Udostępnij za pośrednictwem


Migrating GPO Links between Domains with PowerShell

By popular demand, I recently completed a script to migrate links between two domains. Like every script I write, it probably won't be without its bugs due to corner cases, but it will hopefully save everyone some time when it does work. That being said, please run tests before going to your production environment with it.

 

This script is fairly straightforward and uses the Active Directory module for PowerShell. Here are some gotchas I came across during the creation and testing of this script:

 

1. The OU structure and Site names must be the same between the source and destination domains. By default, the script logs an error at C:\GPOLinksLog.txt if a particular OU or Site does not exist. There are probably plenty of scripts in Internet land that can be used to duplicate OU structures and sites, so happy searching!

2. The script overwrites the "gPLink" attribute during the Import process. That means any already existing links on the particular OU or Site will be overwritten. For more information about the gPLink attribute and gpLinkOptions, see https://msdn.microsoft.com/en-us/library/cc232505.aspx

3. By now, you should have already completed the steps in my previous blog post: Bulk Import of Group Policy Objects between Different Domains with PowerShell. If GPO's with the same name between the source and destination domain do not exist, the script will not be very effective. You may also want the old WMI filters linked. Scripts for that process are located here (for Exporting) and here (for Importing).

4. If the Input option is used and a particular GPO does not exist, an error is logged in the LogFile location, but the script still links the other GPO's that do exist on particular object. If none of the GPO's linked to an object exist, no action is taken on that object, and an error is logged.

Now, let's see how easy the script is to use. There are three switches:

-OutputFile: This switch is used to export GPO Links from the source domain. The full path to the desired file should be specified (e.g. -OutputFile C:\temp\migratelinks.txt) otherwise a relative path to the file specified is used.

-InputFile: This switch is used to import GPO Links to the destination domain. The full path to the desired file should be specified (e.g. -InputFile C:\temp\migratelinks.txt) otherwise a relative path to the file specified is used.

-LogFile: This optional switch is used to specify a log file (e.g. -LogFile C:\temp\LogFile.txt). The default value is C:\GPOLinksLog.txt.

When specifying OutputFile or InputFile, at least one and only one of the two switches must be specified. Helpful reminders of this rule will be displayed if both or neither value is specified.

Here's an example of how to use the script as a defined process:

1. On a source Domain Controller, run "Import-and-Export_GPO_Links.ps1 -OutputFile C:\temp\migration.txt"

2. Move "migration.txt" to a destination Domain Controller and put it into the "C:\temp" folder.

3. On the destination Domain Controller, run "Import-and-Export_GPO_Links.ps1 -InputFile C:\temp\migration.txt"

4. Review the log file for any errors.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use .

Import-and-Export_GPO_Links_Final.zip

Comments

  • Anonymous
    November 15, 2013
    I ran the script in input mode, no error was reported but links were not created.

  • Anonymous
    November 15, 2013
    John, What is in the log file? Can you post a sample?