Restore using GPMC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Restoring a Group Policy object (GPO) re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. The end effect is the same in either case, except as noted below for GPOs that contain software installation settings. A restore operation replaces the following components of a GPO:
The Discretionary Access Control List (DACL) on the GPO
WMI filter links (but not the filters themselves)
The restore operation does not restore objects that are not part of the GPO. This includes:
Links to a site, domain, or organizational unit. Links are an attribute of the site, domain, or organizational unit, not the GPO. Any existing links in these containers will continue to be used, for example, when restoring an existing GPO to a previous state. However, if you have deleted a GPO and all links to the GPO, you must add these links back after restoring the GPO.
WMI filters. A GPO only contains a link to the WMI filter. If the WMI filter does not exist at the time of restore, the link will be dropped, otherwise the link will be restored.
IPSec Policies. A GPO only contains a link to the IPSec policy. If the IPSec policy does not exist at the time of restore, the link will be dropped, otherwise the link will be restored.
GPMC identifies the GPO by its domain and globally unique identifier (GUID). The purpose of a restore operation is to return the GPO to its original state, so the restore operation retains the original GUID even if it is recreating a deleted GPO. This is a key difference between the restore operation and the import or copy operations. You cannot use restore to transfer GPOs to different domains or forests. That capability is provided by import and copy.
Restoring a GPO from backup: permissions required
The permissions necessary to perform a restore of a GPO vary, depending on whether you are restoring an existing GPO or if you are restoring a GPO that has been deleted since it was backed up. Version numbers for the GPO are handled differently as well. The following table summarizes the situation for existing and deleted GPOs:
|GPO state|Permission needed to restore GPO from backup|GPO version number|
|---|---|---|
|Existing GPO|The user must have Edit settings, delete, and modify permissions on the GPO, as well as read access to the file system location where the backup is stored. This does NOT require GPO creation rights.|Incremented by 1, which will trigger client refreshes of settings from the GPO.|
|Deleted GPO|The user must have the right to create GPOs in the domain, as well as read access to the file system location where the backup is stored.|Retained unchanged from the backed-up GPO.|
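The following script is an added example, not part of this GPMC documentation. It uses the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and later and RSAT, not the VBScript samples of the Windows Server 2003 GPMC) to restore a GPO from a backup folder and then check the points made above: the GUID and version number after restore, the container links that a restore never brings back, the WMI filter link that is dropped when the filter is missing, and the DACL that the restore replaces. The GPO name, backup path, domain and target OU are assumed values.

```powershell
# Added example (not from the GPMC documentation): restore a GPO from a GPMC backup
# with the GroupPolicy PowerShell module and verify what the restore does NOT bring
# back (links, WMI filter) and what it replaces (DACL, version number).
# GPO name, backup path, domain and target OU below are assumptions.
Import-Module GroupPolicy

$GpoName   = 'Workstation Baseline'                        # assumed GPO name
$BackupDir = '\\fileserver\GpoBackups'                     # assumed backup location (read access required)
$Domain    = 'corp.example.com'                            # assumed domain
$TargetOu  = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed OU that should link the GPO

# Record the version before the restore if the GPO still exists. For an existing GPO
# the version is incremented by 1; for a deleted GPO it is retained from the backup.
$before = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if ($before) {
    Write-Host "Existing GPO $($before.Id): user v$($before.User.DSVersion), computer v$($before.Computer.DSVersion)"
} else {
    Write-Host "GPO '$GpoName' is not present; restore will re-create it with its original GUID"
}

# Restore the most recent backup of this GPO from the backup folder (retains the original GUID).
$restored = Restore-GPO -Name $GpoName -Path $BackupDir -Domain $Domain
Write-Host "Restored '$($restored.DisplayName)' GUID $($restored.Id): user v$($restored.User.DSVersion), computer v$($restored.Computer.DSVersion)"

# 1. Links are an attribute of the site/domain/OU, not of the GPO: confirm the OU still links it.
$links = (Get-GPInheritance -Target $TargetOu -Domain $Domain).GpoLinks
if (-not ($links | Where-Object { $_.GpoId -eq $restored.Id })) {
    Write-Warning "No link from $TargetOu to '$GpoName'; re-create it with: New-GPLink -Name '$GpoName' -Target '$TargetOu'"
}

# 2. The WMI filter link is dropped when the filter no longer exists at restore time.
if ($restored.WmiFilter) {
    Write-Host "WMI filter link restored: $($restored.WmiFilter.Name)"
} else {
    Write-Warning "Restored GPO has no WMI filter link (filter missing at restore time, or none in the backup)"
}

# 3. The DACL from the backup replaces the current one: list who now holds full control.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Where-Object { $_.Permission -eq 'GpoEditDeleteModifySecurity' } |
    ForEach-Object { Write-Host "Edit settings, delete, modify security: $($_.Trustee.Name)" }
```

Run the script as a user with the permissions listed in the table above; for a deleted GPO that means the right to create GPOs in the domain.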
Restoring GPOs with software installation settings
When restoring a deleted GPO that contains Software Installation settings, some side effects are possible depending on the circumstances under which the GPO is restored.
When restoring a GPO that contains software installation settings, it is possible that:
Cross-GPO upgrade relationships that upgrade applications in the GPO being restored, if any, are not preserved after restore. A cross-GPO upgrade is one in which the administrator has specified that an application should upgrade another application, and the two applications are not in the same GPO. Note that upgrade relationships are preserved when applications—in the GPO being restored—upgrade applications in other GPOs.
If the client computer has not yet detected that the GPO has been deleted (because the user has not logged on again or rebooted since the deletion of the GPO), and the application was deployed with the option "Uninstall this application when it falls out of scope of management", then the next time the user logs on:
Published applications that the user has previously installed will be removed.
Assigned applications will be uninstalled before re-installation.
This issue can be avoided if all of the following conditions are met:
You perform the restore on a Windows Server 2003 domain controller instead of a Windows 2000 domain controller.
The user performing the restore has permissions to re-animate tombstone objects in the domain.
The time elapsed between deletion and restoration of the GPO does not exceed the tombstone lifetime specified in Active Directory.
Tombstone re-animation is a new feature of Windows Server 2003 Active Directory. By default, only Domain Admins and Enterprise Admins have this permission, but you can delegate this right to additional users at the domain level using the ACL editor.
As a general rule, if you deploy software using Group Policy, it is recommended that you perform the restoration of GPOs that contain application deployments using a domain controller running Windows Server 2003 and that you grant the tombstone re-animation right to the users who will be performing restoration of those GPOs.
For more details on this issue, see Group Policy Administration with Group Policy Management Console (GPMC) (http://www.microsoft.com/).
Finally, when restoring a GPO that contains software installation settings, if you are using categories to classify applications, the application in the restored GPO will appear in its original category only if the category exists at the time of restoration. Note that the category definition is not part of the GPO.