
How to create Group Policy backups in Windows Server

Group Policy Objects represent a significant time investment and an important configuration management tool. Follow these simple steps to protect them.

Group Policy is Microsoft's integrated configuration management tool for Active Directory devices. It consists of thousands of settings controlling everything from security to software deployment to UI options. With so many settings and opportunities for customization, it's critical to protect your Group Policy infrastructure from accidental loss or unintended changes.

Optimizing and managing Group Policy can take a lot of time, especially in large, distributed environments with various systems playing different roles.

Group Policy enables several important functions. Examples of what you can do with it include the following:

  • Password policy.
  • Desktop configurations.
  • Restrict access to Control Panel.
  • Disable automatic driver updates.
  • USB blocking.
  • Software management.

Settings are stored in collections called Group Policy Objects. GPOs can be linked to Active Directory (AD) sites, the domain and organizational units (OUs), enabling granular and role-specific configurations. The judicious use of New Technology File System (NTFS) permissions enables further control over which devices receive settings.

Figure 1. Organizations often have many Group Policy Objects.

AD's distributed design helps maintain Group Policy availability by replicating GPOs among domain controllers (DCs), but administrators should consider additional steps to safeguard it.

Backups -- any backups -- are critical. GPOs contain many settings that customize your AD environment, representing many hours of work for your team. Group Policy provides users with the configurations and tools they need to do their jobs, and it restricts them from the options that might get in their way or generate support calls. It is essential to protect Group Policy.

This tutorial explains how to create Group Policy backups in Windows Server. By the end, you will be able to effectively maintain this critical piece of your AD infrastructure.

Back up all Group Policy Objects

The primary reason to back up data is disaster recovery. AD's design incorporates DR by replicating information across all DCs. However, separate Group Policy backups are useful when you want to restore Group Policy independently of recovering AD.

Access Group Policy backup functions from the Group Policy Management Console (GPMC). Select the parent folder named Group Policy Objects, right-click and choose Back Up All. Select a backup storage location.

Make sure to keep backups on a different drive than the AD database. Network or cloud storage is certainly acceptable if you can guarantee security and integrity. Enter a reasonable description that includes the backup date. Consider creating a naming convention for the backups to simplify identification.

The backup job should go quickly -- probably about one minute. As with other backup strategies, consider storing a copy off-site for additional peace of mind.

Figure 2. Select Back Up All to back up the entire library of GPOs.
Figure 3. Specify where to back up the GPOs, and provide a description.
Figure 4. GPO backup progress interface

Restore Group Policy Objects

Restoring GPOs is also straightforward. Right-click the Group Policy Objects node in GPMC, and select Manage Backups. Browse to the folder that stores your Group Policy backups, and choose the GPO to restore. Click the Restore button, and watch the progress bar. The restore process should go quickly.

Restoring a GPO does not automatically update the settings on the systems it's linked to. You need to find another way of refreshing those systems if you need the settings in place quickly. Otherwise, wait for the default two hours for the automatic Group Policy refresh, and you should see your restored configurations.

Figure 5. Restore backups using the Manage Backups option.
Figure 6. The Manage Backups interface and the Restore option
Figure 7. Restore progress page.

The Manage Backups interface also lets you view the specific Group Policy settings for a given GPO. You can also delete the backup.

Back up specific Group Policy Objects

Another option is backing up individual GPOs. This approach solves a different problem than DR: It provides a rollback option when changes produce unanticipated results.

Consider the following scenario: You've developed a GPO to configure the workstations in the sales department. It includes desktop selections (e.g., default icons), Start menu options, security configurations, printer settings and other items relevant to the sales role. You have some modifications in mind, but if they don't work out, you need to be able to revert the machines to the current configuration.

To do this, back up the existing GPO before you begin tinkering with the settings. If the new configurations don't provide the necessary interface, restore the original GPO.

To back up a single GPO, select it from the Group Policy Objects node in GPMC. The context menu includes a Back Up option. The remaining interface is similar to the above, where you backed up all GPOs. Choose a storage location and a useful description.

Figures 8, 9 and 10 demonstrate the process using a Driver Update Block GPO.

Figure 8. Right-click a single GPO to back it up before making major changes.
Figure 9. Specify a storage location and description.
Figure 10. The backup progress interface for a single GPO

Use the same process outlined above to restore a single GPO. Remember to refresh the settings.

Copy a Group Policy Object

While copying a GPO isn't the same as backing it up, it is a useful function. It's handy to quickly duplicate the settings in a GPO for use with another site or OU. Maybe you're taking that sales interface configuration mentioned above, tweaking it and then applying the settings to the marketing department's systems. Right-click the GPO, and choose Copy.

Figure 11. Right-click a GPO, and select Copy to duplicate it.

To paste the copied GPO into the interface, right-click the Group Policy Objects node, and select Paste. The console prompts you to preserve the existing NTFS permissions on the GPO or set them to the default. Choose one, and click OK. A confirmation of success appears, and the copy is displayed in the list. Rename it, and begin modifying it as needed.

Figure 12. Select the GPO node, and paste the duplicate GPO.
Figure 13. Choose whether to preserve existing permissions on the GPO.
Figure 14. The copy progress bar
Figure 15. Rename the copied GPO.

Back up and restore GPOs using PowerShell

It's easy to back up all GPOs using PowerShell. The relevant cmdlet is Backup-GPO. If you're backing up the entire set, such as for DR purposes, use the -All parameter, and designate a destination path. Here's an example:

backup-gpo -all -path C:\GPO-backups\

Figure 16. Use PowerShell to back up GPOs.

You can also back up individual GPOs using PowerShell. In this case, add the -Name parameter, specify the GPO name and add the path:

backup-gpo -name 'Dev Desktop Configurations' -path C:\GPO-backups\

Figure 17. Use PowerShell to back up a single GPO.

Use similar syntax with the Restore-GPO cmdlet to restore the GPO.

Figure 18. Use the restore-gpo cmdlet to restore a GPO.
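
The following is an added example, not part of the original article: a dated backup run that records a name-to-ID manifest and a SHA-256 baseline, then verifies the set before calling Restore-GPO. The manifest and hash file names and the computer name SALES-PC01 are assumptions; the path and GPO name come from the commands above.

```powershell
#Requires -Modules GroupPolicy
# Added example; the hash file, manifest name and computer name are assumptions.
$root   = 'C:\GPO-backups'                      # path from the article's examples
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target = Join-Path $root $stamp                # one dated folder per backup run
New-Item -ItemType Directory -Path $target -ErrorAction Stop | Out-Null

# Back up every GPO; the comment carries the date for later identification.
$backups = Backup-GPO -All -Path $target -Comment "Full GPO backup $stamp" -ErrorAction Stop

# Manifest relating each GPO name to its GPO ID and to the backup ID
# (the backup ID is the folder name created inside $target).
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

# Integrity baseline: SHA-256 of every file in the set (-Force includes hidden files).
# Written outside the dated folder; keep a second copy away from the backup share.
$hashFile = Join-Path $root "$stamp.sha256.csv"
Get-ChildItem -Path $target -Recurse -File -Force |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $hashFile -NoTypeInformation

# --- Later, before restoring: confirm nothing was removed or modified ---
$changed = foreach ($entry in Import-Csv -Path $hashFile) {
    $missing = -not (Test-Path -LiteralPath $entry.Path)
    if ($missing -or (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash -ne $entry.Hash) {
        $entry.Path
    }
}
if ($changed) { throw "Backup files missing or modified: $($changed -join '; ')" }

# Restore one GPO from the verified set (GPO name taken from the article's example).
Restore-GPO -Name 'Dev Desktop Configurations' -Path $target

# Optionally push a refresh instead of waiting for the automatic one.
# 'SALES-PC01' is a hypothetical computer name.
Invoke-GPUpdate -Computer 'SALES-PC01' -RandomDelayInMinutes 0 -Force
```

The baseline detects removed or altered files only; it does not flag files added to the folder after the backup ran.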

What about system backups?

AD stores the GPOs in the system volume (SYSVOL) directory, which is usually located on the DC's C: drive. Any standard backup that captures this location backs up the GPOs.

For example, if you use the standard Windows Server Backup utility to back up the DC's C: drive, you already have a duplicate of the GPOs. The difference is that a systemwide backup is harder to work with, especially when backing up a single GPO before making edits. GPMC's backup tool is quicker and easier.

Figure 19. GPOs are displayed using GPO ID numbers in the SYSVOL folder.

The GPOs are displayed using their GPO ID, making them harder to identify in the SYSVOL folder. Use the Manage Backups feature in GPMC to differentiate among the GPOs.

Figure 20. Relate GPO names and GPO IDs using the Manage Backups interface.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.
