How to Backup and Restore GPO?

A backup of Group Policy Objects allows you to quickly restore the state and settings of any GPO in the domain in case of damage or incorrect changes. You can back up and restore GPOs through the Group Policy Management Console (GPMC) or using PowerShell. In this article, we will cover the basics of backing up, restoring, and importing GPOs in an Active Directory domain on Windows Server 2016 or Windows Server 2019.

Hint. Group Policy Objects are also backed up when you back up an AD domain controller.

Backup and Restore GPOs Using GPMC

To run the Group Policy Management Console, press Win + R and enter gpmc.msc. Go to the Group Policy Objects section and select the policy you want to back up. Choose the Back Up option from the context menu.

Note. By default, only members of the Domain Admins and Enterprise Admins groups have the authority to manage GPOs.

Specify the folder in which you want to save the GPO backup (the directory must exist) and enter a backup description. Press the Back Up button.

If the Group Policy backup is successful, the following message appears: GPO: CA_Proxy…Succeeded

Note. The following policy items are saved during the backup of the GPO:

  • Settings inside GPO;
  • GPO permissions and delegation;
  • GUID;
  • WMI filters links;

The GPO backup does not contain information about the AD containers to which it is assigned (scope-of-management info), information about GPO links, and block inheritance settings.

You can back up all domain GPOs. Just click on the root of the Group Policy Objects section and select Back Up All.

Go to the GPO backup folder. As you can see, a separate directory with a unique backup-ID is created for each backup copy of the policy. It is quite difficult to find out which policy a particular backup folder refers to.

Hint. There are only two policies with well-known GUIDs in a domain: Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9} and Default Domain Controllers Policy {6AC1786C-016F-11D2-945F-00C04fB984F9}.

The easiest way to figure out which policy is relevant to each directory is through the GPMC. Select the Group Policy Objects section in the console and select Manage Backups.

You will see a list of available backups in the specified directory (don’t forget to specify the path in the Backup location field). Select the backup you want to restore and click the Restore button.

Note. You can view the settings of any GPO using the View Settings button.

You can also restore a specific GPO from a backup if you select it in the console, right-click and select Restore from Backup in the menu.

The recovery wizard starts, in which you need to specify the GPO backup location.

Select the version of GPO to recover. You can select by creation date or description. Also, using the “View Settings” button, you can see the settings contained in this GPO.

Back Up and Restore GPO Using PowerShell

You can back up and restore GPOs using PowerShell. For this, special cmdlets from the GroupPolicy module are used: Backup-GPO and Restore-GPO. The GroupPolicy module is part of the Remote Server Administration Tools (RSAT).

Hint. You can list all cmdlets of the GroupPolicy module using the command:

Get-Command -Module GroupPolicy

To back up the CA_Proxy policy and save it to the C:\Backup folder, you must first import the module:

Import-Module GroupPolicy

And then execute the command:

Backup-GPO -Name "CA_Proxy" -Path "C:\Backup" -Comment "Backup CA_proxy policy from with PowerShell"

Hint. Note the backup ID; you may need it in the future when restoring.

To back up all domain GPOs, use the command:

Backup-GPO -All -Path "C:\Backup"

To restore the latest version of one GPO from the backup, use the command:

Restore-GPO -Name CA_Proxy -Path "C:\Backup"

If you need to restore the latest version of the GPO, you need to specify its BackupID. BackupID is a 32-bit identifier that is unique for each backup. Its name matches the name of the folder where the copy is stored. For example:

Restore-GPO -Path "C:\Backups" -BackupID 334197E5-3F67-4C7E-B962-21BF63B783B8
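
To find the BackupID of a given policy without opening GPMC, the following sketch (an added example, not part of the original article) reads the bkupInfo.xml file stored in each backup folder and lists the GPO name, backup time and comment next to the BackupID. The function name Get-GpoBackupInventory, the C:\Backup path and the element names read from bkupInfo.xml (GPODisplayName, GPOGuid, BackupTime, Comment) are assumptions of this example.

```powershell
# Added example: map each BackupID folder to the GPO it contains.
# Get-GpoBackupInventory is a hypothetical helper; C:\Backup is an assumed path.
function Get-GpoBackupInventory {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Backup-GPO creates one sub-folder per backup, named after the BackupID.
    foreach ($dir in Get-ChildItem -Path $Path -Directory) {
        # bkupInfo.xml describes the backup; -Force also finds it when hidden.
        $infoFile = Get-ChildItem -LiteralPath $dir.FullName -Filter 'bkupInfo.xml' -File -Force |
            Select-Object -First 1
        if (-not $infoFile) { continue }    # not a GPO backup folder

        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($infoFile.FullName)

        # Read a child element by local name (ignores XML namespace and CDATA wrapping).
        $read = {
            param($name)
            $node = $doc.DocumentElement.SelectSingleNode("*[local-name()='$name']")
            if ($node) { $node.InnerText.Trim() }
        }

        [pscustomobject]@{
            GpoName    = & $read 'GPODisplayName'
            GpoGuid    = & $read 'GPOGuid'
            BackupId   = $dir.Name.Trim('{}')
            BackupTime = (& $read 'BackupTime') -as [datetime]
            Comment    = & $read 'Comment'
        }
    }
}

# List backups, newest first within each GPO.
$inventory = Get-GpoBackupInventory -Path 'C:\Backup'
$inventory | Sort-Object GpoName, @{ Expression = 'BackupTime'; Descending = $true } |
    Format-Table GpoName, BackupTime, BackupId, Comment -AutoSize

# Preview restoring one chosen backup of CA_Proxy (remove -WhatIf to apply).
$chosen = $inventory | Where-Object GpoName -eq 'CA_Proxy' |
    Sort-Object BackupTime | Select-Object -Last 1
if ($chosen) { Restore-GPO -BackupId $chosen.BackupId -Path 'C:\Backup' -WhatIf }
```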

You can restore all GPOs from a backup at once:

Restore-GPO -All -Path "C:\Backups"

By the way, a backup can be used not only to restore an existing GPO but also to import its settings into a new one. Create a new GPO:

New-GPO -Name "Test GPO Imported"

Hint. Please note that the domain controller with the FSMO (Flexible Single Master Operation) PDC Emulator role is responsible for creating the new Group Policy Object in the Active Directory domain. If this DC is not available, you cannot create a new GPO. In some cases, you can transfer any FSMO role to another domain controller.

Now you can restore a backup of any GPO to a new policy (by importing all of its settings):

Import-GPO -BackupId "334197E5-3F67-4C7E-B962-21BF63B783B8" -TargetName "Test GPO Imported" -Path "C:\backup"

Schedule GPO Backup

Regular backups of Group Policy Objects help protect your Active Directory domain from unwanted changes. I’ll show you how to automate GPO backup using a simple PowerShell script.

Create a backup_gpo.ps1 file on the domain controller with the following code:

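# Folder name is the current date, e.g. E:\GPO\Backup\31.12.2019
$date = Get-Date -Format dd.MM.yyyy
$path = "E:\GPO\Backup\$date"

# Backup-GPO requires the target directory to exist
New-Item -Path $path -ItemType Directory

# Back up every GPO in the domain
Backup-GPO -All -Path $path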

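Create a new Task Scheduler job to back up all GPOs daily:

# Run every day at midnight
$Trigger = New-ScheduledTaskTrigger -Daily -At "00:00"

# The task runs as SYSTEM on the domain controller, so only administrators
# should have write access to C:\Scripts and backup_gpo.ps1
$User = "NT AUTHORITY\SYSTEM"

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\backup_gpo.ps1"

Register-ScheduledTask -TaskName "GPOBackup" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force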

As a result, a directory with the current date and a full copy of all GPOs will be created on a daily basis in the specified directory.
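
As noted earlier, a GPO backup does not include information about GPO links. The following script is an added example (not part of the original article) that writes the current links of every GPO to a CSV file in the same dated folder, so they can be re-created by hand after a restore; it does not capture block inheritance settings. The file name gpo-links.csv is an assumption of this example.

```powershell
# Added example: save GPO link information next to the daily backup.
# gpo-links.csv is an assumed file name; the path matches backup_gpo.ps1 above.
Import-Module GroupPolicy

$date = Get-Date -Format dd.MM.yyyy
$path = "E:\GPO\Backup\$date"
New-Item -Path $path -ItemType Directory -Force | Out-Null

$links = foreach ($gpo in Get-GPO -All) {
    # The XML report of a GPO lists every container it is linked to under <LinksTo>
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    foreach ($link in $report.GPO.LinksTo) {
        [pscustomobject]@{
            GpoName  = $gpo.DisplayName
            GpoId    = $gpo.Id
            Target   = $link.SOMPath      # domain, OU or site the GPO is linked to
            Enabled  = $link.Enabled      # link enabled or disabled
            Enforced = $link.NoOverride   # "Enforced" flag of the link
        }
    }
}

# GPOs without links produce no rows; compare against Get-GPO -All to spot them
$links | Export-Csv -Path (Join-Path $path 'gpo-links.csv') -NoTypeInformation -Encoding UTF8
```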

It is advisable to back up your GPOs regularly, especially before making any changes, so that you can roll back the changes as quickly as possible.

Cyril Kardashevsky