Group Policy/PowerShell: Copy-GPO Doesn't Migrate all DACLs?

Hi All -

I haven't found a solution or official MS resource that describes whether or not the following is supported:

ISSUE: 

When copying a GPO from one production (child) domain to another (child) domain using Copy-GPO and a migration table, certain DACLs are not transformed and no errors are present.

HOW TO REPRODUCE:

1.  On Child Domain DEATHSTAR, there is an "EMET Settings" GPO that contains specific EMET configuration settings that need to be present on all the child domains in the forest.  Additionally, the EMET Settings GPO security (Delegation tab) shows all Group Policy default permissions plus one additional item:  DEATHSTAR\EMET Collector Server = Allow - Read and Deny - Apply Group Policy.  The reason is because the GPO is linked to an OU where all the settings need to be applied to all member computers EXCEPT the EMET Collector Server.

2.  Using PowerShell (version 2.0) from a DEATHSTAR Domain Controller, I type the following:

Copy-GPO -SourceName "EMET Settings" -SourceDomain deathstar.empire.local -TargetName "EMET Settings" -TargetDomain coruscant.empire.local -MigrationTable "c:\users\vader\desktop\emet-collector.migtable" -SourceDomainController deathstar-dc01 -TargetDomainController coruscant-dc01

Outside of the default GPO permissions (such as ENTERPRISE DOMAIN CONTROLLERS, Enterprise Admins, etc. that don't require a domain-specific migration path), there are only two items that are in the migration table:

a) DEATHSTAR\Domain Admins is mapped to CORUSCANT\Domain Admins

b) DEATHSTAR\EMET Collector Server (which is a Global Security Group containing the computer object of the EMET collector server) is supposed to be mapped to CORUSCANT\EMET Collector Server (which contains the EMET collector server in that domain)

RESULT:

DEATHSTAR\Domain Admins is properly "migrated" to CORUSCANT\Domain Admins, but DEATHSTAR\EMET Collector Server is not migrated and doesn't even appear on the target domain GPO.

OTHER MITIGATIONS:

1.  The Migration Table was made from GPMC.
2.  I also attempted to run the Copy-GPO cmdlet with a combination of the following arguments:

-CopyAcl and -MigrationTable = No change (results identical to above)
-CopyAcl only = Copies the source domain DACLs (including the DEATHSTAR\EMET Collector Server permission) to the target domain and no migration is performed (expected result)

3.  Same result with other GPOs and other items in a migration table

4.  Using GPMC, I can copy the GPO and the migration table is "honored" meaning that both objects that I'm attempting to "transform" are migrated properly from the source domain to the target domain.  I'm really hoping to script the action with PoSH instead of going through the GPMC copy wizard over-and-over.

Is that "expected" behavior for the copy-gpo cmdlet, is it a possible bug, is there another (supported) way to accomplish the same result with PoSH, and/or should this question be in the PowerShell forum instead?

Thanks!



S. Oxford MCT, MCSE, MCSA (Security + Exchange), MCP (SMS 2003), CCNP, CCNA, Security+, Server+, Network+, A+
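An added post-copy check, not part of the original post and not Microsoft's code, that catches the silently dropped entry described above: it reads both GPOs' DACLs with Get-GPPermission, applies the same trustee mapping the migration table expresses (assumed here as a hashtable), and reports ACEs present on the source GPO but absent on the target. Domain, server and group names are taken from the post; the mapping hashtable and function names are this example's own.

```powershell
Import-Module GroupPolicy

# Constructed for this example: mirrors the two rows of the migration table
# from the post. Hashtable keys are case-insensitive in PowerShell.
$TrusteeMap = @{
    'DEATHSTAR\Domain Admins'         = 'CORUSCANT\Domain Admins'
    'DEATHSTAR\EMET Collector Server' = 'CORUSCANT\EMET Collector Server'
}

# Flatten a GPO's DACL into comparable "Trustee|Permission|Allow/Deny" keys,
# translating source trustees through the mapping when one is supplied.
function Get-GpoAceKeys {
    param([string]$Name, [string]$Domain, [string]$Server, [hashtable]$Map)
    $keys = @()
    $aces = Get-GPPermission -Name $Name -All -DomainName $Domain -Server $Server
    foreach ($ace in $aces) {
        # Well-known trustees (e.g. NT AUTHORITY\Authenticated Users) may carry
        # no domain; those compare equal across domains without mapping.
        if ($ace.Trustee.Domain) {
            $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        } else {
            $trustee = $ace.Trustee.Name
        }
        if ($Map -and $Map.ContainsKey($trustee)) { $trustee = $Map[$trustee] }
        $kind = 'Allow'
        if ($ace.Denied) { $kind = 'Deny' }   # Deny - Apply Group Policy shows up here
        $keys += ('{0}|{1}|{2}' -f $trustee, $ace.Permission, $kind)
    }
    return $keys
}

# Compare source (mapped) against target (as-is) and report the difference.
function Compare-GpoDacl {
    param([string]$Name, [string]$SourceDomain, [string]$SourceServer,
          [string]$TargetDomain, [string]$TargetServer, [hashtable]$Map)
    $src = Get-GpoAceKeys -Name $Name -Domain $SourceDomain -Server $SourceServer -Map $Map
    $dst = Get-GpoAceKeys -Name $Name -Domain $TargetDomain -Server $TargetServer -Map @{}
    $missing = @($src | Where-Object { $dst -notcontains $_ })
    $extra   = @($dst | Where-Object { $src -notcontains $_ })
    New-Object PSObject -Property @{ Missing = $missing; Unexpected = $extra }
}

$report = Compare-GpoDacl -Name 'EMET Settings' `
    -SourceDomain 'deathstar.empire.local' -SourceServer 'deathstar-dc01' `
    -TargetDomain 'coruscant.empire.local' -TargetServer 'coruscant-dc01' -Map $TrusteeMap
if ($report.Missing.Count -gt 0) {
    Write-Warning 'ACEs on the source GPO that did not reach the target (the Deny - Apply entry would be listed here):'
    $report.Missing
}
```

Run it right after Copy-GPO from the same session; a non-empty Missing list is the signal to re-apply the dropped entry (or fall back to the GPMC wizard) before linking the target GPO.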
