blog.powershell.no

On Windows PowerShell and other admin-related topics

Backing up Group Policy Objects using Windows PowerShell

A best practice in domain environments is to back up Group Policy Objects regularly. A GPO can be restored by restoring a system state backup from a domain controller to an alternate location and then copying the contents of the deleted GPO into a new GPO, but this is a hassle since it's not very straightforward. It also requires you to restart the affected domain controller in Directory Services Restore Mode.
PowerShell MVP Don Jones has written a good article on this topic, available here.

For those of you who do not want to restore GPOs the hard way, or buy a commercial third-party product, I would encourage you to schedule regular GPO backups using the Windows PowerShell Group Policy module available in Windows Server 2008 R2, as well as in RSAT for Windows 7.
To accomplish this, I've written a small script which backs up all GPOs modified within the specified timespan. I would generally recommend running the script once a day, thereby setting the timespan variable to the last 24 hours. The script is called Backup-ModifiedGPOs.ps1, and is available from here.

All Group Policy Objects modified in the specified timespan are backed up to the specified backup path.
Also, an HTML report is created for each GPO backup, with the unique backup GUID as part of the filename. This way you can easily see what settings each backup contains.
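
The procedure described above, sketched as an added example; this is not the author's Backup-ModifiedGPOs.ps1. The parameter names, the C:\GPOBackups placeholder path and the report file naming are assumptions.

```powershell
# Added example (not the author's Backup-ModifiedGPOs.ps1).
# Parameter names, defaults and the report file naming are assumptions.
param(
    [string]$BackupPath = 'C:\GPOBackups',  # placeholder path
    [int]$Hours = 24,                       # look-back window for a daily run
    [switch]$FirstRun                       # back up every GPO once
)
Import-Module GroupPolicy

if (-not (Test-Path -LiteralPath $BackupPath -PathType Container)) {
    throw "Backup path '$BackupPath' does not exist."
}

$Timespan = (Get-Date).AddHours(-$Hours)
$AllGPOs  = Get-GPO -All
if ($FirstRun) {
    $ModifiedGPOs = @($AllGPOs)
} else {
    # @() keeps the loop below from running once on an empty result.
    $ModifiedGPOs = @($AllGPOs | Where-Object { $_.ModificationTime -gt $Timespan })
}

foreach ($Gpo in $ModifiedGPOs) {
    # Backup-GPO returns an object whose Id is the unique backup GUID.
    $Backup = Backup-GPO -Guid $Gpo.Id -Path $BackupPath `
        -Comment "Scheduled backup $(Get-Date -Format s)"

    # Replace characters that are not valid in file names.
    $SafeName   = $Gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $ReportFile = Join-Path $BackupPath ('{0}_{1}.html' -f $SafeName, $Backup.Id)

    # The HTML report shows the settings as they were at backup time.
    Get-GPOReport -Guid $Gpo.Id -ReportType Html -Path $ReportFile

    # Emit one record per backup so a scheduled task can log the result.
    New-Object PSObject -Property @{
        GPO = $Gpo.DisplayName; BackupId = $Backup.Id; Report = $ReportFile
    }
}
```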

When restoring a GPO, you must first note the GUID of the backup you want to restore. Then you can restore the GPO by using the Restore-GPO cmdlet in the Group Policy-module. Sample usage:

[Image: sample Restore-GPO usage]
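
As the original screenshot is not available, here is an added example (not from the original post) of restoring by backup GUID with Restore-GPO. The wrapper name Restore-GpoFromBackup, the path and the all-zero GUID are placeholders.

```powershell
# Added example, not from the original post.
Import-Module GroupPolicy

function Restore-GpoFromBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][Guid]$BackupId,     # GUID noted from the report filename
        [Parameter(Mandatory = $true)][string]$BackupPath  # folder passed to Backup-GPO
    )

    # Each backup lives in a sub-folder of the backup path named {backup GUID}.
    $Folder = Join-Path $BackupPath ('{0:B}' -f $BackupId)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "No backup with ID $BackupId found under '$BackupPath'."
    }

    if ($PSCmdlet.ShouldProcess("backup $BackupId", 'Restore GPO')) {
        # Restores into the domain the GPO was backed up from.
        $Gpo = Restore-GPO -BackupId $BackupId -Path $BackupPath
        Write-Warning ("Restored '{0}'. Links are not restored; re-link the GPO " +
                       "using the HTML report saved with the backup.") -f $Gpo.DisplayName
        $Gpo
    }
}

# Usage with placeholder values; -WhatIf previews without changing anything:
# Restore-GpoFromBackup -BackupId '00000000-0000-0000-0000-000000000000' `
#     -BackupPath 'C:\GPOBackups' -WhatIf
```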

Administrators who feel more comfortable working with the GUI may use the Group Policy Management Console to do the restore.

The following procedure from the Group Policy Planning and Deployment Guide on Microsoft TechNet describes how to accomplish the restore operation from the GUI:

To view the list of GPO backups

  1. In the GPMC console tree, expand the forest or domain that contains the GPOs that you want to back up.
  2. Right-click Group Policy Objects, and then click Manage Backups.
  3. In the Manage Backups dialog box, enter the path to the location where you stored the GPO backups that you want to view. Alternatively, you can click Browse, locate the folder that contains the GPO backups, and then click OK.
  4. To specify that only the most recent version of the GPOs be displayed in the Backed up GPOs list, select the Show only the latest version of each GPO check box. Click Close.

Using the GPMC to restore GPOs

You can also restore GPOs. This operation restores a backed-up GPO to the same domain from which it was backed up. You cannot restore a GPO from a backup into a domain that is different from the GPO’s original domain.

To restore a previous version of an existing GPO

  1. In the GPMC console tree, expand Group Policy Objects in the forest or domain that contains the GPOs that you want to restore.
  2. Right-click the GPO that you want to restore to a previous version, and then click Restore from Backup.
  3. When the Restore Group Policy Object Wizard opens, follow the instructions in the wizard, and then click Finish.
  4. After the restore operation completes, a summary will state whether the restore succeeded. Click OK.

To restore a deleted GPO

  1. In the GPMC console tree, expand the forest or domain that contains the GPO that you want to restore.
  2. Right-click Group Policy Objects, and then click Manage Backups.
  3. In the Manage Backups dialog box, click Browse, and then locate the file that contains your backed-up GPOs.
  4. In the Backed up GPOs list, click the GPO that you want to restore, and then click Restore.
  5. When you are prompted to confirm the restore operation, click OK.
  6. After the restore operation completes, a summary will state whether the restore succeeded. Click OK. Click Close.

Important: Since Group Policy links are stored on the Organizational Unit objects in Active Directory, this information is not backed up and is therefore not restored. However, the HTML backup reports contain this information, so you can manually re-link the GPO to the correct OU(s).

Also note that WMI filters and IPSec policies are not backed up by the backup feature in the Group Policy Management Console. For more information on how to manage these items, see the previously mentioned Group Policy Planning and Deployment Guide.

 


June 15, 2010 - Posted by | Active Directory management, Group Policy, Scripting, Windows 7, Windows PowerShell, Windows Server 2008 R2

12 Comments »

  1. […] Backing up Group Policy Objects using Windows PowerShell « blog.powershell.no – […]

    Pingback by Bookmarks for June 18th through June 27th | The Wahoffs.com | June 27, 2010 | Reply

  2. This is exactly what I’m after, but am having some problems running the script (I changed the path and signed it, all else is the same): http://pastebin.com/2VjUF3Jt

    I’d appreciate your assistance.

    Comment by CypherBit | November 12, 2010 | Reply

    • Hi,

      I see that the script requires an initial backup to be in place of all GPO's. I'll make an update to the script to fix this automatically.
      Until then, remove “| Where-Object {$_.ModificationTime -gt $Timespan}” from the $ModifiedGPOs variable on first run. Afterwards, set it back to:
      $ModifiedGPOs = Get-GPO -all | Where-Object {$_.ModificationTime -gt $Timespan}

      I should've tested this on a fresh system before publishing it…”note to self” 🙂

      Comment by Jan Egil Ring | November 12, 2010 | Reply

      • Hello,

        thank you so much for the prompt reply. I did as suggested and removed “| Where-Object {$_.ModificationTime -gt $Timespan}” added it back, ran the script again and receive the same errors.

        Does it have to do anything with the fact that the timespan of 24h didn’t pass?

        Comment by CypherBit | November 13, 2010

  3. Could the error above be attributed to the fact that no changes to GPOs were made?

    Comment by CypherBit | November 17, 2010 | Reply

  4. Andy Helsby has posted an improved version of the script here: http://poshcode.org/2369

    I've updated the link in the blog-post.

    Thanks Andy!

    Comment by Jan Egil Ring | November 21, 2010 | Reply

    • I don’t know if it’s just me but I’m still getting errors: http://pastebin.com/vD8xn6HW

      I’d really like to have this in my environment, but don’t have the PS skills required to know what to change.

      Comment by CypherBit | November 24, 2010 | Reply

      • Hi,

        I'm sorry for the lack of testing…busy times at work these days 🙂

        I've re-published the script here: http://poshcode.org/2386

        I've added a -FirstRun parameter that lets you backup all GPO's on first run, and also added some additional logic.

        Will probably re-write the script as an advanced function some time in the future.

        Comment by Jan Egil Ring | November 24, 2010

  5. Excellent!

    Thank you so much, this version works great for me.

    Comment by CypherBit | November 30, 2010 | Reply

  6. Thanks for the updates Jan. I was pretty pleased with my edits to the script so was excited to share the updates. It was my second powershell script so hadn’t come across the switch function yet 😉

    Comment by Andy Helsby | December 1, 2010 | Reply

  7. […] to Jan Egil Ring for this dandy script.  Checkout his blog and his post on this […]

    Pingback by Backup Only Group Policy Objects That Have Changed « Paul Abke's Blog | July 14, 2011 | Reply

  8. […] blog.powershell.no – Backing up Group Policy Objects using Windows PowerShell […]

    Pingback by PowerShell – Резервное копирование групповых политик (GPO) « ИТ Блог Алексея Максимова | March 11, 2012 | Reply

