PowerShell: Copy-GPO failing with HRESULT: 0x8007000D

4

While trying to run the Copy-GPO cmdlet to copy a Group Policy Object using a predefined Migration Table I am receiving this exception:

System.Runtime.InteropServices.COMException (0x8007000D): The data is invalid. (Exception from
HRESULT: 0x8007000D)
   at Microsoft.GroupPolicy.GPMResultClass.OverallStatus()
   at Microsoft.GroupPolicy.Gpo.CopyTo(GPDomain targetDomain, String newDisplayName, Boolean copyAcl, GPMigrationTable
migrationTable, GPStatusMessageCollection& statusMessages)
   at Microsoft.GroupPolicy.Commands.CopyGpoCommand.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
At C:\Users\djedig\Documents\OUCopy.ps1:335 char:2
+     NewGPOsFromTemplate "OU=$sSubDomain,OU=$sDivision,$sBaseRessourcenDN" $sTmplBas ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,NewGPOsFromTemplate

This blog article suggests it would be due to unresolvable destination account data within the migration table but I seem unable to figure out the "correct" format of the migtable data. Indeed the GPO copies just fine when running Copy-GPO without the -MigrationTable parameter.

My command is:

Copy-GPO -SourceName $sTemplateGPOName -TargetName $sNewGPOName -MigrationTable $sMigrationTableFile

and the migration table contains a handful entries of these two types:

<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>LocalGroup</Type>
    <Source>Template-allow-logon@ad.syneticon.net</Source>
    <Destination>RA-K17-DE-allow-logon@ad.syneticon.net</Destination>
  </Mapping>
[...]
  <Mapping>
    <Type>Unknown</Type>
    <Source>Administrators</Source>
    <DestinationSameAsSource />
  </Mapping>
</MigrationTable>

The RA-K17-DE-allow-logon security group is present as a local domain group and the sAMAccountName attribute is indeed set to the very same value.

What's puzzling me to no end is the fact that the CopyGPO.wsf script from the GPMC scripting samples collection is perfectly able to create a GPO copy using the very same migration table like this:

cscript "//NoLogo" "${env:ProgramFiles(x86)}\Microsoft Group Policy\GPMC Sample Scripts\CopyGPO.wsf" $sTemplateGPOName $sNewGPOName "/MigrationTable:`"$sMigrationTableFile`"" | Out-Null

So what is going wrong here?

Edit:

The source GPO object just defines Restricted Groups and User Rights Assignments. All of the security principals used in those policies are included in the migtable file.

windows-server-2008-r2
powershell
asked on Server Fault Mar 26, 2013 by the-wabbit • edited Jun 11, 2020 by Community

2 Answers

0

I've spent all of 60 seconds looking at this, so this is a shot in the dark, but is this PowerShell object name spelled properly in your script? $sBaseRessourcenDN The double 's' in Resource seems out of place, not to mention the random 'n'.

answered on Server Fault Apr 25, 2014 by pk.
0

This is no longer an issue in more recent Powershell versions. I've tested basically the same syntax in Powershell 5 and 5.1 (after installing the appropriate WMF version on Server 2008 R2) and it works flawlessly. So this appears to be a bug in Powershell 2.

answered on Server Fault Sep 12, 2018 by the-wabbit

User contributions licensed under CC BY-SA 3.0