Creating, linking, editing, and viewing settings within the GPMC are all key facets of what administrators do with Group Policy. Additionally, the GPMC extends the capabilities of Group Policy management beyond anything else Microsoft has provided. The ability to back up and restore GPOs using the GPMC is a welcome and powerful addition for every company that runs Active Directory, even if they don’t rely heavily on Group Policy.
Possible Management Options
The GPMC offers a new world to the Group Policy administrator with a full suite of backup and restoration options. Like files, application configurations, and other Active Directory related resources, Group Policy must be archived to protect the investment that has been placed in Active Directory and GPOs. The GPMC provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes. The full list of management options that the GPMC provides includes:
- Backing up GPOs
- Restoring backed up GPOs
- Importing GPO settings from a backed up GPO
- Duplication of GPOs
All of these functions can also be performed with the GPMC command line tool. The tool is ideal for the administrator who wants to automate the archival process of GPOs. A great resource for more information on the GPMC command line tool is the only book Microsoft has written on Group Policy, called The Group Policy Guide.
Backing Up GPOs
The backup utility that is embedded in the GPMC is very simple and easy to work with. The utility is associated with a menu option for each GPO, which makes management straightforward. When you want to back up a specific GPO, find the GPO under the Group Policy Objects node in the GPMC, then right-click on it. On the right-click menu you will find the Back Up option. After selecting this option, you will be presented with a dialog box that will ask you where to store the backed up GPO, as shown in Figure 1.
Figure 1: Archive location for the GPOs that are backed up using the GPMC
When selecting the archive location for the backed up GPOs, you can either select a folder on the local computer or a shared folder (by inputting a UNC path).
If you want to back up all of the GPOs, that is possible using the GPMC or the command line option for the GPMC. When using the GPMC to back up all GPOs at one time, you will need to go to the Group Policy Objects node. Once there, right-click on the node and select the Back Up All menu option. This will cycle through all of the GPOs for the domain and make a backup copy of them. The Backup status window will indicate how far along the backup is, as well as the number of GPOs that were backed up successfully and those which did not get backed up.
There are a few aspects of each GPO that are not included in the backup. These include:
- WMI Filters
- IPSec Policies
Since WMI filters and IPSec policies are not stored within the GPO, they are not backed up when the GPO is backed up. Another key aspect of the backup procedure that you must keep in mind is the links to the GPO. These are not backed up and therefore are not restored. This means that when you restore a backed up GPO you must manually configure the links to the sites, domain, and organizational units.
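Because links and WMI filter assignments are left out of the backup, it helps to record them next to it. The following is an added example, not part of the original article: it uses the GroupPolicy PowerShell module cmdlets (Get-GPO, Backup-GPO, Get-GPOReport) rather than the GPMC command line tool mentioned above, and the folder C:\GPOBackups and the file name gpo-links.csv are assumed placeholders.

```powershell
# Added example: back up every GPO in the domain and write an inventory of
# what the backup does NOT contain (links and WMI filter assignment).
# Assumes the GroupPolicy module is installed and the account can read all GPOs.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackups'                 # placeholder; a UNC path also works
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$target     = Join-Path $BackupRoot $stamp    # one folder per run
New-Item -ItemType Directory -Path $target -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # Same operation as the Back Up menu option, one GPO at a time
    $backup = Backup-GPO -Guid $gpo.Id -Path $target -Comment "Backup run $stamp"

    # The XML settings report lists each site, domain or OU the GPO is linked to
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo |
               Where-Object { $_ } |          # skip GPOs that have no links
               ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        GpoId       = $gpo.Id
        BackupId    = $backup.Id               # identifies this backup on restore
        WmiFilter   = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }
        LinkedTo    = $links -join ';'
    }
}

# Keep the inventory with the backup so links can be re-created after a restore
$inventory | Export-Csv -Path (Join-Path $target 'gpo-links.csv') -NoTypeInformation
```

The WMI filter definitions and IPSec policies themselves still have to be archived separately; the inventory only records which filter each GPO referenced.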
Restoring Backed up GPOs
Restoring backed up GPOs is as simple as backing them up. Some think that a new GPO must be created before an archived GPO can be restored, but that is not the case. When a GPO needs to be restored, it is typically due to a configuration, corruption, or other disastrous event. When a GPO needs to be restored, you only need to go to the Group Policy Objects node within the GPMC, right-click the node, and select Manage Backups from the menu. This will open up the window where you can manage all backed up GPOs, as shown in Figure 2.
Figure 2: The Manage Backups window provides control over archived GPOs
To restore the GPO, just highlight the correct version of the GPO that you want to restore and select the Restore button at the bottom of the window. To be 100% certain it is the correct version of the GPO, the interface provides you with a button that allows you to view the existing settings in the GPO you are looking to restore. When you select this option you will receive the HTML settings report for the GPO, as shown in Figure 3.
Figure 3: Viewing settings of archived GPO presents the HTML report
After you feel comfortable that you have the correct GPO to restore, the restoration will put the GPO back into Active Directory and it will show up in the Group Policy Objects node in the GPMC again. At this point, links need to be restored to sites, domains, and organizational units, and references to WMI filters and IPSec policies need to be verified.
Importing GPO settings from a backed up GPO
Another supported option in the GPMC is the ability to import policy settings from one GPO into another GPO. This is excellent for merging GPO policy settings and moving GPOs between domains. The steps are very similar to a typical backup and restore of the same GPO, but there are just a few differences.
First, the source GPO needs to be backed up. By following the basic steps in the section above for backing up a GPO you will get this step done quickly. Next, a new GPO must be created with the name that you desire for the target GPO. This can be created in the same domain, or a totally different domain. Finally, you need to import the settings from the source GPO to the target GPO. This is done by right-clicking on the source GPO and selecting the Import Settings menu option. The Import Settings Wizard will launch to help walk you through the procedure. The primary reason for the wizard is to have you back up the target GPO, in case you are performing a merge and you need to fall back to the original version from before the merge. After performing the backup of the target GPO, you will select the location of the backed up source GPO.
At this point, the GPMC import wizard will scan the source GPO settings to see if there are any security principal or UNC path references that might need to be transferred from one environment to another. If the source GPO contains such domain-specific references, you will be given the opportunity to transfer these settings using the migration table to perform the conversion from one reference to another.
Duplication of GPOs
The final feature is one of the most useful from the administration standpoint and the easiest. This feature stems from the fact that a single GPO has over 1800 possible policy settings. If there are a multitude of settings configured in one GPO, that can take a long time to create. In many cases, there are GPOs that need to have the majority of the settings contained in another GPO, with only slight policy differences. Historically, the administrator would need to recreate the new GPO (containing almost the same suite of settings) from scratch, configuring all policy settings as the initial GPO, including duplicated settings.
With the GPMC, this inefficient method of creating similar GPOs is not needed. Now, you can Copy and Paste GPOs, allowing for duplication of the GPO settings to be made quickly. This is done by right-clicking the initial GPO and selecting the Copy menu option. Then, right-click the Group Policy Objects node in the GPMC and select Paste from the menu. Finally, you change the name of the GPO, modify the policy settings, and create the links to the sites, domain, and organizational units.
The first rule of the IT professional is to always make a good backup of data. Without a backup of data, the entire company is at risk. Group Policy is not an exception to this rule. In all reality, it is almost more important than data, since Group Policy controls security in the enterprise for clients and servers. The GPMC provides a seamless mechanism to provide backup and restore control over all GPOs in the Active Directory enterprise. This power of the GPMC even goes beyond typical backup and restore features, by including control over duplication and importing of settings between multiple GPOs. Without the GPMC these features would be difficult and nearly impossible, unless an investment was made in a non-Microsoft solution.