Transfer Applocker policies to new domain

Saksham Garg 1 Reputation point
2021-01-21T13:57:04.58+00:00

Hi

On my test domain, I developed a GPO which also had AppLocker executable rules set for "Domain Users" group. Now I want to move this GPO to another test domain.

The problem is that the User/Group doesn't get migrated according to the new domain. The source domain group ("Domain Users") SID shows up in the user column when I look in the executable rules of the GPO. As you can see in the first image, the source domain shows proper group in the User column. But in the second image, which is of the target domain, doesn't show appropriate user and only displays SID.

Source Domain Applocker policies:
59174-source-domain-applocker-policies.png

Target Domain Applocker policies after the import:
59175-target-domain-applocker-policies.png

I tried this using 2 different ways:

  1. In the first method, I took a back up of the entire GPO and then imported this GPO in the new domain.
  2. In the second method, I exported just the Applocker policy into an XML file and imported this file into the new domain using "Set-AppLockerPolicy" powershell command.

"Domain Users" group exists in both the domains.
I am running both the domains on Windows2k16 Data Center OS on azure.

Can someone help me to transfer the Applocker policies to the new domain correctly.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,826 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,395 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,962 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2021-01-22T09:50:45.64+00:00

    Hello @Saksham Garg

    Thank you for posting here.

    We can try to export the GPO in source domain ( such as an XML file), then change the target SID of Domain Users instead of source SID of Domain Users, after that, we can import the changed GPO to target domain.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2021-01-25T07:21:04.353+00:00

    Hello @Saksham Garg ,

    Thank you for your update.

    Based on "I have more than 100 different file applocker rules.", are the 100 different file applocker rules in one GPO or 100 GPOs?

    If they are in one GPO, we can export this GPO in one .XML file (such as GPO.XML), then change this .XML file to one .txt file (such as GPO.txt).

    Replace (Replace All) the domain users using the new SID in target domain, save the file as GPOnew.XML, import the GPOnew into new domain.
    60085-sid1.png

    Regarding the script, I am sorry, I am not an expert in this topic.

    If you must need some help through PowerShell script, we can post again by selecting PowerShell tag.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou