Windows Server 2008 group policies are the primary security mechanism in Windows domains. They are used for everything
from software distribution to controlling which Control Panel icons are accessible to end users. As you might expect from such a versatile mechanism, there are many possible group policy setting configurations. Most organizations spend a great deal of time fine tuning their group policy configuration and the various group policy settings tend to evolve over time. As such, protecting an organization’s group policy objects against accidental change or loss is an important task. It is a good practice to back up group policies any time that you make a change, but there is no need to back them up on a daily basis unless the group policies change that frequently.
Why you need to backup Windows Server 2008 group policy settings
Some IT pros believe that it isn’t necessary to back up group policies.
When a group policy object is created in Windows Server 2008 or in Windows Server 2008 R2, that policy object is placed into the central store. The central store is a special folder that is automatically replicated to all of the domain controllers in the entire domain. That way, every domain controller has an identical copy of the group policy objects. The central store is located on Windows Server 2008 and 2008 R2 domain controllers at %Systemroot%\SYSVOL\domain\Policies.
With this in mind, there are a couple of arguments against backing up Windows Server 2008 group policy objects. One argument is that the group policy objects are already being replicated to each domain controller, so there is no need to back them up. Another argument is that if you are performing a full backup of at least one domain controller then you are already backing up the group policy objects.
While it is true that any full backup of a domain controller also includes a group policy backup, there is one very important reason for performing a separate backup of your group policy objects: Group policy-specific backups are easier to manage.
But keep in mind that if you ever need to restore a group policy object, then you need to understand that a restoration is an all or nothing proposition. The settings within the file being restored do not merge with an existing group policy object, the existing object is completely overwritten.
A hypothetical scenario
Imagine that someone makes a change to your default domain policy and the change causes major problems. Normally in a situation like that you would check the event logs to determine what has changed and what the previous value was so that you can put things back to the way that they were.
Let’s also suppose that multiple group policy settings were modified and you have no idea where the problem lies, other than that the default domain policy is the source of the problem. And let’s assume that the admin restored the default domain policy from last night’s backup of a domain controller.
Here’s the problem. If you look at Figure A, you can see the Central Store on a Windows 2008 R2 domain controller. The phrase Central Store is a Microsoft term that refers to this specific location. The individual policies reside in the rather cryptic looking sub folders, not in the Policy Definitions folder. The Policy Definitions folder is reserved for policy templates. For every group policy object there is a corresponding folder with a really long, cryptic name. There can be hundreds of these folders in a large environment. Normally if you have to restore a group policy setting then you would have to manually open an XML file in every single folder until you figure out which one matches the group policy object that you want to restore.
Trying to figure out which folder contains the policy that you are looking for just isn’t practical. Performing your own group policy backup allows you organize the backups in a way that makes it a lot easier to find the group policy object that you are looking for if you ever do have to do a restore.
The central store contains a copy of each group policy object.
Backing up and restoring group policy objects is a simple process. To backup a group policy object, open the Group Policy Management Console. Next, navigate through the console tree to Group Policy Management | <your forest> | Domains | <your domain> | Group Policy Objects. Now, right click on the Group Policy Objects container and choose the Back Up All command from the shortcut menu, as shown in Figure B.
Choose the Back Up All option from the shortcut menu.
When you do, Windows will prompt you for a backup destination and an optional description as shown in Figure C.
You can provide a description for your backup.
This method simultaneously backs up all of the group policy objects. The down side is that the group policy objects are all placed in folder structures that mimic those shown in Figure A. Therefore it may be better to backup your group policy settings one at a time. The method for doing so is almost identical to the technique described above except that you would right click on an individual group policy object rather than on the Group Policy Objects folder. As you can see in Figure D, when you right click on a group policy object, the shortcut menu contains backup and restore options specifically for that object.
You can backup and restore individual group policy objects.
If you backed up your domain controllers in the usual way (rather than using the method that was just described) and you need to restore a single group policy object then they key is figuring out which folder corresponds to the group policy object that you need to restore.
To do so, open a group policy object folder and look for a file named GPREPORT.XML. Open this file and look for a section called Identifier (near the top of the file). Just beneath the </Identifier> tag there is a <Name> tag. The text that follows this tag identifies the group policy object. To show you what I mean, I have highlighted the name of the group policy object in the XML excerpt shown in Figure E.
The name of the group policy object is embedded in the GPREPORT.XML file.