Whether you have only a few Group Policy objects (GPOs) or a few hundred, you know the complexity they bring to your Active Directory environment. Every GPO admin is concerned that a GPO change will go unnoticed and potentially break some or all of the computers on the network. Most organizations take a “limited privileged access” approach to try and curb such changes. However, even the most seasoned and thorough GPO admin can make a mistake that might take hours to recover from.
Let me remind you of the limitations of Group Policy, just so we are all on the same page. First, there is no “are you sure?” option when making a change to Group Policy. Second, there are many settings in a GPO that are variables, meaning the value is set manually. If the setting is altered or removed, there is no trace of what the old value was. Third, it is nearly impossible to track the changes that occur in a GPO, so even setting up logging can be ineffective.
Of course, you can back up your GPOs, so that if a setting changes you can restore it to a previous version. This is highly suggested, as without a GPO recovery tool this is really your only option. As a more manual option, you can print out each GPO and its settings, so you have a hard copy that you can dig into and recover from. I find that many organizations do have backups and printed versions, but they are usually very old and not updated as often as they need to be.
Instead of relying on full backups and manual printouts to recover from a Group Policy change, why not use a tool that allows you to quickly see what changed (including both the old and new values), as well as undo the change if you want the old value put back?
RecoveryManager Plus from ManageEngine provides this level of recovery from GPO changes. Figure 1 illustrates what the GPO changes look like, as well as how simple it is to choose your desired setting and restore it.
Figure 1. Group Policy recovery at the GPO setting level.
Not only will you see the last value of the GPO settings, but you can see the history of each setting as it changed over time. With a full history of GPO settings, you can restore a GPO’s settings back to any time in its history.
If you want to give this GPO recovery option a try in your own environment, you can download RecoveryManager Plus here.