Can I export OUs with associated Group Policy?

[Pat Coghlan]

I finally got the LDIFDE syntax figured out and am ready to move our
user accounts from domain A to domain B. However, this morning I
noticed that the users are in different OUs, each of which has a number
of custom policy settings which I'd like to preserve (disable internet
connection wizard etc.).

Can I export the OUs and their associated group policies using LDIFDE?
If I just create the OUs on domain B before I do the import, I'll lose
the settings which existed in domain A.

Thanks in advance.

-Pat

 

[Cary Shultz [A.D. MVP]]

Pat,

ldifde does have a rather unforgiving syntax. And that is a good thing! It
scares away those who might not yet have everything under control yet. I
would like to introduce ADModify to you. ADModify is a great little utility
that will allow you to do a whole lot of things. For example, if you need
to make sure that every one of the user account objects in your environment
has the company Address you can do this in ADModify. It would take all of a
few seconds ( which is really nice - you do not need the DN: of every user
account object to use ADModify ). Please take a look at the following link:

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/

There are two versions: 1.6 and 2.0 ( aka .NET ). Version 1.6 is good if
you do not have the .NET Framework installed and ADModify.NET is really good
if you do!

Now, to your question: no!

You can export all of the user account objects with ldifde ( and with
ADModify as well! ). In your new environment, however, you would need to
make sure that the OUs exist already before you were to import them.
meaning, the same 'structure' would need to exist.

In order to 'export' the GPOs you might want to look at the Group Policy
Management Console ( GPMC ). I have just started playing with this tool (
and everyone should really consider watching the Webcasts on Group Policy on
Wednesday - it is Part 4 already!!!!! ) so I am not all that familiar with
it. I want to say that you can. But I have not yet tried so.....

HTH,

Cary

 

[Pat Coghlan]

I guess one thing I could do is create the OU and GPO on the new DC, and
edit the GP to have all the same settings as in the original domain
(disable internet connection wizard etc.). Then, if I import all the
users (after ensuring that the OU paths etc. exist), they should inherit
the group policy settings I just configured, no?.

The number of GP parameters that need to be set is small (<25).

 

[Cary Shultz [A.D. MVP]]

Pat,

As long as you link the GPOs to the same containers ( in your case, it
sounds like Organizational Units ) and the user account objects are in the
same place, then YES. I do not know that I would use the word 'inherit',
though. They would be under the Scope of Management.

HTH,

Cary