GPO backup and restore using PowerShell

 

You can back up and restore GPOs using PowerShell with two cmdlets from the GroupPolicy module: Backup-GPO and Restore-GPO. The GroupPolicy module is part of the Remote Server Administration Tools (RSAT).
Hint: You can list all the cmdlets of the GroupPolicy module using the command:

Get-Command -Module GroupPolicy

To back up the CA_Proxy policy and save it to the C:\Backup folder, first import the module:

Import-Module GroupPolicy
And then run the command:
Backup-GPO -Name "CA_Proxy" -Path "C:\Backup" -Comment "Backup of CA_Proxy policy with PowerShell"

Hint: Note the backup ID; you may need it later when restoring.
To back up all GPOs in the domain, use the command:

Backup-GPO -All -Path "C:\Backup"
To restore the latest version of a GPO from backup, use the command:
Restore-GPO -Name CA_Proxy -Path "C:\Backup"

If you need to restore the latest version of the GPO, you must specify its BackupID. BackupID is a 32-bit identifier that is unique for each backup. Its name matches the name of the folder where the copy is stored. For example:

Restore-GPO -Path "C:\Backup" -BackupId 334197E5-3F67-4C7E-B962-21BF63B783B8

You can restore all GPOs from backup at once:

Restore-GPO -All -Path "C:\Backup"
A backup does not have to replace the GPO it was taken from: you can also import its settings into a new GPO. First, create a new GPO:
New-GPO -Name "Test GPO Imported"
Hint: The domain controller holding the PDC Emulator FSMO (Flexible Single Master Operation) role is responsible for creating new Group Policy Objects in the Active Directory domain. If this DC is not available, you cannot create a new GPO. In some cases, you can transfer any FSMO role to another domain controller.
You can now restore a backup of any GPO to a new policy (importing all settings):
Import-GPO -BackupId "334197E5-3F67-4C7E-B962-21BF63B783B8" -TargetName "Test GPO Imported" -Path "C:\backup"
Schedule GPO Backup
Regular backup of Group Policy Objects will help protect your Active Directory domain from unwanted changes. I'll show you how to automate GPO backup using a simple PowerShell script.
Create a backup_gpo.ps1 file on the domain controller with the following code:
# Create a folder named after the current date and back up all GPOs into it
$date = Get-Date -Format dd.MM.yyyy
$path = "E:\GPOBackup\$date"
New-Item -Path $path -ItemType Directory
Backup-GPO -All -Path $path
Create a new Task Scheduler job to back up all GPOs daily:
# Run the backup script every day at midnight under the local SYSTEM account
$Trigger = New-ScheduledTaskTrigger -Daily -At "00:00"
$User = "NT AUTHORITY\SYSTEM"
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\backup_gpo.ps1"
Register-ScheduledTask -TaskName "GPOBackup" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
As a result, a directory named after the current date is created every day, containing a complete copy of all GPOs.
It's a good idea to back up your GPOs regularly, and especially before you make any changes, so that you can revert them as quickly as possible.
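
A more defensive variant of the scheduled script above, as an added example that is not the original author's code: it records every BackupID in a CSV index, fails the task when the backup is incomplete, and prunes dated folders older than a retention window. The 30-day retention, the index.csv file name and the completeness check are assumptions chosen for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added example, not the article's script. Assumed values: 30-day retention, index.csv.
$ErrorActionPreference = 'Stop'      # any failure should fail the scheduled task
$root          = 'E:\GPOBackup'      # backup root used in the article
$retentionDays = 30                  # assumption
$format        = 'dd.MM.yyyy'        # folder naming used in the article

$path = Join-Path $root (Get-Date -Format $format)
New-Item -Path $path -ItemType Directory -Force | Out-Null

# Backup-GPO emits one object per GPO; its Id property is the BackupID
# that Restore-GPO -BackupId and Import-GPO -BackupId expect.
$backups = @(Backup-GPO -All -Path $path -Comment "Scheduled backup")

# Keep the IDs next to the data so a later restore can look them up by GPO name.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime, DomainName |
    Export-Csv -Path (Join-Path $path 'index.csv') -NoTypeInformation -Encoding UTF8

# Completeness check: one backup per GPO, and a folder on disk for each BackupID.
$expected = @(Get-GPO -All).Count
$missing  = @($backups | Where-Object { -not (Test-Path (Join-Path $path "*$($_.Id)*")) })
if ($backups.Count -ne $expected -or $missing.Count -gt 0) {
    throw "GPO backup incomplete: $($backups.Count) of $expected GPOs, $($missing.Count) folders missing."
}

# Retention: delete only folders whose name parses as a date older than the cutoff.
# Runs only after a successful backup, because the check above throws on failure.
$cutoff = (Get-Date).Date.AddDays(-$retentionDays)
Get-ChildItem -Path $root -Directory | ForEach-Object {
    $day = [datetime]::MinValue
    $isDated = [datetime]::TryParseExact($_.Name, $format,
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$day)
    if ($isDated -and $day -lt $cutoff) {
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
    }
}
```

Because the backup folders hold the full contents of every policy, keep the backup root readable and writable only by administrators.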
