W2K8R2 - A way to convert effective Group Policy settings to import on stand-alone machines for local policy?

If I have a relatively robust domain environment (e.g. 20 Security related Group Policy Objects) applying to my servers as a baseline set of policy settings and I have a stand-alone server that I want to apply those settings to, is there a way to either:

  • Convert the effective settings of a domain-joined computer to a security or POL file so that I can burn and import to a stand-alone machine?
  • Export Group Policy objects from the domain and import them into a stand-alone machine?

The end goal is to quickly and easily make the stand-alone machine tattoo'd with the security policy of the domain so that it's secure(ish) in its stand-alone environment.


I don't think you're going to find a single off-the-shelf tool that will do what you're looking for. The research I've done on this leads me to believe that there is a patchwork of possible half-solutions but nothing that I think is comprehensive.

I'd look at Ashley McGlone's script to copy / merge GPOs as a possible starting point. It appears to only handle Administrative Templates (registry settings), though. The resulting GPO could be copied into the %SystemRoot%\System32\GroupPolicy directory on a standalone client and the Administrative Template portion, at least, will probably work.

You can use the secedit command-line tool to export a domain member computer's security policy. Then you could import it onto standalone machines.

Other Group Policy Client Side Extensions (CSEs), like the Group Policy Preferences tools, Internet Explorer, Scripts, etc., are going to be more difficult. They each had a different configuration file format and "boiling down" the Resultant Set of Policy into a single configuration file is probably going to be difficult.

If you're just looking at registry and security settings this is probably fairly feasible. The more you want to do, though, the harder it's going to be.
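The secedit export/import route mentioned in the answer above, written out as an added example that is not part of the original answer. The script name, its `-Mode` and `-Inf` parameters and the `C:\Temp` paths are assumptions; it covers security settings only, and flags machine- or domain-specific SIDs in the template because those accounts may not exist on the stand-alone target.

```powershell
# Copy-SecurityBaseline.ps1 (hypothetical name) - added example, run elevated.
#   On the domain member:     .\Copy-SecurityBaseline.ps1 -Mode Export
#   On the stand-alone host:  .\Copy-SecurityBaseline.ps1 -Mode Import
param(
    [ValidateSet('Export', 'Import')]
    [string]$Mode = 'Export',
    [string]$Inf  = 'C:\Temp\baseline.inf'   # assumed path; carry this file across
)

$log = [IO.Path]::ChangeExtension($Inf, '.log')
$db  = [IO.Path]::ChangeExtension($Inf, '.sdb')

if ($Mode -eq 'Export') {
    # /mergedpolicy merges domain and local policy security settings,
    # which is the closest secedit gets to the "effective" policy.
    secedit /export /cfg $Inf /mergedpolicy /log $log
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed, see $log" }

    # S-1-5-21-* SIDs belong to one specific machine or domain. Entries that
    # reference them (user rights, restricted groups) need review before the
    # template is applied somewhere those accounts do not exist.
    $hits = Select-String -Path $Inf -Pattern 'S-1-5-21-'
    if ($hits) {
        Write-Warning "Review these entries before importing:"
        $hits | ForEach-Object { "  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
    }
    else {
        "No machine- or domain-specific SIDs found in $Inf"
    }
}
else {
    # Check the template syntax before touching the local policy.
    secedit /validate $Inf
    if ($LASTEXITCODE -ne 0) { throw "Template $Inf did not validate" }

    # Keep a copy of the current local security policy for rollback.
    $backup = [IO.Path]::ChangeExtension($Inf, '.before.inf')
    secedit /export /cfg $backup /log $log

    # Apply the template. /overwrite clears the working database first,
    # /quiet suppresses the confirmation prompt.
    secedit /configure /db $db /cfg $Inf /overwrite /log $log /quiet
    if ($LASTEXITCODE -ne 0) { Write-Warning "secedit reported problems, see $log" }

    # Compare the machine against the template now stored in the database;
    # mismatches are written to the log.
    secedit /analyze /db $db /log $log /quiet
}
```

Administrative Template registry settings and the other CSEs discussed above are not carried by this template and need their own handling.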