You can create GPOs in the GP Repository in the following ways:
Create a new GPO directly in the GP Repository
Import a GPO in an AD domain into the GP Repository
Import all GPOs linked to any AD container in an AD domain into the GP Repository (also called creating an Offline Mirror)
Import a GPO from backup
Copy and paste an existing GP Repository GPO
You can create GPOs in any category or sub‑category in the GP Repository.
NOTE:If you use the Export Only account to export GPOs and you did not add the Export Only account to the Domain Admins group, every time you create a GPO in the GP Repository you must modify the GPO to grant the Export Only account all permissions except Apply Group Policy and All Extended Rights.
To create a GPO:
Log on to a GPA Console computer with an account that has permissions to create GPOs.
Start the GPA Console in the Group Policy Administrator program group.
In the left pane, expand GP Repository and select the category where you want to create the GPO.
On the Action menu, click New > GPO.
Specify the name of the new GPO, and then click OK.
The new GPO has the following attributes:
It has a new Globally Unique ID (GUID)
None of the policy settings are defined
The GPO revision number is set to 0 for both Computer and User
The GP Repository version number of the GPO is set to 1
The GPO is not linked to any Active Directory domain, OU, or site
The security filters on the GPO are the same default accounts and permissions set for GPOs you create in Active Directory
To view a report on the GPO settings of the newly created GPO, click the Settings tab in the right pane. To view a report on the status of security and integrity checks of the GPO, click the Health Check tab in the right pane.
You can create a new GPO from an existing GP Repository GPO by using the copy and paste feature. The GP Repository offers several ways to copy and paste a GPO based on the location where you initiate the paste operation:
Copy and paste a GPO from a category.
Copy and paste a GPO link.
When you perform a copy and paste operation on a category, GPA pastes the settings in the latest version of the copied GPO into a newly‑created GPO. The new GPO has the same name, GPO settings, security filters, and links to the same Active Directory objects as the original GPO. However, it has a different GUID and its GP Repository version number is always set to 1, irrespective of the version number of the copied GPO.
The same GPO can exist under more than one category in the GP Repository. The GPO appears in multiple categories because it is linked to those locations. Linking GPOs is useful when organizations have developed exceptionally large GPOs containing functionality that needs to be classified under more than one category.
Copying a GPO link is similar to copying a GPO. However, when you paste a GPO link, only one copy of the GPO exists in the GP Repository.
To copy and paste a GPO from a category or GPO link:
Log on to a GPA Console computer with an account that has permissions to create GPOs.
Start the GPA Console in the Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to copy.
On the Action menu, click Copy.
Select the category under which you would like to create a copy of this GPO.
On the Action menu, click Paste as New GPO or All Tasks > Paste GPO Link.
Click OK.
GPA creates the new GPO with the same name under the selected category. Even though the two GPOs have the same name, they have different GUIDs and version numbers. To change the name of the new GPO you need to first check it out of the GP Repository. For more information, see Section 5.5, Modifying GPOs.
When you import GPOs from Active Directory into the GP Repository, you do not import the link order. If you import a linked GPO to a GP Repository that already contains a set of GPOs linked to the same site, domain, or OU, GPA lists the imported GPO at the bottom of the offline link order list. GPA does not change the existing link order of GPOs in the GP Repository. For more information about importing a GPO into the GP Repository, see Section 5.4.1, Importing an Active Directory GPO.
GPA lets you update GPO link order from several places:
When you import all GPOs into the GP Repository
When modifying links in GPOs already in the GP Repository
When exporting GPOs to Active Directory
When modifying links in Active Directory GPOs
When you import all GPOs from Active Directory into a fresh installation of the GP Repository using the Offline Mirror wizard, GPA imports GPOs linked to the domain, site, or OU in Active Directory. If you choose the Sync Link Order option, the wizard synchronizes GPO link order in the GP Repository. You can tell the wizard to use AD or the existing GP Repository link order as the basis for ordering links. For more information about importing all GPOs from Active Directory and synchronizing link order using the Offline Mirror wizard, see Section 5.4.2, Importing All GPOs Linked to Any AD Container in an AD Domain (Creating an Offline Mirror).
When you export GPOs to Active Directory, the resulting link order depends on whether you configure GPA to retain the existing link order in Active Directory or overwrite it with the link order you defined in the GP Repository.
If you configure Group Policy Administrator to retain the Active Directory link order by enabling the Retain Existing AD Link Order upon Export and for RSoP Reports option on the GP Repository Custom Options property window, and then export a GPO, Group Policy Administrator applies the link order specified in Active Directory to the GPO. If no link order is specified in Active Directory, Group Policy Administrator creates a link for the GPO and moves it to the bottom of the list (lowest precedence).
By default, Group Policy Administrator is not configured to retain the existing Active Directory link order. If you use the default setting, and then export a GPO, Group Policy Administrator overwrites the link order in Active Directory with the link order in the GP Repository according to the scenarios illustrated in the following table.
|
Export Scenario |
Description |
|
Same GPO to Active Directory |
When you export a GPO from the GP Repository to Active Directory, if Active Directory already contains the same GPO, the GPO link order you have defined in the GP Repository overrides the GPO link order in Active Directory. |
|
New GPO to Active Directory |
When you export a new GPO from the GP Repository to Active Directory, Active Directory lists the exported GPO at the top of the link order. You may have a scenario where one set of GPOs in Active Directory are linked to a site, domain, or OU and a different set of GPOs in the GP Repository are linked to the same site, domain, or OU. When you export a GPO, Active Directory lists the exported GPO at the top of the link order even if there are GPOs in the GP Repository that are at a higher link order than the exported GPO. For example, suppose there are three GPOs in the GP Repository (A, B, and C) that are linked to an OU (Z) and three GPOs (D, E, and F) in Active Directory that are linked to the same OU (Z). If you export GPO C from the GP Repository to Active Directory, Active Directory lists GPO C at the top of the link order. |
|
GPO with lower link order to Active Directory |
You may have a scenario where one or more GPOs in both the GP Repository and Active Directory are linked to the same site, domain, or OU. If you export any GPO other than the first GPO in the link order list, Active Directory lists the exported GPO above all GPOs in Active Directory that do not exist in the GP Repository. For example, suppose there are three GPOs in the GP Repository (A, B, and C) that share the same link order as three GPOs (D, E, and F) in Active Directory. When you export GPO B from the GP Repository to Active Directory, Active Directory lists GPO B before GPO D. If you export GPO C to Active Directory, Active Directory lists GPO C after GPO B and before GPO D. |
|
GPO with higher link order to Active Directory |
You may have a scenario where one or more GPOs in both the GP Repository and Active Directory are linked to the same site, domain, or OU. If you export any GPO that has a higher link order than GPOs that exist in both the GP Repository and in Active Directory, Active Directory lists the exported GPO above these GPOs in the link order. For example, suppose there are three GPOs (A, B, and C) in the GP Repository that share the same link order as three GPOs (D, E, and F) in Active Directory. When you export GPO B from the GP Repository to Active Directory, Active Directory lists GPO B at the top of the Active Directory link order. If you then export GPO A from the GP Repository to Active Directory, Active Directory lists GPO A above GPO B in the link order. |
For more information about exporting a GPO from the GP Repository, see Section 5.8.5, Exporting GPOs to AD Domains.
GPA allows you to use the GP Repository to define the link order of GPOs for sites, domains, and OUs.
HINT:You do not need to check out the GPO before editing its link order.
Also, to ensure that the GP Repository link order is included with GPOs upon export and in RSoP reports, do not configure GPA to retain the existing Active Directory link order. For more information, see Section 5.3.3, Managing GPO Link Order.
To modify the GPO link order:
Log on to a GPA Console computer with an account that has permissions to modify GPO settings.
Start the GPA Console in the Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to modify.
On the Action menu in the Group Policy Administrator Console, click Properties.
On the AD Links tab select the site, domain, or OU for which you want to modify the link order.
Click Edit.
In the Link Options window, select the GPO and click Up or Down to change the order of the GPO in the link order list.
Click OK.