Group policies are a powerful and at the same time flexible tool to configure Windows settings and are indispensable means of bringing computers to a single configuration in the Active Directory domain. If there is no domain, single computer settings can be configured using a local group policy. A significant disadvantage of local policies is that they cannot be distributed centrally between computers in the workgroup. As a result, the administrator has to manually configure group policy settings on each computer. If there are many computers and settings to configure, it is not too productive…
It would be appropriate to have one computer in a workgroup with reference settings of local group policies and security settings to be applied to the other computers and after you make any changes you could copy this configuration to other machines.
In this article we’ll consider this scenario. It allows to quickly export and transfer (migrate) local group policy settings from one configured computer to other computers in a workgroup.
- Issues of Local Group Policy Migration between Computers
- How to Install LocalGPO
- How to Export a Local Policy Settings
- How to Import Local GPO Settings
- GPOPack: Deploy Format of Local GPO
- How to Reset All Local GPO Settings
- How to Import a Local GPO to the AD Domain Group Policy
- LGPO.exe: How to Export and Deploy Local GPO Settings
Issues of Local Group Policy Migration between Computers
The easiest way to migrate local GPO settings between computers is to manually copy the contents of %systemroot%\System32\GroupPolicy folder (by default, this directory is hidden) from one computer to another with replacing its contents (after you replaced the files, run policy update manually using the command gpupdate /force or by restarting your PC).
This method is quite simple, but it has some major faults:
- It can’t be used to migrate local Security Templates;
- GPO may not work if the OS version and its build on a source and a target computer differs;
- You can’t create a domain GPO based on a local policy (by importing a policy to Active Directory domain for its further use);
- When copying a policy, you will have to manually correct any references to the local computer name in the settings;
- There are some issues when migrating custom ADMX templates.
To import/export a local GPO created with gpedit.msc, it’s easier and more convenient to use LocalGPO utility, which is a part of Microsoft Security Compliance Manager 3.0. LocalGPO allows not only to quickly create a backup of a local GPO and restore local policy settings, but also to create an executable file GPOPack to migrate (import) the local GPO settings to another machine in one click.
The LocalGPO tool allows you to export all local policy settings, including those from INF, POL, Audit, firewall sections, etc. LocalGPO perfectly suits for use in the companies without domains to distribute GPO template between computers in the workgroup. It is also very useful in conjunction with the Microsoft Deployment Toolkit (MDT) or SCCM.
How to Install LocalGPO
To install LocalGPO on a local computer (in our case, it will be a master image of the local GPO settings):
- Download Security Compliance Manager (SCM) 3.0 (https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx);
- Open Security_Compliance_Manager_Setup.exe as an archive file using any archiver (7Zip or WinRar).Note. We don’t want to perform a full installation of Security Compliance Manager since it’s quite heavy and contains a lot of components we don’t need for our task (SQL Server Express, Microsoft Visual C++ 2010 Redistributable, etc.).
- Extract data.cab from this archive and unpack it as well (e.g., into C:\Distr\data folder);
- In this directory, find GPOMSI file and rename it to GPO.msi;
- Run GPO.msi installation.
Let’s find out how to use LocalGPO. You can manage it only through the console interface (command prompt). Start the command prompt as administrator and go to the folder C:\Program Files\LocalGPO (for x86 systems) or C:\Program Files (x86)\LocalGPO (for x64 systems).
LocalGPO Tool
---------------------------
This tool only runs on Windows XP Professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012
The fact is that the LocalGPO utility only supports versions of Windows prior to Windows 8 (Windows Server 2012). In newer Windows versions (Windows 8.1, Windows 10) it is recommended to use the new utility LGPO.exe (see the last section in this article). Although technically, the old LocalGPO.wsf script supports both Windows 10 / 8.1 and Windows Server 2016/2012 R2. In order to make LocalGPO.wsf script run correctly in new OSs, it is enough to change the code of the function of checking the OS version (ChkOSVersion) by adding the following lines:
If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
strOS = "Win81"
How to Export a Local Policy Settings
To export local GPO settings to the C:\GPObackup folder (this directory has to be created in advance), run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export
A new folder with some GPO GUID appears in the target directory. It will contain all local policy settings for this computer.
Actually, we have created a local GPO backup, which can be rolled back to any time we need.
The LocalGPO.wsf utility supports Multiple Local GPO (MLGPO). To export a local policy associated with a specific local group or user, you need to use the following format of using LocalGPO.wsf script:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Administrators
or
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:LocalUserName
How to Import Local GPO Settings
To restore Local Group Policy settings from the backup, import them using the following command. Specify the path to the directory containing your backup as an argument:
cscript LocalGPO.wsf /Path:C:\GPObackup\{B6545366-C0B0-4848-BF39-A17F0B4F0E9A}
GPOPack: Deploy Format of Local GPO
With LocalGPO, you can create a GPOPack package which helps to easily deploy local GPO settings to other computers (it doesn’t require installing LocalGPO on the target computer). This format is also convenient to use in OS deployment tasks using Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager (SCCM). To make a portable package, run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /GPOPack
Copy the folder created in the previous step to another computer, to which these policies have to be applied. To do it, start the command prompt with the administrator privileges and run GPOPack.wsf file.
The message “Applied GPOPack to Local Policy” indicates that the policies have been migrated successfully. Now you only have to restart your system and make sure if the same local GPO settings are applied on this computer.
The full list of arguments for LocalGPO.wsf is available with the parameter /?:
cscript LocalGPO.wsf /?
How to Reset All Local GPO Settings
Using LocalGPO, you can reset all local policy settings to the default values. To do it, run the following command:
cscript LocalGPO.wsf /Restore
How to Import a Local GPO to the AD Domain Group Policy
The policy import format of LocalGPO allows to import local group policy settings to a domain GPO. You can do it using the domain GPO backup and restore feature in GPMC (Group Policy Management Console).
LGPO.exe: How to Export and Deploy Local GPO Settings
The LGPO.exe console tool is designed to automate the management of local group policies and is intended to replace the LocalGPO that is no longer supported. Currently it is recommended to use only this utility. LGPO.exe is included into the Security Compliance Manager (SCM) free tool.
You can download LGPO.exe by the following link https://www.microsoft.com/en-us/download/details.aspx?id=55319.
The LGPO.exe utility has the following features:
- Support of local group policy settings exporting;
- Imports GPO settings from backup. Import of registry.pol files, security templates, CSV files are supported;
- Convert registry.pol files to readable LGPO format and vice versa.
To export the current local GPO settings to the specified directory, run the following command:
LGPO.exe /b c:\tools\GPO
The utility will export all current local policy settings to the folder with the group policy GUID.
To present the current GPO settings in the backup file from the registry.pol file in a text-friendly format, run the command:
lgpo.exe /parse /m "C:\tools\GPO\{6DFFB293-675f-4c32-4AB-FD1234567CE}\DomainSysvol\GPO\Machine\registry.pol">>c:\tools\gpo\lgpo.txt
Open the lgpo.txt text file. As you can see, it contains all registry settings that are applied by this policy.
Make the necessary changes to the lgpo.txt registry settings file and convert it to the registry.pol format:
LGPO.exe /r "C:\tools\GPO\lgpo.txt" /w "C:\tools\GPO\registry_new.pol"
Now import the new local policy settings from the pol file:
LGPO.exe /m "C:\tools\GPO\registry_new.pol"
To import (transfer) local GPO settings from this computer to another, copy the directory with the policy on the target computer and run the command:
LGPO.exe /g C:\tools\GPO\
The LGPO v2.2 version supports Multiple Local Group Policy Objects (MLGPO), which allows you to configure individual policies for different users (available in Windows Vista and later).
As you can see, the LGPO.exe utility is very useful for creating a backup of local policies and transferring GPO settings between computers.
