Export and Import Group Policy Objects (GPOs)

This is useful if you want to trash your VMs for instance and start afresh. Good to have all your GPOs backed up and handy so you can easily restore to the new domain.

There are two ways of exporting and importing GPOs: you can use the Group Policy Management Console (GPMC) or you can use PowerShell.

Using the GPMC

To back up a GPO: open the GPMC, drill down to the Group Policy Objects container, right click on the GPO in question and select Back Up. Follow the dialog boxes that appear and save the GPO to wherever you want on the computer.

Note that you have to go down to the Group Policy Objects container. Right clicking on the links to the GPOs from any OU won’t get you the correct menu.

The folder you back up GPOs to contains sub-folders that hold the GPO files and settings. The sub-folders are named after GUIDs that uniquely identify the instance of the backup. If you take another backup of the same GPO to the same folder, the sub-folder that is created will have a different GUID. Within these sub-folders you can double-click a file called bkupInfo.xml to see the details of the GPO that was backed up.

To restore a GPO: open the GPMC, right click on the Group Policy Objects container and select Manage Backups. In the dialog box that appears set the path to the folder containing the backed up GPOs and then select the GPO that you want to restore.

There is a catch though. You can only restore GPOs to the same domain they were backed up from. Not a domain with the same name, but the same domain. And if you try to restore a GPO to a different domain, you get a very uninformative “Failed…” error.

To work around this, you can import GPOs. For that go down to the Group Policy Objects container, create a new GPO, right click the GPO, and select Import Settings. Follow the dialog boxes that appear to give the path of the folder containing your backed up GPOs, select the GPO you want, and import. The difference between import and restore is that the former does not carry over the security settings nor does it restore the links of the GPO.

Using PowerShell

Before you can use PowerShell to manage GPOs you must import the grouppolicy module:

After that you can use the many PowerShell cmdlets for managing GPOs. For instance:

To back up a GPO use the Backup-GPO cmdlet:

Note the output gives you the GPO name, GUID, and a GUID for the backup instance. We encountered the latter when using the GPMC. The sub-folders created in the path that you specify are named with this backup instance GUID.

It is best to specify an absolute path to the cmdlet. If you must specify relative paths, be sure not to start it with a period else the cmdlet throws an error. Even without the period, I find some of these cmdlets give an error.

To restore a GPO use the Restore-GPO cmdlet. Same caveats apply as the GPMC – restores can only be done to the same domain. Else a cryptic error is thrown:

The workaround, as before, is to import the GPO. First create a new GPO, then import:

It is possible to skip explicitly creating a new GPO before importing. Simply add the -CreateIfNeeded switch to the Import-GPO cmdlet and it will automatically create a new GPO with the target name given. Also, one can back up/restore/import all GPOs by specifying a -All switch to the cmdlet. For instance:
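The whole PowerShell procedure above (back up in the old domain, import into the new one) as an added example; this is not code from the original post. The function names and the C:\GPOBackups path are hypothetical, and the bkupInfo.xml element names it reads (ID, GPODisplayName, BackupTime) are assumed to match what your backups contain, so check one of your own files first.

```powershell
# Added example, not from the original post; names and paths are assumptions.
Import-Module GroupPolicy

function Backup-AllGpo {
    param([Parameter(Mandatory)][string]$Path)
    # Create the folder if needed and pass an absolute path, as the post recommends.
    $abs = (New-Item -ItemType Directory -Path $Path -Force).FullName
    Backup-GPO -All -Path $abs
}

function Get-GpoBackupInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Every backup instance is a sub-folder named after its backup GUID
    # and contains a bkupInfo.xml describing the GPO that was backed up.
    Get-ChildItem -Path $Path -Directory | ForEach-Object {
        $infoFile = Join-Path $_.FullName 'bkupInfo.xml'
        if (-not (Test-Path $infoFile)) { return }   # skip unrelated folders
        $inst = ([xml](Get-Content -Path $infoFile -Raw)).DocumentElement
        [pscustomobject]@{
            BackupId   = [guid]$inst['ID'].InnerText
            Name       = $inst['GPODisplayName'].InnerText
            BackupTime = [datetime]$inst['BackupTime'].InnerText
        }
    }
}

function Import-LatestGpoBackup {
    param([Parameter(Mandatory)][string]$Path)
    $abs = (Resolve-Path -Path $Path).Path
    # Repeated backups of one GPO share a display name but have different
    # backup GUIDs; import only the most recent instance of each.
    Get-GpoBackupInfo -Path $abs | Group-Object Name | ForEach-Object {
        $latest = $_.Group | Sort-Object BackupTime -Descending |
                  Select-Object -First 1
        # Import (unlike restore) works in a different domain.
        # -CreateIfNeeded creates the target GPO when it does not exist yet.
        Import-GPO -BackupId $latest.BackupId -Path $abs `
                   -TargetName $latest.Name -CreateIfNeeded
    }
}

# In the old domain:  Backup-AllGpo -Path 'C:\GPOBackups'
# In the new domain:  Import-LatestGpoBackup -Path 'C:\GPOBackups'
# Import does not carry over security settings or GPO links,
# so review both on the new domain afterwards.
```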

That’s all for now!