Backup GPO Settings with retention

Backing up Active Directory should be part and parcel of creating a forest, however an often overlooked area is GPO settings.   Of course these are backed up along with AD, but restoring settings from an AD backup is pretty traumatic.  GPO settings should be backed up so that you can quickly apply an older version or check what has changed.

There are plenty of tools around to manage GPOs, Microsoft even has Advanced Group Policy Management available.  This is a great tool but only for customers with Software Assurance (it is part of the Microsoft Desktop Optimization Pack)   So what about a free tool…  I looked around and there are lots of scripts that do things with backing up GPOs, some even backup GPO links, WMI filters, etc, etc. but in my case I really only wanted the settings.

Simple answer (as often is the case) is PowerShell

Get-GPO -All | Backup-GPO -Path c:\GPOBackup

The above will do a backup of all of your GPOs to a directory structure.  Great!  Now what about retaining a few copies…  From the old tape backup days (yeah I know, do you remember those days!) we have daily, weekly, monthly retention on a grandfathering system.  Wouldn’t it be cool if we can do the same for GPO settings!?

Yes, I hear you shout! Well wait no more!  The script below allows you to do just that.  A summary of the parameters is as follows

  • Path: The Path parameter specifies the location where the GPOs will be saved (Example: C:\GPOBackup)
  • DailyRetention: The DailyRetention parameter specifies the number of daily backups to retain (Example: 14)
  • WeeklyRetention: The WeeklyRetention parameter specifies the number of weekly backups to retain (Example: 6)
  • MonthlyRetention: The MonthlyRetention parameter specifies the number of monthly backups to retain (Example: 12)
  • DayForMonthlyBackup: The DayForMonthlyBackup parameter specifies the day of the month to take a monthly backup (Example: 1)
  • DayOfWeekForWeeklyBackup: The DayOfWeekForWeeklyBackup parameter specifies the day of the week to take a weekly backup (Example: Sunday)

The piece I’m most proud of in the script is the validation of the above.  I always knew you could do some cool validations in PowerShell, but look at this

Param(
    [Parameter(Position=0,Mandatory=$false)]
    [ValidateScript({Test-Path $_ -PathType 'Container'})]
    [string]$Path = "C:\GPOBackup",
    [Parameter(Position=1,Mandatory=$false)]
    [ValidateRange(0,365)]
    [int]$DailyRetention = 14,
    [Parameter(Position=2,Mandatory=$false)]
    [ValidateRange(0,104)]
    [int]$WeeklyRetention = 6,
    [Parameter(Position=3,Mandatory=$false)]
    [ValidateRange(0,60)]
    [int]$MonthlyRetention = 12,
    [Parameter(Position=4,Mandatory=$false)]
    [ValidateRange(0,28)]
    [int]$DayForMonthlyBackup = 1,
    [Parameter(Position=5,Mandatory=$false)]
    [ValidateScript({[system.dayofweek].getenumvalues() -contains $_})]
    [system.dayofweek]$DayOfWeekForWeeklyBackup = [system.dayofweek].getenumvalues()[0]
)

Is that elegant, or what!  I especially like the ValidateScript option to validate the days of the week.  Now it should even work on non-English OS!

Anyway after all of that excitement, please find the script below

*** As always the script is provided on an as is basis, please test it before you use it in a production environment. ***

Backup-GPOWithRetention.ps1

Twan van Beers

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.

Leave a Reply

Your email address will not be published. Required fields are marked *

Search