Active Directory GPO Backup and Restore

Note: Using this process, 80-85% of data can be restored.

Backup and restore group policy objects in Active Directory.

  • The details below show how to back up GPOs using both the Group Policy Management Console and PowerShell.

The Restore-GPO cmdlet does not recover deleted GPOs; it restores an existing GPO from a backup. To recover a deleted GPO, use the GUI. Details and examples are below.

How to Back Up Group Policy Objects using the GUI

Step 1: Browse to the GPO you want to back up

  • Open the Group Policy Management Console and browse the GPOs. Select a single GPO or, to back up all of them, select the Group Policy Objects folder. In this example, all GPOs are backed up.

  • Next, right-click what you want to back up, and select “Back Up”.

  • When backing up all GPOs, it will say “Back Up All”.

  • When backing up a single GPO, it will say “Back Up”. In this example, the Lock Screen GPO is backed up.

Step 2: Select a backup folder

  • Next, select the folder where the GPO backups should be placed.

  • In this example, a folder called “GPO_backups” was created on the local computer. It’s also a good idea to give your folder a description and date.

  • Now click the “Back up” button to start the backup process.

  • Check the status at the bottom where it will show how many GPOs were successfully backed up.

  • Next is how to back up GPOs using PowerShell.

Back Up Group Policy Objects using PowerShell

  • To back up GPOs with PowerShell, use the Backup-GPO cmdlet.

Example 1: PowerShell Backup of a single GPO

  • In the example below, a single GPO is backed up to the folder C:\it\GPO_backups with a comment.

Backup-GPO -Name 'Computer - Allow Pings' -Path C:\it\GPO_backups -Comment "GPO-Backup"

Example 2: PowerShell backup of all GPOs

  • Use this command to back up all GPOs using PowerShell.

  • That’s how to back up GPOs with PowerShell; Microsoft has made it very easy.

Restore Group Policy Objects

  • Let's look at how to restore GPOs.

  • To restore, right-click on “Group Policy Objects” and select “Manage Backups”.

  • Browse to the backup folder and select the GPOs to restore; you can select a single GPO or multiple GPOs. In this example, the Lock Screen GPO is restored.

  • Click the Restore button; a status screen is displayed.

  • Nice work. The GPO has been restored.

  • It’s a good idea to check the GPO to verify that the settings are correct after the restore. Click on the GPO and then on Settings to verify its configuration.

  • Use the Restore-GPO cmdlet to restore GPO settings, but not to recover a deleted GPO.

  • Let’s say someone made a change to the “Lock Screen” policy and the settings need to be restored from a backup. In this case, the Restore-GPO cmdlet can be used to restore the GPO settings.

  • If the “Lock Screen” GPO was deleted, the Restore-GPO cmdlet cannot be used.

  • Below are examples.

  • Do you see what that error message says? The GPO was not found in my domain because the GPO was deleted, so PowerShell cannot restore the settings.

  • Now run it again, except this time the Lock Screen GPO exists in the domain.

  • So again, the Restore-GPO cmdlet appears to only work when the GPO exists in the domain, and will not restore a deleted GPO.
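
The PowerShell backup of all GPOs (Example 2) and the restore behaviour described above can be combined into one script. This is an added example, not part of the original document; the dated subfolder layout, the function names and the report file name are assumptions, while the folder C:\it\GPO_backups and the "Lock Screen" GPO name follow the examples on this page.

```powershell
# Added example: back up all GPOs, then restore one only if it still exists.
# Function names, the dated subfolder and the report file name are assumptions.
Import-Module GroupPolicy

$BackupRoot = 'C:\it\GPO_backups'   # folder used in Example 1
$GpoName    = 'Lock Screen'         # GPO used in the restore walkthrough

function Backup-AllGpos {
    param([Parameter(Mandatory)][string]$Root)
    # One dated subfolder per run so earlier backups are never overwritten.
    $target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $results = Backup-GPO -All -Path $target -Comment "GPO-Backup $(Get-Date -Format s)"
    Write-Host "Backed up $(@($results).Count) GPO(s) to $target"
    return $target
}

function Restore-GpoIfPresent {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path
    )
    # Restore-GPO only overwrites an existing GPO, so confirm it exists first.
    try {
        Get-GPO -Name $Name -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "GPO '$Name' was not found in the domain. Restore-GPO cannot recover it; use Manage Backups in the console."
        return $false
    }
    # Restores the most recent backup of this GPO found in $Path.
    Restore-GPO -Name $Name -Path $Path -ErrorAction Stop | Out-Null
    # Write a settings report so the restored configuration can be reviewed.
    $report = Join-Path $Path "$Name-after-restore.html"
    Get-GPOReport -Name $Name -ReportType Html -Path $report
    Write-Host "Restored '$Name'; review the settings in $report"
    return $true
}

$backupPath = Backup-AllGpos -Root $BackupRoot
if (-not (Restore-GpoIfPresent -Name $GpoName -Path $backupPath)) {
    Write-Host "No restore was performed for '$GpoName'."
}
```

Run it from an elevated PowerShell session on a machine with the Group Policy management tools installed, using an account that has rights to back up and edit the GPOs.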

The following commands delete the registry changes:

  1. To delete Current Version Policies:

  • reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f

  2. To delete Microsoft WindowsSelfHost:

  • reg delete "HKCU\Software\Microsoft\WindowsSelfHost" /f

  3. To delete Software Policies:

  • reg delete "HKCU\Software\Policies" /f

  4. To delete Microsoft Policies:

  • reg delete "HKLM\Software\Microsoft\Policies" /f

  5. To delete Microsoft Windows CurrentVersion Policies:

  • reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f

  6. To delete Microsoft WindowsSelfHost:

  • reg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f

  7. To delete Software Policies:

  • reg delete "HKLM\Software\Policies" /f

  8. To delete WOW6432Node Microsoft Policies:

  • reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f

  9. To delete WOW6432Node Microsoft Windows CurrentVersion Policies:

  • reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f

This completes the Active Directory GPO Backup and Restore Documentation.