
The Group Policy Management Console (GPMC) allows administrators to back up Group Policy Objects (GPOs) independently of full domain controller backups, which can be useful in situations where one or more GPOs need to be restored or in test environments where changes need to be rolled back on a regular basis. In this Ask the Admin, I’ll show you how to automate GPO backups using PowerShell, along with instructions on how to perform restores from the command line.
The Backup-GPO PowerShell cmdlet doesn’t capture all Group Policy data, only GPO settings, delegation, and information about security filtering. That means that you can’t use Backup-GPO on its own to restore a fully working Group Policy configuration, because WMI filters, scope-of-management (SOM) information, and other details, such as whether GPO links are enabled or inheritance is blocked, are not included in the backup data.
Admittedly that sounds bad, but the built-in backup feature in GPMC doesn’t do any more, so you won’t be any worse off using PowerShell. It’s possible to make up for the shortcomings of GPMC backup and the Backup-GPO cmdlet using PowerShell, but those are extra topics that I’ll cover in future Ask the Admin articles.
Using Backup-GPO to back up all Group Policy Objects in a domain (Image Credit: Russell Smith)
Let’s start by backing up all GPOs in a domain. You’ll need to log in to a domain controller (DC), management PC, or server joined to the domain, where the Remote Server Administration Tools (RSAT) are installed, which includes the GPMC PowerShell cmdlets. For more information on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase. Make sure you log in with an account that’s allowed to manage Group Policy Objects.
Switch to the Start screen, type powershell and click Windows PowerShell in the search results. To set variables for the date and file path for the backup, run the following code in the PowerShell prompt. Note that in the date format string the month must be written with capital letters (MM); lowercase mm means minutes.
$date = Get-Date -Format dd.MM.yyyy
$path = "c:\GPOBackups\$date"
In this example, I’ve set the backup path to be a folder on the local server, but you could alternatively specify a shared folder on a remote device instead. Now run the New-Item cmdlet to create a folder for the backup, using today’s date:
New-Item -Path $path -ItemType directory
Finally, run the Backup-GPO cmdlet as shown below to back up all GPOs in the user’s domain:
Backup-Gpo -All -Path $path
GPO backups created using the Backup-GPO PowerShell cmdlet (Image Credit: Russell Smith)
To back up a single GPO instead, remove the -All parameter from the above Backup-GPO cmdlet and replace it with the -Name parameter and the name of the GPO you want to back up, as shown below:
Backup-GPO -Name 'Helpdesk Shutdown Computer NT Right' -Path $path
To restore a single GPO using the Restore-GPO cmdlet, all you need to do is specify the name of the GPO and its backup path:
Restore-GPO -Name 'Helpdesk Shutdown Computer NT Right' -Path $path
Alternatively, you can restore all GPOs in a given backup path:
Restore-GPO -All -Path $path
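The backup steps above combined into a single script that can be run from a scheduled task, as an added example that is not part of the original article. The $BackupRoot and $KeepDays parameters, the manifest.csv file name, and the verification and retention logic are assumptions made for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the article. $BackupRoot, $KeepDays and
# manifest.csv are assumed names/values; adjust for your environment.
param(
    [string]$BackupRoot = 'C:\GPOBackups',
    [int]$KeepDays = 30
)
$ErrorActionPreference = 'Stop'

# Same dated-folder convention as the article (MM = month).
$date = Get-Date -Format 'dd.MM.yyyy'
$path = Join-Path $BackupRoot $date
New-Item -Path $path -ItemType Directory -Force | Out-Null

# Back up every GPO in the user's domain and keep the returned backup objects.
$backups = @(Backup-GPO -All -Path $path -Comment "Scheduled backup $date")

# Record which backup ID belongs to which GPO.
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $path 'manifest.csv') -NoTypeInformation

# Verify: every GPO in the domain must appear in this backup set.
$missing = @(Get-GPO -All | Where-Object { $backups.GpoId -notcontains $_.Id })
if ($missing.Count -gt 0) {
    Write-Warning ('Not backed up: ' + ($missing.DisplayName -join ', '))
    exit 1   # leave older backups in place when the new set is incomplete
}

# Retention: delete only folders whose name parses as dd.MM.yyyy and is too old.
$cutoff = (Get-Date).Date.AddDays(-$KeepDays)
Get-ChildItem -Path $BackupRoot -Directory | ForEach-Object {
    $stamp = [datetime]::MinValue
    $isDated = [datetime]::TryParseExact($_.Name, 'dd.MM.yyyy',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$stamp)
    if ($isDated -and $stamp -lt $cutoff) {
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
    }
}
```

The Id column in manifest.csv is the backup ID that Restore-GPO accepts through its -BackupId parameter, which lets you restore one specific backup of a GPO.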
Stay tuned to the Petri IT Knowledgebase to learn how to back up and restore WMI filters, Group Policy scope-of-management information, and other configuration that’s required to fully restore Group Policy.