Export and import (GPO)
2 September 2021Thank you for reading this post, don't forget to subscribe!
There are two ways to export and import GPOs: you can use the Group Policy Management Console (GPMC) or you can use PowerShell.
GPMC
Backup
- Open GPMC
- Go to the Group Policy Object container
- Right click on the GPO in question and select Save.
- Follow the dialogs that appear and save the GPO wherever you want on the computer.
Note that you need to go down to the Group Policy Object container. Right-clicking on the links to GPOs from any organizational unit will not give you the correct menu.
The folder where you save the GPOs contains subfolders that contain the GPO files and settings. Subfolders are named after GUIDs that uniquely identify the instance of the backup.
If you make another backup of the same GPO in the same folder, the created subfolder will have a different GUID. In these subfolders, you can double-click a file called bkupInfo.xml to see the details of the GPO that was backed up.
Restore
Open GPMC
- Right click on the Group Policy Object container and select Manage Backups.
- In the dialog box that appears, set the path to the folder containing the backed up GPOs, and then select the GPO you want to restore.
Note that you can only restore GPOs to the same domain from which they were backed up, no domain with the same name, but the same domain .
Import
To work around this problem, you can import GPOs. To do this, go down to the Group Policy Object container:
- Create a new GPO
- Right click on the GPO and select Import Configurations.
- Follow the dialog box that appears to indicate the path of the folder containing your saved GPOs
- Select the desired GPO and import.
The difference between import and restore is that the former does not preserve security settings and does not restore GPO links.
PowerShell
- You need to import the Group Policy module
1 | Import-Module grouppolicy |
- To display the list of GPOs type the following command:
1 | get-gpo -all | fl DisplayName,Id,GpoStatus |
- Results
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | PS C:\Users\Administrateur> get-gpo -all | fl DisplayName,Id,GpoStatus DisplayName : Default Domain Policy Id : 31b2f340-016d-11d2-945f-00c04fb984f9 GpoStatus : AllSettingsEnabled DisplayName : Default Domain Controllers Policy Id : 6ac1786c-016f-11d2-945f-00c04fb984f9 GpoStatus : AllSettingsEnabled DisplayName : MapNetworkDrive Id : aec1e92a-c377-4570-932f-25899eb8c340 GpoStatus : AllSettingsEnabled DisplayName : Printers Id : a66076f2-966e-4556-af94-b09f2363348f GpoStatus : AllSettingsEnabled |
- To back up a GPO type the following command:
1 | Backup-GPO -Name "Default Domain Policy" -Path C:\Users\Administrateur\Desktop\chader |
- Results
1 2 3 4 5 6 7 8 9 10 | PS C:\Users\Administrateur> Backup-GPO -Name "Default Domain Policy" -Path C:\Users\Administrateur\Desktop\chader DisplayName : Default Domain Policy GpoId : 31b2f340-016d-11d2-945f-00c04fb984f9 Id : 6db54c5e-3f15-4585-9fe2-c82c0bfe1094 BackupDirectory : C:\Users\Administrateur\Desktop\chader CreationTime : 02/09/2021 10:15:56 DomainName : CHADER.COM Comment : |
- To restore a GPO type the following command:
1 | Restore-GPO -Name "Default Domain Policy" -Path C:\Users\Administrateur\Desktop\chader |
- Results
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | PS C:\Users\Administrateur> Restore-GPO -Name "Default Domain Policy" -Path C:\Users\Administrateur\Desktop\chader DisplayName : Default Domain Policy DomainName : CHADER.COM Owner : CHADER\Admins du domaine Id : 31b2f340-016d-11d2-945f-00c04fb984f9 GpoStatus : AllSettingsEnabled Description : CreationTime : 30/08/2021 10:41:36 ModificationTime : 01/09/2021 11:17:09 UserVersion : Version AD : 2, Version SysVol : 2 ComputerVersion : Version AD : 5, Version SysVol : 5 WmiFilter : |
- To import a GPO, first create a GPO with the following command:
1 | New-GPO "Template" |
- Results
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | PS C:\Users\Administrateur> New-GPO "Template" DisplayName : Template DomainName : CHADER.COM Owner : CHADER\Admins du domaine Id : 122c3a8f-ed29-4759-9e2c-c8077f8cc15d GpoStatus : AllSettingsEnabled Description : CreationTime : 02/09/2021 10:21:28 ModificationTime : 02/09/2021 10:21:28 UserVersion : Version AD : 0, Version SysVol : 0 ComputerVersion : Version AD : 0, Version SysVol : 0 WmiFilter : |
- Once the GPO is created, Import a GPO with the following command:
1 | Import-GPO -BackupGpoName "default Domain Policy" -TargetName "Template" -Path C:\Users\Administrateur\Desktop\chader |
- Results
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | PS C:\Users\Administrateur> Import-GPO -BackupGpoName "default Domain Policy" -TargetName "template" -Path C:\Users\Administrateur\Desktop\chader DisplayName : Template DomainName : CHADER.COM Owner : CHADER\Admins du domaine Id : 122c3a8f-ed29-4759-9e2c-c8077f8cc15d GpoStatus : AllSettingsEnabled Description : CreationTime : 02/09/2021 10:21:28 ModificationTime : 02/09/2021 10:26:04 UserVersion : Version AD : 1, Version SysVol : 1 ComputerVersion : Version AD : 1, Version SysVol : 1 WmiFilter : |
- To delete a GPO type the following command:
1 | remove-GPO "template" |
Bonus
I give you a little bonus, generally during a domain controller migration with a change of drill bit, we want to recover the GPOs present on the source domain without creating them again, unfortunately the ADMT tool does not allow this to be done.
I am using the following script which mirrors the combination of the commands seen above in a loop, it will allow you to:
- Back up all GPOs on the source domain
- Export the full list of source domain GPOs
- Creates Group Policy Objects from CSV
- Import settings from GPOs
Note:
The copy of GPOs / CSV files will have to be done manually from the source domain to the destination domain.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | # Source Domain Controller # grouppolicy Module Import-Module grouppolicy # Backup all GPO Backup-GPO -All -Path C:\Users\Administrateur\Desktop\chader # Export all GPO to CSV $ListGPO = Get-GPO -all | Select-Object DisplayName $ListGPO | Export-Csv -Path C:\Users\Administrateur\Desktop\chader\ListGPO.csv -NoTypeInformation -Encoding UTF8 # You can edit the CSV before Create / Import # Target Domain Controller # Create Gpo in new Domain Controller $BGNS = Import-Csv -Path "C:\Users\Administrateur\Desktop\chader\ListGPO.csv" -encoding UTF8 foreach ($BGN in $BGNS) { $GPO = $BGN.DisplayName New-GPO "$GPO" } # Import Gpo in new Domain Controller $BG = "C:\Users\Administrateur\Desktop\chader" $BGNS = Import-Csv -Path "C:\Users\Administrateur\Desktop\chader\ListGPO.csv" -encoding UTF8 foreach ($BGN in $BGNS) { $GPO = $BGN.DisplayName Import-GPO -BackupGpoName "$GPO" -TargetName "$GPO" -Path "$BG" } |
Views: 14070
