Weekly quickTIP

Better GPO Backups

Use your downtime productively and check that your GPO backups are up to snuff.

• By Greg Shields
• 09/29/2008

For just those times I take with me a mental litany of health checks to run. Making sure Active Directory has the right settings and that nothing appears out of place is a big part of that list. And of all the gigs I've been on, the one Active Directory configuration that I routinely find missing is good GPO backups.

Does your organization plan to use the "regular" Active Directory restore process to bring GPOs back to life? If so, you're in for a complex process that's fraught with pain. Navigating through Active Directory's authoritative restore process can be complex to the point of absurdity. (Really, Microsoft -- in eight years, couldn't we have figured out a teensy, weensy better process?) So, get around the complexity by using a completely different tool for doing your GPO backups straight out of the GPMC Scripts.

The GPMC scripts are made up of a number of individual command-line tools for manipulating GPOs, and two of these scripts have two handy tools for backing up and later restoring GPOs in a snap. You'll need to download and install them to a machine where you can create and reliably run a scheduled task. To back up your GPOs once the scripts are installed, create a scheduled task that runs the following command on a regular basis:

cscript.exe "C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts\BackupAllGPOs.wsf" {backupLocation}

This command backs up the GPOs as well as their contents and settings to the location identified in {backupLocation}. If you ever need to restore an accidentally deleted GPO, the process is as simple as running:

cscript.exe "C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts\RestoreGPO.wsf" {backupLocation} {backupID}

The value for {backupID} above will be the name or GUID of the GPO to restore.