Using Powershell to generate Group Policies migration table

Hello World,

A few months ago, we explained how to migrate GPOs between domains. If you remember, when you are performing a migration between domains and you want to migrate Group policies between them, you generally needs to generate a “migration table”. This migration table can be used to translate specific domain information such as user account, computer account or UNC path into equivalent or updated values in the target domain.

The Migration Table

Using the GPMC tool, it’s quite easy to generate the migration table. You open the GPMC Console and locate the node “Group Policy Objects”. If you right-click on the node, you can then see the option open Migration Table Editor

The Migrate table editor will open and you see an empty table. You need to populate your table with information. To populate your table, you click on the Tools menu and you select the option that best fits your needs (populate from GPOs or populate from backup).

After clicking on the Populate option, a dialog box listing all the group policies objects that can be migrated will be displayed. Select the one you want to migrate (or all) and ensure that you have ticked the checkbox at the bottom that will scan the ACL of the GPO’s.

After you’ve completed all these steps, you will have generated a migration table. However, your work is not completed yet. You have indeed to update the table in order to reflect the changes you want to bring. You will most probably need to update the destination column with the value of the target domain.

The process is not complex but requires a lot of small manipulations that can be time consuming or can lead to some errors (typos).

GPO Automation using Powershell

In one of the project I was working on, we needed to migrate more than 1.000 GPO’s. I needed a way to automate the process. The answer came from Powershell.

Using Powershell cmdlet and script, you can easily perform the Backup/Restore of the Group policies. You open a powershell command prompt, load the Grouppolicy module and use the appropriate cmdlet. The backup script would look like this

Import-module GroupPolicy
backup-GPO – All – Path C:\Backup_Of_GPOS

With Powershell cmdlet, you can do a lot of things. The only thing that’s not possible natively with version 2.0 is to generate the migration table. There are no cmdlet or specific parameters for that (or I’vn’t search correctly). The only way I’ve found to automate (using powershell) this task was to call the GPMGMT com object.

Note : There are vbs script that can be used to automate GPO operations. These scripts can be used against a Windows 2008 R2 server. However, I wanted to use exclusevily Powershell scripting language.

I never used the gpmgmt com object. I needed to search for quite a long time before finding some useful information about how to use the object. Finally, I’ve found some information on here (MSDN reference for gpmgmt object) and here (Scripting guy web site)

After some trial and errors, I’ve been able to write a script that would generate the migration table. In order to have the script running, you will need to ensure that

Powershell 2.0 is installed on your computer
GPMC tool is installed on your computer
you have the rights to manage the group policies
you have to be logged into the domain from where you want to generate the migration table.

The Powershell Script

The following powershell script will generate the migration table. It will query the domain and retrieve a list of GPO’s. This script mimics the populate from GPO option available from the GUI. That’s why you need to be logged into the domain.

Here is the script !

Download Script

Download the script

Final Notes

And voila ! Now, you can generate a migration table using a nice little powershell script as long as you have access to the domain. In the coming post, we will demonstrate how you could create a migration table from the backup file. This can be handy in situation where you receive only the GPO backup folder from you customer with no migration table. In a final script, we might want to see if we can also quickly use powershell to update the migration table in order to fit your needs.

Till Next Time

See ya

4 thoughts on “Using Powershell to generate Group Policies migration table”

Chris says:

October 2, 2012 at 3:17 pm

That’s really cool! That would be really useful for something I’m working on. Can you provide the script in clear text rather than a screenshot?
Griffon says:

October 3, 2012 at 6:58 pm

Hello Chris,

I forgot to add the “download link” to the script…I’ll update the post this week and provide the script file

Till next time
See ya
Ron says:

April 25, 2016 at 3:00 pm

Thanks this is GREAT but i am confused on something. How can i restore the GPOs in the test domain with my migration table. Thanks
Griffon says:

April 25, 2016 at 10:17 pm

Hello There,

You simply use import-gpo powershell command and you use the migrationtable option. Obviously, you need to issue the command to loop through all the gpos you have backed up

Hope this help
Till next time
see ya

Griffon's IT Library

Simple IT Library for the rest of us