Recipe 9.18 Restoring a GPO

9.18.1 Problem

You want to restore a GPO.

9.18.2 Solution

9.18.2.1 Using a graphical user interface
  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to back up, and expand the Group Policy Objects container.

  3. Right-click on the GPO you want to restore, and select Restore from Backup.

  4. Click Next.

  5. Select the backup folder location and click Next.

  6. Select the backup you want to restore and click Next.

  7. Click Finish.

  8. You will see the restore status window. After it completes, click OK to close the window.

9.18.2.2 Using a command-line interface
> restoregpo.wsf "<BackupFolder>" "<GPOName>"
9.18.2.3 Using VBScript
' This code restores a GPO from a back up.
' ------ SCRIPT CONFIGURATION ------
strGPO      = "<GPOName>"       ' e.g. Sales Users GPO
strDomain   = "<DomainDNSName>" ' e.g. rallencorp.com
strLocation = "<BackupFolder>"  ' e.g. c:\GPMC Backups
strBackupID = "<BackupGUID>"    ' e.g. {85CA37AC-0DB3-442B-98E8-537291D26ED3}
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
  
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Make sure backup location and ID are valid
set objGPMBackupDir = objGPM.GetBackupDir(strLocation)
set objGPMBackup = objGPMBackupDir.GetBackup(strBackupID)
WScript.Echo "Backup found:"
WScript.Echo "  ID: " & objGPMBackup.ID
WScript.Echo "  Timestamp: " & objGPMBackup.TimeStamp
WScript.Echo "  GPO ID: " & objGPMBackup.GPOID
WScript.Echo "  GPO Name: " & objGPMBackup.GPODisplayName
WScript.Echo "  Comment: " & objGPMBackup.Comment
WScript.Echo 

' Perform restore
set objGPMResult = objGPMDomain.RestoreGPO(objGPMBackup, _
                                           objGPMConstants.DoNotValidateDC)
' This will throw an exception if there were any errors
' during the actual operation.
on error resume next
objGPMResult.OverallStatus( )
if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status message(s): " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Print result
if Err.Number <> 0 then
   WScript.Echo "Error restoring GPO " & objGPMBackup.GPODisplayName
   WScript.Echo "Error: " & Err.Description
else 
   WScript.Echo "Restore successful."
   WScript.Echo "GPO '" & objGPMBackup.GPODisplayName & _
                "' has been restored."
end if

9.18.3 Discussion

To restore a GPO using GPMC, you first need a valid backup of the GPO. The procedure for backing up a GPO is described in Recipe 9.17. You can then restore the GPO, even if the GPO has been deleted. To restore a deleted GPO, use the following steps:

  1. Right-click on the Group Policy Objects container in the target domain and select Manage Backups.

  2. Highlight the GPO you want to restore and click the Restore Button

  3. Click Yes to confirm.

  4. Click OK after the restore completes.

If you don't have a valid backup of the GPO, but you do have another GPO that is identical or similar to the one you want to restore (perhaps in another forest), you can copy that GPO to replace the one you want to restore. See Recipe 9.3 for more on copying GPOs.

9.18.3.1 Using VBScript

To restore a GPO, I have to first get a handle to the backup I am going to restore from. This is done by instantiating an object to the backup location with GPM.GetBackupDir, and then calling GPMBackupDir.GetBackup with the GUID of the backup to be restored. If you need to programmatically search for the backup ID, you can use the GPMBackup.SearchBackups method to find the most recent backup or a backup with a particular display name.

After I obtain a GPMBackup object, I call the GPMDomain.RestoreGPO method. The first parameter is the GPMBackup object that represents the backup to restore. The second parameter is a validation flag, and I use the constant that causes the restore to not be validated against a domain controller.

9.18.4 See Also

Recipe 9.3 for copying a GPO, Recipe Recipe 9.17 for backing up a GPO, and MSDN: GPMDomain.RestoreGPO



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List