Managing GPO Backups
The GPMC provides some
amazing features, but some of these are not automated. One of the best
and most important features of the GPMC is the ability to protect your
Group Policy investment by backing up the GPOs. You have complete
control over restoring your backups in case of a disaster.
Note
If
you want to automate the process of backing up GPOs when an
administrator edits them, you should consider the Microsoft Advanced
Group Policy Management (AGPM) tool. |
Backing Up GPOs
When
you back up a GPO, all of the settings that you have implemented are
archived; this is valuable in case of a disaster or in case an older
version of the GPO is needed in the future. The backup routine also
backs up other essential aspects of the GPO. These other areas include:
The areas of a GPO that are not included in the backup and restore routine include:
To perform a backup of
a single GPO, you must have Read permissions on the GPO and Write
permissions on the folder containing the GPO backup. Then follow these
steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Expand the Group Policy Objects node, right-click the GPO that you want to back up, and then click Back Up.
|
3. | In
the Back Up Group Policy Object dialog box, type the path and name of
the folder where you want to store your GPO backups in the Location box.
|
4. | (Optional) Enter a description for the backed-up GPO in the Description box.
|
5. | Click Back Up.
|
Note
If
you have not already configured a path and folder for backing up your
GPOs, click Browse in step 3 to create a folder in which you want to
store your GPO backups. To secure the backed-up GPO, ensure that only
authorized administrators have permission to access the folder to which
you are exporting the GPOs. |
Of
course, if you choose to back up your GPOs in this manner, you must
perform these steps for each GPO if you want to back up all of the GPOs
for the domain. A much more efficient option is to select the option to
back up all of the GPOs. This is the default option in the GPMC
interface. To back up all of your GPOs at one time, follow these steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Right-click the Group Policy Objects node, and then click Back Up All.
|
3. | In the Back Up Group Policy Object dialog box, type the path and name of the folder where you want to store your GPO backups.
|
4. | Click Back Up.
|
5. | After the GPO is backed up, click OK.
|
Figure 3 shows the confirmation of a successful backup.
Best Practices
It
is a best practice to back up a GPO before and after you modify it.
This ensures that you have a functioning copy of the GPO before you
alter it. The GPMC backup program allows you to restore GPOs that you
have backed up. |
Restoring GPOs
You might need to
recover a GPO because of an incorrect configuration that must be undone,
or for a variety of other reasons. Regardless of the reason, the
restoration process is easy and straightforward. You can restore a GPO
that still exists, or one that you have deleted. This is possible
because the system backs up the GPO’s GUID, settings, and WMI filter
links. The process for restoring a GPO that still exists in the GPMC is
slightly different from the process for restoring one that has been
deleted, but the end result is the same, which are all of the aspects of
the GPO that were backed up (see list of items backed up above).
Restoring an Existing GPO
To restore a GPO that still exists in the GPMC and has been backed up, follow these steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Expand the Group Policy Objects node.
|
3. | Right-click
the GPO that you want to restore from the backup archive, and then
click Restore From Backup. The Restore Group Policy Object Wizard
appears.
|
4. | On the Welcome to the Restore Group Policy Object Wizard page, click Next.
|
5. | On the Backup Location page, select the folder that contains the backed-up GPO from the Backup Folder list, and then click Next.
|
6. | On the Source GPO page, select the GPO that you want to restore from the Backed Up GPOs list box, and then click Next.
|
7. | Click Finish to complete the Restore Group Policy Object Wizard, as shown in Figure 4.
|
Warning
Restoration of an existing GPO will overwrite the existing GPO. |
Restoring a Deleted GPO
If an administrator has
already deleted a GPO, or it no longer exists in the domain but has been
backed up in the past, you can restore it by following these steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Right-click the Group Policy Objects node, and then click Manage Backups.
|
3. | In the Manage Backups dialog box, select the GPO that you want to restore from the Backed Up GPOs list, as shown in Figure 5.
|
4. | Click Restore, and then, in the Group Policy Management message box, click OK to confirm the restoration.
|
Viewing the GPO Settings of a Backed-Up GPO
If
you have been following the best practices for backing up your GPOs,
you will have numerous copies of your GPOs in the backup archive. With
so many GPOs listed in the archive, it is difficult to know which GPO
has the settings that you want to restore. The GPOs include the
timestamp when they are archived, but over time this will not help you
remember the exact settings that were in the GPO at the time of the
backup.
To help you remember
the settings in the backed-up GPOs, you can access a settings report
from within the GPO archive. To view the settings of any backed-up GPO,
follow these steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Right-click the Group Policy Objects node, and then click Manage Backups.
|
3. | In the Manage Backups dialog box, select the GPO for which you want to view the settings from the Backed Up GPOs list.
|
4. | Click View Settings.
|
Note
If
a Microsoft Internet Explorer dialog box appears regarding security of
the Web page you are attempting to view, you can either close the dialog
box and view the content on a limited basis or add the page to the
trusted sites list. |
The
ability to view the settings of a backed-up GPO is also extremely
useful when you are restoring a GPO. The View Settings button is
available during the selection of the GPO when you are restoring it. It
is always a good idea to look at the GPO settings before restoration, to
ensure that you do not deploy an incorrect or damaging setting into
production.
