Friday, October 7, 2016

Restore a Deleted GPO (when you have AD recycle bin turned on, system state backup but no GPO backups)

This is mostly to save some notes for myself.

I'm in the middle of migrating our Sharepoint Lists to a new server, and one step was cleaning up the old GPOs that assigned those lists to users in Outlook. I went ahead and deleted those before figuring out that using the old GPOs would be the best source for getting the old URLs to clean up the old lists from Outlook...oops! Luckily, Powershell, AD Recycle Bin, and my System State backup came to the rescue.

The very simplest solution is to restore the GPO from a backup that you've taken using Group Policy Management Console or the Powershell GroupPolicy module. Unfortunately, I've taken those backups on an ad-hoc basis only and the most recent was a few months too old for the GPOs I needed. I'll definitely be setting up a scheduled task to run that backup today.

GPOs have two components: the files that are stored in your \\domain\Sysvol that contain the actual settings, and a component stored in the Active Directory database. Even if you haven't explicitly backed up the GPO from GPMC, your other backups may have you covered.

First, I restored the GPOs' Active Directory components from the Active Directory Recycle Bin, available since Server 2008 R2.

Open Active Directory Administrative Center. Navigate to the Deleted Items folder, and then restore the selected GPOs to their original location.

Now the GPO will be visible in GPMC, but it will display an error that the files are missing.

Next, I restored a backup of my DC's system state to a folder (NOT to the original Domain Controller). I mounted the VHD file by navigating to the \WindowsImageBackup\DC1\Backup (date) 000101\ folder that Data Protection Manager created.

An error popped up for me about the VHD not being able to assign a drive letter automatically. To resolve this, I opened Computer Management, navigated to Disk Management, and assigned a drive letter manually.

Now, in the newly mounted VHD, I navigated to E:\Windows\SYSVOL\domain\Policies\ and carefully copied all of the {xxxx} folders to a folder accessible on my management workstation.

Next, to avoid overwriting any existing GPOs, I used Powershell to help me copy over only the GPOs that I needed to the SYSVOL folder on my active domain controllers. To prevent errors, I worked only in the directory where I had restored the GPOs from the backup, not directly on my SYSVOL. Before running the commands below, you may want to add a -whatif and double-check you're in the right directory.

# GUIDs of the GPOs whose SYSVOL folders need restoring, in the same {GUID} form as the folder names
$ids = Get-GPO -All | Where-Object { $_.DisplayName -like "*Sharepoint Lists" } | ForEach-Object { "{$($_.Id)}" }
# Folders in the current directory; run this from the folder holding the restored copy, NOT from SYSVOL
$dirs = Get-ChildItem -Directory | Select-Object -ExpandProperty Name
# Delete every restored policy folder that is not one of the GPOs we need (add -WhatIf to preview)
$dirs | ForEach-Object { if (-not ($ids -contains $_)) { Remove-Item -Path $_ -Recurse -Force } }
# Only the needed GPO folders are left; copy them into the live SYSVOL Policies folder
Copy-Item -Path * -Destination \\DOMAIN\sysvol\DOMAIN.TLD\Policies -Recurse

Now, the contents of your SYSVOL directory will match with the newly restored AD object. Take a backup with GPMC right away, and if you can, set up a scheduled task to perform the backup!
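As an added example (my own script, not from the original post), here is the same selective copy done the other way round: instead of deleting unwanted folders from the restored copy, it copies only the folders for the GPOs that match the name filter, refuses to overwrite any policy folder that already exists in SYSVOL, and finishes with Backup-GPO. The paths, the name filter and the backup location are assumptions; adjust them for your domain.

```powershell
# Added example, not the post's own code: copy only the needed restored {GUID} folders into
# SYSVOL without touching anything else, then take a proper GPO backup straight away.
param(
    [string]$RestoredPolicies = 'C:\Restore\Policies',               # assumed: {GUID} folders copied from the mounted VHD
    [string]$SysvolPolicies   = '\\DOMAIN\sysvol\DOMAIN.TLD\Policies', # assumed: live SYSVOL Policies share
    [string]$NameFilter       = '*Sharepoint Lists',                  # assumed: display-name pattern of the deleted GPOs
    [string]$BackupPath       = 'C:\GPOBackups'                       # assumed: where Backup-GPO should write
)

# The AD objects were already brought back from the Recycle Bin, so Get-GPO lists them
# even though GPMC still complains that their SYSVOL files are missing.
$wanted = Get-GPO -All | Where-Object { $_.DisplayName -like $NameFilter }
if (-not $wanted) { throw "No GPO matched '$NameFilter'; nothing to restore." }

foreach ($gpo in $wanted) {
    # SYSVOL folder names are the GPO GUID wrapped in braces
    $folder = "{$($gpo.Id.ToString().ToUpper())}"
    $src = Join-Path $RestoredPolicies $folder
    $dst = Join-Path $SysvolPolicies $folder

    if (-not (Test-Path (Join-Path $src 'gpt.ini'))) {
        # Every policy folder carries a gpt.ini; without it the backup predates this GPO
        Write-Warning "$($gpo.DisplayName): no gpt.ini under $src, skipping"
        continue
    }
    if (Test-Path $dst) {
        # Never clobber a live policy folder: a GPO that still has files was not the one deleted
        Write-Warning "$($gpo.DisplayName): $dst already exists, skipping"
        continue
    }
    Copy-Item -Path $src -Destination $dst -Recurse
    Write-Host "Restored SYSVOL files for '$($gpo.DisplayName)' ($folder)"
}

# Back up the restored GPOs with the GroupPolicy module so the next deletion is a Restore-GPO away
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
foreach ($gpo in $wanted) {
    Backup-GPO -Guid $gpo.Id -Path $BackupPath -Comment 'Taken after Recycle Bin + system state restore'
}
```

Run it with -WhatIf on Copy-Item first if you want to see which folders it would touch; the restored files are only as current as the system state backup they came from.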
