Copy using GPMC
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A copy operation allows you to transfer settings from an existing Group Policy object (GPO) in Active Directory directly into a new GPO. The new GPO created during the copy operation is given a new globally unique identifier (GUID) and is unlinked. You can use a copy operation to transfer settings to a new GPO in the same domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy between production environments, and for migrating Group Policy that has been tested in a test domain or forest to a production environment, as long as there is trust between the source and destination domains.
For step-by-step instructions, see Copy a Group Policy object using GPMC.
Copying is similar to a backing up followed by importing, but there is no intermediate file system step, and a new GPO is created as part of the copy operation. For information about backup, see Backup using GPMC.
The import operation, by contrast with the copy operation, does not require trust. For information about the import operation, see Import using GPMC.
Specifying the discretionary access control list (DACL) on the new GPO
You have two options for specifying the DACL to use on the new GPO:
Use the default permissions that are used when creating new GPOs.
Preserve the DACL from the source GPO. For this option, you can specify a migration table, used to facilitate the transfer of references to security groups, users, computers, and UNC paths in the source GPO to new values in the destination GPO. If you specify a migration table for the copy operation, and you choose the option to preserve the DACL from the source GPO, the migration table will apply to any security principals in the DACL. For information on migration tables, see Migration tables.
Copying within a domain compared with copying to another domain
Copying a GPO to another domain is slightly different from copying it to the same domain:
When copying a GPO within the same domain, you have a simple choice of two options, just described, for choosing the DACL. However, for copy operations to another domain, GPMC presents a wizard to facilitate the operation. The wizard guides you through the following choices:
Choice of DACL for the new GPO, as described earlier.
Specification of migration table, if applicable. A migration table allows you to facilitate the transfer of references to security groups, users, computers, and UNC paths in the source GPO to new values in the destination GPO. For more details, see Migration tables.
When copying a GPO within the same domain, any link to a WMI filter is preserved. However, when copying a GPO to a new domain, the link is dropped because WMI filters can only be linked to GPOs within the same domain.