How to create Group Policy backups in Windows Server
Group Policy Objects represent a significant time investment and an important configuration management tool. Follow these simple steps to protect them.
Group Policy is Microsoft's integrated configuration management tool for Active Directory devices. It consists of thousands of settings controlling everything from security to software deployment to UI options. With so many settings and opportunities for customization, it's critical to protect your Group Policy infrastructure from accidental loss or unintended changes.
Optimizing and managing Group Policy can take a lot of time, especially in large, distributed environments with various systems playing different roles.
Group Policy enables you to perform several important functions. Examples include the following:
- Password policy.
- Desktop configurations.
- Restrict access to Control Panel.
- Disable automatic driver updates.
- USB blocking.
- Software management.
Settings are stored in collections called Group Policy Objects. GPOs can be linked to Active Directory (AD) sites, the domain and organizational units (OUs), enabling granular and role-specific configurations. The judicious use of New Technology File System (NTFS) permissions enables further control over which devices receive settings.
AD's distributed design helps maintain Group Policy availability by replicating GPOs among domain controllers (DCs), but administrators should consider additional steps to safeguard it.
Backups -- any backups -- are critical. GPOs contain many settings that customize your AD environment, representing many hours of work for your team. Group Policy provides users with the configurations and tools they need to do their jobs, and it restricts them from the options that might get in their way or generate support calls. It is essential to protect Group Policy.
This tutorial explains how to create Group Policy backups in Windows Server. By the end, you will be able to effectively maintain this critical piece of your AD infrastructure.
Back up all Group Policy Objects
The primary reason to back up data is disaster recovery. AD's design incorporates DR by replicating information across all DCs. However, separate backups of Group Policy are useful when you want to restore Group Policy independently of recovering AD.
Access Group Policy backup functions from the Group Policy Management Console (GPMC). Select the parent folder named Group Policy Objects, right-click and choose Back Up All. Select a backup storage location.
Make sure to keep backups on a different drive than the AD database. Network or cloud storage is certainly acceptable if you can guarantee security and integrity. Enter a reasonable description that includes the backup date. Consider creating a naming convention for the backups to simplify identification.
The backup job should go quickly -- probably about one minute. As with other backup strategies, consider storing a copy off-site for additional peace of mind.
Restore Group Policy Objects
Restoring GPOs is also straightforward. Right-click the Group Policy Objects node in GPMC, and select Manage Backups. Browse to the folder that stores your Group Policy backups, and choose the GPO to restore. Click the Restore button, and watch the progress bar. The restore process should go quickly.
Restoring a GPO does not automatically update the settings on the systems it's linked to. You need to find another way of refreshing those systems if you need the settings in place quickly. Otherwise, wait for the default two hours for the automatic Group Policy refresh, and you should see your restored configurations.
The Manage Backups interface also lets you view the specific Group Policy settings for a given GPO. You can also delete the backup.
Back up specific Group Policy Objects
Another option is backing up individual GPOs. This approach solves a different problem than DR. It provides a rollback option from unanticipated results.
Consider the following scenario: You've developed a GPO to configure the workstations in the sales department. It includes desktop selections -- e.g., default icons -- Start menu options, security configurations, printer settings and other items relevant to the sales role. You have some modifications in mind, but if they don't work out, you need to be able to revert the machines back to the current configuration.
To do this, back up the existing GPO before you begin tinkering with the settings. If the new configurations don't provide the necessary interface, restore the original GPO.
To back up a single GPO, select it from the Group Policy Objects node in GPMC. The context menu includes a Back Up option. The remaining interface is similar to the above, where you backed up all GPOs. Choose a storage location and a useful description.
Figures 8, 9 and 10 demonstrate the process using a Driver Update Block GPO.
Use the same process outlined above to restore a single GPO. Remember to refresh the settings.
Copy a Group Policy Object
While copying a GPO isn't the same as backing it up, it is a useful function. It's handy to quickly duplicate the settings in a GPO for use with another site or OU. Maybe you're taking that sales interface configuration mentioned above, tweaking it and then applying the settings to the marketing department's systems. Right-click the GPO, and choose Copy.
To paste the copied GPO into the interface, right-click the Group Policy Objects node, and select Paste. The console prompts you to either preserve the existing NTFS permissions on the GPO or set them to the default. Choose one, and click OK. A confirmation of success appears. The copy is displayed in the list. Just rename it, and begin modifying it as needed.
Back up and restore GPOs using PowerShell
It's easy to back up all GPOs using PowerShell. The relevant cmdlet is Backup-GPO. If you're backing up the entire set, such as for DR purposes, use the -All parameter, and designate a destination path. Here's an example:
Backup-GPO -All -Path C:\GPO-backups\
You can also back up individual GPOs using PowerShell. In this case, add the -Name parameter, specify the GPO name and add the path:
Backup-GPO -Name 'Dev Desktop Configurations' -Path C:\GPO-backups\
Use similar syntax with the Restore-GPO cmdlet to restore the GPO.
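The backup and restore cmdlets above, combined into one dated workflow with an integrity check before restore. This is an added example, not part of the original article; the D:\GPO-backups path, the manifest file, the Restore-VerifiedGpo helper and the workstation name are assumptions made for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added example. Assumed backup root: a drive other than the one holding the AD database.
$BackupRoot = 'D:\GPO-backups'
$Stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Target     = Join-Path $BackupRoot "AllGPOs_$Stamp"
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Back up every GPO; the comment carries the date so Manage Backups displays it.
$backups = Backup-GPO -All -Path $Target -Comment "Full GPO backup $Stamp"
$backups | Select-Object DisplayName, GpoId, Id, CreationTime | Format-Table

# Record a SHA-256 manifest so later corruption or tampering is detectable.
$Manifest = Join-Path $BackupRoot "AllGPOs_$Stamp.sha256.csv"
Get-ChildItem -Path $Target -Recurse -File -Force |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $Manifest -NoTypeInformation

# Hypothetical helper: verify the backup files against the manifest, then restore one GPO.
function Restore-VerifiedGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $BackupPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Refuse to restore if any file is missing or differs from its recorded hash.
    $bad = @(Import-Csv -Path $ManifestPath | Where-Object {
        -not (Test-Path -LiteralPath $_.Path) -or
        (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash -ne $_.Hash
    })
    if ($bad.Count -gt 0) {
        throw "Backup integrity check failed for $($bad.Count) file(s)."
    }
    # With -Name, Restore-GPO uses the most recent backup of that GPO in $BackupPath.
    Restore-GPO -Name $Name -Path $BackupPath
}

# Example rollback, run only when needed (GPO name from the article, host name constructed):
# Restore-VerifiedGpo -Name 'Dev Desktop Configurations' -BackupPath $Target -ManifestPath $Manifest
# Invoke-GPUpdate -Computer 'SALES-WS01' -Force -RandomDelayInMinutes 0
```

Store the manifest where accounts that can write to the backup folder cannot modify it; kept beside the backup, it detects corruption but not deliberate tampering.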
What about system backups?
AD stores the GPOs in the system volume (SYSVOL) directory, which is usually located on the DC's C: drive. Any standard backup that catches this location backs up the GPOs.
For example, if you use the standard Windows Server Backup utility to back up the DC's C: drive, you already have a duplicate of the GPOs. The difference is that a systemwide backup is harder to work with, especially when backing up a single GPO before making edits. GPMC's backup tool is quicker and easier.
The GPOs are displayed using their GPO ID, making them harder to identify in the SYSVOL folder. Use the Manage Backups feature in GPMC to differentiate among the GPOs.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.