As with any piece of data in your organization, it is a good idea to keep backups of your GPOs. Keeping these backups separately from a full Domain Controller or full Active Directory backup can be advantageous, as it enables a quicker restore of individual GPOs in the event of an accidental deletion. Or perhaps you updated a GPO, but the change you made is now causing problems and you want to roll that policy back to make sure it is configured the way that it was yesterday. Whatever your reason for backing up and restoring GPOs, let's take a look at a couple of ways to accomplish each task. We will use the Group Policy Management Console to perform these functions, and will also figure out how to do the same backup and restores via PowerShell.
We are going to perform these tasks from a Windows Server 2016 domain controller in our environment. We will utilize both the Group Policy Management Console and the PowerShell command line.
There is a GPO in our domain called Map Network Drives. First, we will use Group Policy Management Console to back up and restore this GPO:
Now let's try accomplishing the same full GPO backup, but this time using PowerShell:
Backup-GPO -Path C:GPO_Backups_PowerShell -All
Now that we have two full backup sets of the GPOs, let's try to restore the GPO called Map Network Drives.
Now we will restore the same Map Network Drives GPO, but using PowerShell as follows:
Restore-GPO -Name "Map Network Drives" -Path
C:GPO_Backups_PowerShell
Rather than typing out the name of the GPO in this command, you could instead specify the GUID of the policy. This number is generally a lot longer than the name, however, and so I tend to see admins preferring to utilize the name of the policy. For example, the GUID of our Map Network Drives GPO is 77eed750-de8e-44e9-9649-96cab2f2abdc.
Backing up and restoring GPOs is going to be a regular task for anybody administering Active Directory and Group Policy. In this recipe, we walked through each process, using a couple of different tools for each procedure. Group Policy Management Console is nice because it is graphically interfaced, and it is easy to look at the options available to you. PowerShell is often preferred, however, because it can be automated (think scheduled backups). It also facilitates remote execution of these commands from another machine inside the network.
Here are some links for more extensive information about the PowerShell cmdlets we used today:
3.142.252.87