In this guide, you will learn how to backup and restore group policy objects in Active Directory.
I’ll be showing you how to backup using both the group policy management console and using PowerShell.
Let’s get started.
Tip: The Restore-GPO cmdlet does not recover deleted GPOs, but instead it is for restoring an existing GPO from backup. You will need to use the GUI to recover a deleted GPO. Details and examples are below.
How to Backup Group Policy Objects using the GUI
Step 1: Browse to the GPO you want to backup.
Open the group policy management console and browse the GPOs. You can select a single GPO, or to backup all of them, select the group policy objects folder. In this example, I’ll backup all GPOs.
Next, right-click what you want to backup, and select “back up”.
When backing up all GPOs, it will say “Back Up All”.
When backing up a single GPO it will say “Back Up”. In this example, I’m backing up the lock screen gpo.
Step 2: Select a backup folder
Next, select the folder where you want the GPO backups to be placed.
I created a folder called “GPO_backups” on my local computer. It’s also a good idea to give your folder a description and date.
Now click the “Back up” button to start the backup process.
You can check the status at the bottom where it will show how many GPO’s were successfully backed up.
As you can see it’s very easy to backup group policy objects (GPO). Next, I’ll show you how to backup GPOs using PowerShell.
Backup Group Policy Objects using PowerShell
To backup GPOs with PowerShell, the Backup-gpo cmdlet is used.
Example 1: PowerShell Backup a single GPO
In the below example, I’m backing up a single GPO to the folder c:\it\GPO_backups and provide a comment.
backup-gpo -Name 'Computer - Allow Pings' -Path C:\it\GPO_backups -Comment "GPO-Backup"
Example 2: PowerShell backup all GPOs
Use this command to backup all GPOs using Powershell.
backup-gpo -All -path C:\it\GPO_backups
That’s how you backups GPOs with PowerShell, Microsoft has made it very easy.
Restore Group Policy Objects
Now that you know how to backup your GPOs, let’s look at how to restore them.
To restore, right-click on “Group Policy Objects” and select “Manage Backups”.
Browse to your backup folder and select the GPOs to restore, you can select a single or multiple GPOs. In this example I’m restoring my lock screen GPO.
Click the restore button and you will get the status screen.
Nice work. The GPO has been restored.
It’s a good idea to check the GPO to verify that the settings are correct after the restore. You can do this by clicking on the GPO and then to settings to verify it’s configuration.
You can also use the Restore-GPO cmdlet to restore GPO settings but not to recover a deleted GPO.
Let me show you.
Let’s say someone made a change to my “Lock Screen” policy and I need to restore the settings from a backup. In this case, the Restore-GPO cmdlet can be used to restore the GPO settings.
If the “Lock Screen” GPO was deleted the Restore-GPO cmdlet cannot be used.
Below are examples.
Do you see what that error message says? GPO was not found in my domain because the GPO was deleted and so PowerShell cannot restore the settings.
Now I’ll run it again, except this time the Lock screen GPO exists in the domain.
So again, the Restore-GPO cmdlet appears to only work when the GPO exists in the domain, and will not restore a deleted GPO.
Microsoft documentation says:
The Restore-GPO cmdlet restores a Group Policy Object (GPO) backup to the original domain from which it was saved. If the original domain is not available, or if the GPO no longer exists in the domain, the cmdlet fails.
https://docs.microsoft.com/en-us/powershell/module/grouppolicy/restore-gpo?view=windowsserver2022-ps
Resources
- Restore-GPO – Command documentation by Microsoft
- Backup-GPO – Command documentation by Microsoft
- Group Policy Backup Script – Here is a script created by Mike Kanakos that lists the GPO by name instead of an ID.
- 15 Group Policy Best Practices