Group Policy - Backup Account Delegation

    Question

  • I am trying to back up group policies using the System account from a domain controller.

    Note that I cannot use a real user due to compliance requirements. They prevent me from saving the password under the scheduled task. And this is why I opted for using the System account.

    The problem is it only backs up about 20 of the 200 or so policies that I have in my environment. I can find no difference in the rights on the ones that back up and the ones that do not.

    So my question is where should I be checking the rights on the group policies? The only place I can find to check is under the delegation tab (which is already providing System with edit/delete/mod).

    Thursday, March 19, 2015 1:53 PM

All replies

  • > I am trying to backup group policies using the System account from a
    > domain controller.
     
    How exactly?
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, March 19, 2015 4:40 PM
  • Thanks for the reply Martin.

    -Task Scheduler

    -General tab

    -Use the following account, put System in there

    -Run with highest privileges

    Thursday, March 19, 2015 4:45 PM
  • > -Task Scheduler
     
    I didn't mean "how does the task run", but rather "what exactly does
    your script do" :)
     

    Greetings/Grüße, Martin

    Friday, March 20, 2015 8:44 AM
  • Oops :p

    I have omitted the actual names but this is the script.

    It performs flawlessly if I run it manually with my 'domain admin' account.

    When it is run as 'System' from the scheduled task it only backs up about 20 policies (the same 20 policies every time).

    Thank you Martin.

    # import the Group Policy module
    if (-not (Get-Module GroupPolicy)) {
        Import-Module GroupPolicy -ErrorAction Stop
    }

    # remove backups older than 7 days
    $max_days = -7

    # get the current date
    $curr_date = Get-Date

    # determine how far back we go based on current date
    $del_date = $curr_date.AddDays($max_days)

    # set the backup path
    $backupRoot = "C:\Omitted\Actual\Path"

    # folder for today's backup, built once so the backup and the email use the same path
    $backupPath = Join-Path $backupRoot $curr_date.ToString('yyyy-MM-dd')

    # set the email options
    $smtpServer = 'Omitted.actual.server'
    $smtpPort = '25'
    $fromAddy = 'omitted@mail.com'
    $toAddy = 'omitted2@mail.com'
    $mailMsg = "GPO Backup for $curr_date complete. Backups saved in $backupPath"
    $mailSubject = "GPO Backup $curr_date"

    # create the folder for today's date
    New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

    # backup the GPOs
    Backup-Gpo -All -Path $backupPath

    # delete the dated backup folders older than the cutoff, including their contents
    # (-Recurse -Force avoids a confirmation prompt, which a scheduled task cannot answer)
    Get-ChildItem $backupRoot | Where-Object { $_.PSIsContainer -and $_.LastWriteTime -lt $del_date } | Remove-Item -Recurse -Force

    # send an email stating it was backed up
    Send-MailMessage -SmtpServer $smtpServer -Port $smtpPort -From $fromAddy -To $toAddy -Body $mailMsg -Subject $mailSubject


    Friday, March 20, 2015 11:39 AM
  • > When it is run as 'System' from the scheduled task it only backs up
    > about 20 policies (the same 20 policies every time)
     
    I suppose the backup-gpo cmdlet fails. To track down: Run "psexec -s
    cmd" and run your script from there.
     

    Greetings/Grüße, Martin

    Friday, March 20, 2015 1:02 PM
  • Thanks, I'll report the results.
    Monday, March 23, 2015 4:11 PM
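
Added example, not part of any post in this thread: a diagnostic variant of the backup that records which identity is running, how many GPOs that identity can enumerate, and the per-GPO result of the backup, so a run as SYSTEM can be compared with a run as a domain admin. The `diag` subfolder and the CSV file name are assumptions; the root path is the placeholder from the posted script.

```powershell
# Added diagnostic sketch. Paths and file names are placeholders, not values from the thread.
Import-Module GroupPolicy -ErrorAction Stop

$diagPath = 'C:\Omitted\Actual\Path\diag'    # placeholder backup target for the test run
New-Item -ItemType Directory -Path $diagPath -Force | Out-Null

# Identity the script is actually running under (e.g. NT AUTHORITY\SYSTEM)
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$logFile  = Join-Path $diagPath ("gpo-backup-{0}.csv" -f ($identity -replace '[\\ ]', '_'))

# GPOs this identity can enumerate; @() keeps a single result as an array
$gpos = @(Get-GPO -All -ErrorAction Stop)

# Back up each GPO on its own so one failure is recorded instead of hidden
$results = foreach ($gpo in $gpos) {
    try {
        $backup = Backup-GPO -Guid $gpo.Id -Path $diagPath -ErrorAction Stop
        [pscustomobject]@{
            RunAs  = $identity
            Name   = $gpo.DisplayName
            Guid   = $gpo.Id
            Status = 'OK'
            Detail = $backup.Id            # backup ID assigned by Backup-GPO
        }
    }
    catch {
        [pscustomobject]@{
            RunAs  = $identity
            Name   = $gpo.DisplayName
            Guid   = $gpo.Id
            Status = 'FAILED'
            Detail = $_.Exception.Message  # the error the -All run never surfaced
        }
    }
}

$results | Export-Csv -Path $logFile -NoTypeInformation

$failed = @($results | Where-Object { $_.Status -eq 'FAILED' }).Count
"{0}: {1} GPOs visible, {2} backed up, {3} failed. Log: {4}" -f `
    $identity, $gpos.Count, ($gpos.Count - $failed), $failed, $logFile
```

Run it once interactively with the admin account and once from the `psexec -s cmd` session suggested above, then compare the two CSV files: a GPO missing from the SYSTEM file was not enumerated at all, while one marked FAILED was enumerated but could not be backed up.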