paths when you have defined software installation policy, folder redirection or scripts policies that reference UNC paths. For example, you might have a GPO that references a script stored in an external path, such as the Netlogon share on a remote server. This path might need to be mapped to a different path when the GPO is migrated. UNC paths are usually specific to a given environment, and might need to be changed when you migrate the GPO to your production environment.
If any of these three conditions is true, you will need to create a migration table that can be used to map the values in your test GPOs to the correct values in the production domain when they are migrated.
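As an added illustration (not part of the original Microsoft documentation), the following Python check reads a migration table before deployment and flags entries that would leave a staging security principal or UNC path in a production GPO. The sample table and its STAGING/PROD domain and server names are constructed, and the XML element names reflect the GPMC .migtable layout as an assumption, because this page does not show the file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the GPMC .migtable layout (assumed).
SAMPLE = r"""<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
 <Mapping><Type>GlobalGroup</Type><Source>STAGING\GPO Editors</Source><Destination>PROD\GPO Editors</Destination></Mapping>
 <Mapping><Type>User</Type><Source>STAGING\svc-backup</Source><Destination>STAGING\svc-backup</Destination></Mapping>
 <Mapping><Type>UNCPath</Type><Source>\\stg-dc01\NETLOGON\logon.cmd</Source><Destination>\\prod-dc01\NETLOGON\logon.cmd</Destination></Mapping>
 <Mapping><Type>UNCPath</Type><Source>\\stg-fs01\apps\tool.msi</Source><DestinationSameAsSource /></Mapping>
 <Mapping><Type>LocalGroup</Type><Source>STAGING\Helpdesk</Source></Mapping>
</MigrationTable>"""

def _local(tag):
    # Drop the "{namespace}" prefix so the check does not depend on its exact URI.
    return tag.rsplit("}", 1)[-1]

def load_mappings(xml_text):
    """Return (type, source, destination) per entry; destination is None if unset."""
    rows = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "Mapping":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in node}
        dest = f.get("Source", "") if "DestinationSameAsSource" in f else f.get("Destination")
        rows.append((f.get("Type", ""), f.get("Source", ""), dest))
    return rows

def scope_of(kind, value):
    """Server of a UNC path, or domain of a DOMAIN\\name or name@domain principal."""
    if kind == "UNCPath":
        return value.lstrip("\\").split("\\", 1)[0].lower()
    if "\\" in value:
        return value.split("\\", 1)[0].lower()
    return value.rsplit("@", 1)[-1].lower() if "@" in value else ""

def audit(xml_text, staging_domains, staging_servers):
    """List (source, reason) for entries that would carry staging values forward."""
    domains = {d.lower() for d in staging_domains}
    servers = {s.lower() for s in staging_servers}
    findings = []
    for kind, source, dest in load_mappings(xml_text):
        if not dest:
            findings.append((source, "no explicit destination"))
        elif scope_of(kind, dest) in (servers if kind == "UNCPath" else domains):
            findings.append((source, "destination still points at staging"))
    return findings

if __name__ == "__main__":
    for source, reason in audit(SAMPLE, {"STAGING"}, {"stg-dc01", "stg-fs01"}):
        print(f"{reason}: {source}")
```

An entry reported as having no explicit destination is a prompt for review, not necessarily an error, since it may rely on a destination option this check does not model.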