Group Policy migration, without the headache

Someone asked me recently if it was possible to import GPOs created in a laboratory into a production environment, which was obviously a completely different Active Directory forest/domain. The answer is, of course, yes you can. With the Group Policy Management Console (GPMC) you can export a policy and then import it into a different domain surprisingly quickly and easily. The next question I was asked was how it handles the fact that the SIDs will be different between the users/groups of the domains if User Rights Assignments have been specified, and again I said that this is possible with the GPMC!

The functionality required is called "Migration Tables".  Basically, a migration table is a simple table that specifies a mapping between a source value and a destination value and would look like this:

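| Type         | Source Value               | Destination Value       |
|--------------|----------------------------|-------------------------|
| Global Group | LabDomain\FinanceTestUsers | ProdDomain\FinanceUsers |
| User         | LabDomain\ITDevUser        | ProdDomain\ITDevUser    |
| UNC Path     | \\LABServer1\Finance       | \\SRV_001\Finance$      |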

The purpose of a migration table is to convert values inside a GPO to new values that will work in the target environment during the copy or import operation, so that you don't need to edit the imported GPO afterwards in order for it to work.

Migration tables are saved as XML files and have the extension .migtable. GPMC includes an editor for creating and modifying migration table files, called the Migration Table Editor, so thankfully you don’t need to work directly with the XML to create the tables.  If you want to see a sample file, take a look at the file %programfiles%\gpmc\scripts\SampleMigrationTable.migtable which was installed along with the GPMC.

It should look like this:

[Image: the sample migration table]

One cool feature is that the GPMC can auto-populate the relevant entries in your migration table from a set of GPOs or GPO backups. In the Migration Table Editor, simply click Tools, and then click either Populate from GPO or Populate from Backup to point to the GPOs or GPO backups you want to use. The security principals and UNC paths referenced in the selected GPOs or backups will be extracted and entered into the migration table. Once the initial set of entries is created in the table, you can go ahead and update the Destination Name field to reflect the appropriate values.

Note: when using either of these auto-populate options, you also have the option to scan the DACL on the GPO for security principals.
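A pre-import check for the step above, as an added example that is not part of the original post: it reads a migration table and reports any mapping that would still carry a lab value into production, for instance an auto-populated entry whose destination was never edited. The function name `Test-MigrationTable`, the `LabDomain\HelpdeskTest` entry and the XML element names (written here as the Migration Table Editor is understood to save them) are assumptions; compare them with your own .migtable file.

```powershell
# Constructed sample: the three mappings from the table in the post, plus one
# entry left as auto-populated ("same as source") to show what gets flagged.
$sample = @'
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>LabDomain\FinanceTestUsers</Source>
    <Destination>ProdDomain\FinanceUsers</Destination></Mapping>
  <Mapping><Type>User</Type><Source>LabDomain\ITDevUser</Source>
    <Destination>ProdDomain\ITDevUser</Destination></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\LABServer1\Finance</Source>
    <Destination>\\SRV_001\Finance$</Destination></Mapping>
  <Mapping><Type>GlobalGroup</Type><Source>LabDomain\HelpdeskTest</Source>
    <DestinationSameAsSource /></Mapping>
</MigrationTable>
'@

function Test-MigrationTable {   # hypothetical helper, not a GPMC cmdlet
    param(
        [Parameter(Mandatory)][string]$Xml,
        # Substrings that must not reach production (lab domain, lab server).
        [Parameter(Mandatory)][string[]]$LabMarkers
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    foreach ($m in $doc.SelectNodes("//*[local-name()='Mapping']")) {
        $type = $m.SelectSingleNode("*[local-name()='Type']").InnerText
        $src  = $m.SelectSingleNode("*[local-name()='Source']").InnerText
        $dest = $m.SelectSingleNode("*[starts-with(local-name(),'Destination')]")
        $effective = $problem = $null
        # Work out the value the imported GPO would actually contain.
        if ($null -eq $dest) {
            $problem = 'no destination specified'
        } elseif ($dest.LocalName -eq 'DestinationSameAsSource') {
            $effective = $src
        } elseif ($dest.LocalName -eq 'Destination') {
            $effective = $dest.InnerText.Trim()
            if (-not $effective) { $problem = 'empty destination' }
        } else {
            $problem = "review manually: $($dest.LocalName)"
        }
        foreach ($marker in $LabMarkers) {
            if ($effective -and $effective.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $problem = "resolves to lab value '$effective'"
            }
        }
        if ($problem) { [pscustomobject]@{ Type = $type; Source = $src; Problem = $problem } }
    }
}

$findings = @(Test-MigrationTable -Xml $sample -LabMarkers 'LabDomain\', '\\LABServer1\')
$findings | Format-Table -AutoSize
if ($findings.Count) { Write-Warning "$($findings.Count) mapping(s) need attention before import." }
```

To check a real table, pass the file's text (for example from `Get-Content -Raw`) as `-Xml` and list your own lab domain and server names in `-LabMarkers`.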

Migration Tables are an extremely useful feature of the GPMC, but they are often overlooked. Many times I have seen people manually editing the imported GPOs in order to reflect the correct user/group names for the new domain. Hopefully this post will save someone from this task!