There are three aspects to migration that a GPO Administrator will need to be aware of:
Migration of system policies to group policies
Migration of a GPO created within a test environment to be imported into a live environment
Migrating ADM templates and ADMX files
6.4.1 System Policy Migration
Prior to the introduction of Group Policy in Windows 2000, system policies were used to provide an element of control over the desktop estate. These system policies, whilst fairly basic and limited in their use, did provide configuration options that are still part of most organisations' requirements. As such, Microsoft provides the Group Policy Migration utility specifically to migrate Windows NT 4.0 System Policy settings to either Windows 2000 or Windows Server 2003.
The Group Policy Migration utility (Gpolmig.exe) is available as part of the Windows 2000 Resource Kit. This utility translates current System Policy settings into Group Policy settings and maps the necessary registry settings to the registry settings for Windows 2000 or Windows XP.
Note
The location of the registry settings that implement software policy has changed in Windows 2000 from those in Windows NT 4.0, and the migration may therefore not have an effect on some applications and components.
A Microsoft Knowledge Base article titled How to use the Group Policy Migration utility to migrate Windows NT System Policy settings to Windows 2000 or Windows Server 2003 [72] details the usage of this utility and, most importantly, includes troubleshooting points covering some common scenarios of issues that are experienced.
6.4.2 GPO Migration Table
A migration table assists a GPO Administrator in copying and importing GPOs from one domain to another. This is typically useful when a GPO has been created within a test environment: rather than creating it from scratch within the live environment, it can be exported and subsequently imported instead.
An issue arises when the GPO contains domain-specific information as part of the configuration settings. This domain-specific information could include:
Users
Groups (Domain Local, Domain Global, and Universal)
Computers
UNC paths
Free Text or Security Identifier (SID)
As such, a migration table can be created and is used to amend such settings appropriately.
72 How to use the Group Policy Migration utility to migrate Windows NT System Policy settings to Windows 2000 or Windows
The migration table is created using the Migration Table Editor (MTE), provided as part of the GPMC. A migration table consists of one or more mapping entries. Each mapping entry consists of a type, source reference, and destination reference. If you specify a migration table when performing an import or copy, each reference to the source entry will be replaced with the destination entry when writing the settings into the destination GPO.
The migration table will apply to any references in the settings within a GPO, whether you are performing an import or copy operation. In addition, during a copy operation, if you choose the option to preserve the discretionary access control list (DACL) on the GPO, the migration table will also apply to both the DACL on the GPO and the DACLs on any software installation settings in the GPO.
Migration tables are specified when performing import and copy operations. There are three options for using migration tables with import and copy:
Do not use a migration table – This option copies the GPO exactly as it is. All references to security principals and UNC paths are copied identically.
Use a migration table – This option maps any references in the GPO that are in the migration table. References that are not contained in the migration table are copied as is.
Use a migration table exclusively – This option requires that all references to security principals and UNC paths that are referenced in the source GPO be specified in the migration table. If a security principal or UNC path is referenced in the source GPO and is not included in the migration table, the import or copy operation fails.
In addition, cross-domain copy operations will apply the migration table to the DACL on the GPO (and any software installation settings) if you choose the option to ‘Preserve or migrate the existing permissions’.
When performing a copy or import, the wizard scans the source GPO to determine if there are any references to security principals or UNC paths in the GPO. If there are, you have the opportunity to specify a migration table. During a cross-domain copy operation, if the option to ‘Preserve or migrate the permissions on the GPO’ is specified, the wizard will always present the opportunity to specify a migration table because a DACL, by definition, contains security principals.
The Microsoft whitepaper Migrating GPOs Across Domains with GPMC [73], available to download, details extensively the operation of migrating GPOs from one domain to another.
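The following added example (not part of the original guidance and not GPMC's own code) models the three migration table options described above so that their effect on a GPO's references can be checked before an import or copy. The class and function names, the type labels and the sample domain, account and server names are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    NONE = "do not use a migration table"
    USE = "use a migration table"
    EXCLUSIVE = "use a migration table exclusively"

@dataclass(frozen=True)
class Mapping:
    type: str          # illustrative label, e.g. "Group" or "UNC path"
    source: str
    destination: str

class UnmappedReferenceError(Exception):
    """Exclusive mode: a reference in the source GPO has no mapping entry."""

def migrate_references(references, table, mode):
    """Return (references as written to the destination, references copied as is)."""
    if mode is Mode.NONE:
        return list(references), list(references)
    # Assumption of this model: names and paths are matched case-insensitively.
    lookup = {m.source.lower(): m.destination for m in table}
    unmapped = [r for r in references if r.lower() not in lookup]
    if mode is Mode.EXCLUSIVE and unmapped:
        raise UnmappedReferenceError(unmapped)
    return [lookup.get(r.lower(), r) for r in references], unmapped

def preflight(references, table):
    """Show what each of the three options would do, without touching a GPO."""
    report = {}
    for mode in Mode:
        try:
            written, as_is = migrate_references(references, table, mode)
            report[mode] = ("ok", written, as_is)
        except UnmappedReferenceError as exc:
            report[mode] = ("fail", [], exc.args[0])
    return report

# Constructed sample data: references found in a GPO built in a test domain.
GPO_REFERENCES = [r"TEST\Helpdesk Admins", r"TEST\svc-deploy", r"\\testfs01\software"]
TABLE = [
    Mapping("Group", r"TEST\Helpdesk Admins", r"LIVE\Helpdesk Admins"),
    Mapping("UNC path", r"\\testfs01\software", r"\\livefs01\software"),
]

if __name__ == "__main__":
    for mode, (status, written, as_is) in preflight(GPO_REFERENCES, TABLE).items():
        print(f"{mode.value}: {status}; written={written}; unmapped={as_is}")
```

With the sample data, the "use a migration table" option writes the unmapped test-domain account into the destination GPO unchanged, whereas the "exclusively" option fails and names it, which is the behaviour to prefer when no test-domain principal should reach the live environment.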
6.4.3 ADMX Migrator
The ADMX Migrator enables GPO Administrators to convert ADM templates to the ADMX file format and take advantage of the additional capabilities that it provides.
Recommendation
The ADMX Migrator should only be used to migrate custom ADM Templates. Do not use the ADMX Migrator to migrate the default ADM Templates that are included as part of the Windows operating system. For example, the INETRES.ADM template is provided with the operating system and, as such, should not be migrated. However, the OFFICE12.ADM template does not come with the operating system and, as such, can be migrated using the ADMX Migrator.
The ADMX Migrator allows multiple ADM templates to be converted at a time. The ADMX Migrator creates a unique namespace, which can be renamed, and will display a warning if a collision is detected due to duplicate names. Also, any items that cannot be validated against the ADMX schema are preserved in an Unsupported section. The ADMX Migrator is also available through a Command Window, and it is recommended that this is used for multiple ADM Template conversions.
73 Migrating GPOs Across Domains with GPMC {R26}: http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx
Note
Any annotations that exist in ADM templates are removed during the conversion process.
The ADMX Migrator can be downloaded [74] and can be installed on a Windows Server or Windows Client machine. For installation on:
A server – a minimum of Windows Server 2003 Service Pack 1 is required with MMC version 3.0 [75] installed
A client – a minimum of Windows XP Service Pack 2 is required with MMC version 3.0 [76] installed
Note
Windows Vista includes MMC version 3.0 and, as such, already meets the minimum installation requirements.
For instructions on the installation of the ADMX Migrator, see APPENDIX B.
Recommendation
Prior to migrating any ADM Templates using the ADMX Migrator, it is recommended that the ADM Templates are copied to a local folder by the GPO Administrator. When migrating the ADM Templates, use the local copy. This ensures that the migration cannot affect the production copy of the ADM Templates.
To migrate a custom ADM Template to an ADMX file:
1. Open ADMX Migrator (click Start or the Windows Button, point to All Programs, point to FullArmor, point to FullArmor ADMX Migrator, and then click ADMX Migrator).
74 ADMX Migrator {R27}: http://go.microsoft.com/fwlink/?LinkId=77409
75 Microsoft Management Console 3.0 for Windows Server 2003 (KB907265) {R28}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4c84f80b-908d-4b5d-8aa8-27b962566d9f&DisplayLang=en
76 Microsoft Management Console 3.0 for Windows XP (KB907265) {R29}:
2. Within the ADMX Migrator MMC snap-in, click Generate ADMX from ADM… from the right-hand Actions pane (as circled in the figure below).
3. In the Open dialog box, navigate to the folder containing the ADM Template, click the file and click Open.
Once the ADM Template has been migrated, the following dialog box displays:
4. Click Yes to load the ADMX Template into the ADMX Editor.
Additionally, the ADMX Migrator provides an ADMX Editor with a graphical user interface for creating and editing Administrative Templates. This allows the selection of settings from menus rather than entering them manually in a text file, speeding up the template creation process and reducing the chance for error.
Figure 12 below shows the imported ADM Template in the ADMX Migrator in editing mode. The contents of the imported CADWarning ADMX file have been expanded in the left-hand pane, showing the settings contained within it. Below the settings pane are a number of tabs to select from. These options assist a GPO Administrator in ensuring the ADMX file is being created in the correct format.
Figure 12: ADMX Migrator Template Editor View