Re: Exporting GPOs from Active Directory

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 07/23/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Brad Judy" <judy@colorado.edu>, "'David Vincent'" <david.vincent@mightyoaks.com>, "'Focus-Ms (E-mail)'" <focus-ms@securityfocus.com>, "Scott Ehrlich" <scott@ai.mit.edu>
Date: Tue, 23 Jul 2002 11:43:28 -0400

Unfortunately, the reduced-functionality version does not do GPO exports,
IIRC. You'll need the full version for that.

Laura
----- Original Message -----
From: "Scott Ehrlich" <scott@ai.mit.edu>
To: "Laura A. Robinson" <larobins@bellatlantic.net>; "Brad Judy"
<judy@colorado.edu>; "'David Vincent'" <david.vincent@mightyoaks.com>;
"'Focus-Ms (E-mail)'" <focus-ms@securityfocus.com>
Sent: Tuesday, July 23, 2002 11:41 AM
Subject: Re: Exporting GPOs from Active Directory

> I think I've found it at:
>
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam200
0-o.asp
>
> At 11:01 AM 7/23/2002 -0400, Laura A. Robinson wrote:
> >Yes, it is based on licensed pieces of FAZAM, as, IIRC, is RSOP
(Resultant
> >Set of Policy)
> >
> >Laura
> >----- Original Message -----
> >From: "Brad Judy" <judy@colorado.edu>
> >To: "'Laura A. Robinson'" <larobins@bellatlantic.net>; "'David Vincent'"
> ><david.vincent@mightyoaks.com>; "'Focus-Ms (E-mail)'"
> ><focus-ms@securityfocus.com>
> >Sent: Tuesday, July 23, 2002 10:50 AM
> >Subject: RE: Exporting GPOs from Active Directory
> >
> >
> > > Microsoft will be releasing a "Group Policy Management Console" add-on
> > > that will allow for export/import of GPOs in addition to a large
number
> > > of other features including a lot of scripting functions. It will
have
> > > to be run on a .Net machine, but will work with a Windows 2000 based
> > > Active Directory. I think it is based on licensed pieces of FAZAM,
but
> > > I do not know for sure.
> > >
> > > Unfortunately since it must run on .Net Server it will not be released
> > > for download until after the release of .Net Server.
> > >
> > > It was demoed in a session at the MS TechEd conference in April and
they
> > > even demonstrated exporting everything from a test domain and then
> > > importing it into a new production domain.
> > >
> > > It doesn't help you now, but you can look forward to better GPO tools
in
> > > the future.
> > >
> > > Brad Judy
> > >
> > > Information Technology Services
> > > University of Colorado at Boulder
> > >
> > > -----Original Message-----
> > > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> > > Sent: Monday, July 22, 2002 1:41 PM
> > > To: David Vincent; Focus-Ms (E-mail)
> > > Subject: Re: Exporting GPOs from Active Directory
> > >
> > >
> > > Doh! Read "GPOs" as "OUs"! Sorry folks!
> > >
> > > With that said, secedit does not export Group Policy Objects. It
allows
> > > you to export the security settings from that section of the machine's
> > > policy, but it does not export GPOs.
> > >
> > > There is no officially supported method for exporting GPOs. However,
> > > there are a couple of ways to do it:
> > >
> > > 1. Purchase FAZAM (http://www.fullarmor.com)
> > > 2. Read these links:
> > >
> > > http://www.jsifaq.com/SUBK/tip5300/rh5320.htm
> > > http://www.mike-tech.com/article.php?gif=win2k&article=147
> > >
> > > Laura
> > > ----- Original Message -----
> > > From: "David Vincent" <david.vincent@mightyoaks.com>
> > > To: "'Laura A. Robinson'" <larobins@bellatlantic.net>; "Focus-Ms
> > > (E-mail)" <focus-ms@securityfocus.com>
> > > Sent: Monday, July 22, 2002 1:16 PM
> > > Subject: RE: Exporting GPOs from Active Directory
> > >
> > >
> > > > sorry laura, but i do believe you are confused.
> > > >
> > > > you want to use 'secedit' to export GPOs, LDFIDE exports lists of AD
> > > objects
> > > > in Line Delimited format, it is the partner to CSVIDE which exports
AD
> > >
> > > > contents into Comma Seperated Values.
> > > >
> > > > check the help for more info on 'secedit' or the usual 'c:\secedit
/?'
> > > >
> > > >
> > > >
> > > >
> > > > David Vincent CNA/MCSE
> > > > Network Administrator
> > > >
> > > > www.mightyOaks.com
> > > > david.vincent@mightyoaks.com
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> > > > Sent: July 22, 2002 9:58 AM
> > > > To: hbcsc502@csun.edu; focus-ms@securityfocus.com
> > > > Subject: Re: Exporting GPOs from Active Directory
> > > >
> > > >
> > > > You can use LDIFDE to do this. LDIFDE (LDIF Directory Export, IIRC)
is
> > >
> > > > a command-line utility installed on Windows 2000 server boxes that
> > > > allows
> > > you
> > > > to import/export/modify LDAP directories using text files. The
utility
> > >
> > > > is not installed on Win2K pro boxes even with adminpak, but it
should
> > > > be on
> > > any
> > > > of your server installations.
> > > >
> > > > If you're running it from a DC, you would just open a command prompt
> > > > and type
> > > >
> > > > ldifde -f <name of file to export to>
> > > >
> > > > There'd be other options you would have to type depending on the
> > > credentials
> > > > you want to use to connect and how much you want to export, but the
> > > utility
> > > > is relatively self-explanatory.
> > > >
> > > > Some additional info:
> > > >
> > >
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/b
> > > ulks
> > > > teps.asp
> > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q263991&
> > > >
> > > > Laura
> > > > ----- Original Message -----
> > > > From: "Phydeaux" <hbcsc502@csun.edu>
> > > > To: <focus-ms@securityfocus.com>
> > > > Sent: Monday, July 22, 2002 1:55 AM
> > > > Subject: Exporting GPOs from Active Directory
> > > >
> > > >
> > > > > Hello all,
> > > > >
> > > > > Does anyone know how to export GPOs in an Active Directory to the
> > > > > .inf files? I am looking for a native utility from Microsoft ore
> > > > > another
> > > free
> > > > > tool. Also on the flip side, how do I import settings into a GPO?
> > > > >
> > > > > Brian
> > > > >
> > > >
> > >
>