Utilities for automating Local Group Policy management


Update, 21 January 2016:

LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.

Features:

  • Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
  • Export local policy to a GPO backup.
  • Parse a Registry Policy (registry.pol) file to readable “LGPO text”, written directly to the console or redirected to a file, which can then be edited and imported into local policy.
  • Build a new Registry Policy (registry.pol) file from “LGPO text”.
  • Enable group policy client side extensions for local policy processing.
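As an added example (not code from this page or from LGPO.exe), a minimal Python round trip between the registry.pol binary format and the four-line LGPO-text records (scope, key, value name, TYPE:data) that the comments on this page show. It implements only DWORD, SZ and the documented **del. deletion convention, and takes the Computer/User scope as a parameter because the file itself does not record which hive it targets; the sample entries in the test are constructed.

```python
import struct
REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)   # "PReg" signature followed by format version 1
U = lambda s: s.encode("utf-16-le")      # registry.pol is UTF-16LE throughout
NUL = b"\0\0"                            # UTF-16LE string terminator

def build_registry_pol(entries):
    """entries: (key, value_name, token, data) tuples in LGPO-text terms; DWORD, SZ, DELETE."""
    out = bytearray(HEADER)
    for key, name, tok, data in entries:
        if tok == "DWORD":
            rtype, raw = REG_DWORD, struct.pack("<I", int(data))
        elif tok == "SZ":
            rtype, raw = REG_SZ, U(data) + NUL
        elif tok == "DELETE":  # registry.pol convention: value "**del.<name>" of type REG_SZ " "
            rtype, raw, name = REG_SZ, U(" ") + NUL, "**del." + name
        else:
            raise ValueError(f"unsupported LGPO type token {tok!r}")
        # record layout: [key;value;type;size;data], strings NUL-terminated, type/size DWORDs
        out += U("[") + U(key) + NUL + U(";") + U(name) + NUL + U(";")
        out += struct.pack("<I", rtype) + U(";") + struct.pack("<I", len(raw)) + U(";")
        out += raw + U("]")
    return bytes(out)

def parse_registry_pol(blob, scope):
    """Inverse of build_registry_pol. The file never records Computer vs User, so the caller passes scope."""
    if blob[:8] != HEADER: raise ValueError("not a version-1 registry.pol file")
    pos, entries = 8, []
    def cstr():                            # NUL-terminated UTF-16LE string starting at pos
        nonlocal pos
        end = next(i for i in range(pos, len(blob), 2) if blob[i:i + 2] == NUL)
        s, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return s
    while pos < len(blob):
        pos += 2                           # '['
        key = cstr(); pos += 2             # key ';'
        name = cstr(); pos += 2            # value name ';'
        rtype, _, size, _ = struct.unpack_from("<I2sI2s", blob, pos); pos += 12  # type ';' size ';'
        data, pos = blob[pos:pos + size], pos + size + 2                          # data then ']'
        if rtype == REG_DWORD:
            val = "DWORD:%d" % struct.unpack("<I", data)[0]
        elif rtype == REG_SZ and name.lower().startswith("**del."):
            name, val = name[6:], "DELETE"
        elif rtype == REG_SZ:
            val = "SZ:" + data.decode("utf-16-le").rstrip("\0")
        else:                              # other registry types: keep raw hex rather than guess
            val = "TYPE%d:%s" % (rtype, data.hex())
        entries.append((scope, key, name, val))
    return entries
```

Parsing the same bytes with scope "Computer" and with scope "User" yields identical records apart from the first field, which is exactly why ImportRegPol requires -m or -u.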

LGPO.exe can be downloaded from the Security Guidance blog:

http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx

This page has the most recent versions of utilities for automating the management of Local Group Policy Objects (LGPOs). [Update, Jan 15, 2010:  Instead of linking to another page containing the latest versions of the utilities, the utilities will always be attached to this page.]  Because the software hosting this blog allows only one attachment per page, the source code will be posted on another page, with the updated link below.

Set_FDCC_LGPO — applies all the FDCC Group Policies published by NIST on their web site to the Local Group Policy of the Windows XP or Windows Vista computer you run the utility on.

  • Latest version, Q1 2009 [updated 2009-09-15]
  • Webcast:  [getting this fixed]

Apply_LGPO_Delta — automates custom changes to local policy and security settings on the Windows computer you run the utility on.

  • Latest version (2.1) [updated 2010-01-15]

ImportRegPol — reads content from a registry policy (registry.pol) file, and imports it into local policy on the current computer, and/or writes its content to a log file in a format that Apply_LGPO_Delta can use.

  • Latest version (1.1) [2010-01-15]

The latest source code for these utilities is here:  http://blogs.technet.com/fdcc/archive/2010/01/15/updated-lgpo-utility-sources.aspx

LGPO-Utilities.zip

Comments (22)

  1. Anonymous says:

    In case I actually have any fans that are interested in things I’ve written outside of this blog (must

  2. Anonymous says:

    [2009-04-15: Attachment removed. Bookmark this page for the latest versions of these utilities.] The

  3. Anonymous says:

    Set_FDCC_LGPO utility updated to conform to NIST’s 2008 Q3 update (FDCC Major Version 1.0). Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  4. Anonymous says:

    Set_FDCC_LGPO utility updated to conform to NIST’s 2008 Q1 update. Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  5. Anonymous says:

    Published: Set_FDCC_LGPO utility to apply FDCC settings to local group policy.

  6. Louis0015 says:

    Can someone tell me where the original copy of the LGPO-Utilities.zip is located? The link from this page only contains the utilities and none of the supporting documentation.

    [Aaron Margosis]  Updated and improved sample files here:

    http://blogs.technet.com/fdcc/archive/2010/03/24/sample-files-for-apply-lgpo-delta.aspx

    The documentation is still there in the Utilities download – look for the .htm files.

  7. april says:

    Does your tool also import the advanced audit settings? I cannot seem to get them to import. They are in a .csv file and I do not see that extension mentioned in your readme.

    [Aaron Margosis] The tools I have written don’t include support for the advanced audit settings.  This is because there are no documented/supported interfaces for manipulating those settings, and I am reluctant to apply a reverse-engineering approach, directly modifying the .csv files, etc.  The LocalGPO utility that ships in the Security Compliance Manager includes support for managing those settings.

  8. Jonathan says:

    I’m applying our baseline GPO and win2003-specific GPO as localGPOs with importregpol and applydelta.  If there is overlap, say there are registry settings that are present on both registry.pol files (and resulting text file with importregpol), and I apply both at the same time with applygpodelta, will the one that is specified 2nd be the "effective" setting?

    [Aaron Margosis]  Yes, whichever is applied last is the one that should "win".

  9. Riley says:

    I’ve noticed that exporting configuration from ImportRegPol always generates "Configuration" as "User" even for Machine settings.  Thus when trying to apply these via Apply_LGPO_Delta the registry keys are generated under the incorrect hive.  If "configuration" is manually written as "Computer" the application works as expected.

    I am on a Windows 2008 R2 server.  Anyone else seeing this behavior?

    [Aaron Margosis]  Registry.pol files don’t specify the hive they should be applied to — they only list subkeys, values, data, commands, etc.  That’s why ImportRegPol makes you specify either -m or -u before the path to the file.  If you’re always getting "User" then it’s because you’re specifying "-u" on the command line.  You should specify "-m" for a registry.pol that contains Computer Configuration settings.

  10. Sande says:

    I’m using ImportRegPol.exe and Apply_LGPO_Delta.exe in the context of "Creating a Steady State by Using Microsoft Technologies". (http://www.microsoft.com/…/details.aspx) That document describes the new "multiple LGPOs" capability of Windows 7, where I can use the Group Policy Object Editor (not gpedit.msc) to create a local user GPO for just Administrators, a local user GPO for just non-admins, and a local user GPO for just one account. When I do this manually, it works fine.

    But when I capture the local user GPO with ImportRegPol.exe -u then restore it with Apply_LGPO_Delta.exe, all the policies apply to all users, not just the groups I created them for. In other words, it looks like "multiple LGPOs" are incompatible with the LGPO utilities. Is this true, or am I doing something wrong? Is there a way to make this work?

    [Aaron Margosis]  I haven’t had a chance yet to add support for multiple LGPOs in these tools.  No estimated date.  None of my customers have asked for it so far.

  11. Mark says:

    Can I freely use the source for these tools as part of another product (Kiosk software)?  What are the licensing terms on the source code?

    [Aaron Margosis]  You can use the source code the way you would any MSDN sample code.

  12. william.dear@qinetiq-na.com says:

    I'm experiencing issues when using Apply_LGPO_Delta to edit list items.  I can add items to a LGPO list but they do not always take effect.  The new list items only work after another item is manually added through GPEdit.msc and GPUpdate /Force is run.  Even that solution is only intermittently effective.

    I'm adding domains to the Site to Zone Assignment list with the following entries:

    Computer
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    ListBox_Support_ZoneMapKey
    DWORD:1

    Computer
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
    *.us.army.mil
    SZ:2

    A second issue with LGPO lists occurs when I configure a site to be deleted, but the DELETE entry remains in LGPO instead of just removing the entry.  This issue doesn't seem to have any negative effects so it's not nearly as serious as the zones not applying.

    Is anyone else experiencing these issues with LGPO lists and Apply_LGPO_Delta?

  13. Matt says:

    Amazing Tool. Not sure how I overlooked it for so long.

  14. Robert says:

    Check out LocalGPO.msi which can be found with the Security Compliance Manager v3.0 – recently released.

    Nice part is you can create GPOPacks which can be applied to your image as part of the MDT Task Sequence… You can also import/export local GPO’s.

    [Aaron Margosis]  Yes, the LocalGPO utility that ships with the Security Compliance Manager has a lot of nice features that these tools don’t have.  There are a few things these tools can do that aren’t as easy with LocalGPO, but LocalGPO is usually the right way to go.  FWIW, they used some of my source code to build it. :)

  15. kajmak says:

    Thank you. These are very useful tools. I have recently started using these in production – better late than ever :) . As usual, I read the source code to get a better understanding of how things work.

    I have, however, found an error in the latest source code that I want to share.

    LocalGPO.cpp :

    1) HRESULT hrUser = m_pLGPO->Save(FALSE, TRUE, &RegistryId, &ThisAdminToolGuid);
    2) if ( hrSharingViolation == hrUser )
    3) {
    4)     for (int retry = 0; retry < retries; ++retry)
    5)     {
    6)         Sleep(retryDelay_ms);
    7)         hrUser = m_pLGPO->Save(TRUE, TRUE, &RegistryId, &ThisAdminToolGuid);
    8)         if ( hrSharingViolation != hrUser )
    9)             break;
           }
       }

    Line 7 should be: hrUser = m_pLGPO->Save(FALSE, TRUE, &RegistryId, &ThisAdminToolGuid);

    Happy coding :)

    [Aaron Margosis]  Good catch.  It’s obviously a copy/paste error from the previous block that saved machine settings.  The bug will manifest if the tool ever hits a sharing violation while applying user policies.  Hopefully that’s never hit anyone, but odds are it either has or will someday.  I’ll try to post updates.  Thanks.

  16. Anonymous says:

    Pingback from Set_FDCC_LGPO for Windows 7??? – Windows Virtualization Team Blog – TechNetKlub

  17. Anonymous says:

    Along with the release of official government guidance for Windows 7, NIST has rebranded the Federal

  18. Anonymous says:

    Pingback from Set_FDCC_LGPO for Windows 7??? – Microsoft U.S. Partner Team – Partner Community – Microsoft Dynamics Community

  19. Anonymous says:

    Pingback from FDCC is now USGCB – Microsoft U.S. Partner Team – Partner Community – Microsoft Dynamics Community

  20. Anonymous says:

    If you are serious about checking compliance in your System Center Configuration Manager 2012 managed

  21. Anonymous says:

    Utilities for automating Local Group Policy management – Microsoft’s USGCB Tech Blog – Site Home – TechNet Blogs