One issue that we run into when copying or moving a GPO from one system to another is that some GPOs are built with domain-specific settings. This can be a problem when the GPOs are moved to a system in another domain. This is where migration tables can help you out. Migration tables tell you how domain-specific settings should be treated when the GPO is moved from the domain in which it was created to another domain.
Migration tables are files that are used to map previous domain information (such as users and groups) to the new domain’s object-specific data. Migration tables have mapping entries that map the old data to the new data.
Migration tables store their mapping data in an XML format, and the migration tables have their own file extension, .migtable. If you want to create a migration table, you can use the Migration Table Editor (MTE). The MTE is an easy-to-use utility for configuring or just viewing migration tables.
It does not matter if you decide to copy or import a GPO; migration tables apply to any of the settings within the GPO. However, if you copy a GPO instead of moving it, you have the option of bringing the Discretionary Access Control List (DACL) option over with the copy.
If you are looking at using migration tables, there are three settings that you can configure:
Do Not Use A Migration Table: If you choose this option, the GPO is copied over exactly as is. All security objects and UNC paths are copied over without any modification.
Use A Migration Table: If you choose this option, the GPO has all of the options that can be in the migration table mapped.
Use A Migration Table Exclusively: If you choose this option, all security principals and UNC path information in the GPO are chosen. If any of this information is not included in the migration table, the operation will fail.
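The three options above, modeled as an added example (not code from the book or from Microsoft): the script parses a migration table and reports which references would still point at the source domain after the GPO is moved. The sample table, the old.example and new.example names, the reference list and the helper functions are all constructed for illustration, and only explicit destinations and same-as-source entries are handled.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"}

# Constructed sample table; every domain, group and server name is made up.
SAMPLE_TABLE = r"""
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>HelpDesk@old.example</Source>
    <Destination>HelpDesk@new.example</Destination></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\oldfs\scripts</Source>
    <Destination>\\newfs\scripts</Destination></Mapping>
  <Mapping><Type>User</Type><Source>svc-deploy@old.example</Source>
    <DestinationSameAsSource /></Mapping>
</MigrationTable>"""

# Constructed list of principals and UNC paths referenced by a GPO.
GPO_REFS = ["HelpDesk@old.example", r"\\oldfs\scripts",
            "svc-deploy@old.example", "Auditors@old.example"]

def load_table(xml_text):
    """Parse a migration table into {source (lower-cased): destination}."""
    table = {}
    for m in ET.fromstring(xml_text).findall("m:Mapping", NS):
        src = m.findtext("m:Source", namespaces=NS)
        dest = m.findtext("m:Destination", namespaces=NS)
        if dest is None:
            if m.find("m:DestinationSameAsSource", NS) is None:
                raise ValueError(f"unsupported destination for {src}")
            dest = src  # entry says: carry the value over unchanged
        table[src.lower()] = dest
    return table

def migrate(refs, table, mode):
    """mode is 'none', 'use' or 'exclusive', matching the three options."""
    if mode == "none":
        return list(refs)  # copied exactly as is
    missing = [r for r in refs if r.lower() not in table]
    if mode == "exclusive" and missing:
        raise LookupError(f"not in migration table: {missing}")
    return [table.get(r.lower(), r) for r in refs]

def still_in_source(refs, markers=("@old.example", r"\\oldfs")):
    """References that still point at the source domain after migration."""
    return [r for r in refs if any(mk in r.lower() for mk in markers)]

if __name__ == "__main__":
    result = migrate(GPO_REFS, load_table(SAMPLE_TABLE), "use")
    print(still_in_source(result))
```

In the non-exclusive mode the unmapped Auditors group and the same-as-source service account pass through silently, which is the case worth reviewing before the GPO is linked in the new domain.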
To open the Migration Table Editor, perform the following steps:
- Open the Group Policy Management Console.
- In the console tree, right-click Group Policy Objects and choose Open Migration Table Editor.
Resetting the Default GPO
There may be a time when you need to reset the default GPO to its original settings. This is easy to do as long as you understand how to use the DCGPOFix command-line utility. This command-line utility does just what its name spells out: it fixes the domain controller’s GPO. To use this command, use the following syntax:
DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?]
Let’s take a look at the switches in the previous command. The /ignoreschema switch ignores the current version of the Active Directory schema. You use this switch because this command works only on the same schema version as the Windows version in which the command was shipped. By using this switch, you don’t need to worry about what schema you have on the system.
The next switch is [/target: {Domain | DC | Both}]. This switch specifies the GPO you are going to restore. You have the ability to restore the Default Domain Policy GPO, the Default Domain Controllers GPO, or both. The final switch, /?, displays the help for this command.
Summary
In this chapter, you examined Active Directory’s solution to a common headache for many systems administrators: policy settings. Specifically, I discussed topics that covered Group Policy.
I covered the fundamentals of Group Policy, including its fundamental purpose. You can use Group Policy to enforce granular permissions for users in an Active Directory environment. Group Policies can restrict and modify the actions allowed for users and computers within the Active Directory environment.
Certain Group Policy settings may apply to users, computers, or both. Computer settings affect all users who access the machines to which the policy applies. User settings affect users regardless of the machines to which they log on.
You learned that you can link Group Policy objects to Active Directory sites, domains, or OUs. This link determines to which objects the policies apply. GPO links can interact through inheritance and filtering to result in an effective set of policies.
The chapter covered inheritance and how GPOs filter down. I showed you how to use the Enforced option on a GPO issued from a parent and how to block a GPO from a child.
You can also use administrative templates to simplify the creation of GPOs. There are some basic default templates that come with Windows Server 2022. In addition, you can delegate control over GPOs in order to distribute administrative responsibilities. Delegation is an important concept because it allows for distributed administration.
You can also deploy software using GPOs. This feature can save time and increase productivity throughout the entire software management life cycle by automating software installation and removal on client computers. The Windows Installer offers a more robust method for managing installation and removal, and applications that support it can take advantage of new Active Directory features. Make sure you are comfortable using the Windows Installer.
You learned about publishing applications via Active Directory and the difference between publishing and assigning applications. You can assign some applications to users and computers so that they are always available. You can also publish them to users so that the user can install them with minimal effort when required.
You also learned how to prepare for software deployment. Before your users can take advantage of automated software installation, you must set up an installation share and provide the appropriate permissions.
The final portion of the chapter covered the Resultant Set of Policy (RSoP) tool, which you can use in logging mode or planning mode to determine exactly which set of policies applies to users, computers, OUs, domains, and sites.
Exam Essentials
Understand the purpose of Group Policy. You use Group Policy to enforce granular permissions for users in an Active Directory environment.
Understand user and computer settings. Certain Group Policy settings may apply to users, computers, or both. Computer settings affect all users that access the machines to which the policy applies. User settings affect users, regardless of which machines they log on to.
Know the interactions between Group Policy Objects and Active Directory. GPOs can be linked to Active Directory objects. This link determines to which objects the policies apply.
Understand filtering and inheritance interactions between GPOs. For ease of administration, GPOs can interact via inheritance and filtering. It is important to understand these interactions when you are implementing and troubleshooting Group Policy.
Know how Group Policy settings can affect script policies and network settings. You can use special sets of GPOs to manage network configuration settings.
Understand how delegation of administration can be used in an Active Directory environment. Delegation is an important concept because it allows for distributed administration.
Know how to use the Resultant Set of Policy (RSoP) tool to troubleshoot and plan Group Policy. Windows Server 2022 includes the RSoP feature, which you can run in logging mode or planning mode to determine exactly which set of policies applies to users, computers, OUs, domains, and sites.
Understand the difference between publishing and assigning applications. Some applications can be assigned to users and computers so that they are always available. Applications can be published to users so that the user may install the application with a minimal amount of effort when it is required.
Know how to configure application settings using Active Directory and Group Policy. Using standard Windows Server 2016 administrative tools, you can create an application policy that meets your requirements. You can use automatic, on-demand installation of applications as well as many other features.