Importing and Exporting with AGPM

  • Article

Thanks for tuning in this lovely Friday! Time for a glimpse into the advanced side of Group Policy, with Advanced Group Policy Management. This awesome product comes as part of MDOP (Microsoft Desktop Optimization Pack), which you can get easily if you have SA. Read more about it here on TechNet. The following article on how to migrate between Controlled and Uncontrolled GPO’s is by Deepak Vishwanathan, a hardworking developer on the Group Policy team.

- superLilia

Now, say your enterprise is using AGPM and has a mixed environment of controlled and uncontrolled GPOs. Let’s say you want to export the settings from your controlled GPO “Sales” and import them into an uncontrolled GPO “Mobile Sales”.

You try, but you fail. Why?

To import settings, the GPMC (Group Policy Management Console) is expecting a GPMC backup. But the AGPM export output is not a GPMC backup.The output of AGPM export operation is a cabinet file, whereas the output of GPMC backup operation is a GPO backup directory tree. So, we need a mechanism to convert the AGPM cabinet file into a GPO backup directory tree, so it can be imported by the GPMC.

The same problem happens in the reverse: if you want to import settings of an uncontrolled GPO into an AGPM-controlled GPO. The input to the AGPM import operation is a cabinet file, whereas the output of GPMC backup operation is a GPO backup directory tree. Again, we need to convert from GPO backup directory tree to AGPM import cabinet file.

No problem!!! Welcome Microsoft Cabinet SDK :) The Microsoft Cabinet SDK is publicly available for download at https://support.microsoft.com/kb/310618. This SDK contains compression / decompression utilities that help to work with cabinet files. In order to accomplish our task, Cabarc utility will come handy. To read more about Cabarc utility, refer to https://technet.microsoft.com/en-us/library/cc781787(WS.10).aspx

So, let’s consider the following 2 generic scenarios:

1. Import controlled GPO to uncontrolled environment

(1) Export a controlled GPO using AGPM export operation.

The output of export operation is a cabinet file containing the compressed GPO backup.

(2) Decompress the exported cabinet file using Cabarc utility.

Let’s say the exported GPO’s cabinet file path is d:controlledGPObackupscontrolled.cab.

Let’s make the backup directory for uncontrolled GPOs d:uncontrolledGPObackups and we want to use that directory as the target directory for the decompression command.

Run this command:

Cabarc.exe -p X d:controlledGPObackupscontrolled.cab d:uncontrolledGPObackups

Note:

· X is the command for decompressing a cabinet file.

· The back slash trailing the target directory is mandatory.

· While decompressing, we need to ensure that the filepaths for the compressed files are retained. To ensure this, we use the –p (path preserve) option.

Once the command is executed, the decompressed GPO Backup root directory would be d:uncontrolledGPObackups{3D92F8A6-21DD-4BF9-B153-0CD5FF5539C9} (assuming, {3D92F8A6-21DD-4BF9-B153-0CD5FF5539C9} is the exported GPO’s backupId).

(3) Import the decompressed GPO backup into uncontrolled GPO using GPMC import utility.

2. Import uncontrolled GPO to controlled environment

(1) Backup the selected uncontrolled GPO using GPMC backup utility.

(2) Create an AGPM import compliant cabinet file using cabarc utility.

Let us consider that the uncontrolled GPO’s backup directory path is d:uncontrolledGPObackups{3D92F8A6-21DD-4BF9-B153-0CD5FF5539C9}.

Use the following command to generate the cabinet file d:compressedGPOsuncontrolledGPO.cab.

Cabarc.exe -P uncontrolledGPObackups -p -r N d:compressedGPOsuncontrolledGPO.cab d:uncontrolledGPObackups{3D92F8A6-21DD-4BF9-B153-0CD5FF5539C9}*

NOTE:

· N is the command for creating new cabinet file.

· Since we need to retain only {3D92F8A6-21DD-4BF9-B153-0CD5FF5539C9} portion of the filepaths for the files that need to be added to the cabinet file, we use the –P (Path stripping) option.

· We also need to use –p (path preserve) option, so that the added files have file names starting with {3D92F8A6-21DD-4BF9-B153-0CD5FF5539C9}.

· We also need to use –r (recurse into subdirectories while adding files) option.

(3) Check out the controlled GPO using AGPM checkout operation, if the GPO is not already checked out.

(4) Import the cabinet file into the existing checked out GPO using the AGPM import operation.

The moral of the story? Control all of your GPO’s if you are using AGPM! Even if you don’t, there are ways to work with controlled and uncontrolled GPOs.

Hope this helps!

Deepak