PowerShell: Copy-GPO failing with HRESULT: 0x8007000D

powershell windows-server-2008-r2

While trying to run the Copy-GPO cmdlet to copy a Group Policy Object using a predefined Migration Table I am receiving this exception:

System.Runtime.InteropServices.COMException (0x8007000D): The data is invalid. (Exception from
HRESULT: 0x8007000D)
   at Microsoft.GroupPolicy.GPMResultClass.OverallStatus()
   at Microsoft.GroupPolicy.Gpo.CopyTo(GPDomain targetDomain, String newDisplayName, Boolean copyAcl, GPMigrationTable
migrationTable, GPStatusMessageCollection& statusMessages)
   at Microsoft.GroupPolicy.Commands.CopyGpoCommand.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
At C:\Users\djedig\Documents\OUCopy.ps1:335 char:2
+     NewGPOsFromTemplate "OU=$sSubDomain,OU=$sDivision,$sBaseRessourcenDN" $sTmplBas ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,NewGPOsFromTemplate

This blog article suggests it would be due to unresolvable destination account data within the migration table but I seem unable to figure out the "correct" format of the migtable data. Indeed the GPO copies just fine when running Copy-GPO without the -MigrationTable parameter.

My command is:

Copy-GPO -SourceName $sTemplateGPOName -TargetName $sNewGPOName -MigrationTable $sMigrationTableFile

and the migration table contains a handful of entries of these two types:

<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>LocalGroup</Type>
    <Source>Template-allow-logon@ad.syneticon.net</Source>
    <Destination>RA-K17-DE-allow-logon@ad.syneticon.net</Destination>
  </Mapping>
[...]
  <Mapping>
    <Type>Unknown</Type>
    <Source>Administrators</Source>
    <DestinationSameAsSource />
  </Mapping>
</MigrationTable>

The RA-K17-DE-allow-logon security group is present as a local domain group and the sAMAccountName attribute is indeed set to the very same value.

What's puzzling me to no end is the fact that the CopyGPO.wsf script from the GPMC scripting samples collection is perfectly able to create a GPO copy using the very same migration table like this:

cscript "//NoLogo" "${env:ProgramFiles(x86)}\Microsoft Group Policy\GPMC Sample Scripts\CopyGPO.wsf" $sTemplateGPOName $sNewGPOName "/MigrationTable:`"$sMigrationTableFile`"" | Out-Null

So what is going wrong here?

Edit:

The source GPO object just defines Restricted Groups and User Rights Assignments. All of the security principals used in those policies are included in the migtable file.
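A pre-flight check for the suspicion raised above (destination accounts in the migration table that cannot be resolved), as an added example that is not part of the original post. The function name `Test-MigrationTable` and the output property names are hypothetical; it assumes PowerShell 3 or later and that the names are in a form `NTAccount.Translate` can look up from the machine it runs on, so a failure here is a lead to investigate, not proof of the cause of the 0x8007000D error.

```powershell
# Added example (not from the original post): structural and resolution check
# of a GPMC migration table before it is handed to Copy-GPO.
function Test-MigrationTable {
    param([Parameter(Mandatory = $true)][string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    # XmlDocument.Load honours the BOM / encoding declaration (utf-16 in the question)
    $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath)

    $destTags = 'Destination', 'DestinationSameAsSource',
                'DestinationNone', 'DestinationByRelativeName'

    foreach ($m in $doc.DocumentElement.ChildNodes) {
        if ($m.LocalName -ne 'Mapping') { continue }      # skip comments etc.

        $type    = if ($null -ne $m['Type'])   { $m['Type'].InnerText.Trim() }
        $source  = if ($null -ne $m['Source']) { $m['Source'].InnerText.Trim() }
        $present = @($destTags | Where-Object { $null -ne $m[$_] })
        $name = $null; $sid = $null; $problem = $null

        if (-not $type -or -not $source) {
            $problem = 'Type or Source element missing or empty'
        } elseif ($present.Count -ne 1) {
            $problem = "expected exactly one destination element, found $($present.Count)"
        } else {
            # Only explicit destinations and same-as-source entries name an account
            $name = switch ($present[0]) {
                'Destination'             { $m['Destination'].InnerText.Trim() }
                'DestinationSameAsSource' { $source }
            }
            if ($present[0] -eq 'Destination' -and -not $name) {
                $problem = 'Destination element is empty'
            } elseif ($name -and $type -ne 'UNCPath') {
                try {
                    $acct = New-Object System.Security.Principal.NTAccount($name)
                    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch {
                    $problem = "cannot resolve '$name' to a SID from this machine"
                }
            }
        }
        [pscustomobject]@{ Type = $type; Source = $source; Destination = $name
                           Sid = $sid; Problem = $problem }
    }
}

# Usage: list only the entries that need attention
# Test-MigrationTable -Path $sMigrationTableFile | Where-Object { $_.Problem }
```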

Best Answer

I've spent all of 60 seconds looking at this, so this is a shot in the dark, but is this PowerShell object name spelled properly in your script: $sBaseRessourcenDN? The double 's' in Resource seems out of place, not to mention the random 'n'.