Cloud optimize

Tips on copying and backing up Group Policy Objects

Group Policy configuration is one of the most powerful aspects of Windows. Read several tips on copying and backing up Group Policy Objects, which can save admins a lot of time.

A cornerstone technology of Windows is Group Policy, which can be assigned locally (a single policy for a Windows system) or managed centrally in an Active Directory domain. When leveraging Active Directory, a number of Group Policy Objects (GPOs) can be assigned to computers and users.

I believe that GPOs are one of the most critical and powerful management tools available; that said, GPOs can also be complicated to work with. For instance, if you need to recreate a GPO, it may require a tedious maneuvering of screens to verify settings from one GPO to another. Fortunately, the Group Policy Management console allows us to do a few things to tackle this task efficiently. The first is a centralized list of GPOs for the entire domain, regardless of the Organizational Unit (OU) where they reside. This panel is shown in Figure A. Figure A

Click the image to enlarge.

This console serves a number of purposes, but one that irritates me is nomenclature. Figure A is a screenshot of my personal lab, and I have not done a good job in naming the GPOs. Ideally, a GPO is self-documenting so that it tells you: what it does, where it lives, and who it applies to (users, groups, computers, etc.).

Please excuse my lab's sloppy nomenclature, and let's focus on the ability to copy and back up a GPO in this console. When we right-click the individual GPO, a very powerful context menu appears. (Note: This menu is not available where the GPO resides in terms of the OUs listed above; it is only available in the Group Policy Objects section.) This context menu is shown in Figure B. Figure B

Click the image to enlarge.
The copy and backup options are the two tasks that can really save administrators a lot of time. The copy operation will take an existing GPO, and allow you to paste it into the Group Policy Objects section. This may not be intuitive, and Figure C shows where it becomes an option. Figure C

Click the image to enlarge.

A new GPO is created as a copy of the source GPO, and it can be linked to an OU later. This can be very helpful when a GPO is built over time, but is not ready to be applied to the destination OU.

The ability to back up a GPO exports the GPO to an .XML file, which can be archived and used to recover a previous version of a GPO. There also is an option to back up all GPOs, which will make a large .XML repository in a specified folder path. In both situations, the ability to have the GPOs on outside of the domain controller can be attractive. While backup solutions can protect down to this level, simply for a quick check by hand, the backup options within the Group Policy Management console can be of great aid. Viewing the .XML file isn't very helpful, but can be an easy way to spot-check settings (Figure D). Figure D

Click the image to enlarge.

What tricks do you employ for copying and backing up GPOs? Let us know in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

8 comments
jonem
jonem

Hi All, Great topic! Do you have any tip on how to backup the connections to the OU's? The scenario is to simulate a complete server crash. First I restore the AD, then restore the GP objects and if possible restore the connections to an OU in the Group policy manager. Is this possible you think? Best, Jon

Craig_B
Craig_B

I use a simple PowerShell script to backup our GPO's. Since we have multiple domains, I create a folder based on the domain name and date and copy the GPOs with a simple report for reference. #Configure Variables $Date = ((get-date).tostring('MMM-dd-yyyy')) $BkupFolder = "\\ServerName\Backups\GPO Backups\$env:userdomain\$Date" #Create new folder based on domain and date New-Item -type Directory -Path $BkupFolder # Need to import this module to manage GPOs Import-Module GroupPolicy #Backup GPO's in the current domain to the specified folder Write-Host "Backing up $env:userdomain GPO's to $BkupFolder" Backup-GPO -All -Path $BkupFolder > $BkupFolder\BkupReport.txt

rsaylor
rsaylor

We have a regular backup policy for our GPO's (since we use them for "everything" domain), but have found a bit of a problem when we copied our 2003 GPO's into our newly migrated 2010 Domain. It appears as some of them don't work the way they did in 2003. Is there a specific reason for that? Are they not compatible? We also found that our WSUS policies don't seem to be working in the 2010 domain as well (at least not as efficiently as they used to)

b4real
b4real

Through a copy operation is really safe. How have you tweaked or saved them this way?

mclghlne
mclghlne

I don't think there is a Server 2010, at least not one by MS. I'd recommend upgrading your domain rather than installing new and importing if you are going from 2003 to 2008R2. Personally I haven't seen any issues going this route.

rsaylor
rsaylor

That's what I get for creating the post in haste! Should have said Server 2008 R2. Thanks