6.14 Backing Up and Restoring GPOs

It is recommended that you back up your GPOs. Consider the following:

  • IT departments can spend many weeks, and sometimes months, creating GPOs and assigning them to Active Directory objects.

  • Your organization may require and create a potentially large number of policies.

  • The Group Policy environment can become complicated quickly.

  • Unless the entire Active Directory can be restored (if it has been backed up), Microsoft Windows has no way to recover the GPO information or the time that was spent creating one or more GPOs.

  • If a GPO is lost through deletion or corruption, it could take several hours to recreate the exact settings.

Consider the following scenarios:

  • Two or more administrators (or delegated users) can simultaneously change the settings of a policy, which can effectively overwrite the changes made by one of the administrators.

  • Changes to GPO settings and links could have far‑reaching consequences if a GPO is corrupted or accidentally deleted.

  • Many users may be affected by the loss of a GPO, effectively denying them access to their business‑critical applications.

6.14.1 Backing Up Single or Multiple Objects

GPA provides you with GPO backup capabilities for one or many objects and provides the ability to restore those objects. To protect your organization from wasted hours of recreating policies, It is recommended that you use these features to back up your policy objects.

For example, once you have determined that GPOs in a test domain work properly, you can use the backup and restore functions to migrate the GPOs to your production domain. This feature is also handy when you need to restore a single GPO that may have become corrupted.

6.14.2 Storing/Backing Up Policy Templates

GPA provides a mechanism to store policy settings offline through templates. With a large number of policy settings, organizations might choose to implement only a subset of the policy settings. The group of policy settings at the domain level could be different from those at the OU level. However, your organization might want to standardize on these groupings across the entire enterprise.

Therefore, you can use the backup function to create company‑specific policy templates. You can make any grouping of policy settings constitute a template. Domain policy templates, OU policy templates, desktop policy templates, and server policy templates are typical examples. You can use these templates to standardize policy implementation and share policy information.

6.14.3 Backing Up GPOs

The backup function allows you to back up the following information:

  • GPO settings

  • Security information

The same information is available when you restore GPOs.

To create a backup copy of your Group Policy Objects:

  1. Create a folder for this backup procedure. Give it a name and location that is easy to remember.

    You use this folder later to store the information that GPA needs to back up your policy settings. You can create as many folders for as many backups as you like. For example, you could have a folder named Development Backup and another called Finance Backup. In this example, a folder called GPO Backups is created in a shared archive directory.

  2. Select the GPO you want to backup.

  3. On the Action menu, click Back Up.

  4. Specify the location of the backup folder and any appropriate comments.

  5. Click Back Up.

  6. Click OK on the information window.

  7. Click OK on the BackUp GPO window.

6.14.4 Restoring GPOs

You can restore the objects of a backed‑up policy to your current domain (single‑target restoration) or to the parent domain and one or more child domains (multi‑target restoration). For example, you are on a domain named Headquarters.com. If you restore a GPO that you previously backed up, you perform a single‑target restoration. You decide to restore the GPO but also want the Finance.Headquarters.com domain, a child of the Headquarters.com domain, to have the same GPO. If you restore that GPO to both domains, you perform a multi‑target restoration.

NOTE:You can restore GPOs to domains that do not have GPA installed.

The following illustration depicts a multi‑target GPO restore.

The following illustration depicts a single‑target GPO restore.

To restore saved GPOs from the same domain:

  1. Log on to a GPA Console computer.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Explorer to the domain where you want to restore GPOs.

  4. In the left pane, click All GPOs.

  5. On the Action menu, click Restore.

  6. Complete the Restore Group Policy Object wizard.