Group policies are a powerful and at the same time flexible tool to configure Windows settings and are indispensable means of bringing computers to a single configuration in the Active Directory domain. If there is no domain, single computer settings can be configured using a local group policy. A significant disadvantage of local policies is that they cannot be distributed centrally between computers in the workgroup. As a result, the administrator has to manually configure group policy settings on each computer. If there are many computers and settings to configure, it is not too productive…
It would be appropriate to have one computer in a workgroup with reference settings of local group policies and security settings to be applied to the other computers and after you make any changes you could copy this configuration to other machines.
In this article we’ll consider this scenario. It allows to quickly export and transfer (migrate) local group policy settings from one configured computer to other computers in a workgroup.
- Issues of Local Group Policy Migration between Computers
- How to Install LocalGPO
- How to Export a Local Policy Settings
- How to Import Local GPO Settings
- GPOPack: Deploy Format of Local GPO
- How to Reset All Local GPO Settings
- How to Import a Local GPO to the AD Domain Group Policy
- LGPO.exe: How to Export and Deploy Local GPO Settings
Issues of Local Group Policy Migration between Computers
The easiest way to migrate local GPO settings between computers is to manually copy the contents of %systemroot%\System32\GroupPolicy folder (by default, this directory is hidden) from one computer to another with replacing its contents (after you replaced the files, run policy update manually using the command gpupdate /force or by restarting your PC).
This method is quite simple, but it has some major faults:
- It can’t be used to migrate local Security Templates;
- GPO may not work if the OS version and its build on a source and a target computer differs;
- You can’t create a domain GPO based on a local policy (by importing a policy to Active Directory domain for its further use);
- When copying a policy, you will have to manually correct any references to the local computer name in the settings;
- There are some issues when migrating custom ADMX templates.
To import/export a local GPO created with gpedit.msc, it’s easier and more convenient to use LocalGPO utility, which is a part of Microsoft Security Compliance Manager 3.0. LocalGPO allows not only to quickly create a backup of a local GPO and restore local policy settings, but also to create an executable file GPOPack to migrate (import) the local GPO settings to another machine in one click.
The LocalGPO tool allows you to export all local policy settings, including those from INF, POL, Audit, firewall sections, etc. LocalGPO perfectly suits for use in the companies without domains to distribute GPO template between computers in the workgroup. It is also very useful in conjunction with the Microsoft Deployment Toolkit (MDT) or SCCM.
How to Install LocalGPO
To install LocalGPO on a local computer (in our case, it will be a master image of the local GPO settings):
- Download Security Compliance Manager (SCM) 3.0 (https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx);
- Open Security_Compliance_Manager_Setup.exe as an archive file using any archiver (7Zip or WinRar). Note. We don’t want to perform a full installation of Security Compliance Manager since it’s quite heavy and contains a lot of components we don’t need for our task (SQL Server Express, Microsoft Visual C++ 2010 Redistributable, etc.).
- Extract data.cab from this archive and unpack it as well (e.g., into C:\Distr\data folder);
- In this directory, find GPOMSI file and rename it to GPO.msi;
- Run GPO.msi installation.
Let’s find out how to use LocalGPO. You can manage it only through the console interface (command prompt). Start the command prompt as administrator and go to the folder C:\Program Files\LocalGPO (for x86 systems) or C:\Program Files (x86)\LocalGPO (for x64 systems).
LocalGPO Tool
---------------------------
This tool only runs on Windows XP Professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012
The fact is that the LocalGPO utility only supports versions of Windows prior to Windows 8 (Windows Server 2012). In newer Windows versions (Windows 8.1, Windows 10) it is recommended to use the new utility LGPO.exe (see the last section in this article). Although technically, the old LocalGPO.wsf script supports both Windows 10 / 8.1 and Windows Server 2016/2012 R2. In order to make LocalGPO.wsf script run correctly in new OSs, it is enough to change the code of the function of checking the OS version (ChkOSVersion) by adding the following lines:
If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
strOS = "Win81"
How to Export a Local Policy Settings
To export local GPO settings to the C:\GPObackup folder (this directory has to be created in advance), run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export
A new folder with some GPO GUID appears in the target directory. It will contain all local policy settings for this computer.
Actually, we have created a local GPO backup, which can be rolled back to any time we need.
The LocalGPO.wsf utility supports Multiple Local GPO (MLGPO). To export a local policy associated with a specific local group or user, you need to use the following format of using LocalGPO.wsf script:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Administrators
or
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:LocalUserName
How to Import Local GPO Settings
To restore Local Group Policy settings from the backup, import them using the following command. Specify the path to the directory containing your backup as an argument:
cscript LocalGPO.wsf /Path:C:\GPObackup\{B6545366-C0B0-4848-BF39-A17F0B4F0E9A}
GPOPack: Deploy Format of Local GPO
With LocalGPO, you can create a GPOPack package which helps to easily deploy local GPO settings to other computers (it doesn’t require installing LocalGPO on the target computer). This format is also convenient to use in OS deployment tasks using Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager (SCCM). To make a portable package, run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /GPOPack
Copy the folder created in the previous step to another computer, to which these policies have to be applied. To do it, start the command prompt with the administrator privileges and run GPOPack.wsf file.
The message “Applied GPOPack to Local Policy” indicates that the policies have been migrated successfully. Now you only have to restart your system and make sure if the same local GPO settings are applied on this computer.
The full list of arguments for LocalGPO.wsf is available with the parameter /?:
cscript LocalGPO.wsf /?
How to Reset All Local GPO Settings
Using LocalGPO, you can reset all local policy settings to the default values. To do it, run the following command:
cscript LocalGPO.wsf /Restore
How to Import a Local GPO to the AD Domain Group Policy
The policy import format of LocalGPO allows to import local group policy settings to a domain GPO. You can do it using the domain GPO backup and restore feature in GPMC (Group Policy Management Console).
LGPO.exe: How to Export and Deploy Local GPO Settings
The LGPO.exe console tool is designed to automate the management of local group policies and is intended to replace the LocalGPO that is no longer supported. Currently it is recommended to use only this utility. LGPO.exe is included into the Security Compliance Manager (SCM) free tool.
You can download LGPO.exe by the following link https://www.microsoft.com/en-us/download/details.aspx?id=55319.
The LGPO.exe utility has the following features:
- Support of local group policy settings exporting;
- Imports GPO settings from backup. Import of registry.pol files, security templates, CSV files are supported;
- Convert registry.pol files to readable LGPO format and vice versa.
To export the current local GPO settings to the specified directory, run the following command:
LGPO.exe /b c:\tools\GPO
The utility will export all current local policy settings to the folder with the group policy GUID.
To present the current GPO settings in the backup file from the registry.pol file in a text-friendly format, run the command:
lgpo.exe /parse /m "C:\tools\GPO\{6DFFB293-675f-4c32-4AB-FD1234567CE}\DomainSysvol\GPO\Machine\registry.pol">>c:\tools\gpo\lgpo.txt
Open the lgpo.txt text file. As you can see, it contains all registry settings that are applied by this policy.
Make the necessary changes to the lgpo.txt registry settings file and convert it to the registry.pol format:
LGPO.exe /r "C:\tools\GPO\lgpo.txt" /w "C:\tools\GPO\registry_new.pol"
Now import the new local policy settings from the pol file:
LGPO.exe /m "C:\tools\GPO\registry_new.pol"
To import (transfer) local GPO settings from this computer to another, copy the directory with the policy on the target computer and run the command:
LGPO.exe /g C:\tools\GPO\
The LGPO v2.2 version supports Multiple Local Group Policy Objects (MLGPO), which allows you to configure individual policies for different users (available in Windows Vista and later).
As you can see, the LGPO.exe utility is very useful for creating a backup of local policies and transferring GPO settings between computers.
24 comments
This is great for 2008/2008R2, but it does not work in 2012/2012R2. Even after you edit the wsf script to stop it from checking for OS (which, if you leave that in, it will TELL you that it cannot run in 2012), but even after commenting that check out, it will run, but it will not actually import the policy settings.
This tool does not run on windows 10 Pro 64 bit. What is other alternative?
Same problem. I’m trying this tool :
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
try LGPO.exe from MS
Dont Work for Windows 8.1. This tool is only for Windows 8 and before.
You can use LGPO.exe, which replaces LocalGPO. It is part of the Security Compliance Manager package
[…] here https://technet.microsoft.com/en-us/library/cc936627.aspx to backup the settings (thanks to https://woshub.com/backupimport-local-group-policy-settings/ for pointing me in this direction). I also created the scheduled task that runs the following on […]
Edit LocalGPO.wsf to replace the ChkOSVersion routine (it will support 8.1, 10, 2k16) :
'****************************'
' Routine Name:
'
' ChkOSVersion
'
' Description :
'
' This routine gets the Operating System's caption,version and Service
' Pack information on the host
'
' Inputs:
'
' None.
'
' Outputs:
'
' None.
'********************************
Sub ChkOSVersion
Dim colOperatingSystems, objOperatingSystem
Dim colComputers, objComputer, strProductType
Set colOperatingSystems = objWMIService.ExecQuery _
("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
strOpSys=objOperatingSystem.Caption
strOpVer=objOperatingSystem.Version
strSPMinorVer=objOperatingSystem.ServicePackMinorVersion
strSPMajorVer=objOperatingSystem.ServicePackMajorVersion
strProductType=objOperatingSystem.ProductType
Next
strComputerRole = NULL
Set colComputers = objWMIService.ExecQuery _
("Select DomainRole from Win32_ComputerSystem")
For Each objComputer in colComputers
Select Case objComputer.DomainRole
Case 0
strComputerRole = "Standalone"
Case 1
strComputerRole = "Member"
Case 2
strComputerRole = "Standalone"
Case 3
strComputerRole = "Member"
End Select
Next
'Checks whether the operating system is Windows XP or _
'Windows Server 2003 or Windows Vista or Windows Server 2008 or _
'Windows 7 or Windows Server 2008 R2 or Windows 8 or Windows Server 8
If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
strOS = "Win81"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
strOS = "WS12"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then
strOS = "Win8"
ElseIf(Left(strOpVer,3) = "6.1") and (strProductType <> "1") then
strOS = "WS08R2"
ElseIf(Left(strOpVer,3) = "6.1") and (strProductType = "1") then
strOS = "Win7"
ElseIf(Left(strOpVer,3) = "6.0") and (strProductType <> "1") then
strOS = "WS08"
ElseIf(Left(strOpVer,3) = "6.0") and (strProductType = "1") then
strOS = "VISTA"
ElseIf(Left(strOpVer,3) = "5.2") and (strProductType <> "1") then
strOS = "WS03"
ElseIf(Left(strOpVer,3) = "5.2") and (strProductType = "1") then
strOS = "XP"
ElseIf(Left(strOpVer,3) = "5.1") and (strProductType = "1") then
strOS = "XP"
Else
strMessage = DisplayMessage(conLABEL_CODE002)
Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle)
Call CleanupandExit
End If
End Sub
🙁 the code is not well copied in the comment :
strProductType “1”
should be
strProductType “1”
(remove the space between )
Hi, thanks for info! I updated your code (this is an old WordPress problem with quotes).
LocalGPO is not working for Windows Server 2016 after editing LocalGPO.wsf with above mentioned code, request you to please provide updated LocalGPO.wsf
Dear Admin,
Awaiting for your response….
Thanks in Advance!!
In Windows 10 and Windows Server 2016 instead of LocalGPO.wsf it is recommended to use lgpo.exe
LocalGPO.wsf is deprecated tool.
Great. Thanks
A question: I have manually modified a GPO policy called “prevent the installation of removable devices”. How do I backup/apply/restore this specific policy GPO with LGPO utility v1.0 (LPGO.exe) and apply the changes without restarting the PC?
You cannot save or restore a separate setting (policy) of a local GPO, only all GPO settings at the same time.
Ok. But how i can reset all gpo?
Dear Admin,
Request you to please let me know how should I identify Windows OS version from LocalGPO Backup file.
I am not able to identify the backup file of Windows version while restoring the backup file.
Also Can I restore Windows7 Group Policy Setting file to Windows10 system??
Is there any OS compatibility issues?
Awaiting for your valuable response.
Thanks in Advance.
Look at this. Any solution? https://superuser.com/questions/1447033/how-to-reset-gpo-rule
Спасибо большое за полезную статью – то что искал!..
Gents [and ladies?]. Why are you looking at LocalGPO? It is outdated. And if something screws up, MS won’t even hep you. Use LGPO.
Hey Admin, many thanks for your advices running LocalGPO on Windows10! I’m searching for a way to export local user related GPOs, but /Export /MLGPO:Username won’t work and lgpo.exe doesn’t have this function 🙁
I mean for a specific user, not the local GPOs for all users
The LGPO tool works even in server 2019 with no issues. I have used it in several environments to deploy policies for other servers after configuring local policy objects for computer, admins, and non-admins
How would you use lgpo.exe to backup non-admin policies as well? It’s only backing up “Local Computer Policy” not “Local Computer\Non-Administrators Policy”.