Home | Services
| About Us | Reference Area
Splitting a GPO
I needed a way to split a large Group Policy Object (GPO) into 2 GPO's. After a ton of wasted time,
I found a solution that seems to be working fairly well.
Attempt this at your own risk! Testing in a non-production environment is strongly recommended!
Please consider yourself warned that this could possibly destroy and/or corrupt your Group Policy Objects,
requiring a restore of Active Directory System State from backup!
This is a rather quick throw-together of information. Comments about this topic can be sent
My post to a Microsoft TechNet Discussion Group explains the scenario well:
I have a couple different customers, running Windows Server 2003, with a very
large "Default Domain Policy", hundreds of entries for both Computers and
Users. I now need to split apart this GPO. For example, one customer has
about 100 non-Office97 settings (Windows interface, IE, etc.), and then
another 100 settings pertaining to Office97. I need to extract the
non-Office97 Users settings into a new policy. Additionally, there are other
settings that need to be weeded out from the "Default Domain Policy", as many
of these settings date back to the early days of Windows 2000 Server.
Obviously, it would be a stupid waste of time to re-enter all the
non-Office97 settings into a new GPO one at a time. But I can't find any way
to export/import using an editable format. I wasted 8 hours trying to
achieve this with Backup/Export function in Group Policy Management Console (GPMC), editing the xml and
registry.pol files, to no avail.
No viable solutions were offered, until I came across the mirkes.de site by Markus Stephany. Update
December, 2012: his site seems to be abandoned, so I have posted batch_tools.zip
to this site. Full props go to Markus Stephany! This is an awesome little tool for converting the
registry.pol file into something I can edit with a text editor.
It took me a little bit to figure out the syntax of the gpscript command, so here are my notes to myself
to make this work:
Sample session for taking an existing GPO, and quickly removing a large portion.
Example: take a large GPO and split into 2 GPO's, removing about half from each of the new copied GPO's.
I used GPMC to copy the existing GPO into 2 new GPO's, then edited the new GPO's. Note: care must be taken
if the GPO contains settings for folder redirection, Remote Install, or SecEdit.
Be aware that with gpscript Ver. 08-21-2005a, the intent of the tool was to edit a stand-alone machine policy,
so with every command execution the gpscript will remind you to force a policy refresh (which you can safely
ignore if you are working on a registry.pol file copied from SYSVOL). Also, be careful with syntax as it seems
the two 'special' filenames: MACHINE and USER, will directly and immediately edit the local machine policy.
I recommend fully pathing the registry.pol file you are working on, and NOT working directly on the live
registry.pol file in SYSVOL.
Dump the original registry.pol file into an editable text file:
C:\Program Files\mirkes.de\Batch Tools\gpscript G:\Temp\GPO\orig_registry.pol /DUMP > G:\Temp\GPO\orig_registry.txt
I chose to make a copy of the text file:
copy G:\Temp\GPO\orig_registry.txt G:\Temp\GPO\new_registry.txt
Edit and save the new_registry.txt file, removing desired settings:
I chose to make a copy of the orig_registry.pol file:
copy G:\Temp\GPO\orig_registry.pol G:\Temp\GPO\new_registry.pol
Clear the new_registry.pol file, so that it's empty, otherwise the next command will do a merge with existing:
C:\Program Files\mirkes.de\Batch Tools\gpscript G:\Temp\GPO\new_registry.pol /CLEAR
(copying an existing .pol and clearing it may have been an extra step, but this felt safest to me).
Import the new_registry.txt into the new_registry.pol:
C:\Program Files\mirkes.de\Batch Tools\gpscript G:\Temp\GPO\new_registry.pol /FILE:G:\Temp\GPO\new_registry.txt
Fun little side-note: in all my working with the command line since before 1990, this was the first time
ever that I received a syntax error message in German! To Mr. Stephany's credit, the error messages are in
both German and English!
Then finally used Windows Explorer to move the new_registry.pol into the correct SYSVOL folder. Just to be
safe (and for easy revert), I renamed the existing registry.pol to registry.bak before renaming the
new_registry.pol to registry.pol.
I then immediately opened the policy through GPMC to verify that the settings tab was able to generate a report
without error. If that went fine, I then opened the policy in editor to see if it would open without error. The
final piece was to make the GPT.ini Version counter was incremented, so I made a stupid little settings change
in editor to up the Version Counter by one in the GPT.ini file (otherwise replication may get confused with the
file timestamp change, without Version counter change). I did not experiment with just manually changing the
Version number in GPT.ini, but I think that would have worked also.
Be aware that this manual manipulation of SYSVOL files will replicate rather quickly to all Domain Controllers.
Using GPMC, it is very easy to create test GPO's, and link/un-link them to test Organizational Units (OU's).
Testing the policy on test OU's is strongly recommended, before linking the new GPO to an OU with a lot of
|Copyright © 1996-2017 Ohman Automation Corp. All rights reserved.