declarative-ad-framework/gpo/Restore-GPOBaseline.ps1

# Restore-GPOBaseline.ps1
# Interactive restore script for GPO backups.
#
# Usage:
#   .\Restore-GPOBaseline.ps1                                              # List all backups
#   .\Restore-GPOBaseline.ps1 -GPOName 'Admins-01'                        # List backups for one GPO
#   .\Restore-GPOBaseline.ps1 -GPOName 'Admins-01' -Timestamp '20260214-153000'  # Restore

[CmdletBinding()]
param(
    [string]$GPOName,
    [string]$Timestamp,
    [switch]$Force
)

$ErrorActionPreference = 'Stop'
$ScriptRoot = $PSScriptRoot

. (Join-Path $ScriptRoot 'lib\GPOHelper.ps1')

# -------------------------------------------------------------------
# List mode (no Timestamp specified)
# -------------------------------------------------------------------
if (-not $Timestamp) {
    Write-Host 'Available GPO backups:' -ForegroundColor Cyan
    Write-Host ''

    $backups = Get-GPOBackups -GPOName $GPOName
    if ($backups.Count -eq 0) {
        Write-Host 'No backups found.' -ForegroundColor Yellow
        if ($GPOName) {
            Write-Host "Run without -GPOName to see all GPOs." -ForegroundColor DarkGray
        }
        exit 0
    }

    $backups | Format-Table GPOName, Timestamp, Admin, Version -AutoSize
    Write-Host ''
    Write-Host 'To restore, run:' -ForegroundColor DarkGray
    Write-Host "  .\Restore-GPOBaseline.ps1 -GPOName '<name>' -Timestamp '<timestamp>'" -ForegroundColor DarkGray
    exit 0
}

# -------------------------------------------------------------------
# Restore mode (Timestamp specified)
# -------------------------------------------------------------------
if (-not $GPOName) {
    Write-Host '-GPOName is required when specifying -Timestamp.' -ForegroundColor Red
    exit 1
}

$safeName = $GPOName -replace '[^\w\-]', '_'
$backupRoot = Join-Path $ScriptRoot 'backups'
$backupPath = Join-Path $backupRoot "$safeName\$Timestamp"

if (-not (Test-Path $backupPath)) {
    Write-Host "Backup not found: $backupPath" -ForegroundColor Red
    Write-Host 'Run without -Timestamp to see available backups.' -ForegroundColor DarkGray
    exit 1
}

# Confirmation
if (-not $Force) {
    $meta = Get-Content (Join-Path $backupPath 'metadata.json') -Raw | ConvertFrom-Json
    Write-Host "About to restore GPO '$GPOName' to state from $($meta.Timestamp)" -ForegroundColor Yellow
    Write-Host "  Backup admin: $($meta.Admin)" -ForegroundColor Yellow
    Write-Host "  Backup version: $($meta.VersionNumber)" -ForegroundColor Yellow
    Write-Host ''
    $confirm = Read-Host 'Type YES to proceed'
    if ($confirm -ne 'YES') {
        Write-Host 'Aborted.' -ForegroundColor DarkGray
        exit 0
    }
}

Restore-GPOState -BackupPath $backupPath
Write-Host ''
Write-Host 'TIP: Run Apply-GPOBaseline.ps1 -TestOnly to verify the restored state.' -ForegroundColor DarkGray