You should even be able to restore a single GPO without an authoritative restore of the whole database (very bad idea to do this, if you don't absolutely need to) - but your problem will be documentation: you will need the GUID of the GPO to address its GPC in the System\Policies container during the authoritative restore via NTDSutil.

As you'll previously have restored the system state, you should also find the matching GPT folder back in SysVol, but you can't simply make this authoritative. So you can copy this folder to a temp location outside of SYSVOL prior to booting the DC - and then copy it back to SYSVOL after the boot process completes (this makes the folder "authoritative" for FRS, which will then also re-copy it out to the other DCs. Same as what is happening with the GPC after the authoritative restore). But although it's a nice exercise, I haven't tried it myself and I would also not go down this path for a single GPO restore.

Instead you have to make sure you get your reporting and documentation for GPO management right - if you know what settings were applied within a certain GPO, it's much easier to simply recreate the GPO than to go through the described restore hassle. Related files (like application binaries) should not be stored within the GPO itself anyway; so you shouldn't lose these when you accidentally delete a GPO.

Even with GPMC (obviously a good addition to GPO mgmt - however, it's not as if there weren't other similarly powerful tools available before...), although you can backup and restore GPOs rather easily, you won't get around having good documentation (e.g. regular reports on your GPOs) as GPMC doesn't restore the GPO links themselves. You still have to know which OUs your GPO was applied to and if you use Win2003 you also still have to know which WMI filters were applied (these are also not stored as part of the GPO itself). So there is really no way around good documentation - and if you have it, you might as well leverage it to recreate an accidentally deleted GPO.

/Guido

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 August 2003 17:24
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] authoritative GPO restore

Rick, please excuse the whinge borne out of a bit of frustration I am afraid !!

am needing to write procedural documents for what I would regard as a fairly simple task (and given issues we have with allowed run list policy values not unlikely either !!) ie restore of an inadvertently (or otherwise !) deleted or corrupt GPO

not unreasonable to have had functionality equiv to GPMC in win2k ??

duly noted on GPMC - will recommend to deploy as soon as possible

without GPMC, it seems there are all sorts of interdependencies on AD objects / SYSVOL file system objects which need to be got right when restoring GPO

was looking to seek the views of others on the procedure for this restore say of a single GPO ?? as per my original mail;

1. DS restore mode
2. restore of what sysvol file system directories / system state to original
3. restore (what ?) to alternate location
4. ntdsutil - run authoritative restore (seems only to apply to AD objects)
5. copy certain file system directories (policies / scripts ??) to original location

Thanks for your help throughout

GT

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 18, 2003 2:34 PM
Subject: RE: [ActiveDir] authoritative GPO restore

> Graham,
>
> Though I don't totally disagree, I'm not sure what part of the picture is
> missing to cause you to make a statement such as:
>
> "Microsoft seem incapable of delivering finished products !"
>
> The GPMC *does* make it much easier - and I have been a big champion on this
> product, and is by far the preferred method. But, before GPMC (6 years
> before, in fact) we have survived quite well with Auth Restore, Systems
> State restore, and Data backup restores.
>
> What part of the picture am I missing that would indicate Microsoft missed
> the boat on restoring GPOs in your case?
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Monday, August 18, 2003 3:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] authoritative GPO restore
>
> Darren, thanks for the very informative post reply.
>
> you seem only to confirm my views of what should be a relatively simple task
> is not so - although happy to see this complexity reduced with GPMC, it does
> nothing to dispel my opinion that Microsoft seem incapable of delivering
> finished products !
>
> Thanks again
>
> GT
>
> ----- Original Message -----
> From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, August 17, 2003 9:30 PM
> Subject: RE: [ActiveDir] authoritative GPO restore
>
> Graham-
> You're absolutely right about the dependencies between the AD and SYSVOL
> portions of a GPO. As you probably have noticed, the AD portion is stored in
> the Domain NC under SYSTEM\POLICIES\<GUID OF GPO> and the SYSVOL part is in
> SYSVOL\POLICIES\<GUID OF GPO>. The AD portion, formerly called the Group
> Policy Container (GPC) (until MS released the GPMC and decided they didn't
> like any of the old names for stuff (!)), contains attributes that reference
> the SYSVOL path, the version of the GPO and some other stuff. If for
> example, you have used software installation policy to deploy applications
> via GPO, then the GPC contains a set of AD objects known as the Class Store,
> which contains packageRegistration objects for each app deployed. These
> objects reference application advertisement script (.aas) files stored in
> the SYSVOL portion of the GPO (aka the Group Policy Container or GPT).
>
> In terms of disaster recovery of an individual GPO, you're correct that
> authoritative restore isn't very flexible. Your steps below seem reasonable
> although I haven't used that mechanism to restore a single GPO before.
> Frankly, I think you're better off using Microsoft's free GPMC tool to do
> backup/restore of individual GPOs. It's easy to use, scriptable and restores
> individual GPOs with their original GUID intact.
> This is a lot more flexible than authoritative restore or any other
> mechanism that has to try and extract portions of a single GPO from backups
> of system state.
>
> Darren
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 17, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] authoritative GPO restore
>
> was hoping to get a bit more detail on the procedure of restore of a GPO and
> specifically the inter-dependencies of the sysvol folder data and AD data
>
> it would seem say in the scenario of an inadvertently modified / deleted
> GPO (and which has been replicated throughout the domain) that it is not
> simply a matter of restore of the sysvol data, and that indeed it is
> required to go through a sequence along the lines of;
>
> boot into DS restore mode;
> restore system state to its original location
> restore system state to alternative location
>
> authoritatively restore the entire database (didn't understand this - I
> would have thought at most the object with the GUID of the GPO using restore
> subtree ?)
>
> restart the DC in normal mode and wait for the sysvol to mount
>
> then a copy of what looks to be like the folder of sysvol / policies with
> the GUID of the GPO from the alternative location
>
> have derived the above from the various papers on disaster recovery et al.
>
> hoping people can put any of the above right, especially with notes on the
> various interdependencies of the directory objects / file system contents
> relating to GPO
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
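As an added example, not from any of the posts above, this PowerShell script produces the GPO documentation Guido says there is no way around: for every GPO it records the GUID, the GPC distinguished name under CN=Policies,CN=System (the subtree an authoritative restore would address), the matching SYSVOL folder, the WMI filter and every link target with its state, none of which a GPMC restore brings back by itself. It assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined machine and an account allowed to read and back up GPOs; these cmdlets post-date the 2003 thread and stand in for the GPMC reports discussed there.

```powershell
# Added example (not part of the thread): document what GPO restores do not
# bring back (links, WMI filter) plus the GUID-based names a restore needs.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain member.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot
# Link targets to scan: the domain root and every OU (site links omitted).
$targets = @($domain.DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

# Map GPO GUID -> list of link targets with the per-link state.
$links = @{}
foreach ($target in $targets) {
    foreach ($l in (Get-GPInheritance -Target $target).GpoLinks) {
        $key = $l.GpoId.ToString().ToUpper()
        if (-not $links.ContainsKey($key)) { $links[$key] = @() }
        $links[$key] += '{0} (enabled={1}; enforced={2}; order={3})' -f `
            $target, $l.Enabled, $l.Enforced, $l.Order
    }
}

$inventory = foreach ($gpo in Get-GPO -All) {
    $id = $gpo.Id.ToString().ToUpper()
    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Guid      = "{$id}"
        # DN of the GPC: the subtree an ntdsutil authoritative restore addresses.
        GpcDN     = "CN={$id},CN=Policies,CN=System,$($domain.DistinguishedName)"
        # The matching GPT folder in SYSVOL.
        GptPath   = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies\{$id}"
        WmiFilter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        Links     = if ($links.ContainsKey($id)) { $links[$id] -join '; ' } else { '(not linked)' }
    }
}

# Inventory, a settings report per GPO and a GPMC-style backup together are
# what you need to recreate or restore a deleted GPO, links included.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$out   = (New-Item -ItemType Directory -Path ".\gpo-docs-$stamp" -Force).FullName
$inventory | Export-Csv -Path (Join-Path $out 'gpo-inventory.csv') -NoTypeInformation
foreach ($gpo in Get-GPO -All) {
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $out "$($gpo.Id).html")
}
Backup-GPO -All -Path $out | Out-Null
```

Run it on a schedule and keep the output directory with your system state backups; the Links column is the part a later GPMC restore will not recreate for you.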