5.8 Exporting GPOs

To see the effect of the GPO changes in Active Directory, you need to export the GPO from the GP Repository. Before exporting a GPO into Active Directory, you can back up the Active Directory version of the GPO. GPOs are available for export only after they have been approved. Ensure that the GP Repository has been synchronized with the latest Active Directory structure before exporting GPOs.

5.8.1 Previewing GPO Export

You can preview a GPO export to check whether the GPO can be exported without errors. During the preview, GPA performs a health check that detects common errors and offers potential solutions for them. The checks include permissions in Active Directory or the GP Repository and whether specific features and services are enabled or running.

When you preview a GPO export, you see a report that details each item checked and the status of the check. You can also begin the export operation or schedule it for later from this window.

5.8.2 Backing Up GPOs Prior to Export

You have the option to back up Active Directory versions of GPOs before you export the GP Repository version of the GPO into Active Directory. If you configure the GP Repository to back up Active Directory GPOs prior to export, the GP Repository creates a backup copy of any Active Directory GPOs that it overwrites during an export and stores the backup copy in a system category called Backup. GPA creates this category the first time a GPO overwrite occurs during export. For more information about configuring the GP Repository to back up Active Directory GPOs, see GPO Backup Options.

To restore a GPO from the Backup category into Active Directory, you must approve the GPO and export it to Active Directory in the same manner as other GPOs in the GP Repository. The only actions available for GPOs in the Backup category are approve and export; you cannot check out or roll back these GPOs. GPA maintains only the latest version of live GPOs in the Backup category.

5.8.3 Managing GPOs for Export

By default, GPOs you create or modify in the GP Repository are unapproved and you need to approve these GPOs before you can export them to Active Directory. GPA users with GPO editing permissions can send GPOs for approval. GPA users with approval permissions can approve or reject GPOs for export. For more information about GPA security, see Section 4.1, Understanding the GPA User Security Model.

GPA users with approval permissions can also return approved GPOs to an unapproved status. Setting a GPO to a status of Unapproved prevents the GPO from being exported to Active Directory.

To manage a GPO export to an Active Directory domain:

  1. Log on to a GPA Console computer with an account that has permissions to approve or unapprove GPOs.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository through the category level to the GPO you want to approve or unapprove.

  4. Select the GPO you want to approve or unapprove.

  5. On the Action menu, choose one of the following options:

    • To send a GPO for approval, click Send for Approval.

    • To reject a GPO version, click Reject GPO.

    • To approve a GPO for export, click Approve Version.

    • To unapprove a GPO for export, click Unapprove Version.

  6. To confirm the approval or unapproval, click Yes.

5.8.4 Synchronizing GPOs with AD Before Export

You can link GPOs in the GP Repository to Active Directory container objects such as sites, domains, and OUs. However, if you rename, move, or delete one of these Active Directory container objects, the export process no longer links the exported GPO from the GP Repository to Active Directory, because the corresponding container object in the GP Repository retains the previous name. To correctly export a linked GPO from the GP Repository, you need to first synchronize the GP Repository with Active Directory.

To synchronize the GP Repository with Active Directory:

  1. Log on to the GPA Console computer with an account that has GPA Security or GPO Editor permissions.

  2. Start the GPA Console in the Group Policy Administrator program folder.

  3. In the left pane, click Group Policy Administrator and select the domain.

  4. On the Action menu, click Properties.

  5. Click Sync with AD on the GPO Link Scope tab of the domain Properties dialog box.

    NOTE: Clicking Sync with AD clears an OU from the GP Repository if the OU has been deleted from Active Directory. This action removes the OU link from the GPOs present in the Repository.

  6. Click OK.

5.8.5 Exporting GPOs to AD Domains

Exporting GPOs is the process of moving GPOs from the GP Repository into your Active Directory environment. When you export a GPO into Active Directory, a copy remains in the GP Repository. You can export GPOs into Active Directory in both trusted and untrusted domains.

To export to an untrusted domain, you need to configure the GPA Console to use an Export Only account for that domain. You also need to ensure the domain controller name of the untrusted domain is in the DNS format. For example, if the domain controller name is corp001 and the untrusted domain name is mycompany.com, the DNS name should be corp001.mycompany.com. You also have the option to use an Export Only account for trusted domains. For more information about configuring domains to use an Export Only account, see Section 2.4.2, Creating the Export Only Account.

NOTE: If you did not add the Export Only account to the Domain Admins group and if you are exporting a GPO you created in the GP Repository, ensure you modify the GPO to grant the Export Only account all permissions except Apply Group Policy and All Extended Rights.

To export a GPO from the GP Repository into Active Directory:

  1. Log on to the GPA Console computer with an account that has permissions to export GPOs and is a member of the local Administrators group.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository to the level of the GPO you want to export, and then select the GPO.

  4. On the Action menu, click Export to AD.

  5. Click Yes.

  6. If the GPO already exists in Active Directory, click Yes to overwrite it.

  7. Type a comment about the export, and then click OK.

On successful completion of the export operation, GPA creates the latest version of the GP Repository GPO in Active Directory. If the GP Repository GPO has links to Active Directory objects, the exported GPO has the same links to Active Directory objects, such as domains, OUs, and sites. The link order is exported, too, unless you configure GPA to use the Active Directory link order instead of the link order you configure in the GP Repository. The exported GPO also maintains the same security filters as those of the GPO in the GP Repository. The export increments the Active Directory revision number of the GPO by 1, or sets the version number to 1 if the GPO was not present in Active Directory previously. Exporting does not change the GP Repository GPO version number.
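One way to confirm this outcome from the Active Directory side, as an added example that is not part of the GPA product or its documentation: it uses Microsoft's GroupPolicy PowerShell module against the current user's domain and treats trustees holding Apply Group Policy as the security filter. The function names and the GPO name 'Workstation Baseline' are constructed for illustration, and because the page does not say how the revision number maps to the user and computer versions, both deltas are reported.

```powershell
# Added example: Microsoft GroupPolicy (RSAT) module, not GPA tooling.
Import-Module GroupPolicy

function Get-GpoAdSnapshot {
    param([Parameter(Mandatory)][string]$GpoName)
    # A GPO that has never been exported does not exist in AD yet.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        return [pscustomobject]@{ Exists = $false; UserDSVersion = 0; ComputerDSVersion = 0
                                  Links = @(); ApplyTrustees = @() }
    }
    # Links are exposed through the XML report as LinksTo elements.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } |
        ForEach-Object { '{0} (enabled={1}, enforced={2})' -f $_.SOMPath, $_.Enabled, $_.NoOverride } |
        Sort-Object)
    # Security filtering = trustees that hold Apply Group Policy.
    $apply = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { if ($_.Trustee.Name) { $_.Trustee.Name } else { $_.Trustee.Sid.Value } } |
        Sort-Object)
    [pscustomobject]@{
        Exists            = $true
        UserDSVersion     = $gpo.User.DSVersion
        ComputerDSVersion = $gpo.Computer.DSVersion
        Links             = $links
        ApplyTrustees     = $apply
    }
}

function Compare-GpoAdSnapshot {
    param($Before, $After)
    [pscustomobject]@{
        CreatedByExport      = (-not $Before.Exists) -and $After.Exists
        UserVersionDelta     = $After.UserDSVersion - $Before.UserDSVersion
        ComputerVersionDelta = $After.ComputerDSVersion - $Before.ComputerDSVersion
        LinksAdded           = @($After.Links | Where-Object { $_ -notin $Before.Links })
        LinksRemoved         = @($Before.Links | Where-Object { $_ -notin $After.Links })
        ApplyAdded           = @($After.ApplyTrustees | Where-Object { $_ -notin $Before.ApplyTrustees })
        ApplyRemoved         = @($Before.ApplyTrustees | Where-Object { $_ -notin $After.ApplyTrustees })
    }
}

# 'Workstation Baseline' is a constructed GPO name.
$before = Get-GpoAdSnapshot -GpoName 'Workstation Baseline'
Read-Host 'Run Export to AD in the GPA Console, then press Enter' | Out-Null
$after = Get-GpoAdSnapshot -GpoName 'Workstation Baseline'
Compare-GpoAdSnapshot -Before $before -After $after | Format-List
```

Compare the reported links and Apply Group Policy trustees with the version that was approved in the GP Repository; an added link or trustee that nobody approved is worth reviewing before the next export.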

5.8.6 Scheduling GPOs for Export

The Scheduled GPO Export wizard enables you to identify GPOs you want to export to Active Directory and schedule a Microsoft Windows task to perform the export at a specified time. This wizard is useful when you need to export a large number of GPOs at one time or export GPOs after normal business hours. For example, after running a GPO synchronization, you may determine that you have several GPOs you need to export to ensure the consistency of the GPO throughout your Active Directory environment. You can use the wizard to schedule these GPOs for export at a particular time. For more information about GPO synchronization, see Section 5.9, Synchronizing GPOs.

To schedule GPOs for export using the Scheduled GPO Export wizard:

  1. Log on to a GPA Console computer with an account that has permissions to export GPOs.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then select the GP Repository.

  4. On the Action menu, select Schedule GPOs for Export.

  5. Follow the instructions until you have finished scheduling GPOs for export.

    NOTE: The Scheduled GPO Export wizard gives you the option to create an export batch file without creating a Microsoft Windows task to run the batch file. You can then run the batch file yourself at another time or return to the wizard and schedule a Microsoft Windows task to run the batch file when you are ready.

For more information about running the Export batch file, see The Export Batch File.