Copy a GPO to Create a New GPO

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To create the GPO for the boundary zone computers, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and Computers MMC snap-in.

Administrative credentials

To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs.

To make a copy of a GPO

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, and then click Group Policy Objects.

  4. In the details pane, right-click the GPO you want to copy, and then click Copy.

  5. In the navigation pane, right-click Group Policy Objects again, and then click Paste.

  6. In the Copy GPO dialog box, click Preserve the existing permissions, and then click OK. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler.

  7. After the copy is complete, click OK. The new GPO is named Copy of original GPO name.

  8. To rename it, right-click the GPO, and then click Rename.

  9. Type the new name, and then press ENTER.

  10. You must change the security filters to apply the policy to the correct group of computers. To do this, click the Scope tab, and in the Security Filtering section, select the group that grants permissions to all members of the isolated domain, for example CG_DOMISO_IsolatedDomain, and then click Remove.

  11. In the confirmation dialog box, click OK.

  12. Click Add.

  13. Type the name of the group that contains members of the boundary zone, for example CG_DOMISO_Boundary, and then click OK.

  14. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client computers running Windows 7, and the new boundary zone GPO is for computers running Windows Server 2008 R2, then select a WMI filter that allows only those computers to read and apply the GPO.
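
The copy and security-filter swap in steps 4 through 13 can also be scripted with the GroupPolicy PowerShell module that is installed with Group Policy Management on Windows Server 2008 R2 and on Windows 7 with RSAT. This is an added example, not part of the original procedure: the two GPO names are placeholders, the group names are the examples used in the steps above, and the WMI filter in step 14 is still changed in the console.

```powershell
# Added example. Run as an account allowed to create GPOs in the domain.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'    # halt on the first failed step

$SourceGpo     = 'Domain Isolation GPO'       # placeholder: the GPO being copied
$NewGpo        = 'Boundary Zone GPO'          # placeholder: name for the copy
$IsolatedGroup = 'CG_DOMISO_IsolatedDomain'   # example group from step 10
$BoundaryGroup = 'CG_DOMISO_Boundary'         # example group from step 13

# Steps 4-9: copy and name the GPO. -CopyAcl corresponds to
# "Preserve the existing permissions", so deny entries for exception
# groups are carried over to the new GPO.
Copy-GPO -SourceName $SourceGpo -TargetName $NewGpo -CopyAcl | Out-Null

# Steps 10-11: remove the isolated-domain group from security filtering.
# -Replace is needed because lowering an existing permission level is
# otherwise ignored.
# (On Windows Server 2012 and later the cmdlets are named
# Set-GPPermission / Get-GPPermission; the plural names remain as aliases.)
Set-GPPermissions -Name $NewGpo -TargetName $IsolatedGroup `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Steps 12-13: add the boundary-zone group with Read and Apply.
Set-GPPermissions -Name $NewGpo -TargetName $BoundaryGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check the result: only the boundary group should be able to apply the GPO.
$acl     = Get-GPPermissions -Name $NewGpo -All
$applies = @($acl | Where-Object { $_.Permission -eq 'GpoApply' } |
             ForEach-Object { $_.Trustee.Name })

if ($applies -contains $IsolatedGroup) {
    throw "$IsolatedGroup can still apply '$NewGpo'; security filter was not removed."
}
if ($applies -notcontains $BoundaryGroup) {
    throw "$BoundaryGroup was not granted Apply on '$NewGpo'."
}

# List every entry so preserved exception groups can be reviewed.
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                     Permission, Denied, Inherited |
       Format-Table -AutoSize
```

The copied GPO still carries the source GPO's settings, so the change from require to request authentication must be made before the new GPO is linked.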
