Splitting a GPO
I needed a way to split a large Group Policy Object (GPO) into 2 GPOs. After a ton of wasted time, I found a solution that seems to be working fairly well.
Attempt this at your own risk! Testing in a non-production environment is strongly recommended! Please consider yourself warned that this could possibly destroy and/or corrupt your Group Policy Objects, requiring a restore of Active Directory System State from backup!
This is a rather quick throw-together of information. Comments about this topic can be sent to: jayro/at/OhmanCorp.com
My post to a Microsoft TechNet Discussion Group explains the scenario well:
I have a couple different customers, running Windows Server 2003, with a very large "Default Domain Policy", hundreds of entries for both Computers and Users. I now need to split apart this GPO. For example, one customer has about 100 non-Office97 settings (Windows interface, IE, etc.), and then another 100 settings pertaining to Office97. I need to extract the non-Office97 Users settings into a new policy. Additionally, there are other settings that need to be weeded out from the "Default Domain Policy", as many of these settings date back to the early days of Windows 2000 Server. Obviously, it would be a stupid waste of time to re-enter all the non-Office97 settings into a new GPO one at a time. But I can't find any way to export/import using an editable format. I wasted 8 hours trying to achieve this with the Backup/Export function in Group Policy Management Console (GPMC), editing the xml and registry.pol files, to no avail.
No viable solutions were offered, until I came across the mirkes.de site by Markus Stephany. Update, December 2012: his site seems to be abandoned, so I have posted batch_tools.zip to this site. Full props go to Markus Stephany! This is an awesome little tool for converting the registry.pol file into something I can edit with a text editor.
It took me a little bit to figure out the syntax of the gpscript command, so here are my notes to myself to make this work:
Sample session for taking an existing GPO and quickly removing a large portion.
Example: take a large GPO and split it into 2 GPOs, removing about half from each of the new copied GPOs. I used GPMC to copy the existing GPO into 2 new GPOs, then edited the new GPOs. Note: care must be taken if the GPO contains settings for folder redirection, Remote Install, or SecEdit.
Be aware that with gpscript Ver. 08-21-2005a, the intent of the tool was to edit a stand-alone machine policy, so with every command execution gpscript will remind you to force a policy refresh (which you can safely ignore if you are working on a registry.pol file copied from SYSVOL). Also, be careful with syntax: it seems the two 'special' filenames, MACHINE and USER, will directly and immediately edit the local machine policy. I recommend fully pathing the registry.pol file you are working on, and NOT working directly on the live registry.pol file in SYSVOL.
Dump the original registry.pol file into an editable text file (the tool's path contains spaces, so it must be quoted for cmd.exe):
"C:\Program Files\mirkes.de\Batch Tools\gpscript" G:\Temp\GPO\orig_registry.pol /DUMP > G:\Temp\GPO\orig_registry.txt
I chose to make a copy of the text file:
copy G:\Temp\GPO\orig_registry.txt G:\Temp\GPO\new_registry.txt
Edit and save the new_registry.txt file, removing the settings you want gone:
notepad G:\Temp\GPO\new_registry.txt
I chose to make a copy of the orig_registry.pol file:
copy G:\Temp\GPO\orig_registry.pol G:\Temp\GPO\new_registry.pol
Clear the new_registry.pol file so that it's empty; otherwise the next command will merge with the existing contents:
"C:\Program Files\mirkes.de\Batch Tools\gpscript" G:\Temp\GPO\new_registry.pol /CLEAR
(Copying an existing .pol and clearing it may have been an extra step, but this felt safest to me.)
Import the new_registry.txt into the new_registry.pol:
"C:\Program Files\mirkes.de\Batch Tools\gpscript" G:\Temp\GPO\new_registry.pol /FILE:G:\Temp\GPO\new_registry.txt
Fun little side-note: in all my working with the command line since before 1990, this was the first time ever that I received a syntax error message in German! To Mr. Stephany's credit, the error messages are in both German and English!
Then I finally used Windows Explorer to move the new_registry.pol into the correct SYSVOL folder. Just to be safe (and for easy revert), I renamed the existing registry.pol to registry.bak before renaming the new_registry.pol to registry.pol.
I then immediately opened the policy through GPMC to verify that the Settings tab was able to generate a report without error. If that went fine, I then opened the policy in the editor to see if it would open without error. The final piece was to make sure the GPT.ini Version counter was incremented, so I made a stupid little settings change in the editor to bump the Version counter by one in the GPT.ini file (otherwise replication may get confused by the file timestamp change without a Version counter change). I did not experiment with just manually changing the Version number in GPT.ini, but I think that would have worked also.
Be aware that this manual manipulation of SYSVOL files will replicate rather quickly to all Domain Controllers.
Using GPMC, it is very easy to create test GPOs and link/unlink them to test Organizational Units (OUs). Testing the policy on test OUs is strongly recommended before linking the new GPO to an OU with a lot of members.
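Added here as a worked example, not code from this page or from the mirkes.de tool: a small Python parser/writer for the binary registry.pol (PReg) format that does the dump/edit/import split above in one step, partitioning the entries into two files by a predicate instead of hand-editing a text dump. The sample entries and the Office\8.0 key prefix used to recognise Office 97 settings are constructed assumptions.

```python
import struct
PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # magic + format version 1
REG_DWORD = 4
U = lambda s: s.encode("utf-16-le")           # registry.pol strings are UTF-16LE

def build_pol(entries):
    """Serialize (key, value_name, reg_type, data_bytes) tuples as a PReg v1 registry.pol."""
    out = bytearray(PREG_HEADER)
    for key, value, vtype, data in entries:
        # Entry layout: [key\0;value\0;type;size;data]; '[', ';', ']' are UTF-16LE chars, type/size LE DWORDs
        out += U("[") + U(key) + b"\0\0" + U(";") + U(value) + b"\0\0" + U(";")
        out += struct.pack("<I", vtype) + U(";") + struct.pack("<I", len(data)) + U(";") + data + U("]")
    return bytes(out)

def parse_pol(blob):
    """Parse registry.pol bytes back into (key, value_name, reg_type, data_bytes) tuples."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 registry.pol")
    pos, entries = 8, []
    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != U(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    def read_str():  # walk in 2-byte code units so a 0x00 byte inside a character is not a terminator
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            end += 2
        s, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return s
    while pos < len(blob):
        expect("["); key = read_str(); expect(";"); value = read_str(); expect(";")
        vtype = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        data, pos = blob[pos:pos + size], pos + size
        expect("]"); entries.append((key, value, vtype, data))
    return entries
def split_pol(blob, predicate):
    """Split one registry.pol into two blobs: (entries NOT matching predicate, entries matching it)."""
    entries = parse_pol(blob)
    return build_pol([e for e in entries if not predicate(e)]), build_pol([e for e in entries if predicate(e)])
def is_office97(entry):  # Office 97 kept its keys under Office\8.0; assumed prefix for this demo
    return entry[0].lower().startswith(r"software\microsoft\office\8.0")
# Constructed sample (not from the page): two Windows/IE user settings and one Office 97 setting.
SAMPLE_POL = build_pol([
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun", REG_DWORD, struct.pack("<I", 255)),
    (r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Microsoft\Office\8.0\Common\General", "MaxMRU", REG_DWORD, struct.pack("<I", 4)),
])
```

The two blobs returned by split_pol are the new registry.pol files; the SYSVOL placement and the GPT.ini Version bump are still done exactly as described above.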
Copyright © 1996-2024 Ohman Automation Corp. All rights reserved.