5.4 Importing GPOs

If you have already implemented Group Policy in Active Directory (AD), you may import a GPO from your domains into the GP Repository. If you have multiple GPOs to import into the GP Repository, use the Offline Mirror wizard. From the wizard, you can also synchronize the GPO link order between AD and the GP Repository.

From the Offline Mirror wizard, you can indicate that you want to import GPOs and also specify how the wizard creates new versions of GPOs in the GP Repository. You can have the wizard skip any unlinked GPOs and any OUs that do not contain links, and you can choose whether the wizard mimics the AD category structure in the GP Repository or imports all GPOs into a single category that you specify. For more information on importing all GPOs from within the Offline Mirror wizard, see Section 5.4.2, Importing All GPOs Linked to Any AD Container in an AD Domain (Creating an Offline Mirror).

5.4.1 Importing an Active Directory GPO

Once you have GPOs in AD, GPA lets you import each GPO into the GP Repository. Ensure the account you plan to use to export GPOs has sufficient rights before you import the GPOs. For more information, see Section 2.4, Creating GPA Service Accounts.

To import a GPO from an Active Directory domain:

  1. Log on to a GPA Console computer with an account that has permissions to import GPOs.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository and select the category where you want to import the GPO.

  4. On the Action menu, click All Tasks > Import GPO from AD.

  5. Browse for the GPO to import, and then click OK.

    NOTE:

    • If you attempt to import a GPO that already exists in the GP Repository, you receive a message that the GPO already exists in the GP Repository. You have the option to import the GPO and create a new version of the GPO in the GP Repository. Creating a new version increments the GPO version number by 1.

    • You can only import GPOs from the Active Directory domain corresponding to the domain you have selected in the GP Repository.

    • When you import a GPO from Active Directory, you do not import the block inheritance settings for the OU associated with the GPO.

5.4.2 Importing All GPOs Linked to Any AD Container in an AD Domain (Creating an Offline Mirror)

The Offline Mirror wizard lets you import all GPOs that are linked to any AD containers in an AD domain into the GP Repository and synchronize their link order. This is also called creating an offline mirror. The Offline Mirror wizard streamlines the process of importing all GPOs or GPOs linked to specific AD containers.

The Offline Mirror wizard lets you:

  • Select a GP Repository where you have added the domains from which you want to import GPOs

  • Select specific AD Containers for importing GPOs to the GP Repository

  • Specify the GP Repository category structure for importing the GPOs linked from the selected AD containers

  • Select whether to overwrite or replace the security permissions of the category with the corresponding AD OU

  • Save your offline mirror settings as a template file for later use

  • Import an offline mirror template file to reuse previously saved settings

  • Select whether to sync GPO link order between AD and the GP Repository

  • View a summary of your offline mirror wizard selections

  • View the progress of your offline mirror operation

When you run the Offline Mirror wizard, GPA creates a category folder in the GP Repository with the name of the domain from which you are importing GPOs. GPA also creates category folders for each OU within the domain in which to place GPOs. You can configure the wizard to also overwrite or replace the security permissions of the category with the corresponding AD OU. Then, GPA imports all the GPOs into the corresponding category folders in the GP Repository, creating a mirror of the AD hierarchy. Alternatively, you can import all GPOs under a single category folder that you specify in the Offline Mirror wizard.

The Offline Mirror wizard also lets you choose whether to import GPOs that do not have links to any objects in Active Directory. When unlinked GPOs are imported to the GP Repository, they are placed in a category called Domain Name - Unlinked GPOs.

The Offline Mirror wizard places GPOs that are linked to a site in a category called DomainName - Site. Using the wizard, you can import new or updated GPOs from existing domains as well.

NOTE: You must add the domains in the GP Repository corresponding to the Active Directory domains before you run the Offline Mirror wizard.

As part of the offline mirror process, the Offline Mirror wizard determines whether the GPO link order is out of sync between AD and the GP Repository. From the wizard, you can choose to have the offline mirror process synchronize the link order based on AD or on the GP Repository. You can also choose to perform only the link order synchronization. For information on synchronizing the link order between the GP Repository and AD, see Section 5.9, Synchronizing GPOs.

To import GPOs into the GP Repository using the Offline Mirror wizard:

  1. Log on to a GPA Console computer with an account that has the following roles and permissions:

    • GPO Importer role

    • GPO Editor role

    • Create Category

    • Paste GPO Category Link

  2. If the source domain does not exist, add a domain in the GP Repository that corresponds to the Active Directory domain you want to mirror. When adding a new domain name, specify the fully qualified domain name, such as mydomain.company.corp.

  3. Select the domain you created in the GP Repository and click Run Offline Mirror on the Action menu.

  4. Select the target repository, scope, import options, and link order options in the Offline Mirror wizard. If you choose, you can set the offline mirror options by importing an offline mirror template you created previously.

  5. If you plan to use the current Offline Mirror wizard settings for another GPO import, save a template of the settings from the Summary window.

  6. View the status of the offline mirror in progress or access a log of the progress from the Status window. Click Finish when the offline mirror process completes.

    NOTE: Depending on the number of GPOs and the complexity of your domain structure, importing all your GPOs can take some time. You can use the Offline Mirror command-line tool, NetIQ GPA Offline Mirror Wizard.exe (located in the \Bin folder under the product installation path), to run during off-peak hours using a Microsoft Windows scheduled task. For more information about the Offline Mirror command-line tool, see Section A.8.11, Offline Mirror.

    HINT: If the Offline Mirror wizard fails to import all of the child OUs of a top-level OU in a domain, inspect the name of the top-level OU. If the name ends with a backslash (\), the wizard will only import the first child OU of that misnamed OU, and then it will skip all of its remaining child OUs and move on to the next top-level OU.
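
A pre-flight check for the condition described in the HINT above, as an added example that is not part of the GPA product or its documentation. It uses Microsoft's ActiveDirectory PowerShell module to list top-level OUs whose names end with a backslash, along with how many child OUs each one has. The parameter name and the output column names are assumptions of this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not NetIQ code): run before the Offline Mirror wizard.
# Lists top-level OUs whose name ends with a backslash, the condition the
# HINT describes, together with the number of direct child OUs under each.
param(
    # FQDN of the AD domain to be mirrored; defaults to the current domain.
    [string]$Domain = (Get-ADDomain).DNSRoot
)

$root = (Get-ADDomain -Server $Domain).DistinguishedName

# OneLevel limits the search to OUs directly under the domain root.
$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $root `
    -SearchScope OneLevel -Server $Domain

$findings = foreach ($ou in $topLevelOUs) {
    # Name holds the unescaped RDN value, so a trailing backslash is literal.
    if ($ou.Name.EndsWith('\')) {
        $children = @(Get-ADOrganizationalUnit -Filter * `
            -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Server $Domain)
        [pscustomobject]@{
            TopLevelOU        = $ou.Name
            DistinguishedName = $ou.DistinguishedName
            ChildOUs          = $children.Count
            # Per the HINT, only the first child OU is imported.
            ChildOUsAtRisk    = [math]::Max($children.Count - 1, 0)
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Top-level OU names ending in a backslash were found; the wizard skips all but the first child OU of each.'
} else {
    Write-Output "No top-level OU name in $Domain ends with a backslash."
}
```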

5.4.3 Importing a GPO from Backup

GPA enables you to import GPOs from the folder containing backed up GPOs. If you previously backed up GPOs from Active Directory, you can see the list of backed up GPOs.

To import a GPO from backup:

  1. Log on to a GPA Console computer with an account that has permissions to create GPOs.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository to the category level and select the category to which you want to import the backed up GPO.

  4. On the Action menu, click Import GPO from Backup.

  5. On the Import GPO from Backup window, click Browse to select the folder that contains the backed up GPOs.

  6. Click OK.

  7. Select the GPO you want to import from the list of backed up GPOs, and then click OK.