deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
b5101b1fbd75f538e7af22d78524ea3b5335c587
windows-itpro-docs/windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
Paolo Matarazzo c97fbd8ea8 resolved conflicts
2023-05-24 16:42:58 -04:00

2.5 KiB
Raw Blame History

title, description, ms.prod, ms.topic, ms.date
title description ms.prod ms.topic ms.date
Copy a GPO to Create a New GPO Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. windows-client conceptual 09/07/2021

Copy a GPO to Create a New GPO

To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.

Administrative credentials

To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs.

To make a copy of a GPO

  1. Open the Group Policy Management console.

  2. In the navigation pane, expand Forest:YourForestName, expand Domains, expand YourDomainName, and then click Group Policy Objects.

  3. In the details pane, right-click the GPO you want to copy, and then click Copy.

  4. In the navigation pane, right-click Group Policy Objects again, and then click Paste.

    :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png":::

  5. In the Copy GPO dialog box, click Preserve the existing permissions, and then click OK. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler.

  6. After the copy is complete, click OK. The new GPO is named Copy of original GPO name.

  7. To rename it, right-click the GPO, and then click Rename.

  8. Type the new name, and then press ENTER.

  9. You must change the security filters to apply the policy to the correct group of devices. To change the security filters, click the Scope tab, and in the Security Filtering section, select the group that grants permissions to all members of the isolated domain, for example CG_DOMISO_IsolatedDomain, and then click Remove.

  10. In the confirmation dialog box, click OK.

  11. Click Add.

  12. Type the name of the group that contains members of the boundary zone, for example CG_DOMISO_Boundary, and then click OK.

  13. If necessary, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.