Importing Group Policy Objects
TridentStack Control can import Group Policy Objects (GPOs) exported from an on-premises Active Directory environment. The import converts the GPO's settings into a configuration policy that you can review, enable, and assign to endpoints, so you do not have to recreate existing policies by hand when migrating off on-prem Group Policy.
Step 1: Back up the GPO
On a machine with the Group Policy Management Console (GPMC):
- Open Group Policy Management.
- Right-click the GPO you want to export and choose Back Up.
- Choose an empty folder as the backup location and complete the wizard.
Or with PowerShell:
Backup-GPO -Name "Workstation Hardening" -Path C:\GPOBackup
The backup is a folder named with a GUID, containing Backup.xml and a DomainSysvol folder.
Step 2: Zip the backup
Compress the backup folder into a single zip file. You can zip either the GUID folder itself or the parent folder that contains it. The zip must be 20 MB or smaller.
Compress-Archive -Path C:\GPOBackup\* -DestinationPath C:\WorkstationHardening.zip
Step 3: Import
- In TridentStack Control, go to Configuration Policies.
- Select Import GPO and upload the zip file.
- Review the import preview.
What the preview shows
The preview groups the GPO's settings into three lists:
- Ready to import: settings that map directly to TridentStack Control's policy catalog, with their values carried over. This includes Administrative Template settings with configured options such as dropdown selections, text fields, and numeric values.
- Needs review after import: settings that were recognized, but where one or more values could not be converted automatically (for example, list-style policy entries, or options from administrative templates that are not part of Windows itself). These are imported with the values that could be converted and flagged in the setting notes so you can finish them in the policy editor.
- Not supported: anything TridentStack Control does not enforce, such as Group Policy Preferences, scripts, software installation, and folder redirection. These are listed so you know exactly what was left behind; they are never silently dropped. A typical GPO export produces only a handful of entries here.
You can deselect any setting you do not want to import, and edit the policy name before confirming.
What gets imported
| GPO area | Imported |
|---|---|
| Administrative Templates (Computer and User) | Yes |
| Security Settings: password and lockout policy, user rights, security options | Yes |
| Audit policy (classic and advanced) | Yes |
| System services startup configuration | Yes |
| Group Policy Preferences, scripts, software installation, folder redirection, firewall rules | No (listed as not supported) |
If the GPO contains both Computer Configuration and User Configuration settings, the import creates two policies: one machine-scoped and one user-scoped (named with a "(User)" suffix).
After the import
Imported policies are always created disabled and unassigned. Nothing is applied to any endpoint until you:
- Open the new policy and review its settings, especially any flagged for review.
- Enable the policy.
- Assign it to endpoints or tags.
Settings that need attention carry a note explaining what to check. The policy works like any other configuration policy from this point on, including version history and rollback.