Announcement

Collapse
No announcement yet.

Copy Windows 7 Standalone GPO to another PC

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Copy Windows 7 Standalone GPO to another PC

    The title says it all.

    I have 15 computers that are all standalone not connected to any domain. They are in 15 different locations if it matters. I spent much time configuring a local computer and local "administrator" and "non-administrator" GPO for one of the computers, and now I'd like to copy it over to the other 14 computers. Is there an easy or good way to do this?

    On the same topic, when I started out I was using the regedits instead of the GPO's so I have all my users with registry edits pushed to them (for example the "NoDrives" D-Word restricting them from accessing the A, B, C and D drives). My question is once I deploy the GPO, will it automatically overwrite the regedits? What takes precendence...a regedit or a GPO?

    Lastly, I made the dumb mistake of pushing these regedits to the DefaultUser registry hive which is the base for all new accounts. So now if I create a new user account and I make him an administrator, he receives by default all of the restrictions that I put in there. How can I get rid of all those registry entries I made and restore it to the default reghive for the DefaultUser?

    Thanks. I love this forum you guys are awesome.

  • #2
    Re: Copy Windows 7 Standalone GPO to another PC

    To answer your first query, see if this helps:
    http://www.frickelsoft.net/blog/?p=31
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: Copy Windows 7 Standalone GPO to another PC

      Originally posted by L4ndy View Post
      To answer your first query, see if this helps:
      http://www.frickelsoft.net/blog/?p=31
      Thanks, however that only copies the local computer and user policy over. I don't have anything in there, I only have a group policy which applies to "administrators" and "non-administrators" and specific users, and I don't know where those are stored.

      Any other ideas?

      Comment


      • #4
        Re: Copy Windows 7 Standalone GPO to another PC

        You know what's interesting? No where on the internet can I find info on transferring/exporting a specific user policy from a standalone machine. It's not like anyone asks about it. Everyone wants to know about the local policy which is non-specific to users and there the answer is as you mentioned above.

        Either way, if anyone can think of anything or if anyone has an answer to the other questions, I would greatly appreciate it.

        Comment


        • #5
          Re: Copy Windows 7 Standalone GPO to another PC

          Since the policies are user specific I think the problem with transferring them is that the SIDs on the other computer will be different and the policies won't apply. I could be wrong but I think your best bet is to recreate them... or get a domain.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: Copy Windows 7 Standalone GPO to another PC

            Originally posted by JeremyW View Post
            Since the policies are user specific I think the problem with transferring them is that the SIDs on the other computer will be different and the policies won't apply. I could be wrong but I think your best bet is to recreate them... or get a domain.
            Ok, I am having someone go through manually to all 15 computers and apply the settings I want. Now back to my original question. What takes precedence...the registry edit or the GPO?

            Also how can I revert the "DefaultUser" registry hive to default?

            Thanks

            Comment


            • #7
              Re: Copy Windows 7 Standalone GPO to another PC

              To reset the default user hive you either need to undo the reg changes you made or, from a vanilla Windows install, export the default user reg and import it to the other workstations.

              As for precedence, the local policy will override the registry setting. Note that they won't overwrite them since policy settings are loaded to a different location in the registry.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

              Comment


              • #8
                Re: Copy Windows 7 Standalone GPO to another PC

                Hello everyone, thanks for your help so far.

                My colleague has successfully found the solution to this issue. Again, the question was how to move local policy's from one Windows 7 PC to another, and my question specifically was how to move the "Non-Administrator" and "Administrator" policy. The issue of moving actual user policies can be resolved with this as well. It's a semi-manual process but at least it does not involve manually changing every single policy you had configured.

                The steps are quite simple. Once you know which directory in the %windir%\system32\grouppolicyusers folder you need, you can just copy all the contents of that folder from one PC to the next. For example, the Administrators policy is in the folder s-1-5-32-544\ and the Non-Administrators policy is in the folder s-1-5-32-544\. To find a specific users policy folder, simply open mmc.exe, add a snap-in with that users GPO, and go to logon scripts and click "Show Files". You will then see the folder for that users policy. Once you are done moving it, just run gpupdate /force and you will see everything reflected when you re-open mmc and the GPO. You *may* need to first create the GPO for admins and non-admins in order for the folders to be created, but once the folder are there you can copy and paste the files from one PC to another.

                Note: I don't know if this copies security settings as I've seen in other places there is another way to do that, but I know it copies all the Administrative Settings for sure, and also seems to copy the IE settings as well.

                For some reason, I can't figure out how to assign a GPO to a group of users (searching for "Windows 7 group GPO" of course brings up everything because the word "group" is in "Group Policy"). If anyone knows how to make a "group" group policy in Windows 7 standalone machines, please let me know.

                If anyone has any questions I can try to help.

                Comment


                • #9
                  Re: Copy Windows 7 Standalone GPO to another PC

                  Originally posted by kingbear2 View Post
                  You *may* need to first create the GPO for admins and non-admins in order for the folders to be created, but once the folder are there you can copy and paste the files from one PC to another.
                  Yes, that is a requirement since the folders will be associated with the SID generated for the specific user.

                  Originally posted by kingbear2 View Post
                  For some reason, I can't figure out how to assign a GPO to a group of users
                  Unfortunately you can't apply it to groups. It's a one-to-one association for the the local user policies.

                  Thanks for posting your solution!
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com

                  Comment


                  • #10
                    Re: Copy Windows 7 Standalone GPO to another PC

                    Originally posted by JeremyW View Post
                    Yes, that is a requirement since the folders will be associated with the SID generated for the specific user.
                    Yes, that is true for the specific users, but is it also true for the "admin" and "non-admin" groups for which the SID is always the same?


                    Originally posted by JeremyW View Post
                    Unfortunately you can't apply it to groups. It's a one-to-one association for the the local user policies.
                    Thanks for clarifying. It would have been perfect had I been able to create groups and redirect desktop and start menu items, but you're saying that group GPO's are not possible on Windows 7 standalone and I'm pretty sure that redirecting folders such as desktop and start menu is also not possible using GPO's in Win 7 standalone.

                    Originally posted by JeremyW View Post
                    Thanks for posting your solution!
                    It was my colleague who came up with it, but you're welcome for posting it! I haven't found this anywhere else on the web (at least not with minimal digging and searching).

                    Comment


                    • #11
                      Re: Copy Windows 7 Standalone GPO to another PC

                      Originally posted by kingbear2 View Post
                      Yes, that is true for the specific users, but is it also true for the "admin" and "non-admin" groups for which the SID is always the same?
                      You should be able to copy the admin and non-admin policies over since their folders don't change from machine to machine.

                      Originally posted by kingbear2 View Post
                      ... I'm pretty sure that redirecting folders such as desktop and start menu is also not possible using GPO's in Win 7 standalone.
                      Correct but you can use the registry to do it though.
                      Regards,
                      Jeremy

                      Network Consultant/Engineer
                      Baltimore - Washington area and beyond
                      www.gma-cpa.com

                      Comment

                      Working...
                      X