Backing up, Restoring, Migrating, and Copying GPOs
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in event of error or disaster. It helps you avoid having to manually recreate lost or damaged GPOs and then go through the planning, testing, and deployment phases again. Part of your ongoing Group Policy operations plan should include regular backups of all GPOs. Inform all Group Policy administrators about how to use GPMC to restore GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains. You can use GPMC to migrate an existing GPO, for example, from an existing domain into a newly deployed domain. You can either copy GPOs or import settings from one GPO into another GPO. This can save you a lot of time and trouble by enabling you to re-use the contents of existing GPOs. Copying GPOs enables you to move straight from the staging phase to production, provided you have the proper trust between the environments. Import allows you to transfer settings from a backed-up GPO into an existing GPO, and is especially useful in situations where there is no trust between the source and destination domains. If you want to reuse existing GPOs, copying also allows you to conveniently move GPOs from one production environment to another.
Using GPMC to Work with GPOs
To create GPO backups, you must have at least Read access to the GPOs and Write access to the folder in which the backups are stored. See Figure 2.10 to help you identify the items referred to in the procedures that follow.
Figure 2.10 Backup Options in the Group Policy Management Console User Interface
Using GPMC to Back up GPOs
The backup operation backs up a live GPO to the file system. The location of the backup can be any folder to which you have write access. After backing-up GPOs, you must use GPMC to display and manipulate the contents of your backup folder, either by using the GPMC UI or programmatically by using a script. Do not interact with backed-up GPOs directly through the file system. Once backed up, archived GPOs can be processed by the Import and Restore operations.
Note that you can back up multiple instances of the same GPO to the same location — GPMC uniquely identifies each backup instance and provides mechanisms to allow you to pick which instance of the archived GPO you want to work with. For example, you can choose to display only the most recent backups when viewing the contents of a backup folder through GPMC. This can be useful when you make backups of a GPO after changing it, and later need to restore a previous version of that GPO.
To back up all GPOs in a domain
In the GPMC console tree, expand the forest or domain that contains the GPOs you want to back up.
Right-click the Group Policy Objects container.
In the context menu, click Back Up All.
In the Backup Group Policy Object dialog box, enter the path to the location at which you want to store the GPO backups. Alternatively, you can click Browse, locate the folder in which you want to store the GPO backups, and then click OK.
Type a description for the GPOs that you want to back up, and then click Backup.
After the operation completes, click OK.
To back up a specific GPO
In the Group Policy Objects container, right-click the GPO you want to back up.
In the context menu, click Back Up.
In the Backup Group Policy Object dialog box, enter the path to the location at which you want to store the GPO backup. Alternatively, you can click Browse, locate the folder in which you want to store the GPO backup, and then click OK.
Type a description for the GPO that you want to back up, and then click Backup.
After the operation completes, click OK.
To manage GPO backups
In the GPMC console tree, expand the domain that contains the GPOs that you want to back up.
Right-click Group Policy Objects container.
In the Manage Backups dialog box, click Browse, locate the folder that contains your GPO backups, and then click OK.
- You should secure backed-up GPOs by ensuring that only authorized administrators have permission to access the folder to which you are saving GPOs. Use good security on the file system where they are backed up.
Using GPMC to Restore GPOs
You can also restore GPOs. This operation takes a backed-up GPO and restores it to the same domain from which it was backed up. You cannot restore a GPO from backup into a domain different from the GPO’s original domain.
To restore a previous version of an existing GPO
In the GPMC console tree, expand the forest or domain that contains the GPOs you want to restore.
Expand the Group Policy Objects container, right-click the GPO you want to restore to a previous version, and then click Restore from Backup.
When the Restore Group Policy Object Wizard appears, follow the instructions and provide the appropriate information about the backed-up GPO that you want to restore, and then click Finish.
After the Restore Group Policy Object Wizard completes the restore operation, click OK.
To restore a deleted GPO
Right-click the Group Policy Objects container and then select the Manage Backups option from the context menu.
In the Manage Backups dialog box, click Browse, and then locate the file system that contains your backed-up GPOs.
Select the GPO that you want to restore, and then click Restore.
When you are prompted to confirm the restore operation, click OK.
- Settings that are stored outside the GPOs, such as WMI filters and IPSec policies are not backed up or restored during these processes. However, links to WMI filters and IPSec are stored in the GPO, and these are backed up as part of the GPO. During restore, the links are preserved if the underlying object still exists in Active Directory.
Using GPMC to Copy GPOs and Import GPO Settings
GPMC allows you to copy GPOs, both in the same domain and across domains, as well as import Group Policy settings from one GPO to another. Perform these operations as part of your staging process prior to deployment in your production environment. These operations are also useful for migrating GPOs from one production environment to another.
Although the collection of settings which comprises a GPO is logically a single entity, the data for a single GPO is stored in multiple locations and in a variety of formats; some data is contained in Active Directory and other data is stored in the Sysvol folder on domain controllers. This means that you cannot simply copy GPOs by copying a folder from one computer to another. However, GPMC provides built-in support that allows you to do this safely and relatively simply.
A copy operation copies an existing, live GPO to the desired destination domain. A new GPO is always created as part of this process. The destination domain can be any trusted domain in which you have the rights to create new GPOs. Simply add the desired forests and domains in GPMC and use GPMC to copy and paste (or drag and drop) the desired GPOs from one domain to another. To copy a GPO, you must have permission to create GPOs in the destination domain.
An additional option available when copying GPOs is to copy the Discretionary Access Control List (DACL) on the GPO in addition to the settings within the GPO. This is useful for ensuring that the new GPO that is created as part of the copy operation has the same security filtering and delegation options as the original GPO.
Importing a GPO allows you to transfer settings from a backed-up GPO to an existing GPO. Importing a GPO transfers only the GPO settings; it does not modify the existing security or links on the destination GPO. Importing a GPO is useful for migrating GPOs across untrusted environments, because you only need access to the backed-up GPO, not the actual GPO. Because an import operation only modifies settings, Edit permissions on the destination GPO are sufficient to perform the operation.
When copying or importing a GPO, you have the option of specifying a migration table if the GPO contains security principals or UNC paths that might need to be updated to new values in the target domain. Use the Migration Table Editor to create and edit migration tables; migration tables are described in the next section, "Using GPMC to Migrate GPOs."
To copy a GPO
In the GPMC console tree, right-click the GPO that you want to copy, and then click Copy.
To place the copy of the GPO in the same domain as the source GPO, right-click the Group Policy Objects container, and then click Paste.
To place the copy of the GPO in a different domain (either in the same or a different forest), expand the destination domain, right-click the Group Policy Objects container, and then click Paste.
If you are copying within a domain, click Use the default DACL for new GPOs or Preserve the existing DACL, and then click OK.
If you are copying to or from another domain, answer all the questions in the cross-domain copying wizard that appears, and then click Finish.
To import settings from a backed up GPO into a GPO
In the GPMC console tree, expand the domain that contains the GPO into which you want to import settings.
Expand the Group Policy Objects container, right-click the GPO, and then click Import Settings.
When the Import Settings Wizard appears, follow the instructions and provide the appropriate information about the backed up GPO that contains the settings you want to import, and then click Finish.
Using Migration Tables
Because some data in a GPO is domain-specific and might not be valid if copied directly to another domain, GPMC introduces migration tables. Migration tables are stored with the file name extension .migtable, and are actually XML files.
A migration table is a file that maps references to users, groups, computers, and UNC paths in the source GPO to new values in the destination GPO. The migration table consists of one or more mapping entries. Each mapping entry consists of a source type, source reference, and destination reference. If you specify a migration table when performing an import or copy, each reference to the source entry is replaced with the destination entry when the settings are written into the destination GPO. To use a migration table, the destination references specified in the migration table must already exist.
To examine a sample migration table, see program files\GPMC\Scripts\SampleMigrationTable.migtable on a computer where GPMC is installed. You do not need to know XML to create or edit migration tables; GPMC provides the Migration Table Editor for manipulating migration tables.
You can use migration tables to update security principals and UNC paths to new values as part of the import or copy operation.
The following items can contain security principals and can be modified using a migration table.
Security policy settings of the following types:
User rights assignment
Advanced folder redirection settings
The GPO DACL, if it is preserved during a copy operation
The DACL on software installation objects, which is only preserved if the option to copy the GPO DACL is specified
Also, the following items can contain UNC paths, which might need to be updated to new values as part of the import or copy operation, because servers in the original domain might not be accessible from the domain to which the GPO is being migrated:
Folder redirection Group Policy settings
Software installation Group Policy settings
References to scripts (such as for logon and startup scripts) that are stored outside the GPO. The script itself is not copied as part of the GPO copy or import operation, unless the script is stored inside the source GPO.
A migration table is a simple table that specifies a mapping between a source value and a destination value. Figure 2.11 shows a migration table in the Migration Table Editor in GPMC.
Figure 2.11 Migration Table Editor
The purpose of this table is to perform, during the copy or import operation, conversion of the references in a GPO to new references that will work in the target domain.
For more information about using migration tables, see "Staging Group Policy Deployments," in this book, and see the white papers available from the Administering Group Policy with GPMC link and the Migrating GPOs Across Domains by Using GPMC link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.