LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD


LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for /e mnemonic options to enable the GP client side extensions for LAPS, Credential Guard, and Device Guard.

Full details are in the LGPO.pdf in the download. For more information about MLGPO, please review this: Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

If these new features are valuable to you, please test them in your environments and let us know through the comments on this blog post how well it meets your needs.

Thanks.

LGPOv2-PRE-RELEASE


Comments (9)

  1. Pete says:

    LGPO.exe should only output errors to the error stream.
    The command:
    LGPO.exe 1>out.txt 2>err.txt
    Writes all its output to err.txt, but it shouldn’t write anything to the error stream because it is not an error.

    [Aaron Margosis] There appear to be different philosophies about that. In my experience it’s not unusual for banner, diagnostic, and usage information to be written to stderr, and for results to be written to stdout. For example, when you use the /parse option, you wouldn’t want the banner information to be written to stdout, because then you’d have to edit the output before it could be used.

    Is the output to stderr causing problems for you?

  2. RSH_SBS says:

    Hi, i would like to use this tool in a commercial product, is this legal? Where can i find the license Informations? Thanks!

    [Aaron Margosis] You should not incorporate it directly. You can have your customers download it separately. Note that the tool is not officially supported at this time, and is “as is,” in a manner similar to the Sysinternals utilities. We hope in the near future to give LGPO.exe a more permanent home than blog posts.
  3. Andrew Underwood says:

    I seem to be having difficulty using the “/b” option to create a backup of local policy. I’ve used both the v2 pre-release and v1 versions of LGPO, a server 2012R2 machine and a Win 10 machine, and they all get the same error. I’ve also made sure I’m running the tool from an elevated command prompt. The machines are not joined to a domain.

    So say I run “LGPO.exe /b test” I get the error “Invalid directory name for GPO backup: test”
    If I “mkdir test” then run the command again, I get the error:
    Creating LGPO backup in “test\{DB9CC139-43C6-4196-9C19-FAEC4294DA1F}”
    Unable to create subdirectory:

    The specified path is invalid.

    (Error # 161 = 0x000000a1)

    I’m running this in my Downloads folder, I have write access to the directory. Am I doing something wrong?

    [Aaron Margosis] Try specifying a full path instead of a relative path.
    1. Andrew Underwood says:

      That works, thanks!

  4. Felix says:

    The lgpo.pdf states that “Note that the /b option does not back up MLGPO configuration settings.”. So, how can I export my existing MLGPO configuration settings and then import and apply it to a local user on another PC?

    [Aaron Margosis] Copy out the registry.pol and apply it to the other PC with LGPO.exe and the /ua, /un, or /u:username switches.
  5. Davidinfo says:

    Hi,
    Could it be possible to add the possibility to apply the GP Preferences from a domain GPO Backup?
    It is possible to enable many client sides extensions as I have multiple different settings in same GPO?
    Thanks,

    [Aaron Margosis] No support for Group Policy Preferences at this time. Yes, you can enable as many CSEs as you want. /e zone /e audit /e {guid}
    1. Davidinfo says:

      Thanks Aaron, this works well.
      Did you know when the final version will be released? Indeed, I need to put it in production soon for the Windows 2016 Server image deployment.

  6. Dave says:

    I currently have “custom” admx files added to my local GPO. One is from Google for Chrome and the other is from Microsoft for Office 2016/Office 365. However, on the computer I am trying to import these polices to it does not import despite the importing computer having the proper admx and adml files installed already. When I check after import the custom admx have all default values. Is there a reason why LGPO does not also backup those custom admx files settings? If not is there a way it can? This would be very important for anyone with extra admx files added. Any help would be very much appreciated.

    [Aaron Margosis] What are you trying to import? Backed-up GPOs, “LGPO text”, or individual GPO files (registry.pol, GptTmpl.inf, audit.csv)?
    1. Dave says:

      Aaron,

      I figured out the reason. The antvirus solution was blocking some of the functions of the LGPO.exe so it was only importing some of the elements. Once I whitelisted LGPO.exe it was importing all the GPO settings properly including the custom admx templates settings. Thanks for getting back to me and just wanted to let you know the outcome. Also thank you for LGPO it is a life saver for those without an AD server.

Skip to main content