July 13th, 2010

Hey, Scripting Guy! How Can I Use Group Policy Cmdlets to Back Up and Restore Group Policy Objects?

  Hey, Scripting Guy! Question Hey, Scripting Guy! I want to know how to use the Group Policy cmdlets in Windows PowerShell to back up and to restore Group Policy objects (GPOs), and I have heard that there are Group Policy cmdlets in Windows 7. Can you help me? — GJ   Hey, Scripting Guy! Answer

Hello GJ,

Microsoft Scripting Guy Ed Wilson here. It is hot and humid in Charlotte. The humidity hangs in the air like a heavy quilt on a hot summer night, draping everything exposed to the environment with a seemingly endless supply of moisture. The weeds are happy and thrive in the conditions. They appear to draw their needed nutrients from the thick syrupy air. The grasshoppers love the weather; I guess the dense air gives them more lift as they hop about the dark and dusty lawns. Most other living creatures seek respite in highly coveted shady spots away from the humidity. The humidity is nearly sentient, and it seems to seek its victims with malevolent intent. It invades homes through doors carelessly left standing wide, seeping under half-closed windows and oozing through cracks in chinking and insulation.

If carbon-based life forms do not care for humidity, personal computers have a particular disdain for its effects on motherboards and other electronic components comprising their insides. Oh, the joys of life in the deep south! I have not resorted to drinking iced tea, but I can see why one might be tempted to do so. A tall glass of cool spring water wrapped in a napkin to absorb the moisture from the glass and freshened up with a sprig of fresh plucked mint is my personal ticket to happiness. I have also found that a single ANZAC biscuit is a great accompaniment to the water when it is nibbled with mouselike bites. It makes no sense to complain about the weather. Instead, I come to terms with it.

 

GJ, the first thing you need to do when working with the Group Policy cmdlets is to import the GroupPolicy module. This assumes you have installed the appropriate package or enabled the appropriate feature. For more information about gaining access to the Group Policy cmdlets, see yesterday’s Hey, Scripting Guy! post.

The Import-Module cmdlet displays no feedback if the GroupPolicy module loads properly. The code shown here illustrates this:

PS C:> Import-Module -Name grouppolicy
PS C:>

By using the Get-Command cmdlet, you can ensure that the GroupPolicy module loaded properly. In addition, the command displays the cmdlets you will be able to access. The command and attendant output listed here shows the results:

PS C:> Get-Command -Module grouppolicy

CommandType     Name                               Definition
———–         —-                                 ———-
Cmdlet              Backup-GPO                         Backup-GPO -Guid <Guid> -Path …
Cmdlet              Copy-GPO                            Copy-GPO -SourceGuid <Guid> -T…
Cmdlet              Get-GPInheritance                 Get-GPInheritance [-Target] <S…
Cmdlet              Get-GPO                              Get-GPO [-Guid] <Guid> [[-Doma…
Cmdlet              Get-GPOReport                    Get-GPOReport [-Guid] <Guid> […
Cmdlet              Get-GPPermissions               Get-GPPermissions -Guid <Guid>…
Cmdlet              Get-GPPrefRegistryValue       Get-GPPrefRegistryValue -Guid …
Cmdlet              Get-GPRegistryValue             Get-GPRegistryValue -Guid <Gui…
Cmdlet              Get-GPResultantSetOfPolicy   Get-GPResultantSetOfPolicy [-C…
Cmdlet              Get-GPStarterGPO                 Get-GPStarterGPO -Guid <Guid> …
Cmdlet              Import-GPO                            Import-GPO -BackupId <Guid> -P…
Cmdlet              New-GPLink                           New-GPLink -Guid <Guid> -Targe…
Cmdlet              New-GPO                          &nbsp ;    New-GPO [-Name] <String> [-Com…
Cmdlet              New-GPStarterGPO                New-GPStarterGPO [-Name] <Stri…
Cmdlet              Remove-GPLink                      Remove-GPLink -Guid <Guid> -Ta…
Cmdlet              Remove-GPO                          Remove-GPO -Guid <Guid> [-Doma…
Cmdlet              Remove-GPPrefRegistryValue   Remove-GPPrefRegistryValue [[-…
Cmdlet              Remove-GPRegistryValue         Remove-GPRegistryValue [-Guid]…
Cmdlet              Rename-GPO                          Rename-GPO -Guid <Guid> -Targe…
Cmdlet              Restore-GPO                           Restore-GPO -BackupId <Guid> -…
Cmdlet              Set-GPInheritance                    Set-GPInheritance [-Target] <S…
Cmdlet              Set-GPLink                              Set-GPLink -Guid <Guid> -Targe…
Cmdlet              Set-GPPermissions                  Set-GPPermissions -Guid <Guid>…
Cmdlet              Set-GPPrefRegistryValue          Set-GPPrefRegistryValue -Guid …
Cmdlet              Set-GPRegistryValue               Set-GPRegistryValue -Guid <Gui…

PS C:>

A better, more informative display of Windows PowerShell cmdlets can be obtained by piping the results of the Get-Command cmdlet to the Get-Help cmdlet and finally to the Format-Table cmdlet. By choosing the name of the cmdlet and the description of the cmdlet, a nice table is produced. The resulting command is shown here:

Get-Command -Module grouppolicy | Get-Help | Format-Table name, synopsis -AutoSize -Wrap

The –wrap parameter wraps the text in the Windows PowerShell console as shown in the following image.

Image of -wrap parameter at work 

The display of the complete output of the previous command is shown here:

PS C:> Get-Command -Module grouppolicy | get-help | Format-Table name, synopsis -Aut
oSize -Wrap

Name                       Synopsis
—-                         ——–
Backup-GPO               Backs up one GPO or all the GPOs in a domain.
Copy-GPO                 Copies a GPO.
Get-GPInheritance       Retrieves Group Policy inheritance information for a specified domain or OU.
Get-GPO                    Gets one GPO or all the GPOs in a domain.
Get-GPOReport              Generates a report either in XML or HTML format for a specified GPO or for
                                   all GPOs in a domain.
Get-GPPermissions          Gets the permission level for one or more security principals on a specified GPO.
Get-GPPrefRegistryValue    Retrieves one or more Registry preference items under either Computer
 &nb sp;                                 Configuration or User Configuration in a GPO.
Get-GPRegistryValue        Retrieves one or more registry-based policy settings under either Computer
                                   Configuration or User Configuration in a GPO.
Get-GPResultantSetofPolicy Outputs the Resultant Set of Policy (RSoP) information for a user, a computer,
                                  or both to a file.
Get-GPStarterGPO           Gets one Starter GPO or all Starter GPOs in a domain.
Import-GPO                 Imports the Group Policy settings from a backed-up GPO into a specified GPO.
New-GPLink                 Links a GPO to a site, domain, or organizational unit (OU).
New-GPO                    Creates a new GPO.
New-GPStarterGPO           Creates a new Starter GPO.
Remove-GPLink              Removes a GPO link from a site, domain or OU.
Remove-GPO                 Deletes a GPO.
Remove-GPPrefRegistryValue Removes one or more Registry preference items from either Computer
                                   Configuration or User Configuration in a GPO.
Remove-GPRegistryValue     Removes one or more registry-based policy settings from either Computer 
                                   Configuration or User Configuration in a GPO.
Rename-GPO                 Assigns a new display name to a GPO.
Restore-GPO                Restores one GPO or all GPOs in a domain from one or more GPO backup files.
Set-GPInheritance          Blocks or unblocks inheritance for a specified domain or organizational unit (OU).
Set-GPLink                 Sets the properties of the specified GPO link.
Set-GPPermissions          Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.
Set-GPPrefRegistryValue    Configures a Registry preference item under either Computer Configuration or
                                    User Configuration in a GPO.
Set-GPRegistryValue        Configures one or more registry-based policy settings under either Computer 
                                    Configuration or User Configuration in a GPO.

PS C:>

To create a backup copy of all the GPOs in the domain, use the Backup-GPO cmdlet. When using this cmdlet, I prefer to target a specific domain controller and a specific domain. The destination for the backup can be a local location or a UNC path. The Backup-GPO cmdlet returns an instance of the Microsoft.GroupPolicy.GPOBackUp .NET Framework class and each instance of the class returns to the Windows PowerShell console. The output from the backup of all GPOs in the NWTraders.com domain command is shown here:

PS C:> Backup-GPO -All -Path \hyperv-boxbackups -Comment “weekly Backup” -Domain n
wtraders.com -Server dc1

DisplayName     : Default Domain Policy
GpoId           : 31b2f340-016d-11d2-945f-00c04fb984f9
Id              : ad374f52-45ab-47dd-9594-1bfd063c03e3
BackupDirectory : \hyperv-boxbackups
CreationTime    : 7/8/2010 12:47:34 PM
DomainName      : nwtraders.com
Comment         : weekly Backup

DisplayName     : TrustedHosts
GpoId           : 453d3237-0e74-4aac-a675-ddf2c8aeed4b
Id              : dd2ed13b-9b87-4f09-abaa-f3cc33285e1d
BackupDirectory : \hyperv-boxbackups
CreationTime    : 7/8/2010 12:47:39 PM
DomainName      : nwtraders.com
Comment         : weekly Backup

DisplayName     : Default Domain Controllers Policy
GpoId           : 6ac1786c-016f-11d2-945f-00c04fb984f9
Id              : accabff4-1113-452e-b8a6-ee5aa13047ed
BackupDirectory : \hyperv-boxbackups
CreationTime    : 7/8/2010 12:47:39 PM
DomainName      : nwtraders.com
Comment         : weekly Backup

The backup of each GPO is stored in a dynamically generated folder with an associated GUID. This is shown in the following image.

 Image of each GPO stored in dynamically generated folder

A manifest in the root of the backup folder points to each backup. The manifest is seen in XML Notepad in the following image.

 Image of manifest in root of backup folder

To restore a GPO, use the Restore-GPO cmdlet. You can select a specific GPO backup if you need to, or use the defaults that will restore the most recent backup. This is shown here:

PS C:> Restore-GPO -All -Domain nwtraders.com -path \hyperv-boxbackups

DisplayName      : Default Domain Policy
DomainName       : nwtraders.com
Owner            : NWTRADERSDomain Admins
Id               : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 9/8/2009 5:50:46 PM
ModificationTime : 7/8/2010 2:30:20 PM
UserVersion      : AD Version: 1, SysVol Version: 1
ComputerVersion  : AD Version: 26, SysVol Version: 26
WmiFilter        :

DisplayName      : TrustedHosts
DomainName       : nwtraders.com
Owner            : NWTRADERSDomain Admins
Id               : 453d3237-0e74-4aac-a675-ddf2c8aeed4b
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 5/3/2010 11:58:05 AM
ModificationTime : 7/8/2010 2:30:22 PM
UserVersion      : AD Version: 1, SysVol Version: 1
ComputerVersion  : AD Version: 2, SysVol Version: 2
WmiFilter        :

DisplayName      : Default Domain Controllers Policy
DomainName       : nwtraders.com
Owner            : NWTRADERSDomain Admins
Id               : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 9/8/2009 5:50:46 PM
ModificationTime : 7/8/2010 2:30:23 PM
UserVersion      : AD Version: 1, SysVol Version: 1
ComputerVersion  : AD Version: 9, SysVol Version: 9
WmiFilter        :

PS C:>


GJ, that is all there is to using Group Policy cmdlets to backup and restore GPOs. Group Policy Week will continue tomorrow when we will talk about checking for replication.

We invite you to follow us on Twitter or

Author

0 comments

Discussion are closed.