Posted on July 30, 2015 · Posted in Group Policies

Backup/Import Local Group Policy Settings

Group policies are a powerful and at the same time flexible tool to configure Windows settings and are indispensable means of bringing computers to a single configuration in Active Directory domain. If there is no domain, single computer settings can be configured using a local group policy. A significant drawback of local policies is the lack of means to distribute them between computers in the workgroup. Consequently, the administrator has to manually configure group policy settings on each computer. If there are many computers and configured settings, it is not too productive… 

It would be appropriate to have one computer in a workgroup with reference settings of local group policies and security settings to be applied to the other computers and after you make any changes you could copy this configuration to other machines.

In this article we’ll consider this scenario, which allows to quickly export and migrate local group policy settings from one configured computer to other computers in a workgroup.

Issues of Local Group Policy Migration between Computers

The easiest way to migrate local GPO settings between computers is to manually copy the contents of %systemroot%\System32\GroupPolicy folder (by default, this directory is hidden) from one computer to another by overwriting its contents (After you replaced the files, run policy update manually using the command gpupdate /force or restart your PC).

This method is quite simple, but it has some major faults:

  1. It can’t be used to migrate local Security Templates
  2. GPO may not work if the OS version and its build on a source and a receiver computer differ
  3. You can’t create a domain GPO based on a local policy (by importing a policy to Active Directory domain for its further use)
  4. When copying a policy you will have to manually correct local computer name in the settings
  5. There are some issues when migrating custom ADMX templates

To import/export a local GPO created with gpedit.msc, it’s easier and more convenient to use LocalGPO being a part of Microsoft Security Compliance Manager 3.0. LocalGPO allows not only to quickly create a backup of a local GPO and restore local policy settings, but also to create an executable file GPOPack to migrate (import) the local GPO settings to another machine in one click.

LocalGPO allows to export all local policy settings, including those from INF, POL, Audit, firewall settings, etc. LocalGPO perfectly suits for use in the companies with no domain to distribute GPO template between computers. It is also very useful together with Microsoft Deployment Toolkit (MDT) or SCCM.

How to Install LocalGPO

To install LocalGPO on a local computer (in our case, it will be a master image of the local GPO settings):

  • Download Security Compliance Manager (SCM) 3.0 (
  • Open Security_Compliance_Manager_Setup.exe as an archive file using any archiver (7Zip or WinRar)

    Note. We don’t want to perform a full installation of Security Compliance Manager, since it’s quite heavy and contains a lot of components we don’t need for our task (SQL Server Express, Microsoft Visual C++ 2010 Redistributable, etc.)

    Extract fromSecurity Compliance Manager (SCM) 3.0

  • Extract from this archive and unpack it as well (e.g., into C:\Distr\data)
  • In this directory, find GPOMSI and rename it as GPO.msi GPOMSI
  • Run GPO.msi setup Setup LocalGPO tool

Let’s find out how to use LocalGPO. You can manage it only in command prompt. Start the command prompt under the administrator privileges and go to C:\Program Files\LocalGPO (for x86t systems) or C:\Program Files (x86)\LocalGPO (for x64 systems).

How to Export a Local Policy

To export a local GPO to C:\GPObackup (this directory has to be created in advance), run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export

LocalGPO export local GPO settings

A new folder with some GPO GUID appears in the target directory. It will contain all local policy settings for this computer.

gpo backup folder

Actually, we have created a local GPO backup, which you can roll back to any time we need it.

How to Import Local GPO Settings

To restore Local Group Policy settings from the backup, import them using the following command. Specify the path to the directory containing your backup as an argument:
cscript LocalGPO.wsf /Path:C:\GPObackup\{B6545366-C0B0-4848-BF39-A17F0B4F0E9A}
Import local policy settings from LocalGPO

GPOPack: deploy Format of Local GPO

With LocalGPO, you can create a GPOPack package which helps to easily deploy local GPO settings to other computers (LocalGPO doesn’t need to be installed on a target computer). This format is also convenient to deploy an OS using Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager (SCCM). To make a portable package, run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /GPOPack

Create GPOPack for deploy
Copy the folder created in the previous step to another computer, to which these policies have to be applied. To do it, start the command prompt with the administrator privileges and run GPOPack.wsf.

The message «Applied GPOPack to Local Policy» means that the policies have been migrated successfully. Now you only have to restart your system and make sure if the same local GPO settings are applied on this computer.

Applied GPOPack to Local Policy

The full list of arguments for LocalGPO.wsf is available with the key /?:
cscript LocalGPO.wsf /?

LocalGPO.wsf arguments

How to Reset Local GPO Settings

Using LocalGPO, you can reset all local policy settings to their default values. To do it, run the following command:
cscript LocalGPO.wsf /Restore

Tip. Earlier we have already shown how to reset the local GPO configuration manually.

How to Import a Local GPO to AD Domain

The policy import format of LocalGPO allows to import local group policy settings to a domain GPO. You can do it using the domain GPO backup and restore feature in GPMC (Group Policy Management Console).

Related Articles