Not too long ago I got a call from a friend who was having some problems related to group policy objects on his network. My friend made a habit of backing up his domain controllers on a regular basis. Even so, someone in the organization have made some changes to some group policy objects, and my friend needed to return them to their previous state. The catch was that he didn’t want to have to perform an authoritative restoration of the entire Active Directory just to recover a few group policy settings.
Fortunately, there is a way that you can backup your group policy settings separately from the rest of the Active Directory. Of course you have to do this before the need to restore your group policy settings arises.
Backing Up the Group Policy Objects
Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: <your forest > | Domains | <your domain > | Group Policy Objects. When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more.
The Group Policy Objects container stores all of the group policy objects for the domain.
Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box. As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.
You must provide the path to which you want to store your backup of the group policy objects.
Backing Up Individual Group Policy Objects
In case you’re wondering, Windows Server 2008 does allow you to backup individual group policy objects. The process for doing so is very similar to what I just showed you. The difference is that when you select the Group Policy Objects container, shown in Figure A, you would right-click on an individual Group Policy Object rather than on the Group Policy Objects container. From there, you would choose the Back Up command from the shortcut menu. The rest of the process is identical to what you have already seen.
The Anatomy Of The Back Up
When you create a backup, Windows creates individual folders within the target folder. Each of these individual folders bears the GUID of the Group Policy Object that contains. This is true whether you are backing up an individual Group Policy Object, or all of the Group Policy Objects in the entire domain. You can see what the backup folder looks like in Figure C.
Windows creates a separate folder for each Group Policy Object.
The Restoration Process
When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.
Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore. Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory settings within the file that is being imported.
As you can see, it is pretty simple to backup your Group Policy Objects. Even so, a lot of administrators do not realize the importance of backing up group policy objects separate from backing up the Active Directory.