You can see file-based information about your GPOs inside SYSVOL, and some people mistakenly believe that keeping a filesystem-level backup of that folder is all that they need to consider their GPOs backed up. While this file data could be useful, it is not the full picture. Log into your Domain Controller, and take a look at the following location: C:WindowsSYSVOLsysvolmydomain.local (if you have configured your Domain Controller with something other than C:Windows as %systemroot%, then navigate there instead).
Here, you will see a folder for Policies, one for Scripts, and one for StarterGPOs (if you followed along in Using a Starter GPO to build finalized GPOs and enabled Starter GPOs in your environment). This is the file structure data used by Group Policy. Opening up the Policies folder shows us a bunch of strange-looking GUIDs, and each one is a folder for one of our GPOs:
The process of backing up a GPO combines this Group Policy Container information stored in SYSVOL with Group Policy Template data inside Active Directory. These two pieces of information are combined into backup files that are saved wherever you specify during the backup process. Here is a list of the types of data that are saved when backing up any GPO:
- The GPO settings
- The GPO permissions (visible on the Delegation tab of the GPO)
- WMI Filter Links: Only information about which WMI Filters were linked is stored, the WMI Filters themselves are not stored when you back up a GPO. The actual WMI Filters need to be backed up separately, which we will cover later in this chapter. This is necessary because WMI Filters are not stored inside Group Policy Objects, but rather stored alongside them in Active Directory.
- GPO Link Locations: While GPO Links are indeed stored inside a GPO backup, the process of recovering a GPO does NOT restore GPO links. We will also discuss this in more depth when we cover the restoration of GPOs.