Hey, Scripting Guy! I want to know how to use the Group Policy cmdlets in Windows PowerShell to back up and to restore Group Policy objects (GPOs), and I have heard that there are Group Policy cmdlets in Windows 7. Can you help me? — GJ
Hello GJ,
Microsoft Scripting Guy Ed Wilson here. It is hot and humid in Charlotte. The humidity hangs in the air like a heavy quilt on a hot summer night, draping everything exposed to the environment with a seemingly endless supply of moisture. The weeds are happy and thrive in the conditions. They appear to draw their needed nutrients from the thick syrupy air. The grasshoppers love the weather; I guess the dense air gives them more lift as they hop about the dark and dusty lawns. Most other living creatures seek respite in highly coveted shady spots away from the humidity. The humidity is nearly sentient, and it seems to seek its victims with malevolent intent. It invades homes through doors carelessly left standing wide, seeping under half-closed windows and oozing through cracks in chinking and insulation.
If carbon-based life forms do not care for humidity, personal computers have a particular disdain for its effects on motherboards and other electronic components comprising their insides. Oh, the joys of life in the deep south! I have not resorted to drinking iced tea, but I can see why one might be tempted to do so. A tall glass of cool spring water wrapped in a napkin to absorb the moisture from the glass and freshened up with a sprig of fresh plucked mint is my personal ticket to happiness. I have also found that a single ANZAC biscuit is a great accompaniment to the water when it is nibbled with mouselike bites. It makes no sense to complain about the weather. Instead, I come to terms with it.
GJ, the first thing you need to do when working with the Group Policy cmdlets is to import the GroupPolicy module. This assumes you have installed the appropriate package or enabled the appropriate feature. For more information about gaining access to the Group Policy cmdlets, see yesterday’s Hey, Scripting Guy! post.
The Import-Module cmdlet displays no feedback if the GroupPolicy module loads properly. The code shown here illustrates this:
PS C:> Import-Module -Name grouppolicy
PS C:>
By using the Get-Command cmdlet, you can ensure that the GroupPolicy module loaded properly. In addition, the command displays the cmdlets you will be able to access. The command and attendant output listed here shows the results:
PS C:> Get-Command -Module grouppolicy
CommandType Name Definition
———– —- ———-
Cmdlet Backup-GPO Backup-GPO -Guid <Guid> -Path …
Cmdlet Copy-GPO Copy-GPO -SourceGuid <Guid> -T…
Cmdlet Get-GPInheritance Get-GPInheritance [-Target] <S…
Cmdlet Get-GPO Get-GPO [-Guid] <Guid> [[-Doma…
Cmdlet Get-GPOReport Get-GPOReport [-Guid] <Guid> […
Cmdlet Get-GPPermissions Get-GPPermissions -Guid <Guid>…
Cmdlet Get-GPPrefRegistryValue Get-GPPrefRegistryValue -Guid …
Cmdlet Get-GPRegistryValue Get-GPRegistryValue -Guid <Gui…
Cmdlet Get-GPResultantSetOfPolicy Get-GPResultantSetOfPolicy [-C…
Cmdlet Get-GPStarterGPO Get-GPStarterGPO -Guid <Guid> …
Cmdlet Import-GPO Import-GPO -BackupId <Guid> -P…
Cmdlet New-GPLink New-GPLink -Guid <Guid> -Targe…
Cmdlet New-GPO  
; New-GPO [-Name] <String> [-Com…
Cmdlet New-GPStarterGPO New-GPStarterGPO [-Name] <Stri…
Cmdlet Remove-GPLink Remove-GPLink -Guid <Guid> -Ta…
Cmdlet Remove-GPO Remove-GPO -Guid <Guid> [-Doma…
Cmdlet Remove-GPPrefRegistryValue Remove-GPPrefRegistryValue [[-…
Cmdlet Remove-GPRegistryValue Remove-GPRegistryValue [-Guid]…
Cmdlet Rename-GPO Rename-GPO -Guid <Guid> -Targe…
Cmdlet Restore-GPO Restore-GPO -BackupId <Guid> -…
Cmdlet Set-GPInheritance Set-GPInheritance [-Target] <S…
Cmdlet Set-GPLink Set-GPLink -Guid <Guid> -Targe…
Cmdlet Set-GPPermissions Set-GPPermissions -Guid <Guid>…
Cmdlet Set-GPPrefRegistryValue Set-GPPrefRegistryValue -Guid …
Cmdlet Set-GPRegistryValue Set-GPRegistryValue -Guid <Gui…
PS C:>
A better, more informative display of Windows PowerShell cmdlets can be obtained by piping the results of the Get-Command cmdlet to the Get-Help cmdlet and finally to the Format-Table cmdlet. By choosing the name of the cmdlet and the description of the cmdlet, a nice table is produced. The resulting command is shown here:
Get-Command -Module grouppolicy | Get-Help | Format-Table name, synopsis -AutoSize -Wrap
The –wrap parameter wraps the text in the Windows PowerShell console as shown in the following image.
The display of the complete output of the previous command is shown here:
PS C:> Get-Command -Module grouppolicy | get-help | Format-Table name, synopsis -Aut
oSize -Wrap
Name Synopsis
—- ——–
Backup-GPO Backs up one GPO or all the GPOs in a domain.
Copy-GPO Copies a GPO.
Get-GPInheritance Retrieves Group Policy inheritance information for a specified domain or OU.
Get-GPO Gets one GPO or all the GPOs in a domain.
Get-GPOReport Generates a report either in XML or HTML format for a specified GPO or for
all GPOs in a domain.
Get-GPPermissions Gets the permission level for one or more security principals on a specified GPO.
Get-GPPrefRegistryValue Retrieves one or more Registry preference items under either Computer
&nb
sp; Configuration or User Configuration in a GPO.
Get-GPRegistryValue Retrieves one or more registry-based policy settings under either Computer
Configuration or User Configuration in a GPO.
Get-GPResultantSetofPolicy Outputs the Resultant Set of Policy (RSoP) information for a user, a computer,
or both to a file.
Get-GPStarterGPO Gets one Starter GPO or all Starter GPOs in a domain.
Import-GPO Imports the Group Policy settings from a backed-up GPO into a specified GPO.
New-GPLink Links a GPO to a site, domain, or organizational unit (OU).
New-GPO Creates a new GPO.
New-GPStarterGPO Creates a new Starter GPO.
Remove-GPLink Removes a GPO link from a site, domain or OU.
Remove-GPO Deletes a GPO.
Remove-GPPrefRegistryValue Removes one or more Registry preference items from either Computer
Configuration or User Configuration in a GPO.
Remove-GPRegistryValue Removes one or more registry-based policy settings from either Computer
Configuration or User Configuration in a GPO.
Rename-GPO Assigns a new display name to a GPO.
Restore-GPO Restores one GPO or all GPOs in a domain from one or more GPO backup files.
Set-GPInheritance Blocks or unblocks inheritance for a specified domain or organizational unit (OU).
Set-GPLink Sets the properties of the specified GPO link.
Set-GPPermissions Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.
Set-GPPrefRegistryValue Configures a Registry preference item under either Computer Configuration or
User Configuration in a GPO.
Set-GPRegistryValue Configures one or more registry-based policy settings under either Computer
Configuration or User Configuration in a GPO.
PS C:>
To create a backup copy of all the GPOs in the domain, use the Backup-GPO cmdlet. When using this cmdlet, I prefer to target a specific domain controller and a specific domain. The destination for the backup can be a local location or a UNC path. The Backup-GPO cmdlet returns an instance of the Microsoft.GroupPolicy.GPOBackUp .NET Framework class and each instance of the class returns to the Windows PowerShell console. The output from the backup of all GPOs in the NWTraders.com domain command is shown here:
PS C:> Backup-GPO -All -Path \hyperv-boxbackups -Comment “weekly Backup” -Domain n
wtraders.com -Server dc1
DisplayName : Default Domain Policy
GpoId : 31b2f340-016d-11d2-945f-00c04fb984f9
Id : ad374f52-45ab-47dd-9594-1bfd063c03e3
BackupDirectory : \hyperv-boxbackups
CreationTime : 7/8/2010 12:47:34 PM
DomainName : nwtraders.com
Comment : weekly Backup
DisplayName : TrustedHosts
GpoId : 453d3237-0e74-4aac-a675-ddf2c8aeed4b
Id : dd2ed13b-9b87-4f09-abaa-f3cc33285e1d
BackupDirectory : \hyperv-boxbackups
CreationTime : 7/8/2010 12:47:39 PM
DomainName : nwtraders.com
Comment : weekly Backup
DisplayName : Default Domain Controllers Policy
GpoId : 6ac1786c-016f-11d2-945f-00c04fb984f9
Id : accabff4-1113-452e-b8a6-ee5aa13047ed
BackupDirectory : \hyperv-boxbackups
CreationTime : 7/8/2010 12:47:39 PM
DomainName : nwtraders.com
Comment : weekly Backup
The backup of each GPO is stored in a dynamically generated folder with an associated GUID. This is shown in the following image.
A manifest in the root of the backup folder points to each backup. The manifest is seen in XML Notepad in the following image.
To restore a GPO, use the Restore-GPO cmdlet. You can select a specific GPO backup if you need to, or use the defaults that will restore the most recent backup. This is shown here:
PS C:> Restore-GPO -All -Domain nwtraders.com -path \hyperv-boxbackups
DisplayName : Default Domain Policy
DomainName : nwtraders.com
Owner : NWTRADERSDomain Admins
Id : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 9/8/2009 5:50:46 PM
ModificationTime : 7/8/2010 2:30:20 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 26, SysVol Version: 26
WmiFilter :
DisplayName : TrustedHosts
DomainName : nwtraders.com
Owner : NWTRADERSDomain Admins
Id : 453d3237-0e74-4aac-a675-ddf2c8aeed4b
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 5/3/2010 11:58:05 AM
ModificationTime : 7/8/2010 2:30:22 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 2, SysVol Version: 2
WmiFilter :
DisplayName : Default Domain Controllers Policy
DomainName : nwtraders.com
Owner : NWTRADERSDomain Admins
Id : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 9/8/2009 5:50:46 PM
ModificationTime : 7/8/2010 2:30:23 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 9, SysVol Version: 9
WmiFilter :
PS C:>
GJ, that is all there is to using Group Policy cmdlets to backup and restore GPOs. Group Policy Week will continue tomorrow when we will talk about checking for replication.
We invite you to follow us on Twitter or
0 comments