Get GPO Backup

The GroupPolicy module from Microsoft offers a great deal of functionality from a command line. In terms of regular maintenance or administration it is pretty hard to beat, especially if you have 100s or 1000s of GPOs. When you have such a large number, backing them up is critical and easy to accomplish with the Backup-GPO cmdlet. However, if you want to restore or import from a backup, you have to resort to the graphical Group Policy Managment Console. I couldn’t find any way to manage GPO backups from PowerShell so I wrote my own.

My function, Get-GPOBackup, will search a GPO backup folder and retrieve backup objects. All of this is done using the file system. Technically you don’t need the Group Policy module to retrieve the backup information. However, if you want to restore anything then you of course need the Group Policy module loaded. The only parameter you need to specify is the path. Although the function is designed to use the value of a global variable, $GPBackupPath. So if you use this alot, set that variable. But perhaps before we get too far you’d like to see the function.

The complete function has comment based help.

get-gpobackp help

get-gpobackp help

As I said, the -Path parameter is key. It is not mandatory in the attribute-sense, but I have code that prompts for a missing value and the path is tested before anything else is done.

GPO backups are stored under a GUID for each GPO, so I use a regular expression pattern to identify these. I’m making an assumption that the path you specify won’t have any other folders with GUID-based names.

Each backup consists of a few XML files. My function parses the XML and creates a custom object for each backup. These are added to a temporary array.

Now for the really fun part. The function supports a few other parameters that allow you to search for a GPO by name. So if you specify -Name, everything else is filtered out.

I also include a parameter to get the latest backup. I accomplish this by grouping the backup objects by their GPO GUID, sorting by backup date and selecting the latest one.

You should end up with an object like this for each GPO backup.

I tried to create an object so that if you wanted to restore a GPO you could with minimal effort. Unfortunately, the Import-GPO cmdlet doesn’t have enough support for parameter binding. So if you want to restore a backup, you’ll need to resort to a ForEach-Object command like this:

My function is in a stand-alone script so to use it, you either need to copy and paste the function into your profile or dot source the script. Even though I wrote it to help with imports, you could easily use it to manage a backup folder, deleting obsolete backups. The function is writing an object to the pipeline that you can use in whatever manner you can think of. I hope you’ll let me know what you think and if there is anything you think is missing.

Download Get-GPOBackup.