Although it’s not directly related to the application of Group Policy Objects (GPOs), backup is a step administrators typically skip: they do not back up their GPOs so that they can recover in case of a disaster. In fact, Microsoft only provides limited control over GPO backup and recovery, which may explain why admins overlook such required measures.
As a best practice, all administrators should do the following with regard to their GPOs:
- Back up all GPOs on a daily basis.
- Generate a report on GPOs to view all their settings.
- Implement a solution that allows for setting-level GPO recovery.
As an administrator, you can use the Group Policy Management Console (GPMC), the VBScripts that are provided by Microsoft, or even the PowerShell commands that are available to back up your GPOs. All of these solutions will do an excellent job of backing up the GPOs in case you need to restore them. Figure 1 illustrates how you can use the GPMC to back up all of your GPOs.
Figure 1. The GPMC lets admins back up all GPOs.
Generating reports for your GPOs is an essential step in case you need to investigate a GPO’s settings. You need a report because, if a GPO setting is changed, there is no other way of knowing what the setting was. A report of each GPO (created by clicking “Save Report”) includes the settings, permissions, etc., as seen in Figure 2.
Figure 2. Generating a report of each GPO is essential.
For each GPO, you’ll need to go through the motions of generating a report. It is also a good idea to generate an HTML version, so the GPOs can be posted on a secured site for all admins to view.
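One way to script the backup and per-GPO reporting described above with the PowerShell GroupPolicy module (`Backup-GPO`, `Get-GPO`, `Get-GPOReport`). This is an added example, not code from the original article or from Microsoft; the backup path, the dated folder layout and the `manifest.csv` file name are assumptions.

```powershell
#Requires -Modules GroupPolicy
# Added example: back up every GPO and save an HTML and XML report for each one.
# Assumption: $BackupRoot is a placeholder path; restrict its ACL to GPO administrators.
param(
    [string]$BackupRoot = 'D:\GPO-Backups'   # hypothetical location
)

$ErrorActionPreference = 'Stop'

# One dated folder per run, so a daily scheduled task never overwrites an earlier backup.
$stamp     = Get-Date -Format 'yyyy-MM-dd'
$backupDir = Join-Path $BackupRoot $stamp
$reportDir = Join-Path $backupDir 'Reports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Back up all GPOs in the current domain (the scripted form of the GPMC "Back Up All" action).
$gpos    = @(Get-GPO -All)
$backups = @(Backup-GPO -All -Path $backupDir -Comment "Daily backup $stamp")

# 2. Record which backup ID belongs to which GPO, to make a later restore easier to target.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $backupDir 'manifest.csv') -NoTypeInformation

# 3. Save a report per GPO. HTML is for people to read; XML is easier to diff between days.
$invalid = [regex]::Escape(-join [IO.Path]::GetInvalidFileNameChars())
foreach ($gpo in $gpos) {
    # GPO display names may contain characters that are not valid in file names.
    $safeName = $gpo.DisplayName -replace "[$invalid]", '_'
    $base     = Join-Path $reportDir ('{0}_{1}' -f $safeName, $gpo.Id)
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$base.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Xml  -Path "$base.xml"
}

# 4. Check that every GPO was backed up; a mismatch usually means the account
#    running the script cannot read one or more GPOs.
if ($backups.Count -ne $gpos.Count) {
    Write-Warning ("Backed up {0} of {1} GPOs; check read permissions." -f $backups.Count, $gpos.Count)
}
```

Run it from a daily scheduled task under an account that can read every GPO. It needs a machine with the Group Policy management tools installed.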
(Note: ADAudit Plus and RecoveryManager Plus can track all changes made to GPOs. RecoveryManager Plus can even restore setting-level changes to GPOs.)
The final consideration, being able to restore a GPO setting (without having to restore all settings in the GPO), is one that is rarely evaluated. Microsoft does not provide this level of restoration, even with its Advanced Group Policy Management (AGPM) tool. RecoveryManager Plus not only gives you the power to restore GPOs to any point in time, but also the ability to restore just the settings in the GPO that require restoration. Figure 3 illustrates the level of detail that RecoveryManager Plus provides.
Figure 3. Restoring setting-level configurations to a GPO with RecoveryManager Plus.
Be sure you don’t make a huge mistake by failing to back up your GPO environment. Being able to restore GPOs and their settings is key to the stability of your entire AD enterprise.
If you want to test RecoveryManager Plus in your own environment, download it here.