LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD


LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for /e mnemonic options to enable the GP client side extensions for LAPS, Credential Guard, and Device Guard.

Full details are in the LGPO.pdf in the download. For more information about MLGPO, please review this: Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

If these new features are valuable to you, please test them in your environments and let us know through the comments on this blog post how well they meet your needs.

Thanks.

LGPOv2-PRE-RELEASE


Comments (16)

  1. Pete says:

    LGPO.exe should only output errors to the error stream.
    The command:
    LGPO.exe 1>out.txt 2>err.txt
    Writes all its output to err.txt, but it shouldn’t write anything to the error stream because it is not an error.

    [Aaron Margosis] There appear to be different philosophies about that. In my experience it’s not unusual for banner, diagnostic, and usage information to be written to stderr, and for results to be written to stdout. For example, when you use the /parse option, you wouldn’t want the banner information to be written to stdout, because then you’d have to edit the output before it could be used.

    Is the output to stderr causing problems for you?

  2. RSH_SBS says:

    Hi, i would like to use this tool in a commercial product, is this legal? Where can i find the license Informations? Thanks!

    [Aaron Margosis] You should not incorporate it directly. You can have your customers download it separately. Note that the tool is not officially supported at this time, and is “as is,” in a manner similar to the Sysinternals utilities. We hope in the near future to give LGPO.exe a more permanent home than blog posts.

  3. Andrew Underwood says:

    I seem to be having difficulty using the “/b” option to create a backup of local policy. I’ve used both the v2 pre-release and v1 versions of LGPO, a server 2012R2 machine and a Win 10 machine, and they all get the same error. I’ve also made sure I’m running the tool from an elevated command prompt. The machines are not joined to a domain.

    So say I run “LGPO.exe /b test” I get the error “Invalid directory name for GPO backup: test”
    If I “mkdir test” then run the command again, I get the error:
    Creating LGPO backup in “test\{DB9CC139-43C6-4196-9C19-FAEC4294DA1F}”
    Unable to create subdirectory:

    The specified path is invalid.

    (Error # 161 = 0x000000a1)

    I’m running this in my Downloads folder, I have write access to the directory. Am I doing something wrong?

    [Aaron Margosis] Try specifying a full path instead of a relative path.

    1. Andrew Underwood says:

      That works, thanks!

  4. Felix says:

    The lgpo.pdf states that “Note that the /b option does not back up MLGPO configuration settings.”. So, how can I export my existing MLGPO configuration settings and then import and apply it to a local user on another PC?

    [Aaron Margosis] Copy out the registry.pol and apply it to the other PC with LGPO.exe and the /ua, /un, or /u:username switches.

  5. Davidinfo says:

    Hi,
    Could it be possible to add the possibility to apply the GP Preferences from a domain GPO Backup?
    Is it possible to enable many client-side extensions, as I have multiple different settings in the same GPO?
    Thanks,

    [Aaron Margosis] No support for Group Policy Preferences at this time. Yes, you can enable as many CSEs as you want. /e zone /e audit /e {guid}

    1. Davidinfo says:

      Thanks Aaron, this works well.
      Do you know when the final version will be released? Indeed, I need to put it in production soon for the Windows 2016 Server image deployment.

  6. Dave says:

    I currently have “custom” admx files added to my local GPO. One is from Google for Chrome and the other is from Microsoft for Office 2016/Office 365. However, on the computer I am trying to import these policies to it does not import despite the importing computer having the proper admx and adml files installed already. When I check after import the custom admx have all default values. Is there a reason why LGPO does not also backup those custom admx files settings? If not is there a way it can? This would be very important for anyone with extra admx files added. Any help would be very much appreciated.

    [Aaron Margosis] What are you trying to import? Backed-up GPOs, “LGPO text”, or individual GPO files (registry.pol, GptTmpl.inf, audit.csv)?

    1. Dave says:

      Aaron,

      I figured out the reason. The antivirus solution was blocking some of the functions of the LGPO.exe so it was only importing some of the elements. Once I whitelisted LGPO.exe it was importing all the GPO settings properly including the custom admx templates settings. Thanks for getting back to me and just wanted to let you know the outcome. Also thank you for LGPO it is a life saver for those without an AD server.

  7. Dave says:

    I have noticed that if there are pre-existing security policies e.g. Software Restriction Policies, those policies do not get removed on LGPO import “/g”, but remain after a new import. For example I have a manually added SRP path disallowed for “C:\Windows\Temp”. When I import a policy that was exported by LGPO from a different system that does not have that particular SRP the computer still has C:\Windows\Temp listed. So the old/existing policies on the computer you are importing to remain even though the new policy does not have them. Is there any way around this? Or should I run a policy clear command such as secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose first before importing?

    [Aaron Margosis] LGPO.exe does not clear existing local policies, other than /ac which clears advanced auditing policies before applying new ones, and anything you explicitly remove with a “CLEAR” command in an LGPO-text file.

    1. Dave says:

      Aaron,

      Thanks for the reply. So is there any way to clear existing SRP policies before import to prevent this issue I am running into? Can the clear command do this and if so would you mind providing an example? Thanks again for the help, you are great!

      [Aaron Margosis] You’re welcome, and thanks for the nice comment.

      To create a file that just removes the SRP policies, I’d start by getting an LGPO-text file of the existing Machine\Registry.pol:
      LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\registry.pol > MyLgpo.txt
      The CLEAR command removes subkeys and values, so identify the highest-level keys listed in MyLgpo.txt pertaining to the SRP entries (I think they all have \Safer in their key names). For each key under which you want to remove all subkeys and values from policy, create an entry like this:

      Computer
      Software\Policies\Microsoft\Windows\Safer
      *
      CLEAR

      Apply it with LGPO.exe /t MyEditedLgpo.txt

      Hope this helps!

      1. Dave says:

        That makes sense. I did attempt to use CLEAR with my file per your suggestion, but an error was produced. I tried using DELETEALLVALUES instead and it worked, but with the local security policies they were not cleared out from secpol.msc. Does the clear command do something special not registry related to clear these values out? If so, I also wonder why clear was producing the error below. Thank you in advance!

        Apply registry-based settings from LGPO text file: C:\Program Files\GPO\clearsafer.txt
        Format error – invalid action: CLEAR
        Policy processing aborted due to file format error

        [Aaron Margosis] Make sure you’re using the v2 version on this blog post and not the LGPO.exe v1, which didn’t include support for the “CLEAR” action.
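
The script below is an added example, not code from the blog post or from LGPO.exe itself. It automates the procedure Aaron describes in comment 7: read the LGPO-text file produced by LGPO.exe /parse, find the highest-level keys whose path contains \Safer, write one CLEAR record for each of them, and optionally apply the result with LGPO.exe v2 /t. It assumes the LGPO-text layout the /parse option emits (four-line records separated by blank lines, with ";" comment lines), that an LGPO.exe v2 build sits in the current directory, and that it is run from an elevated prompt; the file names MyLgpo.txt and ClearSafer.txt are placeholders.

```powershell
# Added example (not from the blog post or LGPO's own docs): build an LGPO-text file
# that CLEARs every Software Restriction Policy (Safer) key found in a parsed
# Machine\registry.pol, then optionally apply it with LGPO.exe v2 /t.
# Assumed input: LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\registry.pol > MyLgpo.txt
param(
    [string]$ParsedLgpoText = '.\MyLgpo.txt',
    [string]$OutFile        = '.\ClearSafer.txt',
    [string]$Scope          = 'Computer',   # use 'User' for per-user SRP records
    [switch]$Apply
)

# LGPO text is a series of 4-line records (scope, key, value name, action/data)
# separated by blank lines; lines beginning with ';' are comments.
$lines = Get-Content -LiteralPath $ParsedLgpoText | Where-Object { $_ -notmatch '^\s*;' }
$keys = New-Object System.Collections.Generic.List[string]
$record = @()
foreach ($line in @($lines) + '') {        # trailing '' flushes the last record
    if ($line.Trim() -eq '') {
        if ($record.Count -ge 2 -and $record[0] -eq $Scope -and $record[1] -match '\\Safer(\\|$)') {
            # Keep the path up to and including the top-level Safer key, so one
            # CLEAR covers every subkey beneath it (CodeIdentifiers, Paths, ...).
            $keys.Add(($record[1] -replace '(?i)(\\Safer)\\.*$', '$1'))
        }
        $record = @()
    } else {
        $record += $line
    }
}

$distinct = $keys | Sort-Object -Unique
if (-not $distinct) {
    Write-Warning "No $Scope keys containing '\Safer' found in $ParsedLgpoText"
    return
}

# One CLEAR record per top-level Safer key. '*' as the value name with CLEAR removes
# the key's values and subkeys from policy (LGPO.exe v2 syntax; v1 rejects CLEAR).
$out = foreach ($k in $distinct) { $Scope; $k; '*'; 'CLEAR'; '' }
$out | Set-Content -LiteralPath $OutFile -Encoding ASCII
Write-Host "Wrote $(@($distinct).Count) CLEAR record(s) to $OutFile"

if ($Apply) {
    & .\LGPO.exe /t $OutFile
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /t failed with exit code $LASTEXITCODE" }
}
```

Run it once without -Apply and inspect ClearSafer.txt before applying; the CLEAR removes the whole Safer subtree from local policy, so any SRP rules you want to keep must come back in with the subsequent /g import. Because LGPO.exe only adds to or removes from what is already there, this clear-then-import sequence is the way to make a machine match the exported policy exactly.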
  8. Dayne says:

    Hi, I am getting the error below when I apply a GPO template that only has Account Lock Duration, Account lockout threshold and Reset Account lockout counter after. From a default pc that has no GPO settings, after running my GPO setting using LGPO, I would get this error and the options are put to the default values compared to what I want it to be. Please assist.
    “The task has completed with an error.
    SECEDIT.EXE exited with exit code 1 ”

    [Aaron Margosis] Add /v to the LGPO.exe command line. That should capture detailed secedit.exe output.

    1. Dayne says:

      I already have /v. The command I am using is “.\LGPO.exe /g $pwd\RBL_2012_Account_Lock /v > lgpo_1.out 2> lgpo_1.err” in powershell. The links show the output of the files. https://jpst.it/VUpr and https://jpst.it/VUpK

      [Aaron Margosis] Can you post the GptTmpl.inf file somewhere? It seems that there might be something unexpected in it.

      1. Dayne says:

        Here is it. https://jpst.it/VYHJ

        [Aaron Margosis] This line is invalid:
        LockoutDuration=0
        If you want to set an infinite lockout, it should be LockoutDuration=-1. If you set 0 in the security policy editor, it actually writes -1 into the template.

        1. Dayne says:

          It works now, thanks 😀
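
The check below is an added example, not code from the blog post or from LGPO.exe's documentation. It reads the [System Access] section of a GptTmpl.inf, flags the LockoutDuration=0 mistake from comment 8 (the value secedit.exe rejects), plus two related lockout-value constraints Windows enforces, and rewrites the bad value to -1 so LGPO.exe /g can hand the template to secedit without the exit code 1 failure. The function names Test-LockoutPolicy and Repair-LockoutDuration and the sample template are invented for illustration; the in-place fix at the end assumes the path of the backup you are about to import.

```powershell
# Added example (not from the blog post): lint the lockout values in a GptTmpl.inf
# before handing a GPO backup to LGPO.exe /g, and fix the one value secedit rejects.

function Test-LockoutPolicy {
    param([Parameter(Mandatory)][string[]]$IniLines)
    # Collect Key=Value pairs from the [System Access] section only.
    $values = @{}; $inSection = $false
    foreach ($line in $IniLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $values[$Matches[1]] = [int]$Matches[2] }
    }
    $problems = @()
    if ($values.ContainsKey('LockoutDuration') -and $values.LockoutDuration -eq 0) {
        # The policy editor writes -1 for "never expire"; 0 is not a valid template value.
        $problems += 'LockoutDuration=0 is invalid in a template; use LockoutDuration=-1 for an indefinite lockout.'
    }
    if ($values.ContainsKey('LockoutBadCount') -and $values.LockoutBadCount -eq 0 -and
        ($values.ContainsKey('LockoutDuration') -or $values.ContainsKey('ResetLockoutCount'))) {
        $problems += 'LockoutBadCount=0 disables lockout, so LockoutDuration/ResetLockoutCount have no effect.'
    }
    if ($values.ContainsKey('ResetLockoutCount') -and $values.ContainsKey('LockoutDuration') -and
        $values.LockoutDuration -gt 0 -and $values.ResetLockoutCount -gt $values.LockoutDuration) {
        $problems += 'ResetLockoutCount must be <= LockoutDuration (unless LockoutDuration=-1).'
    }
    [pscustomobject]@{ Values = $values; Problems = $problems }
}

function Repair-LockoutDuration {
    param([Parameter(Mandatory)][string[]]$IniLines)
    # Rewrite only inside [System Access]; every other line passes through unchanged.
    $inSection = $false
    foreach ($line in $IniLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access') }
        if ($inSection -and $line -match '^\s*LockoutDuration\s*=\s*0\s*$') { 'LockoutDuration = -1' } else { $line }
    }
}

# Constructed sample mirroring the failing case from the thread: lockout after 5 bad
# attempts, counter reset after 30 minutes, and a "never expire" duration written as 0.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$check = Test-LockoutPolicy -IniLines $sample
$check.Problems | ForEach-Object { Write-Warning $_ }      # reports the LockoutDuration=0 problem
$fixed = Repair-LockoutDuration -IniLines $sample
(Test-LockoutPolicy -IniLines $fixed).Problems.Count       # 0 once LockoutDuration is -1

# To fix a real backup in place before LGPO.exe /g, keeping the file UTF-16 as secedit expects:
# $path = 'C:\backup\{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf'
# Repair-LockoutDuration (Get-Content -LiteralPath $path) | Set-Content -LiteralPath $path -Encoding Unicode
```

Running the check before every import is cheaper than reading secedit's verbose log after the fact: LGPO.exe passes the template through to secedit.exe, so a template secedit cannot parse fails the whole /g run and leaves the machine on its defaults, exactly the symptom in the thread.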
