Group Coverage utilization is ubiquitous in company networks, however few admins have a strong understanding of all of the shifting components and the way to shield them in case of catastrophe.
Group Coverage Objects — usually known as GPOs — would be the solely instrument used to handle person and laptop accounts. Many admins rely on this service to work, however issues can have an effect on any instrument. Microsoft constructed Group Coverage to function with little upkeep, however GPOs might be finicky to handle. Corruption of GPO settings and conflicts between coverage modifications made by a number of admins are commonplace. To keep away from a breakdown of this vital administration instrument, it’s best to have a strong understanding of the GPO backup and restore course of.
What’s Group Coverage and what are Group Coverage Objects?
Group Coverage is a core function of Microsoft Energetic Listing (AD) that manages configuration settings for customers and computer systems in a Home windows area. Group Coverage has been round since Home windows 2000. Since its introduction, Group Coverage Objects have seen incremental enhancements, however the main ideas of GPOs stay unchanged. Admins use GPOs to use settings to a set of sources, together with customers, computer systems, safety settings, teams, organizational models (OUs) and AD websites, or to a complete area. Group Coverage can configure round 12,000 particular person settings.
You configure a Group Coverage Object to carry the settings to deploy. This new coverage applies to the place within the AD tree construction the place you hyperlink the GPO. Most instances, you hyperlink insurance policies to a selected OU or to your complete area after which safety teams in AD restrict which customers or computer systems obtain the coverage. All this happens inside a central administration instrument known as the Group Coverage Administration Console, generally known as the GPMC. Every coverage is its personal object, therefore the title Group Coverage Object.
Admins use GPMC to configure and analyze Group Coverage settings, however the insurance policies created from the console reside within the SYSVOL folder on the area controllers. These settings apply to customers and their computer systems at login after which refresh within the background all through the day. The settings managed through the Group Coverage Administration Console are registry key values within the Home windows OS.
The registry is a big assortment of settings that management numerous points of how the Home windows OS and put in purposes function. Admins use GPMC to configure settings that change the values for the corresponding keys within the registry and lock these values all the way down to hold customers from tampering with them.
Why Group Coverage reliability is vital to the enterprise
The Group Coverage Administration Console is a Microsoft Administration Console snap-in and is a GUI instrument that controls the configuration of the Home windows OS through insurance policies. The insurance policies are a group of settings that relate to particular registry keys, however GPMC gives a safer and extra elegant option to handle these settings and deploy them to a fleet of computer systems.
Microsoft included Group Coverage with AD, so there is no such thing as a added price to make use of the Group Coverage Administration Console, whatever the dimension and scope of your atmosphere. GPMC controls and configures lots of of hundreds of computer systems, all from a single console. I can’t underscore sufficient Group Coverage’s significance and impression within the enterprise configuration administration area.
The best way to again up Group Coverage Objects
In a typical company atmosphere, there might be many Group Insurance policies used to handle the atmosphere. Microsoft recommends solely 20 to 30 Group Insurance policies, however it’s commonplace to see many extra GPOs in use in the true world. At my present employer, now we have about 90 Group Insurance policies to handle about 25,000 computer systems.
You possibly can again up GPOs individually or as a whole set. Every Group Coverage is a mix of information and folders, and every Group Coverage has a definite set of information, relying on what settings are in use. You can not simply copy the information. This screenshot reveals the Group Coverage folder and file construction generated by the tree command.
The best way to again up Group Coverage Objects with GPMC
You possibly can carry out backups both with the Group Coverage Administration Console GUI instrument or with PowerShell.
In GPMC, right-click on a GPO, and select Again Up. This invokes a backup wizard that prompts you for a backup location and an optionally available remark.
This backup course of shops every GPO in its personal folder. Microsoft expects you to work together with GPO backups both utilizing the Group Coverage Administration Console or PowerShell, regardless that you’ll be able to entry the folder with the backup knowledge. This screenshot reveals the backup folder, which doesn’t have the Group Coverage title within the folder construction.
Every iteration of a GPO backup has a globally distinctive identifier (GUID) as its title. Microsoft makes use of these GUIDs because the GPO backup ID. Some restore operations want the GPO backup ID to work accurately, which is usually a problem to grasp. The file construction generated by the tree command reveals a visible structure of the information and folders within the GPO backup folder.
The Group Coverage backup folder and file construction is just like the unique Group Coverage folder construction. Nevertheless, there are further XML information with the GPO information in a brand new guardian folder known as DomainSysVol. A easy file copy is not sufficient to again up a Group Coverage. The 2 XML information created throughout the backup include all the data associated to the GPO, such because the area it got here from and different knowledge wanted for the restore course of.
To again up all GPOs is a virtually duplicate course of as a single file backup. Proper-click on the Group Coverage Objects folder, and choose Again Up All.
You then see the identical window we noticed within the single GPO backup technique. You choose the placement and add an optionally available remark.
As soon as the backup completes, you obtain a abstract report of the backup course of.
Every backed-up GPO lives in its personal folder. Every folder has the identical GUID for a reputation and comprises further subfolders and information wanted for the restore.
The best way to again up a Group Coverage Object with PowerShell
The opposite choice to again up GPOs is to make use of PowerShell. PowerShell invokes the identical engine because the Group Coverage Administration Console for backups, and the file construction can be the identical.
The next PowerShell command is an instance of the way to again up a single GPO:
backup-gpo -name "Take a look at GPO" -path C:gpobackupPowerShellBackup -comment "single file backup"
To again up all GPOs, use the -All parameter:
backup-gpo -All -path C:gpobackupPowerShellBackupAllGPOs -comment "Backup All GPOs"
The best way to restore Group Insurance policies with GPMC
Each strategies to revive GPOs have potential pitfalls that make the method more durable than it needs to be. The best choice is to make use of every in tandem. First, let’s take a look at the way to restore a GPO with GPMC.
Proper-click the Group Coverage Objects folder, and choose Handle Backups. This opens a window exhibiting the abstract of saved backups.
The interface reveals loads of helpful information, however it may be irritating to make use of. You can not see all backups for all places in a single view. For instance, discover the Backup location drop-down on the prime of the window. For those who made backups to a number of folder paths as I did in my examples, then it is advisable choose the folder location earlier than you’ll be able to see the backups in that location and the feedback that have been added throughout the backup course of.
The screenshot additionally reveals three backups, which got here from the Again Up All GPOs choice. You possibly can’t restore all information directly. If I wanted to revive all my GPOs, then that will require three separate restores. That is simple in my lab however not nice in my company atmosphere, the place I’ve greater than 90 GPOs in use.
There’s a checkbox for model management on the backside of the restore window. If checked, then you definately solely see the newest backup, no matter what number of backups of the GPO exist. You possibly can kind by backup timestamp and choose a selected GPO backup to revive.
Performing a GPO restore in GPMC takes two clicks. Choose the GPO, click on Restore after which verify the operation. The system reveals a abstract window when the restore course of finishes, which solely takes a number of seconds. Nevertheless, pay attention to one main problem: For those who restore a deleted GPO, the hyperlinks to the GPO is not going to be restored.
The screenshot reveals the check GPO, which is linked to the US-Raleigh OU. Within the safety filtering part, I’ve added Area Admins.
If I delete the GPO and carry out a restore operation, then the hyperlink to the US-Raleigh OU is gone and never restored. There could be no difficulty if I restored a GPO over an present one.
The best way to restore a Group Coverage with PowerShell
PowerShell makes it simple to revive a single GPO. I solely want the title of the GPO and the GPO backup folder. The Restore-GPO cmdlet reads the data within the folder and finds the right file to revive. The next command restores the GPO:
Restore-GPO -Identify "Take a look at GPO" -Path C:GPOBackupPowerShellBackup
Restoring a GPO from a earlier model is a more difficult job and one that may not make sense till you learn extra.
First, the excellent news is we will use PowerShell to revive backups made by the Group Coverage Administration Console. The inverse can be true: We are able to restore backups created by PowerShell with GPMC. That is vital to know as a result of this can be very tough to revive totally different variations of GPOs through PowerShell with out cautious planning.
For instance, let’s take a look at the syntax wanted for a restore:
Restore-GPO -BackupId 0fc29b3c-fb83-4076-babb-6194c1b4fc26 -Path "PATH-to-your-backup"
To revive a unique model of a GPO moderately than the newest model, you want the backup ID of the model wished. At first look, that does not appear too tough, however I wish to spotlight an issue that is not instantly apparent.
Once I carried out the backups in earlier examples, I needed to choose the backup folder. The backup course of can solely ship the backups to the folder I specify. It does not have a way to create folders. Within the instance that backed up all of the GPOs, the outcome was three subfolders inside a guardian GPO backup folder. The subfolder names have been GUIDs, that are additionally the backup IDs for every GPO.
If I needed to again up 90 GPOs, I might find yourself with 90 subfolders for every backup job. If I carry out backups of 90 GPOs on 10 consecutive days and the identical folder for the output, then I might have 900 subfolders in my GPO backup folder. All I must work with is GUIDs, and no GPO names could be seen. This screenshot reveals six folders, which signify two backups of three GPOs, with an instance of how the a number of backups seem within the GUI.
Now, the problem of doing a restore for alternate variations turns into clear: How do you discover the appropriate GUID for the backup job you want? There’s a risk, however it’s arduous and never a practical option to work.
Discover the GPO title of a GPO backup file
For this instance, I take advantage of File Explorer to search out the GPO backup folder. With File Preview enabled, I can see the file contents within the preview pane. Once I click on on the GPReport file, I see the “pleasant” title of the GPO within the preview pane. This screenshot reveals all of the related information with the pleasant title of the backup highlighted in yellow.
Discovering the appropriate backup ID is tough if all of the backup information are in the identical folder. You possibly can find the right backup ID by trying on the Created Time worth in every GPReport file. If that is the right date, then you need to use the GUID of the folder’s title because the backup ID. You could possibly additionally have a look at the timestamp on the GPReport file and see if it is the right date, however timestamps can change, which makes them unreliable.
I may additionally use PowerShell to search out all of the GPReport.xml information after which parse every file to retrieve the file creation timestamp, GPO ID, GPO backup ID and GPO Identify. This may require writing some customized code that’s trickier than it sounds.
The simplest resolution is to save lots of every day’s backup information to a brand new folder. This would scale back the hassle to search out the right backup ID to only at some point’s price of knowledge. You could possibly automate a option to create the folder construction earlier than the backups begin after which change the backup path to the right folder for every day.
Use GPMC and PowerShell to make each higher
The GPO backup and restore course of works greatest if you use the Group Coverage Administration Console and PowerShell collectively, which addresses the shortcomings of every instrument.
We begin with a way to run backups on an interval. Most admins run backups on an automatic schedule. For those who suppose again to the GUI backup course of, it was lacking a key function: a scheduler. This requires invoking the GUI backup wizard to take a backup, which most admins wouldn’t want. Nevertheless, PowerShell makes this job a lot simpler with a script that automates your complete course of: scheduling the duty, creating each day folders and operating the backup job.
When it comes time to do restores, utilizing PowerShell to revive the latest backup is fast and straightforward. However it may be a posh problem to revive alternate variations of GPOs utilizing PowerShell if you do not know the GPO backup ID. The GUI handles the restore course of for alternate variations moderately properly. It may acknowledge the totally different backup variations and show the data contained in the restore software moderately than having to browse for the data within the folders.
Studying to work with a number of instruments is a key administrative talent
Whereas Microsoft supplies many administrative instruments that work properly sufficient, there are shortcomings to get round. However, when used collectively, the instruments give IT execs every part they should create a complete backup technique. Take a while to arrange your backup and restore course of. Construct automation to deal with the each day backups. Take a look at and doc the restoration course of, and share along with your colleagues. You may thank your self down the highway if catastrophe strikes.
