The Group Policy Management Console (GPMC) allows administrators to back up Group Policy Objects (GPOs) independently of full domain controller backups, which can be useful in situations where one or more GPOs need to be restored or in test environments where changes need to be rolled back on a regular basis. In this Ask the Admin, I’ll show you how to automate GPO backup using PowerShell, along with instructions on how to perform restores from the command line.
The Backup-GPO PowerShell cmdlet doesn’t capture all Group Policy data. It captures only GPO settings, delegation, and information about security filtering. That means that you can’t use Backup-GPO on its own to restore a fully working Group Policy configuration, because WMI filters, scope-of-management (SOM) information, and other details, such as whether GPO links are enabled or inheritance is blocked, are not included in the backup data.
Admittedly that sounds bad, but the built-in backup feature in GPMC doesn’t do any more, so you won’t be any worse off using PowerShell. It’s possible to make up for the shortcomings of GPMC backup and the Backup-GPO cmdlet using PowerShell, but those are extra topics that I’ll cover in future Ask the Admin articles.
Let’s start by backing up all GPOs in a domain. You’ll need to log in to a domain controller (DC), management PC, or server joined to the domain, where the Remote Server Administration Tools (RSAT) are installed, which includes the GPMC PowerShell cmdlets. For more information on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase. Make sure you log in with an account that’s allowed to manage Group Policy Objects.
Switch to the Start screen, type powershell and click Windows PowerShell in the search results. To set variables for the date and file path for the backup, run the following code in the PowerShell prompt. Note that in the date format string the month is written in capital letters (MM); lowercase mm means minutes.
$date = Get-Date -Format dd.MM.yyyy
$path = "c:\GPOBackups\$date"
In this example, I’ve set the backup path to be a folder on the local server, but you could alternatively specify a shared folder on a remote device instead. Now run the New-Item cmdlet to create a folder for the backup, using today’s date:
New-Item -Path $path -ItemType directory
Finally, run the Backup-GPO cmdlet as shown below to back up all GPOs in the user’s domain:
Backup-GPO -All -Path $path
To back up a single GPO instead, remove the -All parameter from the above Backup-GPO cmdlet and replace it with the -Name parameter and the name of the GPO you want to back up, as shown below:
Backup-GPO -Name 'Helpdesk Shutdown Computer NT Right' -Path $path
To restore a single GPO using the Restore-GPO cmdlet, all you need to do is specify the name of the GPO and its backup path:
Restore-GPO -Name 'Helpdesk Shutdown Computer NT Right' -Path $path
Alternatively, you can restore all GPOs in a given backup path:
Restore-GPO -All -Path $path
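The backup steps above, combined into one script that could be run from a scheduled task. This is an added example, not code from the original article. The $BackupRoot and $KeepDays parameters, the index.csv file name and the 30-day retention window are assumptions chosen for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added example: unattended GPO backup with a simple retention window.
# $BackupRoot and $KeepDays are assumed values; adjust them for your environment.
param(
    [string]$BackupRoot = 'C:\GPOBackups',
    [int]$KeepDays = 30
)

$ErrorActionPreference = 'Stop'
$format = 'dd.MM.yyyy'    # MM = month; lowercase mm would be minutes
$path = Join-Path $BackupRoot (Get-Date -Format $format)

# -Force lets New-Item succeed when today's folder already exists
New-Item -Path $path -ItemType Directory -Force | Out-Null

# Backup-GPO returns one backup object per GPO. Save an index that maps each
# backup ID (the GUID-named subfolder) to the GPO's display name.
$backups = Backup-GPO -All -Path $path -Comment "Scheduled backup $(Get-Date -Format s)"
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $path 'index.csv') -NoTypeInformation

# Delete dated folders older than the retention window. Only folders whose
# names parse as dd.MM.yyyy are considered; anything else is left alone.
$cutoff = (Get-Date).Date.AddDays(-$KeepDays)
$culture = [Globalization.CultureInfo]::InvariantCulture
foreach ($dir in Get-ChildItem -Path $BackupRoot -Directory) {
    $stamp = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact($dir.Name, $format, $culture,
        [Globalization.DateTimeStyles]::None, [ref]$stamp)
    if ($parsed -and $stamp -lt $cutoff) {
        Remove-Item -Path $dir.FullName -Recurse -Force
    }
}

Write-Output "Backed up $(@($backups).Count) GPOs to $path"
```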
Stay tuned to the Petri IT Knowledgebase to learn how to back up and restore WMI filters, Group Policy scope-of-management information, and other configuration that’s required to fully restore Group Policy.