PowerShell Script: Backup all GPOs that have been modified this month
The scene: Backups take up space, but they’re a crucial part of GPO management. Ideally, one would do regular backups (monthly? weekly? your call) but only of the GPOs that have changed. This script will do that for you and print out a nice settings report of each GPO as it’s being backed up.
The following PowerShell script uses the Group Policy PowerShell cmdlets in Windows Server 2008 R2 (Windows 7 Client) to back up GPOs in the domain of the local computer that have been modified within the last month. After each GPO has been backed up, a settings report is generated for each GPO (much easier to read than the backup report).
Copy the following text and save it as a .ps1 file. The # symbols denote comments, so they won’t be run.
# The following script finds all GPOs in the domain that have been modified this month. It then takes these GPOs backs them up and generates a settings report for each. Finally it lists out all of the GPOs that were backed up.
## it depends on being opened from the Active Directory provider shortcut to the PowerShell console, or navigating to that AD provider first
# necessary for any work with group policy cmdlets if ‘import-module’ fails, use ‘add-module’
import-module grouppolicy
#get all GPO's linked in the local computer’s domain
#first step is to get the domain object
# enter "get-ADDomain -?" for help
$mydomain = get-ADDomain -current LocalComputer
# the next step gets all the GPO's currently in the domain that have been modified this month
$currentDate = get-Date
$ModGPOs = get-gpo -domain $mydomain.DNSRoot -all | where {$_.ModificationTime.Year.equals($currentDate.Year) -And $_.ModificationTime.Month.equals($CurrentDate.Month)}
# loop through GPOs
$RootPath = "C:GPOBackupReports"
Foreach ($GPO in $ModGPOs) {
# Backup the GPO to the specified path
$GPOBackup = backup-GPO $GPO.DisplayName -path "C:GPOBackup"
# First build the Report path, then generate a report of the backed up settings.
$ReportPath = $RootPath + $GPO.ModificationTime.Month + "-"+ $GPO.ModificationTime.Day + "-" + $GPO.ModificationTime.Year + "_" + $GPO.Displayname + "_" + $GPOBackup.Id + ".html"
get-GPOReport -Name $GPO.DisplayName -path $ReportPath -ReportType HTML
}
# Output which GPOs that have been successfully backed up.
"The following " + $ModGPOs.count + " GPOs were successfully backed up:" | out-host
Foreach ($GPO in $ModGPOs) {
" " + $GPO.DisplayName | out-host
}
"Go to " + $RootPath + " to view the settings reports for the backed up GPOs." | out-host
Some of you may have seen this at TEC 2009, hope you find this helpful.
Mark Gray (Group Policy PM)
Comments
Anonymous
January 01, 2003
I just got back from another great MMS in Las Vegas and I’d like to thank everyone who stopped by theAnonymous
March 30, 2009
Hi, i try to use $ModGPOs = get-gpo -domain $mydomain.DNSRoot -all | where {$.ModificationTime.Year.equals($currentDate.Year) -And $.ModificationTime.Month.equals($CurrentDate.Month)} but paramter -ALL doesn-t work any idea? Best regards