There's a couple of points here. First, if you're using a
3rd party tool to create/restore the GPO and they are using a different
mechanism other than just a GPMC backup/import APIs, then you should check with
that vendor to figure out what they did wrong (if anything). In this case, if
its one of Quest's products, I would suggest contacting our support org...they
are nice people. :-)
Second point, regardless of the mechanism, when a GPO is
"restored", a groupPolicyContainer object should be created in AD and then a set
of folders and files should get created in SYSVOL. If you're doing a restore or
a import of a backed up GPO, what I would expect would happen is that the
versionNumber restored within the gpt.ini file in the SYSVOL portion of the
GPO is also restored to the versionNumber attribute on the GPC object in
AD. If SYSVOL was restored correctly, then that is where the actual settings in
the GPO are stored (assuming its normal policy like Admin. template or IE
maintenance or security) and that is what GPMC will report on in the settings
report. It could be that because the AD versionNumber is 0, that GPMC just
ignores what it finds in SYSVOL and just says that no settings could be in that
GPO so it reports no settings. If this is a test environment that you feel
comfortable mucking around in, I would suggest using ADSIEdit or your favorite
LDAP editor to change the versionNumber attribute of the GPC object under
domain\system\policies to match the one found in the SYSVOL portion of that GPO
and see if that makes a difference.
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, December 12, 2005 4:03 PM
To: [email protected]
Subject: Re: [ActiveDir] gpmc
I know about the migration tables.
What i'm curious about is, even if someone screwed up and just copied all
the perms over, wouldn't there still be something in the settings?
according to gpmc, the sysvol has a change number of 51 snd AD has 0.
also, under details, there are no settings under user or computer.
it seems like only the gpt was "migrated", not the gpc in AD.
however with ldp, i can see the polices in the system container.
i'm wondering how this could occur?
just trying to track down what went wrong.
thanks a lot guys!
On 12/12/05, Mylo
<[EMAIL PROTECTED]> wrote:
Tom,
You can use createxmlfromenvironment.wsf to export out of test and then
bring into production with createenvironmentfromxml.wsf .. .they're
under the GPMC\Scripts folder... bear in mind that this doesn't
'pick-up' everything... ipsec springs to mind and there's a couple of
others which escape me at the moment :-)
If you need migrate 'settings' such as user rights assignments then
you'll need to use migration tables.
Regards,
Mylo
Tom Kern wrote:
> Import/export is the process.
> It was imported/exported between 2 Forests
>
> Thanks
>
>
> On 12/12/05, *Mark Parris* <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED] >> wrote:
>
> Inter forest - you import and export, as far as I am aware you can
> only copy within a domain. Not meant to be pedantic - but is this
> the procedure that has been completed ?
>
> Mark
> -----Original Message-----
> From: Tom Kern <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
> Date: Mon, 12 Dec 2005 14:39:27
> To:activedirectory < [email protected]
> <mailto: [email protected]>>
> Subject: [ActiveDir] gpmc
>
> I had an admin(consultant) copy gpo's from one Forest to another
> using Quest.
>
> However, when i open up the GPMC and focus on the policy, it has
> no settings defined.
> Under details, it has 1 change for the user config under sysvol
> but 0 under AD.
>
> Does this mean something went wrong with the copy?
>
> The AD part is not in sync with the Sysvol part it seems.
> Also, when i run GPOTOOL, it just lists the default domain and
> domain controllers policies.
> The one's coppied over do not come up.
>
> The only thing they have in common is that the Sysvol portition is
> updated but the AD portion is at 0.
>
> Does Quest only copy the sysvol files and not the GPC in AD? Or
> did they just screw up?
>
> Thanks a lot!!
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> < http://www.activedir.org/ListFAQ.aspx>
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>------------------------------------------------------------------------
>
>Internal Virus Database is out-of-date.
>Checked by AVG Free Edition.
>Version: 7.1.362 / Virus Database: 267.13.12/192 - Release Date: 05/12/2005
>
>
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
