3

I realise there are multiple ways in which you can back up GPOs - via PowerShell, via Group Policy Mgmt and so forth, but how in Windows are you able to back up not only the GPOs themselves, but their links to their respective OUs too? Is this achievable with these tools or would it require something like a System State backup to work?

Cheers!

PnP
  • 1
    I believe that's what a system state backup is for. Keep in mind that group policies themselves are files stored in the sysvol of the domain controllers. The links are stored in AD, not the data. – uSlackr Jun 12 '12 at 20:35

3 Answers

4

OU links are stored in the AD database, so a system state backup and AD restore would do the job. Every container has an attribute called gplink, so if you take an ldifde dump of that attribute I guess you could re-import it later. I hope this helps.

Kalatzis Stefanos
4

The actual links to a group policy object are stored in the organizational unit, domain, or site objects, in the attribute gpLink. It is a single-valued string attribute that holds all of the GPOs, delimited with each GPO object enclosed in brackets [].

The gPLink attribute holds a list of all Group Policy containers linked to the container and a number for each listed Group Policy container, that represents the Enforced (previously known as No Override) and Disabled option settings. The list appears in priority order from lowest to highest priority GPO.

If you wanted to do this manually, you could perform a global catalog query of all objects that have that attribute (gpLink=*). If you combine this with the output of the gpmc backup, you should be all set.

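# Search the global catalog for every container that carries GPO links.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"GC://dc=domainname,dc=acme,dc=com"
#$searcher.SearchScope = "subtree"  # if you have child domains
$searcher.PageSize = 1000
# Set the filter on the existing searcher; assigning a new [adsisearcher]
# here would discard the SearchRoot and PageSize configured above.
$searcher.Filter = "(gpLink=*)"
# 600-second client timeout (a bare integer would be converted as ticks).
$searcher.ClientTimeout = [TimeSpan]::FromSeconds(600)
$ADResults = @()
$results = $searcher.FindAll()
foreach ($result in $results) {
    $tempObj = New-Object psObject
    $adProperties = $result.Properties
    foreach ($propertyName in $adProperties.PropertyNames) {
        if (@($adProperties.Item($propertyName)).Count -gt 1) {
            # Multi-valued attribute: keep the collection as-is.
            $tempObj | Add-Member -MemberType NoteProperty -Name $propertyName -Value $adProperties.Item($propertyName)
        }
        else {
            # Single value: flatten to a trimmed string.
            $tempObj | Add-Member -MemberType NoteProperty -Name $propertyName -Value ($adProperties.Item($propertyName) | Out-String -Width 4096).Trim()
        }
    } # end foreach $propertyName
    $ADResults += $tempObj
} # end foreach $result
$results.Dispose()  # release the unmanaged search results
$ADResults | Select-Object distinguishedName, gpLink | Out-File results.txt -Width 4096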

Some of the links can be quite numerous. If you can find an occurrence of ... in the results file, that means you need a larger output buffer than 4096.

You may also find it useful to perform a query for objects that have the gpOptions attribute set. The gPOptions attribute contains the Block Policy Inheritance setting. It holds an integer value that indicates whether the Block Policy Inheritance option of a domain or OU is enabled (0) or disabled (1).

curropar
Greg Askew
  • Looks great, but it fails on the very first line, as "property 'SearchRoot' cannot be found on this object; make sure it exists and is settable". I guess I'd have to set $searcher first. What kind of object is it? Thanks! – curropar Mar 12 '18 at 12:27
  • Never mind, a better search on Google has given me the answer: $searcher = New-Object system.DirectoryServices.DirectorySearcher – curropar Mar 12 '18 at 12:30
  • Edited the script with that line for future reference. – curropar Mar 12 '18 at 12:32
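
Added example, not part of the answer above: a PowerShell function that decodes an exported gpLink string into one record per linked GPO and warns when the value was truncated on export (the "..." case mentioned in the answer). The function name `ConvertFrom-GpLink` is hypothetical, the sample DNs and GUIDs are constructed placeholders, and the option bits used are 1 for a disabled link and 2 for an enforced link.

```powershell
function ConvertFrom-GpLink {
    param(
        [Parameter(Mandatory)] [string] $Container,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $GpLink
    )
    # One link: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
    $pattern = '\[LDAP://(?<dn>cn=(?<guid>\{[0-9a-f-]{36}\})[^;\]]*);(?<opt>\d+)\]'
    $value   = $GpLink.Trim()
    $links   = [regex]::Matches($value, $pattern, 'IgnoreCase')

    # If the matched links do not rebuild the input exactly, the value was
    # truncated or altered (for example by a too-narrow -Width on export).
    $rebuilt = ($links | ForEach-Object { $_.Value }) -join ''
    if ($rebuilt -cne $value) {
        Write-Warning "gpLink on '$Container' did not parse cleanly; re-export it before relying on this backup."
    }

    for ($i = 0; $i -lt $links.Count; $i++) {
        $opt = [int]$links[$i].Groups['opt'].Value
        [pscustomobject]@{
            Container = $Container
            LinkOrder = $links.Count - $i      # last entry = highest priority = link order 1
            GpoGuid   = $links[$i].Groups['guid'].Value
            GpoDn     = $links[$i].Groups['dn'].Value
            Disabled  = [bool]($opt -band 1)   # bit 0: link disabled
            Enforced  = [bool]($opt -band 2)   # bit 1: link enforced
        }
    }
}

# Constructed sample values (placeholder GUIDs and domain), not real export data.
$ou   = 'OU=Workstations,DC=example,DC=com'
$pol  = 'cn=policies,cn=system,DC=example,DC=com'
$good = "[LDAP://cn={11111111-1111-1111-1111-111111111111},$pol;0]" +
        "[LDAP://cn={22222222-2222-2222-2222-222222222222},$pol;2]" +
        "[LDAP://cn={33333333-3333-3333-3333-333333333333},$pol;1]"
ConvertFrom-GpLink -Container $ou -GpLink $good |
    Format-Table LinkOrder, GpoGuid, Disabled, Enforced -AutoSize

# A value cut short on export (ends in "...") triggers the warning.
ConvertFrom-GpLink -Container $ou -GpLink ($good.Substring(0, 150) + '...') | Out-Null
```

Running the parser over every line of the exported results before filing the backup away catches truncated values while the live directory is still available to re-query.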
0

Try using the Advanced Group Policy Management tool from Microsoft, which is available for 'free' with the Desktop Optimization Pack if you have purchased software assurance licenses.

If I recall correctly, it backs up GPO link information and also provides versioning, workflow controls, and a recycle bin for GPOs.

SamErde