NIST's guidance for a Zero Trust Architecture

Top Read Articles

Group Policy Backup

What you will learn:

Group policies are critical pieces of instructions in an Active Directory environment used to configure a variety of advanced settings that can be applied to objects in the network. A set of Group Policy configurations are bundled as Group Policy Objects (GPO) which can then be applied to objects. IT administrators take weeks and months to create GPOs that are customized to the needs of an organization. Should something happen to the created GPOs and they are corrupted or deleted, there is no way to recover these GPOs, and the whole process should be repeated. This could have far-reaching consequences in terms of business continuity and organization security. Hence, it is imperative to back up GPOs so that administrators can restore GPOs should something happen to them. In this article, we will touch on what GPOs are, understand why backing up Active Directory GPOs is necessary, and look at how you can backup and restore GPOs from the created backups using the Group Policy Management Console and PowerShell.

What are Group Policy objects?

Active Directory Group policies are administered to objects through Group Policy objects (GPO). Using GPOs, administrators can define security parameters such as password policies, account policies, and other access privileges in a hierarchical manner based on precedence, in case an object is attached to more than one Group Policy. GPOs play a crucial role in an organization’s security. Without group policies, all objects in the network can gain access to all resources, which is not an ideal scenario from a security standpoint. You can learn more about what Group policies are in this article, and learn all about how to create and manage them using the Group Policy Management Console in this article.

Why backing up Active Directory Group Policy objects is necessary

As GPOs are critical in maintaining your organization’s security, it becomes necessary to backup GPOs should something unwarranted happen. There may be instances where two different administrators could modify the same GPO, and that could potentially result in a particular object gaining access to resources that they do not need or not getting access to critical resources they need. In such cases, one administrator can restore the GPO’s initial configurations from backups created earlier. There could also be instances where GPOs could be accidentally deleted or corrupted. In such cases too, having a GPO backup can ensure that the GPOs can be restored to their original state with all configurations.

Components of a Group Policy object backup in Active Directory

When you perform a Group Policy backup in Active Directory, the following data of the GPO is backed up:

  • Settings inside the GPO

  • Permissions assigned in the GPO

  • GPO GUID

  • WMI filter links if any were created 

This data is sufficient enough to restore GPOs to their working conditions should anything go wrong, and then the restored GPOs can be modified as necessary to suit the organizations’ needs further.

How to backup Active Directory Group Policy objects

Backing up GPOs in Active Directory can be done in two methods:

  • By using the Group Policy Management Console (GPMC)

  • By using PowerShell commands 

GPMC provides a UI to perform GPO backups in case you do not want to delve into command lines using PowerShell. GPMC offers a more intuitive alternative to backup and restore GPOs. However, if you do know PowerShell commands, you do not have to go through the hassle of navigating through the GPMC UI, as you can directly enter the commands that specify the GPOs to backup, which makes the process much simpler. There is no ‘one method is better than the other’ as both methods are similar in function.

How to backup Active Directory Group Policy objects using GPMC

  • Go to Start, and navigate to Administrative tools. Then, navigate to Group Policy Management and click on it.

  • In the GPMC window that opens, expand the Group Policy Objects folder that contains the GPO which you want to be backed up.

  • Right-click the GPO, and then click Back Up.

  • This will open the Backup Group Policy Object window. Specify the path to the folder where you want the backed-up version of the GPO to reside.

  • Once done, click Back Up.

  • Once the GPO backup operation is done the window will intimate you of successful completion of the GPO backup, click OK.

backup GPO active directory

Back-Up Group Policy Object

You have now successfully backed up one GPO. If you want to backup all the GPOs, it is a similar process. Here’s how you can backup all GPOs:

  • Go to Start, and navigate to Administrative tools. Then, navigate to Group Policy Management and click on it.

  • In the GPMC window that opens, navigate to the Group Policy Objects container.

  • Right-click the container, and then click Back Up All.

  • This will open the Backup Group Policy Object window. Specify the path to the folder where you want the backed-up versions of the GPOs to reside.

  • Once done, click Back Up.

  • Once the GPO backup operation is done the window will intimate you of successful completion of the GPO backup, click OK. 

restoring GPO Active Directory

Restoring GPO

You’ll now have backed up all the GPOs. You can verify if the GPOs have been backed up, by navigating to the folder you specified during the backup process. You should see a list of folders that would contain the GPO backup data. With this data, you can either restore a deleted GPO, or a modified GPO as necessary.

Group Policy backup PowerShell commands

The alternative method to using GMPC for GPO backup is using PowerShell commands. First, to open the PowerShell tool, go to Start, and navigate to Windows PowerShell. Click on it to open. Once the window is open, you need to type in the following syntax for a single GPO backup:

Backup-GPO -Name -Path [-Comment ] [-Domain ] [-Server ] []

Where,

-Name: Name of the GPO to be backed up

-Path: The location where the GPO backup should be stored

-Comment: A string of information that accompanies the GPO backup

-Domain: The domain in which the operation is performed

To backup all the GPOs, you can use the following command:

Backup-GPO -All -Path [-Comment ] [-Domain ] [-Server ] []

How to restore Group Policy objects from a backup

To restore a GPO from backups using GPMC, you can perform the following steps:

  • Go to Start, and navigate to Administrative tools. Then, navigate to Group Policy Management and click on it.

  • In the GPMC window that opens, navigate to the Group Policy Objects container.

  • Right-click on the container, and click on Manage Backups.

  • A window will open that shows a list of GPO backups. Sometimes, you may have to specify the GPO backup folder location. Select the GPO you want to restore.

  • If you want to view the GPO settings before performing the GPO restore operation, you can click on View Settings.

  • Once the GPO settings have been verified, click the Restore button to start the GPO restoration process.

  • Click on OK in the confirmation dialogue box that opens. 

Once these steps are completed, you will receive information that the restoration process for the GPO has been completed.

Restore Group Policy objects using PowerShell commands

To restore a GPO backup from PowerShell, open the Windows PowerShell tool, and enter the following command:

Restore-GPO -BackupId -Path [-Domain ] [-Server ] []

Where,

-BackupId: GUID of the GPO backup

To restore all the GPO backups, you can use the following line:

Restore-GPO -All -Path [-Domain ] [-Server ] []

Related posts
Active Directory FundamentalsTop Read Articles

How to Raise Active Directory Forest Functional Level

Top Read Articles

Active Directory Maintenance Checklist

Top Read Articles

Local Group Policy Editor

Leave a Reply

Your email address will not be published. Required fields are marked *