1
00:00:00,120 --> 00:00:00,600
Okay.

2
00:00:00,750 --> 00:00:04,320
I'm going to look at two scenarios that use the import feature.

3
00:00:05,310 --> 00:00:08,670
The first is the scenario of the deleted GPO.

4
00:00:09,590 --> 00:00:15,320
You'll remember from earlier in this module, I created this kiosk user settings GPO.

5
00:00:16,200 --> 00:00:21,300
And made a back up of it and showed you how you can use backup and restore to roll back the settings

6
00:00:21,300 --> 00:00:23,130
in the GPO once they've changed.

7
00:00:24,120 --> 00:00:26,790
I'm going to go ahead and delete the GPO now.

8
00:00:26,910 --> 00:00:29,790
So kiosk user settings is going to go away.

9
00:00:30,720 --> 00:00:36,570
And I'm going to come back in here and I'm going to create a new GPO because, hey, I really want kiosk

10
00:00:36,570 --> 00:00:38,520
users settings back in my domain.

11
00:00:39,510 --> 00:00:44,940
So I'm going to go ahead and create a new GPO called Kiosk User Settings, and I'm going to click.

12
00:00:44,940 --> 00:00:45,510
Okay.

13
00:00:46,420 --> 00:00:51,670
And now that that new GPO is there, you'll see it's got no version number, which means there's no

14
00:00:51,670 --> 00:00:52,930
settings in it at all.

15
00:00:53,920 --> 00:00:56,770
I'm going to go ahead and say import settings.

16
00:00:57,740 --> 00:01:00,350
And I'm going to run through the import wizard.

17
00:01:01,290 --> 00:01:05,040
And it lets me, if I want to, I can back up this GPL.

18
00:01:05,950 --> 00:01:12,190
Because essentially what import is going to do is completely wipe out the existing GPO and rewrite it

19
00:01:12,190 --> 00:01:14,140
with the settings that are in the backup.

20
00:01:15,090 --> 00:01:20,700
Well, since there's no settings in this GPO because I just created it, I don't need to back it up.

21
00:01:21,660 --> 00:01:25,080
I can tell it the backup folder where my backup exists.

22
00:01:26,060 --> 00:01:29,960
And if I go into the backup folder, I'll see all of my backups.

23
00:01:30,940 --> 00:01:33,790
And here's my kiosk user settings back up.

24
00:01:34,770 --> 00:01:37,470
So now I'm going to go ahead and click next.

25
00:01:37,470 --> 00:01:40,410
And lo and behold, my GPO is now restored.

26
00:01:41,380 --> 00:01:45,310
You'll notice the user version and the computer version increment.

27
00:01:46,370 --> 00:01:50,180
So I've got I can prove that my GPO has been restored.

28
00:01:51,150 --> 00:01:57,660
What's interesting is that I don't get the original grid of the GPO or unique ID of the GPO back.

29
00:01:58,640 --> 00:02:01,130
I still have the good of the new GPO.

30
00:02:02,090 --> 00:02:05,390
The other thing to note is that when you delete a GPO.

31
00:02:06,290 --> 00:02:12,650
Any containers or use domains or sites that that GPO is linked to, those links are removed.

32
00:02:13,630 --> 00:02:19,690
So even though I've recreated the GPO and restored it from a backup using import, none of the links

33
00:02:19,690 --> 00:02:22,120
that were in place for this GPO are there.

34
00:02:23,100 --> 00:02:26,340
So you're going to have to recreate those links manually.

35
00:02:27,310 --> 00:02:30,250
But let's go in and look at the settings report.

36
00:02:31,190 --> 00:02:32,150
And you'll see that.

37
00:02:32,270 --> 00:02:38,090
Sure enough, all of my settings that were in that original kiosk user settings, GPO are back.

38
00:02:39,080 --> 00:02:42,830
So I've essentially used import to recreate this policy.

39
00:02:43,780 --> 00:02:46,660
And that's a key feature of the import function.

40
00:02:47,610 --> 00:02:53,370
Now what I want to do is show you the use of an import for bringing a GPO from one domain to the other.

41
00:02:54,360 --> 00:02:59,670
So I'm going to go ahead and create a new GPO and I'm going to call it user rights policy.

42
00:03:00,600 --> 00:03:02,490
And I'll show you why in a second.

43
00:03:03,470 --> 00:03:06,650
This user rights policy is going to get created.

44
00:03:07,630 --> 00:03:13,750
Now what I want to do is I want to go up to the group policy objects container right click and say Open

45
00:03:13,750 --> 00:03:15,250
Migration Table Editor.

46
00:03:16,190 --> 00:03:18,590
And now I've got a new migration table.

47
00:03:19,550 --> 00:03:26,180
Remember I talked about migration tables as the thing that you can use to map basically security principles

48
00:03:26,180 --> 00:03:27,560
and USC paths.

49
00:03:28,540 --> 00:03:29,540
From a backup.

50
00:03:29,560 --> 00:03:34,180
A GPIO backup or even a life GPIO from one domain to the other.

51
00:03:35,120 --> 00:03:39,050
And what I'm going to do is I'm going to say populate from back up.

52
00:03:39,990 --> 00:03:44,010
And I'm going to point out that a GPO that I've got from a foreign domain.

53
00:03:44,950 --> 00:03:48,280
We'll call this my test domain at sea panel icon.

54
00:03:49,220 --> 00:03:52,130
I'm going to go ahead and point at that GPO.

55
00:03:53,010 --> 00:03:54,270
And I'm going to say.

56
00:03:54,300 --> 00:03:54,930
Okay.

57
00:03:55,830 --> 00:04:02,520
And now what it does is it identifies all of the security principles in that source GPO and lets me

58
00:04:02,520 --> 00:04:03,060
not them.

59
00:04:03,940 --> 00:04:07,300
And actually what I want to do is I want to do that again.

60
00:04:07,450 --> 00:04:09,430
And I want to show you some other option.

61
00:04:10,380 --> 00:04:16,170
You'll see this option down here that says during scan includes security principles from the decal on

62
00:04:16,170 --> 00:04:17,070
the GPO.

63
00:04:17,970 --> 00:04:21,660
The decal is the security filter on the GPO.

64
00:04:22,560 --> 00:04:26,190
So that's the delegation that's in place on that GPO.

65
00:04:27,070 --> 00:04:30,970
And you can translate or migrate those security principles.

66
00:04:31,970 --> 00:04:38,210
Just as easily as those groups or security principles that exist within settings inside the GPO.

67
00:04:39,110 --> 00:04:41,780
So I'm going to go ahead and include those.

68
00:04:42,740 --> 00:04:45,920
And you'll notice that my list suddenly got a lot longer.

69
00:04:46,930 --> 00:04:52,030
So when you'll notice that now groups like Enterprise and Domain Admins, GPO admins.

70
00:04:53,020 --> 00:04:55,930
All have come across as being part of that backup.

71
00:04:56,890 --> 00:05:01,720
Now what I want to do is I want to map these for the destination domain.

72
00:05:02,650 --> 00:05:06,210
So I'm going to right click in this destination domain cell.

73
00:05:06,220 --> 00:05:07,660
And I have three options.

74
00:05:08,630 --> 00:05:12,280
I can either say no destination, which means that it's not.

75
00:05:12,290 --> 00:05:14,990
It's just going to drop that security principle.

76
00:05:15,970 --> 00:05:19,930
Wherever it exists when it's bringing the GPO back up over.

77
00:05:20,960 --> 00:05:25,040
Not by relative name, which means leave out the domain part of that.

78
00:05:25,990 --> 00:05:29,710
And just translate from in this case, enterprise admins at C Pond.

79
00:05:29,860 --> 00:05:34,960
Welcome to enterprise admins that are to test TLD, which is what I'm going to do.

80
00:05:35,830 --> 00:05:36,730
And I can do that.

81
00:05:36,730 --> 00:05:41,440
The same for the Domain Admins group because it exists in my destination domain.

82
00:05:42,350 --> 00:05:44,570
And same as sauce for everyone.

83
00:05:45,530 --> 00:05:46,820
For marketing users.

84
00:05:46,820 --> 00:05:52,220
I'm going to go ahead and say map by relative name because I'll have a marketing user's name and my

85
00:05:52,220 --> 00:05:53,450
destination domain.

86
00:05:54,410 --> 00:06:00,830
Now I don't have a GPO admins group in my destination domain, so I'm going to say no destination.

87
00:06:01,750 --> 00:06:06,040
In other words, drop that group from the GPO as I bring it over.

88
00:06:07,020 --> 00:06:09,420
Administrators, same as source.

89
00:06:10,450 --> 00:06:16,480
Sales users, I'm going to say map by relative name and authenticated users, same as source.

90
00:06:17,510 --> 00:06:19,850
So now I've got my migration table.

91
00:06:20,860 --> 00:06:23,860
I'm going to go ahead and save that migration table.

92
00:06:24,800 --> 00:06:30,640
And I'll go ahead and save it as user rights and it gets saved with a dot m i g table extension.

93
00:06:30,650 --> 00:06:32,510
Saved it in my documents folder.

94
00:06:33,480 --> 00:06:37,530
And now let's go back to that user rights GPO that I just created.

95
00:06:38,450 --> 00:06:40,280
And I'm going to say import.

96
00:06:41,270 --> 00:06:42,080
Click next.

97
00:06:42,230 --> 00:06:43,730
Click next again.

98
00:06:43,850 --> 00:06:45,560
Click next into the back up.

99
00:06:46,460 --> 00:06:48,950
And go down to my user rights back up.

100
00:06:49,880 --> 00:06:54,860
And I can, you know, view settings on this to see what settings are in this GPO.

101
00:06:55,780 --> 00:07:00,850
And you'll notice I have a bunch of user rights assignments and there are those groups that you saw

102
00:07:00,850 --> 00:07:02,740
the migration table pick up on.

103
00:07:03,610 --> 00:07:09,490
And if I go into delegation, you'll see this is why it picked up on domain admins, enterprise admins,

104
00:07:09,580 --> 00:07:11,620
GPO admins, etc..

105
00:07:12,630 --> 00:07:16,530
So I've got that GPO, that backup that I'm interested in.

106
00:07:17,470 --> 00:07:19,030
I'm going to click next.

107
00:07:19,990 --> 00:07:23,050
And it's going to scan for security principles.

108
00:07:24,050 --> 00:07:30,470
And you'll get it, says the backup references to security principals and or USC paths specify how they

109
00:07:30,480 --> 00:07:31,430
should transfer.

110
00:07:32,440 --> 00:07:36,850
So I'm going to click next and I'm going to say, use the migration table.

111
00:07:37,800 --> 00:07:39,810
And it found my migration table.

112
00:07:39,810 --> 00:07:41,010
But I just created.

113
00:07:41,980 --> 00:07:44,430
You can browse to another one if you want.

114
00:07:45,420 --> 00:07:49,770
It also gives you the option to say use the migration table exclusively.

115
00:07:50,740 --> 00:07:56,950
So if any security principles or U.N. paths are not found in the migration table, do not perform the

116
00:07:56,950 --> 00:07:57,460
import.

117
00:07:58,440 --> 00:08:01,020
In other words, just stop the import.

118
00:08:02,020 --> 00:08:03,250
We don't want to do that.

119
00:08:03,400 --> 00:08:07,200
We're just going to go ahead and drop those principles that we don't map.

120
00:08:08,130 --> 00:08:10,650
And I'm going to go ahead and click Finish.

121
00:08:11,620 --> 00:08:17,620
And it succeeded in bringing in that new GPO or that backup from my other domain into the user rights

122
00:08:17,620 --> 00:08:18,310
policy.

123
00:08:19,240 --> 00:08:21,640
And now you'll see under local rights.

124
00:08:22,640 --> 00:08:28,970
User local policies, user rights assignment that had mapped the C panel marketing users and C panel

125
00:08:28,970 --> 00:08:31,400
sales users to the user to test domain.

126
00:08:32,370 --> 00:08:33,930
So it made that change.

127
00:08:34,870 --> 00:08:40,990
And if I look at delegation, you'll see that it picked up domain admins and enterprise admins and authenticated

128
00:08:40,990 --> 00:08:42,850
users just fine as well.

129
00:08:43,850 --> 00:08:49,880
So all of the security principles have essentially been migrated from the test domain to this new production

130
00:08:49,880 --> 00:08:50,450
domain.