Tips on copying and backing up Group Policy Objects




Summary: Group Policy configuration is one of the most powerful aspects of Windows. Read several tips on copying and backing up Group Policy Objects, which can save admins a lot of time.

A cornerstone technology of Windows is Group Policy, which can be assigned locally (a single policy for a Windows system) or managed centrally in an Active Directory domain. When leveraging Active Directory, a number of Group Policy Objects (GPOs) can be assigned to computers and users.

I believe that GPOs are one of the most critical and powerful management tools available; that said, GPOs can also be complicated to work with. For instance, if you need to recreate a GPO, it may require tedious maneuvering between screens to verify settings from one GPO to another. Fortunately, the Group Policy Management console allows us to do a few things to tackle this task efficiently. The first is a centralized list of GPOs for the entire domain, regardless of the Organizational Unit (OU) where they reside. This panel is shown in Figure A.

Figure A 

This console serves a number of purposes, but one that irritates me is nomenclature. Figure A is a screenshot of my personal lab, and I have not done a good job in naming the GPOs. Ideally, a GPO is self-documenting so that it tells you: what it does, where it lives, and who it applies to (users, groups, computers, etc.).

Please excuse my lab’s sloppy nomenclature, and let’s focus on the ability to copy and back up a GPO in this console. When we right-click the individual GPO, a very powerful context menu appears. (Note: This menu is not available from the OUs listed above where the GPO is linked; it is only available in the Group Policy Objects section.) This context menu is shown in Figure B.

Figure B 

The copy and backup options are the two tasks that can really save administrators a lot of time. The copy operation will take an existing GPO, and allow you to paste it into the Group Policy Objects section. This may not be intuitive, and Figure C shows where it becomes an option.

Figure C 

A new GPO is created as a copy of the source GPO, and it can be linked to an OU later. This can be very helpful when a GPO is built over time, but is not ready to be applied to the destination OU.

Backing up a GPO exports the GPO to an .XML file, which can be archived and used to recover a previous version of a GPO. There is also an option to back up all GPOs, which will make a large .XML repository in a specified folder path. In both situations, the ability to have the GPOs outside of the domain controller can be attractive. While backup solutions can protect down to this level, the backup options within the Group Policy Management console can be of great aid for a quick check by hand. Viewing the .XML file isn’t very helpful, but can be an easy way to spot-check settings (Figure D).

Figure D 
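The copy and backup operations described above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original article; the GPO names and the backup share are placeholder assumptions, and the hash manifest goes beyond what the console does by recording what was archived.

```powershell
#Requires -Modules GroupPolicy
# Added example. The three values below are placeholders (assumptions), not from the article.
$SourceGpo  = 'Workstation Baseline'            # existing GPO to copy
$StagingGpo = 'Workstation Baseline - Staging'  # name for the new, unlinked copy
$BackupRoot = '\\fileserver\gpo-backups'        # share that is not on the domain controller

# Copy: same result as Copy/Paste in the Group Policy Objects section.
# The new GPO is created unlinked, so it applies to nothing until it is linked to an OU.
if (-not (Get-GPO -Name $StagingGpo -ErrorAction SilentlyContinue)) {
    Copy-GPO -SourceName $SourceGpo -TargetName $StagingGpo | Out-Null
}

# Back up all GPOs into a dated folder so earlier versions stay recoverable.
$Target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $Target -Force | Out-Null
$Backups = Backup-GPO -All -Path $Target -Comment "Export $(Get-Date -Format s)"

# Fail loudly if any GPO in the domain is missing from the backup set.
$Missing = Get-GPO -All | Where-Object { $_.Id -notin $Backups.GpoId }
if ($Missing) {
    throw "No backup written for: $($Missing.DisplayName -join ', ')"
}

# Write one XML settings report per GPO for spot checks (named by GUID,
# because display names may contain characters that are invalid in file names).
$ReportDir = Join-Path $Target 'reports'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
foreach ($b in $Backups) {
    Get-GPOReport -Guid $b.GpoId -ReportType Xml -Path (Join-Path $ReportDir "$($b.GpoId).xml")
}

# Record SHA-256 hashes (hidden files included) so later changes to the archive can be detected.
# The manifest is written next to the dated folder, not inside it.
Get-ChildItem -Path $Target -Recurse -File -Force |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $BackupRoot "$(Split-Path $Target -Leaf).sha256.csv") -NoTypeInformation

# Summary: which GPO went to which backup ID.
$Backups | Sort-Object DisplayName | Format-Table DisplayName, GpoId, Id, CreationTime
```

A backup written this way can be brought back with `Restore-GPO`, using the same folder as `-Path`.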

Rick Vanover is an IT infrastructure manager for a financial services organization in Columbus, Ohio. He has years of IT experience and focuses on virtualization, Windows-based server administration and system hardware.