LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD


LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for /e mnemonic options to enable the GP client side extensions for LAPS, Credential Guard, and Device Guard.

Full details are in the LGPO.pdf in the download. For more information about MLGPO, please review this: Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

If these new features are valuable to you, please test them in your environments and let us know through the comments on this blog post how well they meet your needs.

Thanks.

[Update: the latest version of LGPO.exe is here.]


Comments (21)

  1. Pete says:

    LGPO.exe should only output errors to the error stream.
    The command:
    LGPO.exe 1>out.txt 2>err.txt
    Writes all its output to err.txt, but it shouldn't write anything to the error stream because it is not an error.

    [Aaron Margosis] There appear to be different philosophies about that. In my experience it's not unusual for banner, diagnostic, and usage information to be written to stderr, and for results to be written to stdout. For example, when you use the /parse option, you wouldn't want the banner information to be written to stdout, because then you'd have to edit the output before it could be used.

    Is the output to stderr causing problems for you?

  2. RSH_SBS says:

    Hi, I would like to use this tool in a commercial product. Is this legal? Where can I find the license information? Thanks!

    [Aaron Margosis] You should not incorporate it directly. You can have your customers download it separately. Note that the tool is not officially supported at this time, and is "as is," in a manner similar to the Sysinternals utilities. We hope in the near future to give LGPO.exe a more permanent home than blog posts.

  3. Andrew Underwood says:

    I seem to be having difficulty using the "/b" option to create a backup of local policy. I've used both the v2 pre-release and v1 versions of LGPO, a server 2012R2 machine and a Win 10 machine, and they all get the same error. I've also made sure I'm running the tool from an elevated command prompt. The machines are not joined to a domain.

    So say I run "LGPO.exe /b test" I get the error "Invalid directory name for GPO backup: test"
    If I "mkdir test" then run the command again, I get the error:
    Creating LGPO backup in "test\{DB9CC139-43C6-4196-9C19-FAEC4294DA1F}"
    Unable to create subdirectory:

    The specified path is invalid.

    (Error # 161 = 0x000000a1)

    I'm running this in my Downloads folder, I have write access to the directory. Am I doing something wrong?

    [Aaron Margosis] Try specifying a full path instead of a relative path.

    1. Andrew Underwood says:

      That works, thanks!

  4. Felix says:

    The lgpo.pdf states that "Note that the /b option does not back up MLGPO configuration settings.". So, how can I export my existing MLGPO configuration settings and then import and apply it to a local user on another PC?

    [Aaron Margosis] Copy out the registry.pol and apply it to the other PC with LGPO.exe and the /ua, /un, or /u:username switches.

  5. Davidinfo says:

    Hi,
    Could it be possible to add the possibility to apply the GP Preferences from a domain GPO Backup?
    Is it possible to enable many client side extensions, as I have multiple different settings in the same GPO?
    Thanks,

    [Aaron Margosis] No support for Group Policy Preferences at this time. Yes, you can enable as many CSEs as you want. /e zone /e audit /e {guid} ...

    1. Davidinfo says:

      Thanks Aaron, this works well.
      Do you know when the final version will be released? Indeed, I need to put it in production soon for the Windows 2016 Server image deployment.

  6. Dave says:

    I currently have "custom" admx files added to my local GPO. One is from Google for Chrome and the other is from Microsoft for Office 2016/Office 365. However, on the computer I am trying to import these policies to it does not import despite the importing computer having the proper admx and adml files installed already. When I check after import the custom admx have all default values. Is there a reason why LGPO does not also backup those custom admx files settings? If not is there a way it can? This would be very important for anyone with extra admx files added. Any help would be very much appreciated.

    [Aaron Margosis] What are you trying to import? Backed-up GPOs, "LGPO text", or individual GPO files (registry.pol, GptTmpl.inf, audit.csv)?

    1. Dave says:

      Aaron,

      I figured out the reason. The antivirus solution was blocking some of the functions of the LGPO.exe so it was only importing some of the elements. Once I whitelisted LGPO.exe it was importing all the GPO settings properly including the custom admx templates settings. Thanks for getting back to me and just wanted to let you know the outcome. Also thank you for LGPO it is a life saver for those without an AD server.

  7. Dave says:

    I have noticed that if there are pre-existing security policies e.g. Software Restriction Policies, those policies do not get removed on LGPO import "/g", but remain after a new import. For example I have a manually added SRP path disallowed for "C:\Windows\Temp". When I import a policy that was exported by LGPO from a different system that does not have that particular SRP the computer still has C:\Windows\Temp listed. So the old/existing policies on the computer you are importing to remain even though the new policy does not have them. Is there any way around this? Or should I run a policy clear command such as secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose first before importing?

    [Aaron Margosis] LGPO.exe does not clear existing local policies, other than /ac which clears advanced auditing policies before applying new ones, and anything you explicitly remove with a "CLEAR" command in an LGPO-text file.

    1. Dave says:

      Aaron,

      Thanks for the reply. So is there any way to clear existing SRP policies before import to prevent this issue I am running into? Can the clear command do this and if so would you mind providing an example? Thanks again for the help, you are great!

      [Aaron Margosis] You're welcome, and thanks for the nice comment.

      To create a file that just removes the SRP policies, I'd start by getting an LGPO-text file of the existing Machine\Registry.pol:
      LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\registry.pol > MyLgpo.txt
      The CLEAR command removes subkeys and values, so identify the highest-level keys listed in MyLgpo.txt pertaining to the SRP entries (I think they all have \Safer in their key names). For each key under which you want to remove all subkeys and values from policy, create an entry like this:

      Computer
      Software\Policies\Microsoft\Windows\Safer
      *
      CLEAR
      Apply it with LGPO.exe /t MyEditedLgpo.txt

      Hope this helps!

      1. Dave says:

        That makes sense. I did attempt to use CLEAR with my file per your suggestion, but an error was produced. I tried using DELETEALLVALUES instead and it worked, but with the local security policies they were not cleared out from secpol.msc. Does the clear command do something special not registry related to clear these values out? If so, I also wonder why clear was producing the error below. Thank you in advance!

        Apply registry-based settings from LGPO text file: C:\Program Files\GPO\clearsafer.txt
        Format error - invalid action: CLEAR
        Policy processing aborted due to file format error

        [Aaron Margosis] Make sure you're using the v2 version on this blog post and not the LGPO.exe v1, which didn't include support for the "CLEAR" action.

  8. Dayne says:

    Hi, I am getting the error below when I GPO template that only has Account Lock Duration, Account lockout threshold and Reset Account lockout counter after. From a default pc that has no GPO settings, after running my GPO setting using LGPO, I would get this error and the options are put to the default values compared to what I want it to be. Please assist.
    "The task has completed with an error.
    SECEDIT.EXE exited with exit code 1 "

    [Aaron Margosis] Add /v to the LGPO.exe command line. That should capture detailed secedit.exe output.

    1. Dayne says:

      I already have /v. The command I am using is ".\LGPO.exe /g $pwd\RBL_2012_Account_Lock /v > lgpo_1.out 2> lgpo_1.err" in powershell. The links show the output of the files. https://jpst.it/VUpr and https://jpst.it/VUpK

      [Aaron Margosis] Can you post the GptTmpl.inf file somewhere? It seems that there might be something unexpected in it.

      1. Dayne says:

        Here it is. https://jpst.it/VYHJ

        [Aaron Margosis] This line is invalid:
        LockoutDuration=0
        If you want to set an infinite lockout, it should be LockoutDuration=-1. If you set 0 in the security policy editor, it actually writes -1 into the template.

        1. Dayne says:

          It works now, thanks 😀
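
A pre-flight check for the template problem diagnosed in this thread, added here as example code (not part of LGPO.exe or secedit). It assumes the standard GptTmpl.inf layout: an INI-style file, normally UTF-16LE with a BOM, whose [System Access] section carries the lockout settings; the template it runs on is a constructed sample.

```python
import re

# Matches the LockoutDuration line inside [System Access]; the groups keep the
# original spacing so the fix rewrites only the number.
LOCKOUT = re.compile(r"^(\s*LockoutDuration\s*=\s*)(-?\d+)(\s*)$", re.IGNORECASE)

def decode_template(raw):
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def check_lockout_duration(text):
    """Return (fixed_text, findings). secedit rejects LockoutDuration=0; the
    security policy editor writes -1 for 'never expire', so that is substituted."""
    fixed, findings, section = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("["):
            section = line.strip().strip("[]")
        m = LOCKOUT.match(line) if section == "System Access" else None
        if m and int(m.group(2)) == 0:
            findings.append(f"line {lineno}: LockoutDuration=0 is invalid, rewriting as -1")
            line = f"{m.group(1)}-1{m.group(3)}"
        fixed.append(line)
    return "\n".join(fixed) + "\n", findings

# Constructed sample template reproducing the failure reported above.
SAMPLE = """[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    text, problems = check_lockout_duration(decode_template(SAMPLE.encode("utf-16")))
    print("\n".join(problems) or "template OK")
```

Run it against the GptTmpl.inf inside a GPO backup before calling LGPO.exe /g, and write the fixed text back as UTF-16 so secedit reads it.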

  9. Alex says:

    Thanks very much for releasing V2.0 - It is great to see a utility that allows targeting of Non-Administrators and Administrators separately. I am currently working on a fleet of standalone laptops that aren't domain connected which we build via SCCM. I currently have a basic group policy which I have built up through the group policy management tool on our DC which includes a policy for Non-Administrators, Machine Policy & All User Policy. I export the policies from the DC as a backup and use LGPO to import the policy via the registry.pol file to the laptops within the task sequencing targeting Non-Administrators, User & Machine. I find however there are a few security settings such as 'Interactive logon: Message text for users attempting to log on' and password policies that don't get applied as part of LGPO and I have had to use SECEDIT to import a separate policy. This is fine, however for anyone else to follow what I have done is confusing. Should this work or am I doing something wrong?

    [Aaron Margosis] The user policies are all represented in registry.pol files. Many system-wide policies are also represented in registry.pol files, but a number of them are implemented in security templates (gpttmpl.inf) and advanced audit CSV files (audit.csv). LGPO.exe can handle all of these file types, as well as entire GPO backups. See the documentation that comes with the tool.

  10. Tony says:

    Can this tool be used to apply applocker settings?

    [Aaron Margosis] Yes.

  11. Tony says:

    Thank you so much for this tool!

    I'd like to see it leave "pre-release" status (my colleagues don't like that I am using a "beta" tool for our production deployments).

    Suggestion for next version:
    -> Add support for preferences. Even if you only support registry preferences and only for the computer, it'd be helpful.

  12. Maxim Khitrov says:

    The conversion input.pol -> lgpo.txt -> output.pol does not produce binary-identical files if the input contains MULTISZ data. It's a minor thing, but it would be nice to generate exactly the same output.

    The issue is the number of null bytes generated for the data field. An empty MULTISZ entry in the input (created with gpedit) contains 2 null bytes for data and a size of 2. Converting this to lgpo.txt produces "MULTISZ:\0" on the action line. Converting that action back to binary format produces 6 null bytes for data. If the action line is changed to "MULTISZ:" (no '\0'), then the binary version will contain 4 null bytes.

    Is there a difference between 2, 4, and 6 null bytes in the data for MULTISZ fields? Which is the normalized version? If 2 is acceptable, then I think that's what LGPO.exe should generate, and I would also leave out '\0' from the action line if that one null character is implicit.

    [Aaron Margosis] I've spent a bit of time working on this one. Ultimately I don't think it matters in terms of functionality, as the MSDN documentation indicates that REG_MULTI_SZ doesn't support zero-length strings. It is possible to set a multi-sz value to lots of nulls using APIs, but the interactive Regedit tool will alter it. Having the extra pair of null bytes might help with some programs, as the documentation also implies that the minimum size will be four bytes ("two terminating [Unicode] null characters").

  13. Adam says:

    Thanks so much for this tool! It really comes in handy when configuring kiosk or public-use workstations. There is one piece that I cannot get to work and that is the ability to export Logon/Logoff script settings using MLGPO. I usually approach creating my exports by setting all GPOs in the global context. I then export. It is during import that I send those GPOs to the Non-Admin or User-specific context. With past versions of this utility, I had the best success doing things this way. So, in this case, I have set all my GPOs, including a logoff script setting that points to a logoff script stored in the C:\Program Files path. I export all settings with /b. When I import, using /un and specifying the User registry.pol file from my export, the Logoff script setting is not set. Does this information get recorded elsewhere during the export? Is there a way to successfully export/import logon/logoff script GPOs? Thanks again!

    [Aaron Margosis] The backup captures the registry configuration, but it doesn't capture files referenced by the registry settings. The per-user logoff script should be referenced in Software\Policies\Microsoft\Windows\System\Scripts\Logoff. If you copy the file(s) it references to the corresponding location on the target system, it should work.

    BTW, note that an updated version has just been released. See above.
