Windows OS Hub / Group Policies / Backup/Restore and Export Local Group Policy Settings to Another Computer

October 9, 2018 Group Policies

Backup/Restore and Export Local Group Policy Settings to Another Computer

Group policies are a powerful and at the same time flexible tool to configure Windows settings and are indispensable means of bringing computers to a single configuration in the Active Directory domain. If there is no domain, single computer settings can be configured using a local group policy. A significant disadvantage of local policies is that they cannot be distributed centrally between computers in the workgroup. As a result, the administrator has to manually configure group policy settings on each computer. If there are many computers and settings to configure, it is not too productive…

It would be appropriate to have one computer in a workgroup with reference settings of local group policies and security settings to be applied to the other computers and after you make any changes you could copy this configuration to other machines.

In this article we’ll consider this scenario. It allows to quickly export and transfer (migrate) local group policy settings from one configured computer to other computers in a workgroup.

Contents:

Issues of Local Group Policy Migration between Computers

The easiest way to migrate local GPO settings between computers is to manually copy the contents of %systemroot%\System32\GroupPolicy folder (by default, this directory is hidden) from one computer to another with replacing its contents (after you replaced the files, run policy update manually using the command gpupdate /force or by restarting your PC).

This method is quite simple, but it has some major faults:

  1. It can’t be used to migrate local Security Templates;
  2. GPO may not work if the OS version and its build on a source and a target computer differs;
  3. You can’t create a domain GPO based on a local policy (by importing a policy to Active Directory domain for its further use);
  4. When copying a policy, you will have to manually correct any references to the local computer name in the settings;
  5. There are some issues when migrating custom ADMX templates.

To import/export a local GPO created with gpedit.msc, it’s easier and more convenient to use LocalGPO utility, which is a part of Microsoft Security Compliance Manager 3.0. LocalGPO allows not only to quickly create a backup of a local GPO and restore local policy settings, but also to create an executable file GPOPack to migrate (import) the local GPO settings to another machine in one click.

Important note. The LocalGPO utility is now deprecated and not officially supported by Microsoft. In addition, it doesn’t work in modern Windows 10 and Windows Server 2016 (although this limitation can be bypassed by modifying the script code, which is described below). To export, import and transfer local GPO settings between computers, it is recommended to use the tool LGPO.exe (examples of using this utility can be found in the last section of this article).

The LocalGPO tool allows you to export all local policy settings, including those from INF, POL, Audit, firewall sections, etc. LocalGPO perfectly suits for use in the companies without domains to distribute GPO template between computers in the workgroup. It is also very useful in conjunction with the Microsoft Deployment Toolkit (MDT) or SCCM.  

How to Install LocalGPO

To install LocalGPO on a local computer (in our case, it will be a master image of the local GPO settings):

  • Download Security Compliance Manager (SCM) 3.0 (https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx);
  • Open Security_Compliance_Manager_Setup.exe as an archive file using any archiver (7Zip or WinRar).
    Note. We don’t want to perform a full installation of Security Compliance Manager since it’s quite heavy and contains a lot of components we don’t need for our task (SQL Server Express, Microsoft Visual C++ 2010 Redistributable, etc.).
    Extract data.cab fromSecurity Compliance Manager (SCM) 3.0
  • Extract data.cab from this archive and unpack it as well (e.g., into C:\Distr\data folder);
  • In this directory, find GPOMSI file and rename it to GPO.msi;GPOMSI
  • Run GPO.msi installation.Setup LocalGPO tool

Let’s find out how to use LocalGPO. You can manage it only through the console interface (command prompt). Start the command prompt as administrator and go to the folder C:\Program Files\LocalGPO (for x86 systems) or C:\Program Files (x86)\LocalGPO (for x64 systems).

Note. If you try to use the LocalGPO utility to migrate local group policies in Windows 10, you will get an error:

LocalGPO Tool
---------------------------
This tool only runs on Windows XP Professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012

LocalGPO Tool This tool only runs on Windows XP Professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012

The fact is that the LocalGPO utility only supports versions of Windows prior to Windows 8 (Windows Server 2012). In newer Windows versions (Windows 8.1, Windows 10) it is recommended to use the new utility LGPO.exe (see the last section in this article). Although technically, the old LocalGPO.wsf script supports both Windows 10 / 8.1 and Windows Server 2016/2012 R2. In order to make LocalGPO.wsf script run correctly in new OSs, it is enough to change the code of the function of checking the OS version (ChkOSVersion) by adding the following lines:

If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
strOS = "Win81"

modify ChkOSVersion function in LocalGPO.wsf to support windows 10

How to Export a Local Policy Settings

To export local GPO settings to the C:\GPObackup folder (this directory has to be created in advance), run this command:

cscript LocalGPO.wsf /Path:C:\GPObackup /Export

LocalGPO export local GPO settings

A new folder with some GPO GUID appears in the target directory. It will contain all local policy settings for this computer.

gpo backup folder

Actually, we have created a local GPO backup, which can be rolled back to any time we need.

The LocalGPO.wsf utility supports Multiple Local GPO (MLGPO). To export a local policy associated with a specific local group or user, you need to use the following format of using LocalGPO.wsf script:

cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Administrators
or
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:LocalUserName

How to Import Local GPO Settings

To restore Local Group Policy settings from the backup, import them using the following command. Specify the path to the directory containing your backup as an argument:
cscript LocalGPO.wsf /Path:C:\GPObackup\{B6545366-C0B0-4848-BF39-A17F0B4F0E9A}
Import local policy settings from LocalGPO

GPOPack: Deploy Format of Local GPO

With LocalGPO, you can create a GPOPack package which helps to easily deploy local GPO settings to other computers (it doesn’t require installing LocalGPO on the target computer). This format is also convenient to use in OS deployment tasks using Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager (SCCM). To make a portable package, run this command:

cscript LocalGPO.wsf /Path:C:\GPObackup /Export /GPOPack

Create GPOPack for deploy

Copy the folder created in the previous step to another computer, to which these policies have to be applied. To do it, start the command prompt with the administrator privileges and run GPOPack.wsf file.

The message “Applied GPOPack to Local Policy” indicates that the policies have been migrated successfully. Now you only have to restart your system and make sure if the same local GPO settings are applied on this computer.

Applied GPOPack to Local Policy

The full list of arguments for LocalGPO.wsf is available with the parameter /?:
cscript LocalGPO.wsf /?

LocalGPO.wsf arguments

How to Reset All Local GPO Settings

Using LocalGPO, you can reset all local policy settings to the default values. To do it, run the following command:
cscript LocalGPO.wsf /Restore

Tip. Earlier we have already shown how to reset the local GPO configuration manually.

How to Import a Local GPO to the AD Domain Group Policy

The policy import format of LocalGPO allows to import local group policy settings to a domain GPO. You can do it using the domain GPO backup and restore feature in GPMC (Group Policy Management Console).

LGPO.exe: How to Export and Deploy Local GPO Settings

The LGPO.exe console tool is designed to automate the management of local group policies and is intended to replace the LocalGPO that is no longer supported. Currently it is recommended to use only this utility. LGPO.exe is included into the Security Compliance Manager (SCM) free tool.

You can download LGPO.exe by the following link https://www.microsoft.com/en-us/download/details.aspx?id=55319.

download lgpo.exe tool

The LGPO.exe utility has the following features:

  • Support of local group policy settings exporting;
  • Imports GPO settings from backup. Import of registry.pol files, security templates, CSV files are supported;
  • Convert registry.pol files to readable LGPO format and vice versa.

To export the current local GPO settings to the specified directory, run the following command:

LGPO.exe /b c:\tools\GPO

lgpo.exe create localgpo backup

The utility will export all current local policy settings to the folder with the group policy GUID.
To present the current GPO settings in the backup file from the registry.pol file in a text-friendly format, run the command:

lgpo.exe /parse /m "C:\tools\GPO\{6DFFB293-675f-4c32-4AB-FD1234567CE}\DomainSysvol\GPO\Machine\registry.pol">>c:\tools\gpo\lgpo.txt

Open the lgpo.txt text file. As you can see, it contains all registry settings that are applied by this policy.

convert registry.pol file to lgpo text format

Make the necessary changes to the lgpo.txt registry settings file and convert it to the registry.pol format:

LGPO.exe /r "C:\tools\GPO\lgpo.txt" /w "C:\tools\GPO\registry_new.pol​"

Now import the new local policy settings from the pol file:

LGPO.exe /m "C:\tools\GPO\registry_new.pol​"

lgpo import registry.pol file

To import (transfer) local GPO settings from this computer to another, copy the directory with the policy on the target computer and run the command:

LGPO.exe /g C:\tools\GPO\

import lgpo settings on another computer

The LGPO v2.2 version supports Multiple Local Group Policy Objects (MLGPO), which allows you to configure individual policies for different users (available in Windows Vista and later).

As you can see, the LGPO.exe utility is very useful for creating a backup of local policies and transferring GPO settings between computers.

20 comments
1
Facebook Twitter Google + Pinterest

Related Reading

Changing Default File Associations in Windows 10 via...

January 21, 2020

Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

December 24, 2019

How to Delete Old User Profiles Using GPO...

November 19, 2019

Managing Windows 10 Start Menu Layout and Taskbar...

November 8, 2019

How to Deploy Printers to Users/Groups/Computers with GPO?

November 5, 2019

20 comments

TonyR October 23, 2015 - 5:51 pm

This is great for 2008/2008R2, but it does not work in 2012/2012R2. Even after you edit the wsf script to stop it from checking for OS (which, if you leave that in, it will TELL you that it cannot run in 2012), but even after commenting that check out, it will run, but it will not actually import the policy settings.

Reply
detroy July 16, 2016 - 12:32 pm

This tool does not run on windows 10 Pro 64 bit. What is other alternative?

Reply
up January 27, 2017 - 3:50 pm

try LGPO.exe from MS

Reply
kyetoy October 10, 2017 - 9:38 pm

Dont Work for Windows 8.1. This tool is only for Windows 8 and before.

Reply
admin October 11, 2017 - 5:42 am

You can use LGPO.exe, which replaces LocalGPO. It is part of the Security Compliance Manager package

Reply
Creating a scheduled task and a local policy for BitLocker to back up the recovery key to Active Directory – System Center Configuration Manager Notes June 13, 2018 - 4:30 pm

[…] here https://technet.microsoft.com/en-us/library/cc936627.aspx to backup the settings (thanks to http://woshub.com/backupimport-local-group-policy-settings/ for pointing me in this direction).  I also created the scheduled task that runs the following on […]

Reply
Vincent Duvernet July 12, 2018 - 9:07 am

Edit LocalGPO.wsf to replace the ChkOSVersion routine (it will support 8.1, 10, 2k16) :

'****************************
'
' Routine Name:
'
' ChkOSVersion
'
' Description :
'
' This routine gets the Operating System's caption,version and Service
' Pack information on the host
'
' Inputs:
'
' None.
'
' Outputs:
'
' None.
'********************************
Sub ChkOSVersion

Dim colOperatingSystems, objOperatingSystem
Dim colComputers, objComputer, strProductType

Set colOperatingSystems = objWMIService.ExecQuery _
("Select * from Win32_OperatingSystem")

For Each objOperatingSystem in colOperatingSystems
strOpSys=objOperatingSystem.Caption
strOpVer=objOperatingSystem.Version
strSPMinorVer=objOperatingSystem.ServicePackMinorVersion
strSPMajorVer=objOperatingSystem.ServicePackMajorVersion
strProductType=objOperatingSystem.ProductType
Next

strComputerRole = NULL

Set colComputers = objWMIService.ExecQuery _
("Select DomainRole from Win32_ComputerSystem")
For Each objComputer in colComputers
Select Case objComputer.DomainRole
Case 0
strComputerRole = "Standalone"
Case 1
strComputerRole = "Member"
Case 2
strComputerRole = "Standalone"
Case 3
strComputerRole = "Member"
End Select
Next

'Checks whether the operating system is Windows XP or _
'Windows Server 2003 or Windows Vista or Windows Server 2008 or _
'Windows 7 or Windows Server 2008 R2 or Windows 8 or Windows Server 8

If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
strOS = "Win81"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
strOS = "WS12"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then
strOS = "Win8"
ElseIf(Left(strOpVer,3) = "6.1") and (strProductType <> "1") then
strOS = "WS08R2"
ElseIf(Left(strOpVer,3) = "6.1") and (strProductType = "1") then
strOS = "Win7"
ElseIf(Left(strOpVer,3) = "6.0") and (strProductType <> "1") then
strOS = "WS08"
ElseIf(Left(strOpVer,3) = "6.0") and (strProductType = "1") then
strOS = "VISTA"
ElseIf(Left(strOpVer,3) = "5.2") and (strProductType <> "1") then
strOS = "WS03"
ElseIf(Left(strOpVer,3) = "5.2") and (strProductType = "1") then
strOS = "XP"
ElseIf(Left(strOpVer,3) = "5.1") and (strProductType = "1") then
strOS = "XP"
Else
strMessage = DisplayMessage(conLABEL_CODE002)
Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle)
Call CleanupandExit
End If
End Sub

Reply
Vincent Duvernet July 12, 2018 - 9:09 am

🙁 the code is not well copied in the comment :
strProductType “1”
should be
strProductType “1”
(remove the space between )

Reply
admin July 13, 2018 - 6:15 am

Hi, thanks for info! I updated your code (this is an old WordPress problem with quotes).

Reply
Shantaram Gawade February 14, 2019 - 6:58 am

LocalGPO is not working for Windows Server 2016 after editing LocalGPO.wsf with above mentioned code, request you to please provide updated LocalGPO.wsf

Reply
Shantaram Gawade February 18, 2019 - 9:15 am

Dear Admin,

Awaiting for your response….
Thanks in Advance!!

Reply
admin March 5, 2019 - 12:28 pm

In Windows 10 and Windows Server 2016 instead of LocalGPO.wsf it is recommended to use lgpo.exe
LocalGPO.wsf is deprecated tool.

Reply
acg June 10, 2019 - 4:11 pm

Great. Thanks
A question: I have manually modified a GPO policy called “prevent the installation of removable devices”. How do I backup/apply/restore this specific policy GPO with LGPO utility v1.0 (LPGO.exe) and apply the changes without restarting the PC?

Reply
admin July 8, 2019 - 5:25 am

You cannot save or restore a separate setting (policy) of a local GPO, only all GPO settings at the same time.

Reply
Acg July 8, 2019 - 12:25 pm

Ok. But how i can reset all gpo?

Reply
Shantaram Gawade July 8, 2019 - 6:49 am

Dear Admin,
Request you to please let me know how should I identify Windows OS version from LocalGPO Backup file.
I am not able to identify the backup file of Windows version while restoring the backup file.

Also Can I restore Windows7 Group Policy Setting file to Windows10 system??
Is there any OS compatibility issues?
Awaiting for your valuable response.

Thanks in Advance.

Reply
acg July 8, 2019 - 1:34 pm

Look at this. Any solution? https://superuser.com/questions/1447033/how-to-reset-gpo-rule

Reply
Ozi January 7, 2020 - 7:53 pm

Спасибо большое за полезную статью – то что искал!..

Reply
Gisabun January 14, 2020 - 1:59 pm

Gents [and ladies?]. Why are you looking at LocalGPO? It is outdated. And if something screws up, MS won’t even hep you. Use LGPO.

Reply

Leave a Comment