Q&A: Synchronization of Group Policies (GPOs) with the UCS AD Connector
Question
Are Group Policy Objects (GPOs), including their SYSVOL contents, synchronized between a UCS domain and a Microsoft Active Directory (AD) domain when using the Univention UCS AD Connector?
Answer
No. The Univention UCS AD Connector does not synchronize Group Policy Objects (GPOs) or any contents of the SYSVOL share. Synchronization is strictly limited to directory objects such as user accounts, groups, computers, containers, and organizational units.
Details by Operation Mode
Read Mode (AD → UCS)
- In one-way synchronization mode (from AD to UCS), only LDAP directory objects are transferred into the UCS OpenLDAP.
- Not synchronized:
  - GPO objects (stored in CN=Policies within AD)
  - SYSVOL data (such as policy templates, logon scripts)
- Reason: In this mode, UCS does not act as an AD Domain Controller and therefore does not participate in AD replication (DRS, DFS-R).
Write Mode (AD ↔ UCS)
- In bidirectional synchronization mode, user accounts, groups, and passwords are kept consistent between UCS and AD.
- Not synchronized:
  - Group Policy Objects
  - SYSVOL contents
- UCS does not become a full AD Domain Controller in this setup, and the AD Connector does not provide a mechanism for SYSVOL replication.
Special Case: AD Takeover
- During an Active Directory Takeover with UCS (where Samba/AD on UCS becomes the new Domain Controller), GPOs are not migrated automatically.
- Instead, GPO objects and the related SYSVOL files must be copied separately from the AD server to UCS.
- This confirms that under normal AD Connector operation, no synchronization of GPOs occurs.
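A practical follow-up to the takeover note above, added here as an example and not Univention's own tooling: once the GPO objects and the SYSVOL files have been copied separately, confirm that every GPO's gPCFileSysPath points at a policy folder that actually exists on the target SYSVOL, and flag stale folders that have no GPO object. The GPO records and the directory listing below are constructed sample data; a real run would be fed an LDAP export of CN=Policies and a listing of the SYSVOL Policies directory on the UCS server.

```python
import re
from dataclasses import dataclass

# Folder names under SYSVOL\<domain>\Policies are the GPO GUIDs in braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass(frozen=True)
class Gpo:
    """One groupPolicyContainer object exported from CN=Policies in AD."""
    display_name: str
    file_sys_path: str  # gPCFileSysPath: UNC path of the GPO's SYSVOL folder

def gpo_folder_guid(gpo: Gpo) -> str:
    """Return the {GUID} folder name referenced by gPCFileSysPath, upper-cased."""
    match = GUID_RE.fullmatch(gpo.file_sys_path.rsplit("\\", 1)[-1])
    if match is None:
        raise ValueError(f"{gpo.display_name}: unexpected gPCFileSysPath {gpo.file_sys_path!r}")
    return match.group(0).upper()

def check_gpos_against_sysvol(gpos, sysvol_policy_dirs):
    """Return (missing, orphaned): GUIDs referenced by a GPO object but absent from
    the target's Policies folder, and GUID-named folders with no GPO object.
    Case-insensitive, since SYSVOL folder names are not case-normalised."""
    referenced = {gpo_folder_guid(g) for g in gpos}
    present = {d.upper() for d in sysvol_policy_dirs if GUID_RE.fullmatch(d)}
    return sorted(referenced - present), sorted(present - referenced)

# Constructed sample data (not from a real domain). The first two GUIDs are the
# well-known Default Domain / Default Domain Controllers policies; the third is a
# made-up custom GPO whose folder was never copied to the target SYSVOL.
SYSVOL = r"\\example.test\SysVol\example.test\Policies"
SAMPLE_GPOS = [
    Gpo("Default Domain Policy", SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}"),
    Gpo("Default Domain Controllers Policy", SYSVOL + r"\{6AC1786C-016F-11D2-945F-00C04FB984F9}"),
    Gpo("Workstation Logon Script", SYSVOL + r"\{0F1E2D3C-4B5A-4978-8A9B-0C1D2E3F4A5B}"),
]
# Listing of that folder on the target: one copied folder with a lower-cased name,
# one stale folder with no GPO object, plus the ADMX central store.
SAMPLE_SYSVOL_DIRS = [
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{6ac1786c-016f-11d2-945f-00c04fb984f9}",
    "{DEADBEEF-0000-4000-8000-000000000001}",
    "PolicyDefinitions",
]

if __name__ == "__main__":
    missing, orphaned = check_gpos_against_sysvol(SAMPLE_GPOS, SAMPLE_SYSVOL_DIRS)
    print("GPO objects without a SYSVOL folder:", missing)
    print("SYSVOL folders without a GPO object:", orphaned)
```

Any GUID reported as missing means the policy is linked in the directory but its templates and scripts will not be applied by clients; an orphaned folder is leftover data that no GPO references.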
Overview: GPO Synchronization by Mode
| AD Connector Mode | GPO / SYSVOL Synchronization |
|---|---|
| Read Mode (AD → UCS) | No – GPOs and SYSVOL data are not synchronized |
| Write Mode (AD ↔ UCS) | No – GPOs and SYSVOL contents are not exchanged between domains |
Conclusion
Regardless of the chosen operation mode, the UCS AD Connector does not synchronize Group Policy Objects or SYSVOL data.
- Accounts, groups, and computer objects can be synchronized.
- Group Policies must be migrated separately or managed manually, especially in the case of an AD Takeover.