How to import GPOs

An administrator may need to restore a deleted policy, replicate baseline security settings in a new domain, or migrate existing Group Policy settings to another domain. In each of these scenarios, importing a Group Policy Object (GPO) becomes necessary.

Rebuilding complex policies manually is time-consuming and increases the risk of configuration inconsistencies. Importing a GPO allows administrators to reuse tested configurations, maintain consistency across domains, and accelerate deployment without starting from scratch.

Prerequisites

Before importing any GPO, ensure:

  • You have domain admin or delegated GPO permissions.
  • A valid GPO backup exists.
  • Target domain references (users, groups, and UNC paths) are verified.
  • You understand whether you are importing settings into an existing GPO or creating a new one.
Note: Importing does not automatically link the GPO to an OU or domain. Linking must be done separately after import.

How to import a GPO from backup using the GPMC

The most common method for importing a GPO is through the Group Policy Management Console (GPMC).

  1. Open Group Policy Management (gpmc.msc).
  2. Expand your domain.
  3. Right-click Group Policy Objects.
  4. Select Manage Backups.
  5. Browse to the folder containing the GPO backup.
  6. Select the required GPO.
  7. Click Restore to recover the GPO.

How to import GPO settings into an existing GPO using the GPMC

  1. Open Group Policy Management (gpmc.msc).
  2. Expand your domain.
  3. Right-click Group Policy Objects.
  4. Right-click the target GPO.
  5. Select Import Settings.
  6. Follow the Import Settings Wizard.
  7. Choose the backup location.
  8. Select the required backup.
  9. Complete the wizard.

How to import a GPO from another domain using the GPMC

Importing a GPO across domains requires a backup from the source domain and, in most cases, a migration table to map security principals correctly.

Step 1: Back up the GPO in the source domain

  1. Open Group Policy Management (gpmc.msc) in the source domain.
  2. Expand the domain.
  3. Click Group Policy Objects.
  4. Right-click the GPO you want to transfer.
  5. Select Back Up.
  6. Choose a secure backup location.
  7. Click Back Up.

Step 2: Copy the backup to the target domain

  1. Copy the entire backup folder (including its GUID folder structure).
  2. Paste it into a location accessible from the target domain controller or management server.
Note: Do not modify the backup folder structure.

Step 3: Create or select a target GPO in the destination domain

  1. Open Group Policy Management in the target domain.
  2. Right-click Group Policy Objects.
  3. Select New to create a new GPO or select an existing GPO if you want to overwrite its settings.

Step 4: Import the GPO settings

  1. Right-click the target GPO.
  2. Select Import Settings.
  3. Click Next in the Import Wizard.
  4. Browse to the backup folder.
  5. Select the required backup.
  6. If prompted, choose a migration table (recommended for cross-domain imports).
  7. Complete the wizard.

Step 5: Link the imported GPO

  1. Right-click the required OU, domain, or site.
  2. Select Link an Existing GPO.
  3. Choose the imported GPO.

How to import a GPO using a migration table in the GPMC

A GPO migration table (.migtable) maps:

  • Users
  • Groups
  • UNC paths
  • Security identifiers (SIDs)

This ensures that references from the source domain are replaced correctly in the target domain. Without a migration table, imported GPOs may contain broken security references.

  1. Open the GPMC.
  2. Right-click your domain.
  3. Select Open Migration Table Editor.
  4. Create a new migration table.
  5. Map source references to target equivalents.
  6. During import, select the migration table when prompted.

How to import a GPO from backup using PowerShell

List available backups:

# Each backup is stored in a folder named after its backup ID (a GUID in braces)
Get-ChildItem -Path "C:\GPOBackups" -Directory

Import the backup into a new GPO:

# -CreateIfNeeded creates the target GPO when it does not exist yet
Import-GPO -BackupId "<BackupID>" `
-TargetName "New GPO Name" `
-Path "C:\GPOBackups" `
-CreateIfNeeded

How to import settings into an existing GPO using PowerShell

Import-GPO -BackupId "<BackupID>" `
-TargetName "Existing GPO Name" `
-Path "C:\GPOBackups"

Alternatively, use the GUID of the target GPO:

Import-GPO -BackupId "<BackupID>" `
-TargetGuid "<Target-GPO-GUID>" `
-Path "C:\GPOBackups"

How to import a GPO from another domain using PowerShell

To import a GPO from another domain, first create a backup in the source domain, then copy it to the target domain.

Step 1: Back up in source domain

Backup-GPO -Name "Source GPO Name" -Path "C:\GPOBackups"

Copy the backup folder to the target domain.

Step 2: Import in target domain

Import-GPO -BackupId "<BackupID>" `
-TargetName "New GPO Name" `
-Path "C:\GPOBackups" `
-CreateIfNeeded
Note: If security principals differ between domains, use a migration table.

How to import a GPO using PowerShell with a migration table

A migration table is required when importing across domains where users, groups, or paths differ.

After creating a .migtable file in the GPMC, use it during import.

Using PowerShell with a migration table

Import-GPO -BackupId "<BackupID>" `
-TargetName "New GPO Name" `
-Path "C:\GPOBackups" `
-MigrationTable "C:\MigrationTables\mapping.migtable" `
-CreateIfNeeded

How to copy GPOs using PowerShell

When both domains are in the same forest, you can copy a GPO directly using the Copy-GPO cmdlet from the GroupPolicy module.

Prerequisites

Before copying:

  • Both domains must be in the same forest.
  • A two-way trust must exist (automatic within the same forest).
  • You must have permissions in both source and target domains.
  • The GPMC feature must be installed.
  • Run PowerShell as an account with Domain Admin or delegated GPO rights.

Step 1: Import the GroupPolicy module

Open PowerShell as an administrator and run:

Import-Module GroupPolicy

Verify the module is available:

Get-Command -Module GroupPolicy

Step 2: Identify the source GPO

List GPOs in the source domain:

Get-GPO -All -Domain source.domain.com

Identify the exact GPO name you want to copy.

Step 3: Copy the GPO to the target domain

Use the Copy-GPO cmdlet. This creates a new GPO in the target domain with the copied settings:

Copy-GPO -SourceName "SourceGPOName" `
-SourceDomain "source.domain.com" `
-TargetDomain "target.domain.com" `
-TargetName "NewGPOName"

Step 4: Use a migration table

If security groups, SIDs, or UNC paths differ between domains, use a migration table. This ensures references resolve correctly in the target domain:

Copy-GPO -SourceName "SourceGPOName" `
-SourceDomain "source.domain.com" `
-TargetDomain "target.domain.com" `
-TargetName "NewGPOName" `
-MigrationTable "C:\MigrationTable.migtable"

Step 5: Verify the copied GPO

List GPOs in the target domain:

Get-GPO -All -Domain target.domain.com

Generate a report to confirm settings:

Get-GPOReport -Name "NewGPOName" -Domain target.domain.com -ReportType HTML -Path "C:\CopiedGPO.html"

Review the report to validate settings and permissions.

Copying a GPO does not automatically link it.

Link it manually using the GPMC or PowerShell:

New-GPLink -Name "NewGPOName" -Target "OU=Users,DC=target,DC=domain,DC=com"

How to import GPO settings into Intune

On-premises GPOs cannot be directly imported into Intune.

Instead:

  • Use Group Policy Analytics in Microsoft Intune.
  • Export the GPO as a backup.
  • Upload into Intune for analysis.
  • Review supported settings.
  • Convert compatible policies to configuration profiles.

How to import a GPO using XML

Active Directory does not support direct GPO import from an XML file. XML files generated from the GPMC are read-only reports and cannot be imported back into the domain.

A valid GPO import requires a GPO backup folder, not an XML report. A proper GPO backup contains the full Group Policy structure, including:

  • Group Policy template (GPT) files
  • Registry.pol files
  • Security settings
  • Metadata and version information
  • Folder structure required by SYSVOL

An XML report only provides a snapshot of policy settings in report format. It does not contain the underlying files or configuration structure needed for restoration.

Because of this, XML reports are useful for documentation and auditing—not for direct import.

If you do not have a GPO backup and only have an XML report, you must manually recreate the policy.

Below are the recommended steps.

Method 1: Manually recreating a GPO from XML

Step 1: Review the XML report

Open the XML file in a browser or text editor and identify all configured settings under:

  • Computer Configuration
  • User Configuration
  • Administrative Templates
  • Security Settings
  • Registry Settings

Take note of enabled, disabled, and configured values.

Step 2: Create a new GPO

  1. Open Group Policy Management (gpmc.msc).
  2. Right-click the domain or appropriate OU.
  3. Select New.
  4. Enter a name for the new GPO.
  5. Click OK.

Step 3: Reconfigure settings manually

  1. Right-click the newly created GPO.
  2. Select Edit.
  3. Navigate to each setting listed in the XML report.
  4. Configure each policy to match the original values.

Work systematically through each section to avoid missing configurations.

Step 4: Configure security filtering and delegation

After recreating policy settings:

  • Review security filtering.
  • Adjust delegation permissions.
  • Reapply WMI filters if applicable.

These elements are not automatically restored from XML.

Step 5: Link the GPO

  1. Right-click the target OU.
  2. Select Link an Existing GPO.
  3. Choose the recreated GPO.

Step 6: Validate the recreated GPO

On a test machine, run:

gpresult /r

You can also export the recreated GPO:

Get-GPOReport -Name "NewGPOName" -ReportType XML -Path "C:\NewGPO.xml"

Compare the new XML file with the original report to confirm alignment.

Method 2: Compare an XML report with an existing GPO

If a similar GPO already exists and you want to validate it against the XML:

Step 1: Export the live GPO

Get-GPOReport -Name "ExistingGPO" -ReportType XML -Path "C:\LiveGPO.xml"

Step 2: Compare the files

Use a comparison tool such as:

  • Notepad++
  • Visual Studio Code
  • WinMerge

Review differences in:

  • Enabled and disabled settings
  • Policy values
  • Security filtering
  • WMI filters

Step 3: Adjust as required

If discrepancies are found:

  1. Edit the GPO in the GPMC.
  2. Correct the settings.
  3. Re-export and revalidate.
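
The comparison in Method 1 (Step 6) and Method 2 can be scripted instead of read by eye in a diff tool. The following is an added example, not part of the original article or of any vendor tooling; the function names are hypothetical, the two reports are constructed samples, and it assumes the GPO/Computer|User/ExtensionData/Extension layout that Get-GPOReport -ReportType XML produces. Only configured settings are compared, so volatile metadata such as ReadTime does not show up as a difference.

```powershell
# Added example, not vendor code. Both reports below are constructed and trimmed;
# real input comes from Get-GPOReport -ReportType XML.
function Get-GpoReportSetting {
    param([Parameter(Mandatory)] [xml] $Report)
    $settings = @{}
    foreach ($scope in 'Computer', 'User') {
        # local-name() ignores the q1:, q2: ... prefixes, which can differ between reports
        $xpath = "/*[local-name()='GPO']/*[local-name()='$scope']" +
                 "/*[local-name()='ExtensionData']/*[local-name()='Extension']/*"
        $index = 0
        foreach ($node in $Report.SelectNodes($xpath)) {
            $index++
            $id    = $node.SelectSingleNode("*[local-name()='Name' or local-name()='KeyName']")
            $label = if ($id) { $id.InnerText } else { "#$index" }
            # Flatten the setting to leaf=value pairs so it compares as one string
            $leaves = foreach ($leaf in $node.SelectNodes('.//*[not(*)]')) {
                "$($leaf.LocalName)=$($leaf.InnerText.Trim())"
            }
            $settings["$scope|$($node.LocalName)|$label"] = $leaves -join '; '
        }
    }
    $settings
}

function Compare-GpoReport {
    param([Parameter(Mandatory)] [xml] $Reference, [Parameter(Mandatory)] [xml] $Difference)
    $ref  = Get-GpoReportSetting $Reference
    $dif  = Get-GpoReportSetting $Difference
    $keys = @($ref.Keys) + @($dif.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        # A setting missing on one side shows up with an empty value on that side
        if ($ref[$key] -ne $dif[$key]) {
            [pscustomobject]@{ Setting = $key; Reference = $ref[$key]; Difference = $dif[$key] }
        }
    }
}

# Constructed sample: the original report
$original = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Baseline</Name><ReadTime>2024-01-01T00:00:00</ReadTime>
  <Computer><ExtensionData><Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
    <q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:SettingNumber>14</q1:SettingNumber></q1:Account>
    <q1:Account><q1:Name>LockoutBadCount</q1:Name><q1:SettingNumber>5</q1:SettingNumber></q1:Account>
  </Extension></ExtensionData></Computer>
</GPO>
'@

# Constructed sample: the recreated GPO, with one weaker value and one setting missing
$recreated = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Baseline-Rebuilt</Name><ReadTime>2024-02-01T00:00:00</ReadTime>
  <Computer><ExtensionData><Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Security">
    <q2:Account><q2:Name>MinimumPasswordLength</q2:Name><q2:SettingNumber>8</q2:SettingNumber></q2:Account>
  </Extension></ExtensionData></Computer>
</GPO>
'@

Compare-GpoReport -Reference $original -Difference $recreated | Format-List
```

For real reports, load the files with [xml](Get-Content -Raw "C:\LiveGPO.xml"). Security filtering and WMI filters sit outside the Extension elements and still need the manual review listed above.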

How to import and copy GPOs from another domain using ADManager Plus

  1. Log in to ADManager Plus.
  2. Navigate to the Management tab.
  3. In the left panel, select GPO Management.
  4. Click Copy GPO(s).
  5. Under Source Settings, select:
    • The source domain
    • The GPO to be copied
  6. Under Destination Settings, select the target destination domain.
  7. Under Conflict Settings, choose how name conflicts should be handled.
  8. Click Copy Settings to configure additional options.
  9. Link it to the same OU location as the source GPO, or link it to a different OU or domain location.
  10. If required, retain delegated permissions and apply a migration table to map security principals between domains correctly.
  11. Click Copy to complete the process.

Troubleshooting Tips

Error: The Directory is not empty

Solution: Temporarily pause or refresh DFSR replication before attempting the import. Run dfsrdiag PollAD on the domain controller to force Active Directory polling, and ensure staging folders (such as MachineStaging or UserStaging) are not interfering with the replication process.

Error: No backups found

Solution: Confirm that the backup folder contains the required files, including GPT.ini and GPO.xml, and that the complete backup structure has been copied correctly. Instead of manually placing files under SYSVOL\Policies\{GUID}, use GPMC's Import Settings option to restore the backup properly.

Error: The process cannot access the file because it is being used by another process

Solution: Specify a less busy domain controller using the -TargetDomainController parameter in the Import-GPO command. Avoid targeting the PDC Emulator during peak activity, and wait for any ongoing Group Policy refresh or SYSVOL replication to complete before retrying.

Error: The system cannot find the file specified

Solution: Local Group Policy exports cannot be directly imported into domain GPOs using the GPMC. Recreate the policy settings manually in a domain GPO, or use a compatible backup and migration method designed for domain-level policies.

Error: Import-GPO "Operation not valid" or cmdlet not recognized

Solution: Run the command in Windows PowerShell (version 5.1) rather than PowerShell 7 or later. Ensure the GroupPolicy module is loaded using Import-Module GroupPolicy, and verify that the backup path and GPO name parameters are specified correctly.

Best practices for importing a GPO

1. Back up before importing

Always create a backup of the target GPO before importing. This allows you to quickly restore the previous configuration if settings merge incorrectly or cause unexpected behavior.

2. Test in a non-production environment

Import and validate the GPO in a staging domain or test OU before applying it in production. This helps identify conflicts, security filtering issues, or unintended policy impact.

3. Use a migration table for cross-domain imports

When importing across domains or forests, use a migration table to map SIDs, groups, and UNC paths. Without it, permissions and references may break due to mismatched identifiers.

4. Choose the correct import method

Use Import-GPO for restoring from backups or cross-domain moves and Copy-GPO for duplicating policies within the same domain. Selecting the wrong method can result in missing links or configuration gaps.

5. Link and review the GPO after import

Importing a GPO does not recreate OU or site links automatically. After import, review security filtering and delegation, and manually link the GPO where required.

6. Validate the imported GPO

Use gpresult or Get-GPOReport to confirm the policy is applied as expected. Comparing reports ensures no settings were lost or altered during import.

7. Avoid overwriting unless necessary

Only select Overwrite existing settings if you intend to replace all configurations in the target GPO. Overwriting without review can remove critical existing settings.

8. Document the change

Record the source, target, backup reference, and date of import. Proper documentation simplifies troubleshooting and supports audit requirements.

GPO management and reporting using ADManager Plus

Native methods typically require backing up GPOs, transferring backup folders, using migration tables, and carefully validating security mappings.

In addition to native tools, ADManager Plus provides centralized GPO management and reporting capabilities that simplify administration across domains.

Centralized GPO reporting

Generate detailed reports on GPO settings, linked OUs, disabled policies, and modification history to assess existing configurations before performing imports or migrations.

Cross-domain GPO migration

Copy and migrate GPOs directly between domains without relying solely on manual backup and restore workflows.

Delegated GPO management

Assign specific GPO management tasks to administrators without granting full domain-level privileges, ensuring controlled and role-based access.

Automation of Active Directory operations

Schedule and automate routine Active Directory tasks to reduce manual errors during large-scale migrations or restructuring projects.

Risk exposure management

Identify over-permissive configurations and review access regularly to maintain governance and reduce privilege-related risks.

FAQs

DISA STIG GPOs are usually provided as policy backups or administrative templates. The method depends on the format you downloaded.

If DISA provides a GPO backup folder:

  1. Extract the STIG package.
  2. Open Group Policy Management (gpmc.msc).
  3. Right-click Group Policy Objects > Select Manage Backups.
  4. Browse to the extracted backup folder.
  5. Select the STIG GPO.
  6. Click Restore (to restore the original) or create a new GPO and use Import Settings.
  7. Link the GPO to the required OU.

If DISA provides an administrative template (.admx or .adml files):

STIG templates must be reviewed before broad deployment, as they enforce strict security baselines.

  1. Copy .admx files to: C:\Windows\PolicyDefinitions or the central store: \\domain\SYSVOL\domain\Policies\PolicyDefinitions
  2. Reopen Group Policy Management.
  3. Create or edit a GPO.
  4. Configure settings under Administrative Templates.
  1. Create or select a GPO in Group Policy Management.
  2. Link the GPO to the OU containing the computer object.
  3. On the computer, run:
    gpupdate /force
  4. Verify applied policies using:
    gpresult /r

If you're importing a security template (.inf file):

  1. Open Group Policy Management.
  2. Create or edit a GPO.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.
  4. Right-click Security Settings.
  5. Select Import Policy.
  6. Browse and select the .inf template file.

For ADMX templates, follow the administrative template method:

  1. Copy .admx files to: C:\Windows\PolicyDefinitions or the central store: \\domain\SYSVOL\domain\Policies\PolicyDefinitions
  2. Reopen Group Policy Management.
  3. Create or edit a GPO.
  4. Configure settings under Administrative Templates.

No, importing a GPO through the GPMC either creates a new GPO or merges settings into an existing one. It will not overwrite configurations unless you specifically select Overwrite existing settings during the import process.

To avoid unintended changes, back up the target GPO before importing. If using PowerShell, the Import-GPO cmdlet with the -BackupGpoName parameter provides more controlled and predictable results.

Yes, provided the source and target domain functional levels are compatible. For example, importing from Windows Server 2016 to 2022 is generally supported.

Minor version differences typically work without issue, but newer policy settings or security features may not apply correctly in older environments. In cross-version scenarios, testing in a non-production environment is recommended. If migrating across domains, use a migration table to resolve SID and UNC path differences.

No, importing a GPO transfers the policy settings and permissions only. It does not recreate links to OUs, sites, or domains.

After importing, you must manually link the GPO in the GPMC. This design prevents policies from being unintentionally applied in the new environment.

Import-GPO imports settings from a backup into a new or existing GPO. It is commonly used for cross-domain migrations or restoring from backup.

Copy-GPO, on the other hand, duplicates a GPO within the same domain. It preserves links and permissions but is not designed for backup restoration or cross-domain transfers.

Use Copy-GPO for intra-domain duplication. Use Import-GPO when working with backups or migrating between domains.

The GPMC does not provide a built-in bulk import option. However, you can automate the process using PowerShell by scripting multiple Import-GPO commands in a loop.

For large environments, third-party tools such as ManageEngine ADManager Plus support bulk GPO imports and template-based deployments, making large-scale operations more efficient.
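
A scripted bulk import along the lines described above, combined with best practices 1, 3, 6 and 8 (back up the target first, pass a migration table, generate a report, record the change). This is an added example, not code from the original article or from ADManager Plus; the function name and all paths are hypothetical, and it assumes the GroupPolicy module is installed and that each backup folder still contains the bkupInfo.xml file written at backup time.

```powershell
# Added example, not vendor code. Function name and paths are assumptions.
function Import-GpoBackupSet {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $BackupPath,    # folder containing the {BackupID} folders
        [Parameter(Mandatory)] [string] $RollbackPath,  # receives a backup of every GPO about to change
        [Parameter(Mandatory)] [string] $ReportPath,    # receives one HTML report per imported GPO
        [string] $MigrationTable,                       # .migtable for cross-domain imports (optional)
        [string] $Domain = $env:USERDNSDOMAIN
    )
    Import-Module GroupPolicy -ErrorAction Stop

    foreach ($dir in Get-ChildItem -LiteralPath $BackupPath -Directory) {
        $infoFile = Join-Path $dir.FullName 'bkupInfo.xml'
        if (-not (Test-Path -LiteralPath $infoFile)) {
            Write-Warning "Skipping $($dir.Name): no bkupInfo.xml, not a complete GPO backup"
            continue
        }
        $info     = [xml](Get-Content -LiteralPath $infoFile -Raw -Force)
        $name     = $info.DocumentElement.SelectSingleNode("*[local-name()='GPODisplayName']").InnerText
        $backupId = $dir.Name.Trim('{}')
        if (-not $PSCmdlet.ShouldProcess($name, "Import backup $backupId")) { continue }

        # Best practice 1: back up the target first if it already exists
        $rollbackId = $null
        $existing = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue
        if ($existing) {
            $rollbackId = (Backup-GPO -Guid $existing.Id -Domain $Domain -Path $RollbackPath `
                -Comment "Before import of backup $backupId").Id
        }

        $importArgs = @{
            BackupId = $backupId; Path = $BackupPath; TargetName = $name
            Domain = $Domain; CreateIfNeeded = $true; ErrorAction = 'Stop'
        }
        # Best practice 3: map source principals and UNC paths when a table is supplied
        if ($MigrationTable) { $importArgs.MigrationTable = $MigrationTable }
        try {
            $gpo = Import-GPO @importArgs
        } catch {
            Write-Warning "Import of '$name' failed: $($_.Exception.Message)"
            continue
        }

        # Best practice 6: report for comparison with the source; the GPO is not linked here
        $report = Join-Path $ReportPath "$($gpo.Id).html"
        Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Html -Path $report

        # Best practice 8: one record per import for the change log
        [pscustomobject]@{
            Imported = Get-Date; Gpo = $name; TargetGuid = $gpo.Id; BackupId = $backupId
            RollbackBackupId = $rollbackId; MigrationTable = $MigrationTable; Report = $report
        }
    }
}

# Preview first, then run without -WhatIf and keep the returned records:
# Import-GpoBackupSet -BackupPath C:\GPOBackups -RollbackPath C:\GPORollback -ReportPath C:\GPOReports -WhatIf
```

Piping the output to Export-Csv gives the import record described in best practice 8; linking stays a separate, deliberate step after the reports have been reviewed.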

A migration table is an XML file that maps SIDs, security groups, and UNC paths from the source environment to the target environment during GPO import.

It is required when importing GPOs across domains or forests where object identifiers differ. Without a migration table, permissions and file paths may break due to unresolved references.

You can create a migration table using the GPMC or PowerShell (New-GPMMigrationTable).

After importing, validate the GPO using both reporting and client-side checks.

On a test machine, run:

gpresult /r /scope computer

or

gpresult /r /scope user

In the GPMC, generate an HTML or XML report and compare it with the source GPO report. You can also use PowerShell:

Get-GPOReport -Name "GPOName" -ReportType HTML

Additionally, review the Event Viewer logs for relevant Group Policy processing events to confirm successful application.
