This is useful if, for instance, you want to trash your VMs and start afresh. It is good to have all your GPOs backed up and handy so you can easily restore them to the new domain.
There are two ways of exporting and importing GPOs: you can use the Group Policy Management Console (GPMC) or you can use PowerShell.
Using the GPMC
To back up a GPO: open the GPMC, drill down to the Group Policy Objects container, right-click the GPO in question and select Back Up. Follow the dialog boxes that appear and save the GPO to wherever you want on the computer.
Note that you have to go down to the Group Policy Objects container. Right-clicking on the links to the GPOs from any OU won’t get you the correct menu.
The folder you back up GPOs to contains sub-folders that hold the GPO files and settings. The sub-folders are named after GUIDs that uniquely identify the instance of the backup. If you take another backup of the same GPO to the same folder, the sub-folder that is created will have a different GUID. Within these sub-folders you can double-click a file called bkupInfo.xml to see the details of the GPO that was backed up.
To restore a GPO: open the GPMC, right-click the Group Policy Objects container and select Manage Backups. In the dialog box that appears, set the path to the folder containing the backed-up GPOs and then select the GPO that you want to restore.
There is a catch, though. You can only restore GPOs to the same domain they were backed up from. Not a domain with the same name, but the very same domain. If you try to restore a GPO to a different domain, you get a very uninformative “Failed…” error.
To work around this, you can import GPOs. For that, go down to the Group Policy Objects container, create a new GPO, right-click the GPO, and select Import Settings. Follow the dialog boxes that appear to give the path of the folder containing your backed-up GPOs, select the GPO you want, and import. The difference between import and restore is that the former does not carry over the security settings nor does it restore the links of the GPO.
Using PowerShell
Before you can use PowerShell to manage GPOs you must import the grouppolicy module:

```
PS> Import-Module grouppolicy
```
After that you can use many PowerShell cmdlets to manage GPOs. For instance:

```
PS> get-gpo -all | fl DisplayName,Id,GpoStatus

DisplayName : Default Domain Policy
Id          : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus   : AllSettingsEnabled

DisplayName : Default Domain Controllers Policy
Id          : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus   : AllSettingsEnabled

DisplayName : Domain Defaults Policy
Id          : b331f39b-b73d-4678-9f91-41f986e4f56b
GpoStatus   : AllSettingsEnabled

DisplayName : WSUS Policy
Id          : bf52c920-503e-440c-89a5-094210034962
GpoStatus   : UserSettingsDisabled

DisplayName : BgInfo Policy
Id          : d48e4138-c812-4d54-95e4-efaebf373969
GpoStatus   : ComputerSettingsDisabled

DisplayName : Domain Password Policy
Id          : f747aabf-a9d7-482a-a459-c71797c2bab8
GpoStatus   : UserSettingsDisabled
```
To back up a GPO use the Backup-GPO cmdlet:

```
PS> Backup-GPO -Name "WSUS Policy" -Path C:\Users\Administrator\Bkp

DisplayName     : WSUS Policy
GpoId           : bf52c920-503e-440c-89a5-094210034962
Id              : 169C4DC1-3651-4FC6-ABD0-69B16907A3D0
BackupDirectory : C:\Users\Administrator\Bkp
CreationTime    : 12/3/2012 2:34:40 AM
DomainName      : contoso.local
Comment         :
```
Note the output gives you the GPO name, GUID, and a GUID for the backup instance. We encountered the latter when using the GPMC. The sub-folders created in the path that you specify are named with this backup instance GUID.
```
PS> Get-ChildItem C:\Users\Administrator\Desktop\GPOs

    Directory: C:\Users\Administrator\Desktop\GPOs

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         12/3/2012   3:15 AM            {169C4DC1-3651-4FC6-ABD0-69B16907A3D0}
```
It is best to specify an absolute path to the cmdlet. If you must specify a relative path, be sure not to start it with a period, or else the cmdlet throws an error. Even without the period, I find some of these cmdlets give an error.
```
PS> Backup-GPO -Name "WSUS Policy" -Path .\Bkp
Backup-GPO : The system cannot find the path specified. (Exception from HRESULT: 0x80070003)
At line:1 char:11
+ Backup-GPO <<<<  -Name "WSUS Policy" -Path .\Bkp
    + CategoryInfo          : NotSpecified: (:) [Backup-GPO], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.GroupPolicy.Commands.BackupGpoCommand
```
To restore a GPO use the Restore-GPO cmdlet. The same caveat applies as with the GPMC: restores can only be done to the same domain. Otherwise a cryptic error is thrown:

```
PS C:\Users\Administrator\Desktop> Restore-GPO -Name "WSUS Policy" -Path C:\Users\Administrator\Desktop\GPOs
Restore-GPO : Value does not fall within the expected range.
At line:1 char:12
+ Restore-GPO <<<<  -Name "WSUS Policy" -Path C:\Users\Administrator\Desktop\GPOs
    + CategoryInfo          : NotSpecified: (:) [Restore-GPO], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.GroupPolicy.Commands.RestoreGpoCommand
```
The workaround, as before, is to import the GPO. First create a new GPO, then import:
```
PS> New-GPO "Imported WSUS Policy"

DisplayName      : Imported WSUS Policy
DomainName       : contoso.local
Owner            : CONTOSO\Domain Admins
Id               : 5ae0e434-c72d-4871-a587-b816e77198fb
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 12/3/2012 3:02:52 AM
ModificationTime : 12/3/2012 3:02:52 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :

PS> Import-GPO -BackupGpoName "WSUS Policy" -TargetName "Imported WSUS Policy" -Path C:\Users\Administrator\Desktop\GPOs

DisplayName      : Imported WSUS Policy
DomainName       : contoso.local
Owner            : CONTOSO\Domain Admins
Id               : 5ae0e434-c72d-4871-a587-b816e77198fb
GpoStatus        : UserSettingsDisabled
Description      :
CreationTime     : 12/3/2012 3:02:52 AM
ModificationTime : 12/3/2012 3:03:45 AM
UserVersion      : AD Version: 1, SysVol Version: 1
ComputerVersion  : AD Version: 1, SysVol Version: 1
WmiFilter        :
```
It is possible to skip explicitly creating a new GPO before importing. Simply add the -CreateIfNeeded switch to the Import-GPO cmdlet and it will automatically create a new GPO with the target name given. Also, one can back up/restore/import all GPOs by specifying a -All switch to the cmdlet. For instance:
```
PS> Backup-GPO -All -Path C:\Users\Administrator\Desktop\GPOs

DisplayName     : Default Domain Policy
GpoId           : 31b2f340-016d-11d2-945f-00c04fb984f9
Id              : 53d6540a-4b15-462f-ba51-8e89bb87b9eb
BackupDirectory : C:\Users\Administrator\Desktop\GPOs
CreationTime    : 12/3/2012 3:15:02 AM
DomainName      : contoso.local
Comment         :

DisplayName     : Default Domain Controllers Policy
GpoId           : 6ac1786c-016f-11d2-945f-00c04fb984f9
Id              : fd0e94cc-ed6b-44cb-8985-703f00015ee6
BackupDirectory : C:\Users\Administrator\Desktop\GPOs
CreationTime    : 12/3/2012 3:15:03 AM
DomainName      : contoso.local
Comment         :

...
```
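The import workflow above, scripted over a whole backup folder, as an added example that is not part of the original post: it reads each bkupInfo.xml to find the newest backup of every GPO and imports it with -CreateIfNeeded. The $BackupRoot path, the function name Read-GpoBackupManifest, the manifest element names it reads, and the choice to skip the two default policies are assumptions of this example.

```powershell
# Added example (not from the original post): import the newest backup of each GPO.
# Assumptions: $BackupRoot is a placeholder path, and the manifest element names
# (GPODisplayName, ID, BackupTime, GPODomain) should be checked against your own bkupInfo.xml.
Import-Module GroupPolicy

$BackupRoot = 'C:\Users\Administrator\Desktop\GPOs'   # absolute path, as advised above
# Import overwrites the settings of the target GPO, so leave the new domain's defaults alone.
$SkipNames  = @('Default Domain Policy', 'Default Domain Controllers Policy')

# Read one bkupInfo.xml and return the fields needed to choose and import a backup.
function Read-GpoBackupManifest {
    param([Parameter(Mandatory = $true)][string]$ManifestPath)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($ManifestPath)
    $root = $doc.DocumentElement
    New-Object PSObject -Property @{
        DisplayName = $root['GPODisplayName'].InnerText
        BackupId    = [guid]$root['ID'].InnerText          # name of the GUID sub-folder
        BackupTime  = [datetime]$root['BackupTime'].InnerText
        Domain      = $root['GPODomain'].InnerText         # domain the backup was taken in
    }
}

# -Force so the manifest is found even if it carries the hidden attribute.
$manifests = Get-ChildItem -LiteralPath $BackupRoot -Recurse -Force -Filter bkupInfo.xml |
    ForEach-Object { Read-GpoBackupManifest -ManifestPath $_.FullName }

# Repeated backups of one GPO land in separate GUID sub-folders; keep the newest per GPO.
$latest = $manifests | Group-Object DisplayName | ForEach-Object {
    $_.Group | Sort-Object BackupTime -Descending | Select-Object -First 1
}

foreach ($b in $latest) {
    if ($SkipNames -contains $b.DisplayName) {
        '{0}: skipped (default policy)' -f $b.DisplayName
        continue
    }
    # Import rather than Restore-GPO: restore only works in the domain the backup came from.
    $gpo = Import-GPO -BackupId $b.BackupId -Path $BackupRoot `
                      -TargetName $b.DisplayName -CreateIfNeeded
    '{0}: imported backup {1} (taken {2} in {3}); links and security settings not carried over' -f
        $gpo.DisplayName, $b.BackupId, $b.BackupTime, $b.Domain
}
```

Because import leaves out links and security settings, each imported GPO has no links and only default permissions until both are reapplied by hand in the new domain.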
That’s all for now!