Group Policies are used to centrally configure settings for computers and users in Windows. If your computers are joined to a Windows domain, you can use domain GPOs to bring all the computers within an Active Directory domain into a single configuration. If you do not have a domain, you can use the local Group Policy to configure the settings for a single computer (the local Group Policy Editor is started with the gpedit.msc command). In this article, we’ll show you how to back up a local GPO and copy the local policy settings to other computers.
If your network is based on a Windows workgroup, you can use local Group Policy to get all of your computers to have the same configuration. To do this, you need to configure local GPO options on the reference computer, and then copy and apply these settings to other computers.
How to Manually Copy Local GPO Settings to Another Computer
There are no built-in tools in Windows to back up, import, export, or migrate local GPO settings. Windows stores local Group Policy administrative template settings in Registry.pol files under the following paths:
%SystemRoot%\System32\GroupPolicy\Machine\%SystemRoot%\System32\GroupPolicy\User\
Therefore, the easiest way to transfer local Group Policy settings between computers is to manually copy and replace the contents of the %systemroot%\System32\GroupPolicy folder from one computer to another. You must manually update the Group Policy settings with the gpupdate /force command or restart Windows after replacing the GPO files.
Main drawbacks of this GPO migration method:
- Settings from local Security Templates are not copied;
- Errors may occur when applying the GPO if the version of Windows on the target computer is different;
- You cannot import local GPO settings into the domain Group Policy Management Console (
gpmc.msc); - There are some issues with the migration of settings from custom ADMX templates.
How to Backup (Export) Local Group Policy with LGPO.exe
Microsoft recommends the use of the LGPO.exe console tool for the backup/import/export and transfer of local Group Policy settings. LGPO (current version 3.0) is included in the Microsoft Security Compliance Toolkit and is available to download here https://www.microsoft.com/en-us/download/details.aspx?id=55319.
The LGPO.exe utility allows you to:
- Export local group policy settings to files;
- Import GPO settings from the backup. Allows to import registry.pol files, security templates, and CSV files;
- Convert registry.pol files to readable LGPO format and vice versa.
To backup (export) the current local GPO settings to the specified directory, use the command:
LGPO.exe /b c:\tools\GPO
The tool saves the local policy settings in a folder with a random GUID name. This directory contains all of the necessary files that are required to restore the local GPO settings or to apply them to a different computer.
Restore-GPO -Name Win10Settings -Path C:\Backup\GPO_W10\
To conveniently view the current GPO settings in the registry.pol file, run the following command:
lgpo.exe /parse /m "C:\Tools\GPO\{985966AD-21BE-4A9C-BF7D-26C879982067}\DomainSysvol\GPO\Machine\registry.pol" >>c:\tools\gpo\lgpo.txt
The target lgpo.txt text file contains the registry settings that are applied by this policy.
You can manually edit the lgpo.txt file and convert it to the registry.pol format:
LGPO.exe /r "C:\tools\GPO\lgpo.txt" /w "C:\tools\GPO\registry_new.pol"
To apply the new settings from the registry_new.pol file to the computer’s current local policy:
LGPO.exe /m "C:\tools\GPO\registry_new.pol"
Import (Restore) Local Group Policy Settings on Windows
To import (restore) local GPO settings from a backup on another computer, you must copy the Policy GUID directory to the target computer and run the command:
LGPO.exe /g C:\tools\GPO\
Some administrators use Multiple Local Group Policies (MLGPO) to apply individual local GPO settings only to specific groups (non-administrators or administrators) or users. By default, the lgpo.exe doesn’t export the MLGPO settings.
The next thing we’ll look at is how to copy the MLGPO settings for specific users or groups to other computers.
When an administrator creates a new Local MLGPO Policy for a specific local user or group (mmc -> Add/Remove Snap-in -> Group Policy Object Editor -> select a local group or a user to apply a policy to: Users, Administrators, Non-Administrators, specific user, etc.), a separate folder is created for that GPO in the C:\Windows\System32\GroupPolicyUsers directory. The SID of the user or group is used as the directory name. For example:
S-1-5-32-545– non-administrators (BUILTIN\USERS)S-1-5-32-544–administrators (BUILTIN\ADMINISTRATORS)
For example, you might want to copy the settings of the local GPO for non-administrators to another computer.
- From the reference computer, copy the Local Policy Settings file from the directory with the required SID (
C:\Windows\System32\GroupPolicyUsers\S-1-5-32-545\User\Registry.pol); - To apply the Registry.pol file for non-administrators on the target computer, run the following command:
lgpo /un "C:\tmp\Registry.pol"
Import MLGPO settings for Non-Administrators from registry.pol
lgpo /ua "C:\tmp\Registry.pol"
Import GPO settings from a file and apply the policy to a specific local user:
lgpo /u:username "C:\tmp\Registry.pol"
Export and Import Group Policy Settings with LocalGPO
Previously, the LocalGPO script (part of Microsoft Security Compliance Manager 3.0) was used to import and export the local Group Policy configuration. The LocalGPO tool allows you to quickly create a backup copy of a local GPO and restore local policy settings from it. It also has an interesting option to create a GPOPack executable file that allows you to migrate (import) local GPO settings to another machine with a single click.
To export local Group Policy settings to the C:\GPObackup directory (the target folder must be created in advance):
cscript LocalGPO.wsf /Path:C:\GPObackup /Export
The LocalGPO utility allows you to export MLGPO settings for a specific group or user to a separate directory. Syntax used:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Administrators
or
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:LocalUserName
To restore local Group Policy settings from a previous backup copy:
cscript LocalGPO.wsf /Path:C:\GPObackup\{B6542366-C0C0-4948-AF39-B17F0B1F0E9A}
LocalGPO allows you to reset all current local Group Policy settings to the default:
cscript LocalGPO.wsf /Restore
24 comments
This is great for 2008/2008R2, but it does not work in 2012/2012R2. Even after you edit the wsf script to stop it from checking for OS (which, if you leave that in, it will TELL you that it cannot run in 2012), but even after commenting that check out, it will run, but it will not actually import the policy settings.
This tool does not run on windows 10 Pro 64 bit. What is other alternative?
Same problem. I’m trying this tool :
https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
try LGPO.exe from MS
Dont Work for Windows 8.1. This tool is only for Windows 8 and before.
You can use LGPO.exe, which replaces LocalGPO. It is part of the Security Compliance Manager package
[…] here https://technet.microsoft.com/en-us/library/cc936627.aspx to backup the settings (thanks to https://woshub.com/backupimport-local-group-policy-settings/ for pointing me in this direction). I also created the scheduled task that runs the following on […]
Edit LocalGPO.wsf to replace the ChkOSVersion routine (it will support 8.1, 10, 2k16) :
'****************************'
' Routine Name:
'
' ChkOSVersion
'
' Description :
'
' This routine gets the Operating System's caption,version and Service
' Pack information on the host
'
' Inputs:
'
' None.
'
' Outputs:
'
' None.
'********************************
Sub ChkOSVersion
Dim colOperatingSystems, objOperatingSystem
Dim colComputers, objComputer, strProductType
Set colOperatingSystems = objWMIService.ExecQuery _
("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
strOpSys=objOperatingSystem.Caption
strOpVer=objOperatingSystem.Version
strSPMinorVer=objOperatingSystem.ServicePackMinorVersion
strSPMajorVer=objOperatingSystem.ServicePackMajorVersion
strProductType=objOperatingSystem.ProductType
Next
strComputerRole = NULL
Set colComputers = objWMIService.ExecQuery _
("Select DomainRole from Win32_ComputerSystem")
For Each objComputer in colComputers
Select Case objComputer.DomainRole
Case 0
strComputerRole = "Standalone"
Case 1
strComputerRole = "Member"
Case 2
strComputerRole = "Standalone"
Case 3
strComputerRole = "Member"
End Select
Next
'Checks whether the operating system is Windows XP or _
'Windows Server 2003 or Windows Vista or Windows Server 2008 or _
'Windows 7 or Windows Server 2008 R2 or Windows 8 or Windows Server 8
If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
strOS = "Win81"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
strOS = "WS12"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then
strOS = "Win8"
ElseIf(Left(strOpVer,3) = "6.1") and (strProductType <> "1") then
strOS = "WS08R2"
ElseIf(Left(strOpVer,3) = "6.1") and (strProductType = "1") then
strOS = "Win7"
ElseIf(Left(strOpVer,3) = "6.0") and (strProductType <> "1") then
strOS = "WS08"
ElseIf(Left(strOpVer,3) = "6.0") and (strProductType = "1") then
strOS = "VISTA"
ElseIf(Left(strOpVer,3) = "5.2") and (strProductType <> "1") then
strOS = "WS03"
ElseIf(Left(strOpVer,3) = "5.2") and (strProductType = "1") then
strOS = "XP"
ElseIf(Left(strOpVer,3) = "5.1") and (strProductType = "1") then
strOS = "XP"
Else
strMessage = DisplayMessage(conLABEL_CODE002)
Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle)
Call CleanupandExit
End If
End Sub
🙁 the code is not well copied in the comment :
strProductType “1”
should be
strProductType “1”
(remove the space between )
Hi, thanks for info! I updated your code (this is an old WordPress problem with quotes).
LocalGPO is not working for Windows Server 2016 after editing LocalGPO.wsf with above mentioned code, request you to please provide updated LocalGPO.wsf
Dear Admin,
Awaiting for your response….
Thanks in Advance!!
In Windows 10 and Windows Server 2016 instead of LocalGPO.wsf it is recommended to use lgpo.exe
LocalGPO.wsf is deprecated tool.
Great. Thanks
A question: I have manually modified a GPO policy called “prevent the installation of removable devices”. How do I backup/apply/restore this specific policy GPO with LGPO utility v1.0 (LPGO.exe) and apply the changes without restarting the PC?
You cannot save or restore a separate setting (policy) of a local GPO, only all GPO settings at the same time.
Ok. But how i can reset all gpo?
Dear Admin,
Request you to please let me know how should I identify Windows OS version from LocalGPO Backup file.
I am not able to identify the backup file of Windows version while restoring the backup file.
Also Can I restore Windows7 Group Policy Setting file to Windows10 system??
Is there any OS compatibility issues?
Awaiting for your valuable response.
Thanks in Advance.
Look at this. Any solution? https://superuser.com/questions/1447033/how-to-reset-gpo-rule
Спасибо большое за полезную статью – то что искал!..
Gents [and ladies?]. Why are you looking at LocalGPO? It is outdated. And if something screws up, MS won’t even hep you. Use LGPO.
Hey Admin, many thanks for your advices running LocalGPO on Windows10! I’m searching for a way to export local user related GPOs, but /Export /MLGPO:Username won’t work and lgpo.exe doesn’t have this function 🙁
I mean for a specific user, not the local GPOs for all users
The LGPO tool works even in server 2019 with no issues. I have used it in several environments to deploy policies for other servers after configuring local policy objects for computer, admins, and non-admins
How would you use lgpo.exe to backup non-admin policies as well? It’s only backing up “Local Computer Policy” not “Local Computer\Non-Administrators Policy”.