Backup using GPMC
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Backing up a Group Policy object (GPO) copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO. For step-by-step instructions, see Back up a Group Policy object using GPMC.
What is saved in a backup
Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following information:
The GPO globally unique identifier (GUID) and domain
The discretionary access control list (DACL) on the GPO
The WMI filter link, if there is one, but not the filter itself
Links to IP Security Policies, if any
XML report of the GPO settings, which can be viewed as HTML from within GPMC
Date and time stamp of when the backup was taken
User-supplied description of the backup
What is not saved in a backup
Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not saved, including the following information:
Links to a site, domain or organizational unit
IP Security policy
This data is not available when the backup is restored to the original GPO or imported into a new one.
Multiple backups of the same GPO or of different GPOs can be stored in the same file system location. Each backup is identified by a unique backup ID. The collection of backups in a given file system location can be managed using the Manage Backups dialog box in GPMC or through the scriptable interfaces. The Manage Backups dialog box is available by right-clicking either the Domains node or the Group Policy Objects node in a given domain. When you open Manage Backups from the Group Policy Objects node, the view is automatically filtered to show only backups of GPOs from that domain. When opened from the Domains node, the Manage Backups dialog box shows all backups, regardless of which domain they are from.
Securing GPO backups
To prevent unauthorized access and tampering, you should store GPO backups in a secure location with strong file system security (using discretionary access control lists, also known as DACLs) so that only authorized administrators have access to the backups.
For additional security, you can store these files on computers running Windows 2000 or later operating systems. This prevents tampering with the data while it is in transit over the network, because all SMB traffic between computers running Windows 2000 or later is digitally signed by default. Furthermore, mutual authentication is used for communications between computers running Windows 2000 or later, which ensures that the data comes from a trusted source.
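One way to check the file system permissions described above, as an added PowerShell example that is not part of the original article: the script reports every owner and Allow entry under a backup folder that is not on an allow list. The path D:\GPOBackups and the CONTOSO\Domain Admins group are assumed placeholder values.

```powershell
# Added example: audit NTFS permissions on a GPO backup location.
# $BackupRoot and $Allowed are assumed values; replace them with your own.
param(
    [string]$BackupRoot = 'D:\GPOBackups',
    [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                           'CONTOSO\Domain Admins')
)

function Get-BackupAclFinding {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -LiteralPath $Path

    # An owner can always rewrite the DACL, so the owner must be trusted too.
    if ($Allowed -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $Path; Identity = $acl.Owner
                           Issue = 'Unexpected owner'; Rights = $null }
    }

    foreach ($ace in $acl.Access) {
        # Deny entries only restrict access; report Allow entries only.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Allowed -contains $who) { continue }
        $kind = if ($ace.IsInherited) { 'Inherited allow ACE' } else { 'Explicit allow ACE' }
        [pscustomobject]@{ Path = $Path; Identity = $who
                           Issue = $kind; Rights = $ace.FileSystemRights }
    }
}

# Check the root folder and every file and folder beneath it.
$items = @($BackupRoot) + @(Get-ChildItem -LiteralPath $BackupRoot -Recurse -Force |
    Select-Object -ExpandProperty FullName)

$findings = foreach ($i in $items) { Get-BackupAclFinding -Path $i -Allowed $Allowed }

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) permission(s) outside the allow list."
} else {
    Write-Output "Only allow-listed principals have access under $BackupRoot."
}
```

Inherited entries are reported on every child item, so a single unexpected ACE on the root folder appears once per file; fix it at the root and re-run.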
Concepts
Create a migration table
Restore a backed-up Group Policy object using GPMC
Copy a Group Policy object using GPMC
Import a Group Policy object using GPMC
Backup using GPMC
Copy using GPMC
Restore using GPMC
Import using GPMC
The migration table editor
Scripting Group Policy tasks using GPMC