Group Policy Backup and Restore Steps

In this guide, you will learn how to backup and restore group policy objects in Active Directory.

I’ll be showing you how to backup using both the group policy management console and using PowerShell.

Let’s get started.

Tip: The Restore-GPO cmdlet does not recover deleted GPOs, but instead it is for restoring an existing GPO from backup. You will need to use the GUI to recover a deleted GPO. Details and examples are below.

How to Backup Group Policy Objects using the GUI

Step 1: Browse to the GPO you want to backup.

Open the group policy management console and browse the GPOs. You can select a single GPO, or to backup all of them, select the group policy objects folder. In this example, I’ll backup all GPOs.

gpo backup select folder

Next, right-click what you want to backup, and select “back up”.

When backing up all GPOs, it will say “Back Up All”.

backup all gpos

When backing up a single GPO it will say “Back Up”. In this example, I’m backing up the lock screen gpo.

backup a single group policy

Step 2: Select a backup folder

Next, select the folder where you want the GPO backups to be placed.

I created a folder called “GPO_backups” on my local computer. It’s also a good idea to give your folder a description and date.

select backup folder

Now click the “Back up” button to start the backup process.

gpo backup success page

You can check the status at the bottom where it will show how many GPO’s were successfully backed up.

As you can see it’s very easy to backup group policy objects (GPO). Next, I’ll show you how to backup GPOs using PowerShell.

Backup Group Policy Objects using PowerShell

To backup GPOs with PowerShell, the Backup-gpo cmdlet is used.

Example 1: PowerShell Backup a single GPO

In the below example, I’m backing up a single GPO to the folder c:\it\GPO_backups and provide a comment.

backup-gpo -Name 'Computer - Allow Pings' -Path C:\it\GPO_backups -Comment "GPO-Backup"
gpo backup using powershell

Example 2: PowerShell backup all GPOs

Use this command to backup all GPOs using Powershell.

backup-gpo -All -path C:\it\GPO_backups
backup all gpos with powershell

That’s how you backups GPOs with PowerShell, Microsoft has made it very easy.

Restore Group Policy Objects

Now that you know how to backup your GPOs, let’s look at how to restore them.

To restore, right-click on “Group Policy Objects” and select “Manage Backups”.

restore group policy

Browse to your backup folder and select the GPOs to restore, you can select a single or multiple GPOs. In this example I’m restoring my lock screen GPO.

restore process select gpo

Click the restore button and you will get the status screen.

gpo restore success page

Nice work. The GPO has been restored.

It’s a good idea to check the GPO to verify that the settings are correct after the restore. You can do this by clicking on the GPO and then to settings to verify it’s configuration.

verify gpo settings after restore

You can also use the Restore-GPO cmdlet to restore GPO settings but not to recover a deleted GPO.

Let me show you.

Let’s say someone made a change to my “Lock Screen” policy and I need to restore the settings from a backup. In this case, the Restore-GPO cmdlet can be used to restore the GPO settings.

If the “Lock Screen” GPO was deleted the Restore-GPO cmdlet cannot be used.

Below are examples.

restore-gpo example

Do you see what that error message says? GPO was not found in my domain because the GPO was deleted and so PowerShell cannot restore the settings.

Now I’ll run it again, except this time the Lock screen GPO exists in the domain.

restore-gpo example 2

So again, the Restore-GPO cmdlet appears to only work when the GPO exists in the domain, and will not restore a deleted GPO.

Microsoft documentation says:

The Restore-GPO cmdlet restores a Group Policy Object (GPO) backup to the original domain from which it was saved. If the original domain is not available, or if the GPO no longer exists in the domain, the cmdlet fails.

https://docs.microsoft.com/en-us/powershell/module/grouppolicy/restore-gpo?view=windowsserver2022-ps

Resources

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

This is a Free tool, download your copy here.

Leave a Comment