Today, I am sharing a PowerShell script that allows you to restore Group Policy from backups. My restore function is a companion tool to the Group Policy backup tool I shared with 4sysops readers earlier this year.

Mike Kanakos

Mike is a Windows IT pro located in the Research Triangle Park area of North Carolina with 13+ years of experience as an admin and 20 years in the field. He specializes in Active Directory, Azure AD, Group Policy, and automation via PowerShell. You can follow Mike's blog at networkadm.in or on Twitter at @MikeKanakos.

As a quick refresher, the backup tool I built saves Group Policy backups with easy-to-read folder names rather than GUIDs as filenames, which is what you would get from the default Backup-GPO cmdlet from Microsoft. When you have a large number of Group Policy Objects (GPOs) backed up with GUIDs, it's not easy to figure out which backup file is the one you need when it comes time to restore data. My backup tool solves that problem.

Once you start using my backup tool to back up Group Policy, the built-in Restore-GPO cmdlet will not read the backups my tool creates. Why? The built-in cmdlet is looking for files named as GUIDs, and my backup tool renames the files to a different naming convention.

But fear not! My backup tool makes backing up GPOs super easy, and restoring GPOs with this companion tool is also a very easy process. Let me walk you through the operation of the Restore-GroupPolicy function. If you are not familiar with my backup tool, I recommend you visit my write-up first so you can easily follow along here.

Backing up to restore

To show off the restore process, I'll start by creating a new Group Policy. From there I'll back it up, delete it, and finally restore the policy back to a domain controller (DC) to demonstrate the end-to-end process and how easy it is to do. So let's get started by creating a GPO we can test with. We can do this from PowerShell like so:

After creating the GPO, we should get a summary of the new GPO info, like so:

Here’s a quick screenshot to show that the GPO now exists in my domain:

Creating a test GPO

The next step would be to back up this GPO using the Backup-GroupPolicy cmdlet I talked about earlier in this article. The syntax for this cmdlet is very simple. You need to specify a path for the backup, the domain name, and the server to back up the data from. This will back up all GPOs to the path specified. The cmdlet will create a subfolder with today's date and store the backups in that subfolder.

When the backup completes, we have a folder that contains all the GPO backups. Notice the backup of the Group Policy named "Dummy GPO for Testing" has a modified folder name that consists of the friendly name of the GPO and the actual backup ID of the GPO.

GPO backup confirmation

Once we have a valid backup, we can go ahead and delete the Dummy GPO. Again, we can do this via PowerShell.

Restore-GroupPolicy syntax

Restoring a GPO from backup with the Restore-GroupPolicy cmdlet is a simple process, similar to the backup process we followed earlier. To perform a restore, we provide much the same information as we did during backup. We need to provide three pieces of information: the exact name of the Group Policy backup, the location of the backup, and the DC to perform the restore to. For our demonstration, the syntax is:

When we execute the command, the cmdlet reaches out to the folder, reads the GPO backup, and initiates the restore process. Once the process completes, it returns the summary information.

Notice the time of GPO creation has changed to the time I ran the restore (approximately two and a half hours after I ran the first backup). We now have our Dummy GPO restored to the SYSVOL folder on a DC without any issue, and it only took one command to get back a working copy of the GPO. Active Directory will then replicate that GPO to all the other DCs in my domain.

Restore-GroupPolicy code

The Restore-GroupPolicy cmdlet doesn't have a bunch of complex code. Most of the code is creating some temp variables and then temporarily renaming the file path to those variables. After creating the temp variables, it passes all the info to the built-in Group Policy cmdlets from Microsoft to do the actual GPO restore.

That's the main portion of the code for this script. When I write scripts, I always prefer to write functions because they include help and examples, and also the code becomes portable. The Restore-GroupPolicy cmdlet is a function, so make sure you load it into memory before you attempt to run it. You can find the full script below. The latest versions of all of my scripts are always located in my GitHub repo. I hope you find this tool and all of my others worthy additions to your sysadmin tool kit. Please reach out via the comments section if you have any questions about this or any of my other scripts.
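
The rename-then-delegate approach described in this section, sketched as an added example; it is not the author's Restore-GroupPolicy code. The function name `Restore-GpoFromNamedBackup`, its parameters, and the `<friendly name>___{<backup ID>}` folder layout are assumptions. Because a restored GPO replicates to every DC, it also checks the display name recorded in the backup's `bkupInfo.xml` against the folder name before handing off to the built-in `Restore-GPO`.

```powershell
#Requires -Modules GroupPolicy
# Added illustration; hypothetical function, not the author's Restore-GroupPolicy.
function Restore-GpoFromNamedBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BackupFolder,  # full path to the renamed backup folder
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Server         # DC that receives the restored GPO
    )

    $folder = Get-Item -LiteralPath $BackupFolder -ErrorAction Stop
    $parent = $folder.Parent.FullName

    # ASSUMPTION: folder name ends with the backup ID in braces,
    # e.g. 'Dummy GPO for Testing___{<backup-id-guid>}'.
    if ($folder.Name -notmatch '^(?<name>.+?)_*(?<id>\{[0-9a-fA-F-]{36}\})$') {
        throw "No backup ID found in folder name '$($folder.Name)'."
    }
    $gpoName  = $Matches['name']
    $backupId = [guid]$Matches['id']

    # Confirm the backup's own metadata agrees with the folder name before restoring.
    $infoPath = Join-Path $folder.FullName 'bkupInfo.xml'
    $info     = [xml](Get-Content -LiteralPath $infoPath -Raw -ErrorAction Stop)
    $recorded = $info.SelectSingleNode("//*[local-name()='GPODisplayName']").InnerText
    if ($recorded -ne $gpoName) {
        throw "Folder says '$gpoName' but bkupInfo.xml says '$recorded'; refusing to restore."
    }

    $guidName = $backupId.ToString('B')   # '{xxxxxxxx-...}', the folder name Restore-GPO looks for
    if (-not $PSCmdlet.ShouldProcess($gpoName, "Restore GPO on $Server")) { return }

    # Temporarily give the folder its GUID name, restore, then put the friendly name back.
    Rename-Item -LiteralPath $folder.FullName -NewName $guidName -ErrorAction Stop
    try {
        Restore-GPO -BackupId $backupId -Path $parent -Domain $Domain -Server $Server
    }
    finally {
        # Runs even if the restore throws, so the backup set keeps its readable names.
        Rename-Item -LiteralPath (Join-Path $parent $guidName) -NewName $folder.Name
    }
}
```

Run it with `-WhatIf` first to confirm the folder name parses and the metadata check passes without touching the backup or the domain.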


© 4sysops 2006 - 2019
