Cannot backup GPO from 2012, 2012 R2 using either GPMC or Powershell

Hello everybody,

I have a very strange error regarding backing-up my GPOs. I can backup my GPOs using WIN 7 SP1, Windows 2008 R2 Standard and powershell version 2 and 3. I successfully backed up my GPOs using powershell and the GPMC console.

The problem I have is that it does not work with 2012 and 2012 R2. I don't know yet if it is related to 2012 or if it is just a coincidence but none of the two methods worked (powershell / GPMC).

Here are the errors I got:

Backup-GPO : Object reference not set to an instance of an object.
At line:1 char:1
+ Backup-GPO -Name "MyGPO" -Path "myBackupDirectory"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Backup-GPO], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.GroupPolicy.Commands.BackupGpoCommand

or

Backup of GPO failed. Error [Invalid pointer
].
 Details -
     Source GPO:
          DisplayName: myGPO
          ID: {xxxxx}
          Domain: myDomain.me
  
      Backup:
         Directory: myBackupDirectory
         Instance : {xxxxxx}
         Comment  : 
 
 

Thanks everybody!



  • Edited by Aldo9 Tuesday, October 14, 2014 3:32 PM
October 2nd, 2014 9:27pm

Hi,

You could backup gpo using GPMC or powershell  in Windows server 2012:

Back Up a Group Policy Object

http://technet.microsoft.com/en-us/library/cc770536.aspx

Backup-GPO

http://technet.microsoft.com/en-us/library/hh967480.aspx

Regards.

Free Windows Admin Tool Kit Click here and download it now
October 3rd, 2014 7:43am

To back up a Group Policy object

  1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.

  2. To back up a single GPO, right-click the GPO, and then click Back Up . To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All .

  3. In the Backup Group Policy object dialog box, in the Location box, enter the path for the location in which you want to store the GPO backups, or click Browse , locate the folder in which you want to store the GPO backups, and then click OK .

  4. In the Description box, type a description for the GPOs that you want to back up, and then click Back Up . If you are backing up multiple GPOs, the description will apply to all GPOs you back up.

  5. After the operation completes, click OK .

October 3rd, 2014 8:20am

Hello,

Thanks for your answer. I did not say I don't know how to backup GPO in 2012. I am saying that backing up GPO using either Powershell or GPMC console does not work on Windows 2012. As you probably read I added the error messages I got when trying a backup using both methods.

Thanks

Free Windows Admin Tool Kit Click here and download it now
October 3rd, 2014 3:38pm

Also, my AD schema version is 69 which is Windows Server 2012 R2 and I am trying to backup from 2012 R2 Datacenter edition.

Thanks all!

October 3rd, 2014 9:26pm

When you try to perform a backup of a Group Policy object or of multiple Group Policy objects by using the Microsoft Group Policy Management Console, you receive the following error message in the notification area of the Backup window: GPO: <var style="line-height:18.4599990844727px;box-sizing:border-box;margin:0px;padding:0px;">Group_Policy_Name</var>...Failed

Invalid pointer

CAUSE

This behavior occurs if a user or a group name that is referenced in a Group Policy object corresponds to an abbreviation that is defined for a built-in group that is used by the Security Descriptor Definition Language (SDDL) format. For example, this behavior occurs if you name a user or a group "SA." The "SA" abbreviation corresponds to the SDDL security identifier (SID) string that represents the built-in Schema Admins group.

If a user name or a group name matches an SDDL abbreviation that is defined for a built-in group, a function that is called by the Group Policy Management Console treats the user name or the group name as a SID. Therefore, the backup fails and you receive the error message that is mentioned in the "Symptoms" section.

RESOLUTION

To resolve the behavior, use the Active Directory Users and Computers snap-in to change the name of the user or the group that corresponds to one of the abbreviations that is used by SDDL.
Free Windows Admin Tool Kit Click here and download it now
October 4th, 2014 1:55pm

Hello!
 

Thanks a lot for your answer. When you say: "This behavior occurs if a user or a group name that is referenced in a Group Policy object", does it mean a user or a group explicitly added to one of the GPO settings? (ex: I have a user account name AU for some reasons and this user account has been added to the local group "backup operator" of all domain clients  through the GPO I am trying to backup?)

If that is what it means, then this is not the cause because:
the backup fails with an empty GPO
the backup works from a server that runs Windows 2008, Windows 2008 R2 and (also Win 7 SP1).

If that is not what it means, then could I get a little bit more guidance? That would be really great!

Also, please see some logs from gpmgmt.log (Hope that helps!):

[1160.10c0] 10/06/2014 09:02:27:205  [VERBOSE] CGPMBackupData::PutSID: Domain : myDomain.me Domain Netbios : MYDOMAIN
[1160.10c0] 10/06/2014 09:02:27:205  [VERBOSE] CGPMBackupData::AddKnownSecurityPrincipal: SecurityPrincipal Added is MYDOMAIN\one_admin
[1160.10c0] 10/06/2014 09:02:27:205  [VERBOSE] CGPMBaseNode::PutSecurityDescriptorInfo: ACE 2 String Sid is S-1-5-21-2025429265-616249376-725345543-1692467.
[1160.10c0] 10/06/2014 09:02:27:205  [VERBOSE] ResolveTrustee(): Resolving account <S-1-5-21-2025429265-616249376-725345543-1692467> Domain Controller <(null)>.
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] ResolveTrustee(): Account name is <myGroup>
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] CGPMBackupData::AddKnownSecurityPrincipal: SecurityPrincipal Added is MYDOMAIN\myGroup
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] CSecurityGroupBatchQuery::GetLdapBatchQuery :: found a match
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] CGPMBaseNode::PutSecurityDescriptorInfo: ACE 3 String Sid is S-1-5-21-2025429265-616249376-725345543-1648799.
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] ResolveTrustee(): Resolving account <S-1-5-21-2025429265-616249376-725345543-1648799> Domain Controller <(null)>.
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] ResolveTrustee(): Account name is <myGroup1>
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] CGPMBackupData::AddKnownSecurityPrincipal: SecurityPrincipal Added is MYDOMAIN\myGroup1
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] CSecurityGroupBatchQuery::GetLdapBatchQuery :: found a match
[1160.10c0] 10/06/2014 09:02:27:221  [VERBOSE] CGPMBaseNode::PutSecurityDescriptorInfo: ACE 4 String Sid is S-1-5-21-2025429265-616249376-725345543-1692467.
...
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMCoreNode::process: ++++++++++++++++++++++++
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::CheckCancelFlag: Checking cancel flag. m_bCancel = 0
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Node processing completed
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Processing children...
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Number of children = 22
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Handling child 1 of 22
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: No reevaluate function
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: Encountered element GroupPolicyCoreSettings
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyCoreSettings: Starting node processing...
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyCoreSettings: Node processing completed
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyCoreSettings: Processing children...
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyCoreSettings: Number of children = 10
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyCoreSettings: Handling child 1 of 10
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: No reevaluate function
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: Encountered element ID
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: ID: Starting node processing...
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: ID: Node processing completed
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: ID: Processing children...
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: ID: Number of children = 1
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: ID: Handling child 1 of 1
[1160.10c0] 10/06/2014 09:02:27:283  [VERBOSE] CGPMBackupData::XMLTreeRecurse: ID: Done
...
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: UserExtensionGuids: Done
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyCoreSettings: Handling child 10 of 10
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: No reevaluate function
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: Encountered element WMIFilter
...
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Handling child 2 of 22
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Handling child 3 of 22
[1160.10c0] 10/06/2014 09:02:27:314  [VERBOSE] CGPMBackupData::XMLTreeRecurse: No reevaluate function

[1160.10c0] 10/06/2014 09:02:27:330  [VERBOSE] CGPMFSObjectNode::process: From GPOs
[1160.10c0] 10/06/2014 09:02:27:330  [VERBOSE] CGPMBackupData::XMLTreeRecurse: FSObjectFile: Done
[1160.10c0] 10/06/2014 09:02:27:330  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyExtension: Handling child 3 of 7
[1160.10c0] 10/06/2014 09:02:27:330  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyExtension: Handling child 4 of 7
[1160.10c0] 10/06/2014 09:02:27:330  [VERBOSE] CGPMBackupData::XMLTreeRecurse: No reevaluate function
[1160.10c0] 10/06/2014 09:02:27:330  [VERBOSE] CGPMBackupData::XMLTreeRecurse: Encountered element FSObjectFile
...
[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Handling child 22 of 22
[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyObject: Done
[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyBackupScheme: Handling child 3 of 3
[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CGPMBackupData::XMLTreeRecurse: GroupPolicyBackupScheme: Done
[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CGPMBackupData::Initialise(gpo): Created FilePaths Node
[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] GetDomainDN: Domain FQDN of domain myDomain.me = DC=myDomain,DC=me

[1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CLdapBatchedQuery::GetQueryString: The query string is <(|(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b241f0e00>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b33d31900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b9f281900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b00020000>))>
[1160.10c0] 10/06/2014 09:02:48:393  [WARNING] LdapConnectServer: ldap_connect failed with 0x8007003a.
[1160.10c0] 10/06/2014 09:02:48:393  [WARNING] CLDAPSearch::Open: failed to connect to server myDomain.me with 0x8007003a.
[1160.10c0] 10/06/2014 09:02:48:393  [WARNING] CLdapBatchedQuery::ExecuteQuery: Open on ldapSearch failed with 0x8007003a.
[1160.10c0] 10/06/2014 09:02:48:393  [WARNING] CSecurityGroupBatchQuery::ExecuteQueries : ExecuteQuery of pLdapBatchedQuery failed. hr 0x8007003a

[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CLdapBatchedQuery::GetQueryString: The query string is <(|(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b241f0e00>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b33d31900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b9f281900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b00020000>))>
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSecurityGroupsNode :: Starting to create security group nodes for Unknown security principals
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSecurityGroupsNode :: Starting to create security group nodes for Known security principals
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: Input acctName : [Domain Admins] type: [GlobalGroup] Domain Netbios: [MYDOMAIN] Domain DNS: [myDomain.me] UPN: [Domain Admins@myDomain.me]
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: sid : S-1-5-21-2025429265-616249376-725345543-512 acctName : Domain Admins type: GlobalGroup Domain Netbios: MYDOMAIN Domain DNS: myDomain.me Source: 1
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: Input acctName : [myGroup1] type: [UniversalGroup] Domain Netbios: [MYDOMAIN] Domain DNS: [myDomain.me] UPN: [myGroup1@myDomain.me]
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: sid : S-1-5-21-2025429265-616249376-725345543-1648799 acctName : myGroup1 type: UniversalGroup Domain Netbios: MYDOMAIN Domain DNS: myDomain.me Source: 1
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: Input acctName : [myGroup] type: [GlobalGroup] Domain Netbios: [MYDOMAIN] Domain DNS: [myDomain.me] UPN: [myGroup@myDomain.me]
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: sid : S-1-5-21-2025429265-616249376-725345543-1692467 acctName : myGroup type: GlobalGroup Domain Netbios: MYDOMAIN Domain DNS: myDomain.me Source: 1
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: Input acctName : [one_admin] type: [User] Domain Netbios: [MYDOMAIN] Domain DNS: [myDomain.me] UPN: [one_admin@myDomain.me]
[1160.10c0] 10/06/2014 09:02:48:393  [VERBOSE] CGPMBackupData::CreateSingleSecurityGrpNode :: sid : S-1-5-21-2025429265-616249376-725345543-925476 acctName : one_admin type: User Domain Netbios: MYDOMAIN Domain DNS: myDomain.me Source: 1
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] CLDAPSearch::NextPage : cookie indicates search is done
[1160.10c0] 10/06/2014 09:02:48:408  [WARNING] CLDAPSearch::Next : Connection is not opened yet
[1160.10c0] 10/06/2014 09:02:48:408  [WARNING] CLdapBatchedQuery::GetNextMessage : Next on ldapSearch failed
[1160.10c0] 10/06/2014 09:02:48:408  [WARNING] CGPMBackupData::CreateSecurityGroupsNode :: GetNextMessage failed. hr 0x80004003

[1160.10c0] 10/06/2014 09:02:48:408  [WARNING] CGPMBackupData::Initialise(gpo): CreateSecurityGroupsNode Failed 0x80004003
[1160.10c0] 10/06/2014 09:02:48:408  [WARNING] CGPOOperations::DoBackup : Initialise Failed 0x80004003
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] CGPMBackupData::CheckCancelFlag: Checking cancel flag. m_bCancel = 0
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] WaitForFileAccess(): Did not find C:\Users\me\backupDirGpo\manifest.xml in the exclusive file access map
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] WaitForFileAccess(): Inserted C:\Users\me\backupDirGpo\manifest.xml in the exclusive file access map with reference count = 1

[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] ValidateXMLAgainstSchema: Loaded document successfully
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] CGPMBackupDir::Remove(): No matching instance found.
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] ReleaseFileAccess(): Found C:\Users\me\backupDirGpo\manifest.xml in the exclusive file access map & reference count = 1
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] ReleaseFileAccess(): Closed the mutex for C:\Users\me\backupDirGpo\manifest.xml in the exclusive file access map
[1160.10c0] 10/06/2014 09:02:48:408  [VERBOSE] Delnode_Recurse: Entering, lpDir = <\\?\C:\Users\me\backupDirGpo\{72D6E836-F466-4801-A9C3-9DE9960DB964}>
[1160.1510] 10/06/2014 09:02:48:408  [VERBOSE] CCollection::get_Item: m_pEnumProvider is empty

  • Edited by Aldo9 Monday, October 06, 2014 3:21 PM
October 6th, 2014 5:11pm

> [1160.10c0] 10/06/2014 09:02:48:393  [WARNING] LdapConnectServer: ldap_connect failed with 0x8007003a.    MSG_E_CA_CERT_EXPIRED certlog.mc # A certificate in the chain for CA certificate %3 for %1 has # expired.  %2.   ERROR_BAD_NET_RESP winerror.h # The specified server cannot perform the requested # operation.   I'm unsure if it really is a cert issue :) So the second error seems to be the culprit, but I have no clue what your server cannot perform and which server it is.   You might do a check through dsquery:   dsquery * -s <servername> -filter "(|(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b241f0e00>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b33d31900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b9f281900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b00020000>))"   (entered on one line, of course)   Replace <servername> with every computer that "dsquery server" reports. And verify that "nslookup <domain>" matches the server list from dsquery.  
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2014 12:08pm

Hello Martin,

Thanks a lot for your help! I tried what you suggested but the list of SIDs in dsquery query is actually referring to users and groups. 

Not too sure if that helps... 

Thank you!
 -A

October 14th, 2014 6:04pm

> SIDs in dsquery query is actually referring to users and groups.   Yes, that's expected. I took this query from the log you provided:   [1160.10c0] 10/06/2014 09:02:27:393  [VERBOSE] CLdapBatchedQuery::GetQueryString: The query string is <(|(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b241f0e00>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b33d31900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b9f281900>)(distinguishedName=<SID=0105000000000005150000001199b9782038bb2407e53b2b00020000>))> [1160.10c0] 10/06/2014 09:02:48:393  [WARNING] LdapConnectServer: ldap_connect failed with 0x8007003a.  
Free Windows Admin Tool Kit Click here and download it now
October 14th, 2014 6:29pm

Aldo9 - did you ever come up with a solution to your issue.  I am seeing the exact same thing.  I'm also not able to backup a GPO from within GPMC

Thanks in advance

January 21st, 2015 12:08am

Hi,

Use this :-

import-module grouppolicy

Backup-GPO -All -Path <string> [-Comment <string>] [-Domain <string>] [-Server <string>] [<CommonParameters>]

Free Windows Admin Tool Kit Click here and download it now
January 21st, 2015 7:13am

Thanks for the input but I have tried that and it doesn't work.  Typing get-module while in PowerShell shows that the GroupPolicy module is loaded.  Also as I stated I'm also not able to back-up a GPO from within GPMC so this is not isolated to PowerShell.

Thanks

January 21st, 2015 8:17am

Simply try to migrate the ADDS on a new server and repair the old one than you can able to access.
Free Windows Admin Tool Kit Click here and download it now
January 22nd, 2015 1:39am

This is a multi domain controller domain and I'm having the issue from all of the DCs.  I have even tried it from a newly build 2012R2 server with RSAT installed and I still have the same issue. 
January 22nd, 2015 6:34am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics