This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 37%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Hi
On my test domain, I developed a GPO which also had AppLocker executable rules set for "Domain Users" group. Now I want to move this GPO to another test domain.
The problem is that the User/Group doesn't get migrated according to the new domain. The source domain group ("Domain Users") SID shows up in the user column when I look in the executable rules of the GPO. As you can see in the first image, the source domain shows proper group in the User column. But in the second image, which is of the target domain, doesn't show appropriate user and only displays SID.
Source Domain Applocker policies:
Target Domain Applocker policies after the import:
I tried this using 2 different ways:
"Domain Users" group exists in both the domains.
I am running both the domains on Windows2k16 Data Center OS on azure.
Can someone help me to transfer the Applocker policies to the new domain correctly.
I know the post is old but did you ever find a solution to this ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Saksham Garg ,
Thank you for posting here.
We can try to export the GPO in source domain ( such as an XML file), then change the target SID of Domain Users instead of source SID of Domain Users, after that, we can import the changed GPO to target domain.
Hope the information above is helpful.
Best Regards,
Daisy Zhou
Hello @Daisy Zhou
This solution would work but sounds like there would be some amount of work to be done.
First of all, I want to do this migration through some PowerShell script. Secondly, I have more than 100 different file applocker rules. If I want to change the SID for each rule, then it would take quite some time. Isn't there any Microsoft utility, either through PowerShell script or if possible through Ansible script, to migrate this gracefully?
Hello @Saksham Garg ,
Thank you for your update.
Based on "I have more than 100 different file applocker rules.", are the 100 different file applocker rules in one GPO or 100 GPOs?
If they are in one GPO, we can export this GPO in one .XML file (such as GPO.XML), then change this .XML file to one .txt file (such as GPO.txt).
Replace (Replace All) the domain users using the new SID in target domain, save the file as GPOnew.XML, import the GPOnew into new domain.
Regarding the script, I am sorry, I am not an expert in this topic.
If you must need some help through PowerShell script, we can post again by selecting PowerShell tag.
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
Hello @Daisy Zhou .
I have 1 GPO with 100 different applocker rules. I understood your answer and it is useful if I am doing it manually. But I am looking more towards an automatic process, even if I have to write some PowerShell script to accomplish it.
Your answer is completely acceptable, but I was looking for some help that could accomplish this using powershell script. I have updated the tags as you suggested.
Hello @Saksham Garg ,
Thank you for your update.
I am so glad that the information I provided is helpful.
Hope you could accomplish this using powershell script.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Tip:--Please don't forget to Accept as answer if my reply above is helpful--
Best Regards,
Daisy Zhou