Active Directory

Back Up and Restore Group Policy Objects Using PowerShell

The Group Policy Management Console (GPMC) allows administrators to back up Group Policy Objects (GPOs) independently of full domain controller backups, which can be useful in situations where one or more GPOs need to be restored or in test environments where changes need to be rolled back on a regular basis. In this Ask the Admin, I’ll show you how to automate GPO back up using PowerShell, along with instructions on how to perform restores from the command line.

Using the Backup-GPO PowerShell cmdlet

The Backup-GPO PowerShell cmdlet doesn’t capture all Group Policy data; only GPO settings, delegation, and information about security filtering. That means that you can’t use Backup-GPO on its own to restore a fully working Group Policy configuration, because WMI filters, scope-of-management (SOM) information, and other details, such as whether GPO links are enabled, inheritance blocked etc., are not included in the backup data.

Admittedly that sounds bad, but the built-in backup feature in GPMC doesn’t do any more, so you won’t be any worse off using PowerShell. It’s possible to make up for the shortcomings of GPMC backup and the Backup-GPO cmdlet using PowerShell, but those are extra topics that I’ll cover in future Ask the Admin articles.

Using Backup-GPO to back up all Group Policy Objects in a domain (Image Credit: Russell Smith)
Using Backup-GPO to back up all Group Policy Objects in a domain (Image Credit: Russell Smith)

Back Up All Group Policy Objects (GPOs)

Let’s start by backing up all GPOs in a domain. You’ll need to log in to a domain controller (DC), management PC, or server joined to the domain, where the Remote Server Administration Tools (RSAT) are installed, which includes the GPMC PowerShell cmdlets. For more information on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase. Make sure you log in with an account that’s allowed to manage Group Policy Objects.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

Switch to the Start screen, type powershell and click Windows PowerShell in the search results. To set variables for the date and file path for the backup, run the following code in the PowerShell prompt. It’s important to note that when specifying the date format, month is referenced using a capital letter.

​$date = get-date -format dd.MM.yyyy 
$path = “c:\GPOBackups\$date”

In this example, I’ve set the backup path to be a folder on the local server, but you could alternatively specify a shared folder on a remote device instead. Now run the New-Item cmdlet to create a folder for the backup, using today’s date:

​New-Item -Path $path -ItemType directory

Finally, run the Backup-GPO cmdlet as shown below to back up all GPOs in the user’s domain:

​ Backup-Gpo -All -Path $path
GPO backups created using the Backup-GPO PowerShell cmdlet (Image Credit: Russell Smith)
GPO backups created using the Backup-GPO PowerShell cmdlet (Image Credit: Russell Smith)

Back Up a Single Group Policy Object

Remove the –All parameter from the above Backup-GPO cmdlet and replace it with the name of the GPO you want to back up, as shown below:

​Backup-GPO –Name 'Helpdesk Shutdown Computer NT Right' –Path $path

Restoring Group Policy Objects

To restore a single GPO using the Restore-GPO cmdlet, all you need to do is specify the name of the GPO and its backup path:

​Restore-GPO -Name 'Helpdesk Shutdown Computer NT Right' –Path $path

Alternatively, you can restore all GPOs in a given backup path:

​Restore-GPO -All –Path $path

Stay tuned to the Petri IT Knowledgebase to learn how to back up and restore WMI filters, Group Policy scope-of-management information, and other configuration that’s required to fully restore Group Policy.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
Don't leave your business open to attack! Come learn how to protect your AD in this FREE masterclass!REGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: