Home / server / Questions / 398064
In Process
PnP
Asked: 2012-06-13 12:19:42 +0800 CST

Backing up Group Policy Objects and their OU Links

  • 772

I realise there are multiple ways in which you can backup GPO's - via Powershell, via Group Policy Mgmt and so forth, but how in Windows are you able to backup not only the GPO's themselves, but their links to their respective OU's too? Is this achievable with these tools or would it require something like a System State backup to work?

Cheers!

windows-server-2008 backup group-policy powershell active-directory

3 Answers

  1. OU links are stored in the AD Database. So a system state backup and AD restore would make the job. Every container has an Attribute called gplink. So if you take an ldifde dump of that attribute I guess you could re-import it later. I hope this help.

    • 4

  2. The actual links to a group policy object are stored in the organizational unit, domain, or site objects, in the attribute gpLink. It is a single-valued string attribute that holds all of the gpo's, delimited with each gpo object enclosed in brackets [].

    The gPLink attribute holds a list of all Group Policy containers linked to the container and a number for each listed Group Policy container, that represents the Enforced (previously known as No Override) and Disabled option settings. The list appears in priority order from lowest to highest priority GPO.

    If you wanted to do this manually, you could perform a global catalog query of all objects that have that attribute (gpLink=*). If you combine this with the output of the gpmc backup, you should be all set. 

    $searcher = New-Object system.DirectoryServices.DirectorySearcher
$searcher.SearchRoot=[adsi]"GC://dc=domainname,dc=acme,dc=com"
#$searcher.SearchScope="subtree"  #if you have child domains
$searcher.PageSize=1000
$searcher=[adsisearcher]"(gpLink=*)"
$searcher.ClientTimeout=600
$ADResults = @() 
$results=$searcher.FindAll()
foreach ($result in $results) { 
    $tempObj = New-Object psObject 
    $adProperties = $result.properties 
    foreach ($propertyName in $adProperties.propertyNames) { 
       if (@($adProperties.item($propertyName)).count -gt 1) { 
            $tempObj | Add-Member -MemberType noteproperty -Name $propertyName -Value $adProperties.item($propertyName)} 
       else {
        $tempObj | Add-Member -MemberType noteproperty -Name $propertyName -Value ($adProperties.item($propertyName) | Out-String -Width 4096).trim()} 
       } # end foreach $propertyName 
    $ADResults += $tempObj 
} # end foreach $result 
$ADResults | select distinguishedName, gpLink | Out-File results.txt -Width 4096

    Some of the links can be quite numerous. If you can find an occurrence of ... in the results file, that means you need a larger output buffer than 4096.

    You may also find it useful to perform a query for objects that have the gpOptions attribute set. The gPOptions attribute contains the Block Policy Inheritance setting. It holds an integer value that indicates whether the Block Policy Inheritance option of a domain or OU is enabled (0) or disabled (1).

    • 4

  3. Try using the Advanced Group Policy Management tool from Microsoft, which is available for 'free' with the Desktop Optimization Pack if you have purchased software assurance licenses.

    If I recall correctly, it backups GPO link information and also provides versioning, workflow controls, and a recycle bin for GPO's.

    • 0