Active Directory Group Policy Health Check Items - (Part 4)

by [Published on 6 April 2017 / Last Updated on 6 April 2017]

This is Part 4 of the “Active Directory Group Policy Health Check Items” article series. In Part 1 of this series, we explained a list of Group Policy health check items that we think are necessary to include in your Active Directory health check procedure.

In Part 2 of this article series, we provided a handy PowerShell script that you can use to get a list of GPOs that are not applied to any objects in the Active Directory domains. The script collects domain information automatically from an Active Directory forest and then gets the list of GPOs that are not applied.

Part 3 focused on gathering a list of GPOs that are disabled in the Active Directory domains. We provided a handy PowerShell script that you can use to retrieve the list of Group Policy Objects that have been configured in the domains but are set to a disabled state. In Part 4, we explain the fourth Group Policy health check item, checking the GPO backup status, and the methods you can use to back up GPOs.

As you may know, a GPO has two versions: the Active Directory version and the SYSVOL version. The Active Directory version is sometimes referred to as the GPC and the SYSVOL version is referred to as the GPT. The Active Directory version of a GPO is stored in the Active Directory database and the GPT version is stored in the SYSVOL folder. When a GPO backup is performed, both versions of the GPO must be backed up.

While there are many methods available to back up domain GPOs, the most preferred method that has been in use is the Group Policy Management Console, or GPMC. The GPMC provides greater flexibility and does everything you need for backing up GPOs.

Backing Up GPOs using GPMC

The Group Policy Management Console helps you back up GPOs quickly. Before you perform GPO backup operations using GPMC, ensure that you have sufficient permissions. All you need is read permission on the GPOs and write permission on the target folder. All users in an Active Directory domain have read permission. Follow the steps outlined below to back up GPOs using the GPMC:

  1. Open the Group Policy Management Console by typing GPMC.MSC in the Start Menu.
  2. Expand the Group Policy Objects node in the GPMC console.
  3. To back up a single GPO, right-click the Group Policy Object and then click the “Back Up” action.
  4. To back up all GPOs in a domain, right-click the “Group Policy Objects” node and then click the “Back Up All” action.
  5. You will be presented with the Backup Group Policy Object dialog box, as shown in Figure 1.0 below:

    Figure 1.0 – Specifying GPO Backup Location and Description

  6. In the “Location” field, specify the GPO backup location. Ensure that you have write permissions to the folder where the backed-up GPOs will be stored.
  7. In the “Description” field, type a description for the GPOs and then click the “Back Up” button. When you click the Back Up button, GPMC initiates a backup operation for all GPOs. This might take some time depending on the number of GPOs you have in your domain. Once the GPO backup operation is completed, GPMC notifies you of the number of GPOs that have been backed up successfully.

Tip: When you perform GPO backups, the GPMC creates individual folders within the location specified for the backup. GPMC names each folder after the GPO’s GUID and then copies the GPT contents from SYSVOL into that folder. You can browse the location and see the contents.

Backing Up GPOs using PowerShell

If you need to script the GPO backup operation, you can use the Backup-GPO PowerShell cmdlet. Backup-GPO allows you to back up individual GPOs or all GPOs, as shown in the PowerShell commands below:

To back up an individual GPO using the Backup-GPO cmdlet, issue the command below:

  • Backup-GPO -Name "ScreenSaverGPO" -Path E:\BackupGPOsFolder -Comment "Daily Backup"

To back up all GPOs, execute the command below:

  • Backup-GPO -All -Path E:\BackupGPOsFolder

Tip: The Backup-GPO PowerShell cmdlet does the same job as GPMC. It uses the GPMC APIs to trigger the GPO backup operation.
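For the backup-status health check itself, a scheduled run should record which GPOs were actually backed up and which failed. The script below is an added example, not part of the original article: it backs up each GPO individually with Backup-GPO and writes a per-GPO status report. It assumes the GroupPolicy module is installed and that E:\BackupGPOsFolder exists and is writable; the dated subfolder and the backup-report.csv file name are hypothetical choices.

```powershell
# Added example: scripted GPO backup with a per-GPO status report.
# Assumptions: GroupPolicy module available; $BackupRoot exists and is writable.
Import-Module GroupPolicy

$BackupRoot = 'E:\BackupGPOsFolder'            # backup path used in the article
$Stamp      = Get-Date -Format 'yyyy-MM-dd'
$Target     = Join-Path $BackupRoot $Stamp     # one folder per run (hypothetical layout)
New-Item -Path $Target -ItemType Directory -Force | Out-Null

# Back up GPOs one at a time so a single failure does not hide the others.
$report = foreach ($gpo in Get-GPO -All) {
    try {
        $backup = Backup-GPO -Guid $gpo.Id -Path $Target `
                             -Comment "Nightly backup $Stamp" -ErrorAction Stop
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            GpoId      = $gpo.Id
            Modified   = $gpo.ModificationTime
            BackupId   = $backup.Id
            BackedUpAt = $backup.CreationTime
            Status     = 'OK'
            Error      = $null
        }
    }
    catch {
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            GpoId      = $gpo.Id
            Modified   = $gpo.ModificationTime
            BackupId   = $null
            BackedUpAt = $null
            Status     = 'FAILED'
            Error      = $_.Exception.Message
        }
    }
}

# Keep the report next to the backups so the health check can be reviewed later.
$report | Export-Csv -Path (Join-Path $Target 'backup-report.csv') -NoTypeInformation

$total  = @($report).Count
$failed = @($report | Where-Object Status -eq 'FAILED')
'{0} of {1} GPOs backed up to {2}' -f ($total - $failed.Count), $total, $Target

if ($failed.Count -gt 0) {
    $failed | Format-Table GPO, Error -AutoSize
    exit 1    # non-zero exit code lets a scheduled task flag the run as failed
}
```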

Summary and Next GPO Health Check Item

In this part, we explained the methods available to back up domain GPOs. As we explained, GPOs can be backed up using GPMC as well as the Backup-GPO PowerShell cmdlet. The preferred method that has been in use is GPMC. If you need to design a script so that GPOs are backed up automatically at night, you can use the Backup-GPO PowerShell cmdlet.

In the next part of this article series, we are going to provide a PowerShell script that you can use to get a list of GPOs that do not have the descriptive text set.

The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.