Backup and Restore Group Policy Objects (GPOs) in Active Directory


This article is about the backup and recovery of Group Policy Objects (GPOs) in the Active Directory domain environment. If the GPO files in SYSVOL are modified, corrupted, or deleted, GPO backups allow you to revert to a previous version of the policy.

How to Backup Group Policies in AD

To back up GPOs, you can use the Group Policy Management Console graphical snap-in or the GroupPolicy module PowerShell cmdlets.

  1. Open the GPMC.msc console
  2. Go to the Group Policy Objects section and select the policy object that you want to back up.
  3. Select Back Up from the right-click context menu.
  4. Specify the directory (a local path or the UNC path of a remote location) where you want to save the GPO backup (the directory must already exist) and click the Back Up button.

The GPO backup includes:

  • GPO settings
  • Assigned permissions
  • Script files
  • WMI filters
  • Security policy settings

However, information about the AD containers (OUs) to which the policy was linked and the inheritance settings are not included in such a backup.

To back up all AD domain policy objects, select Back Up All.

For each policy, a separate directory is created with a unique backup ID as its name. The manifest.xml file (created in the root directory) records which subfolder (unique ID) belongs to which GPO object.

The GPMC console is also used to view and manage GPO backups. Select the Group Policy Objects section in the console and select Manage Backups.

You will see a list of the backups available in the specified directory, together with their backup dates. Click the View Settings button to view the GPO settings stored in a backup. To show only the latest copy of each GPO, check the Show only the latest version of each GPO option.

You can also back up group policies by using the Backup-GPO PowerShell cmdlet. This cmdlet is part of the GroupPolicy module that is installed by default on AD domain controllers. On Windows 10 and 11 this module can be installed from RSAT:

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

To back up a specified Group Policy Object to a remote location, run the following command:

Backup-GPO -Name "DC_Security" -Path "\\s-dc01\Backup" -Comment "Backup DC_Security GPO $(Get-Date)"

To back up all domain GPOs, run:

Backup-GPO -All -Path "\\s-dc01\Backup"

Restoring GPOs from a Backup

Use the GPMC console to restore a GPO from a backup. Right-click the GPO and select Restore from Backup.

Select the source GPO backup directory, click Next, and select one of the previously created copies.

Click Next -> Finish to restore the previous GPO version.

When a GPO is restored from a backup, its version number is automatically incremented. This is necessary so that the restored policy files in SYSVOL are replicated to the other domain controllers.

You can restore a GPO using PowerShell:

Restore-GPO -Name DC_Security -Path "\\s-dc01\Backup"

This command restores the most recent backup of the GPO. If you need to restore an older version, specify its backup ID (the GUID used as the name of the backup subfolder):

Restore-GPO -Path "\\s-dc01\Backup" -BackupID 4E5C6EE6-2EE5-497D-A152-F90EF1A76C2D

The Restore-GPO cmdlet cannot restore a GPO whose object has been deleted from AD. You must first use the Restore-ADObject cmdlet to restore the GPO object from the AD Recycle Bin, and then run Restore-GPO to restore its settings from the backup.
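The two restore cases above (an older version selected by backup ID, and a GPO that was deleted from AD) as one added PowerShell example; this is not the article's own code. It assumes the GroupPolicy and ActiveDirectory modules, the backup share \\s-dc01\Backup used in the article, an AD Recycle Bin that is enabled, and the manifest.xml element names (BackupInst, GPODisplayName, ID, BackupTime, Comment), which are an assumption about the manifest layout.

```powershell
# Added example, not from the original article.
# Assumptions: GroupPolicy + ActiveDirectory modules, backup root \\s-dc01\Backup,
# AD Recycle Bin enabled, manifest.xml layout as named below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# manifest.xml wraps values in CDATA; PowerShell's XML adapter may hand back either
# a plain string or an XmlElement, so normalise both to text.
function Get-NodeText($Node) {
    if ($Node -is [System.Xml.XmlNode]) { return $Node.InnerText }
    return [string]$Node
}

# List every backed-up version of one GPO in a backup directory, newest first.
# Element names (Backups/BackupInst/GPODisplayName/ID/BackupTime/Comment) are assumed.
function Get-GpoBackupVersion {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name
    )
    [xml]$manifest = Get-Content -Path (Join-Path $Path 'manifest.xml') -Raw
    $manifest.Backups.BackupInst |
        Where-Object { (Get-NodeText $_.GPODisplayName) -eq $Name } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = Get-NodeText $_.GPODisplayName
                BackupId    = [guid](Get-NodeText $_.ID)        # "{...}" parses as a GUID
                BackupTime  = [datetime](Get-NodeText $_.BackupTime)
                Comment     = Get-NodeText $_.Comment
            }
        } | Sort-Object BackupTime -Descending
}

# Restore the version of a GPO that was current at (or just before) a given point in time.
function Restore-GpoVersionAsOf {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [datetime]$AsOf
    )
    $version = Get-GpoBackupVersion -Path $Path -Name $Name |
        Where-Object { $_.BackupTime -le $AsOf } |
        Select-Object -First 1
    if (-not $version) { throw "No backup of '$Name' dated on or before $AsOf in $Path" }
    Restore-GPO -Path $Path -BackupId $version.BackupId
}

# A GPO that was deleted from AD must have its groupPolicyContainer object brought back
# from the Recycle Bin before Restore-GPO can write its settings and SYSVOL files again.
function Restore-DeletedGpo {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name
    )
    $deleted = Get-ADObject -IncludeDeletedObjects -Properties displayName `
        -Filter 'objectClass -eq "groupPolicyContainer" -and isDeleted -eq $true' |
        Where-Object { $_.displayName -eq $Name }
    if (-not $deleted) { throw "No deleted GPO named '$Name' found in the AD Recycle Bin" }
    if (@($deleted).Count -gt 1) { throw "Several deleted GPOs named '$Name'; restore by ObjectGUID instead" }
    Restore-ADObject -Identity $deleted.ObjectGUID
    # Now the container exists again, so the most recent backup can be applied to it
    Restore-GPO -Name $Name -Path $Path
}

# Usage (values are the article's examples):
# Get-GpoBackupVersion -Path '\\s-dc01\Backup' -Name 'DC_Security'
# Restore-GpoVersionAsOf -Path '\\s-dc01\Backup' -Name 'DC_Security' -AsOf '2024-01-01'
# Restore-DeletedGpo -Path '\\s-dc01\Backup' -Name 'DC_Security'
```

Restore-DeletedGpo matches on displayName because the Recycle Bin keeps all attributes of a deleted object; if the name is ambiguous, pass the GPO's ObjectGUID to Restore-ADObject directly. Neither function recreates the GPO links, which the backup does not contain.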

Enable Automatic GPO Backup with Task Scheduler

You can use a PowerShell script that is run by the Task Scheduler to back up GPOs regularly.

Earlier we showed that several backup versions of a GPO can be stored in the same location. In the script below, a separate folder named with the current date is created each time the script runs, which makes it easier for the administrator to navigate through the GPO backups.

On the domain controller, create a backup_gpo.ps1 file that contains the following code:

# Folder named with today's date, e.g. 09.14.2023
$date = Get-Date -Format MM.dd.yyyy
$path = "\\s-dc01\backup\$date"
# -Force keeps the script from failing if the folder already exists (e.g. a second run on the same day)
New-Item -Path $path -ItemType Directory -Force | Out-Null
Backup-GPO -All -Path $path

Create a Scheduler task to back up all GPOs daily:

$Trigger = New-ScheduledTaskTrigger -At "00:00" -Daily
$User = "NT AUTHORITY\SYSTEM"
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup_gpo.ps1"
Register-ScheduledTask -TaskName "GPOBackup" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force

This task runs daily, creates a folder named with the current date, and backs up all GPOs into it. Because the task runs as SYSTEM, the domain controller's computer account must have write access to the backup share.
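A fuller version of backup_gpo.ps1, added here as an example rather than taken from the article, that adds the checks an administrator usually wants in a scheduled job: it verifies that every GPO in the domain was backed up, records the GPO links and inheritance settings that a GPO backup does not contain (see the list of backup contents above), writes an index of backup IDs, and prunes dated folders older than a retention period. It assumes the GroupPolicy and ActiveDirectory modules, the share \\s-dc01\backup from the article, and a 30-day retention policy chosen for the example.

```powershell
# Added example, not the article's own script.
# Assumptions: GroupPolicy + ActiveDirectory modules, share \\s-dc01\backup writable by the
# DC's computer account (the task runs as SYSTEM), 30-day retention chosen for illustration.
param(
    [string]$Root = '\\s-dc01\backup',
    [int]$RetentionDays = 30
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

# yyyy.MM.dd (rather than MM.dd.yyyy) so folder names sort chronologically
$date = Get-Date -Format 'yyyy.MM.dd'
$path = Join-Path $Root $date
$log  = Join-Path $Root 'backup_gpo.log'
New-Item -Path $path -ItemType Directory -Force | Out-Null

function Write-Log ([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $log
}

# 1. Back up every GPO. Backup-GPO returns one object per GPO with the backup ID (Id),
#    the GPO's own GUID (GpoId) and the display name.
$backups = @(Backup-GPO -All -Path $path -Comment "Scheduled backup $date")
Write-Log "Backed up $($backups.Count) GPOs to $path"

# 2. Check that the number of backups matches the number of GPOs in the domain.
$expected = @(Get-GPO -All).Count
if ($backups.Count -ne $expected) {
    Write-Log "WARNING: $expected GPOs in the domain but only $($backups.Count) were backed up"
}

# 3. A GPO backup does not include links or inheritance, so record the gPLink and
#    gPOptions attributes of the domain root and every OU next to the backup.
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @(Get-ADObject -Identity $domainDn -Properties gPLink, gPOptions) +
              @(Get-ADOrganizationalUnit -Filter * -Properties gPLink, gPOptions)
$containers |
    Select-Object DistinguishedName, gPLink, gPOptions |
    Export-Csv -Path (Join-Path $path 'gpo_links.csv') -NoTypeInformation

# 4. Human-readable index of backup ID -> GPO, useful when choosing a -BackupId for Restore-GPO.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $path 'backup_index.csv') -NoTypeInformation

# 5. Prune dated folders older than the retention period. Only folders whose name
#    matches the date pattern are touched, so manual backups elsewhere in the share survive.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ChildItem -Path $Root -Directory |
    Where-Object { $_.Name -match '^\d{4}\.\d{2}\.\d{2}$' -and $_.CreationTime -lt $cutoff } |
    ForEach-Object {
        Write-Log "Removing expired backup folder $($_.FullName)"
        Remove-Item -Path $_.FullName -Recurse -Force
    }
```

gpo_links.csv covers the domain root and OUs only; GPOs linked to AD sites would have to be exported separately. Keeping the log and index in the share means a restore operator can pick the right backup ID without opening GPMC.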
