Share via


Utilities for automating Local Group Policy management

Update, 21 January 2016:

LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.

Features:

  • Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
  • Export local policy to a GPO backup.
  • Parse a Registry Policy (registry.pol) file to readable “LGPO text” directly to the console or redirected to a file which can edited and imported into local policy.
  • Build a new Registry Policy (registry.pol) file from “LGPO text”.
  • Enable group policy client side extensions for local policy processing.

LGPO.exe can be downloaded from the Security Guidance blog: https://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx

 

This page has the most recent versions of utilities for automating the management of Local Group Policy Objects (LGPOs). [Update, Jan 15, 2010:  Instead of linking to another page containing the latest versions of the utilities, the utilities will always be attached to this page.]   Because the software hosting this blog allows only one attachment per page, the source code will be posted on another page, with the updated link below.

 

Set_FDCC_LGPO -- applies all the FDCC Group Policies published by NIST on their web site to the Local Group Policy of the Windows XP or Windows Vista computer you run the utility on.

 

 

    • Latest version, Q1 2009 [updated 2009-09-15]

 

  • Webcast:  [getting this fixed]

 

Apply_LGPO_Delta -- automates custom changes to local policy and security settings on the Windows computer you run the utility on.

 

 

    • Latest version (2.1) [updated 2010-01-15]

 

 

ImportRegPol -- reads content from a registry policy (registry.pol) file, and imports it into local policy on the current computer, and/or writes its content to a log file in a format that Apply_LGPO_Delta can use.

 

 

  • Latest version (1.1) [2010-01-15]

 

The latest source code for these utilities is here:  https://blogs.technet.com/fdcc/archive/2010/01/15/updated-lgpo-utility-sources.aspx LGPO-Utilities.zip

Comments

  • Anonymous
    May 07, 2008
    PingBack from http://blogs.technet.com/fdcc/archive/2008/05/07/apply-lgpo-delta-1-0.aspx

  • Anonymous
    May 30, 2008
    In case I actually have any fans that are interested in things I've written outside of this blog (must

  • Anonymous
    April 15, 2009
    [2009-04-15: Attachment removed. Bookmark this page for the latest versions of these utilities.] The

  • Anonymous
    April 15, 2009
    Set_FDCC_LGPO utility updated to conform to NIST's 2008 Q3 update (FDCC Major Version 1.0). Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  • Anonymous
    April 15, 2009
    Set_FDCC_LGPO utility updated to conform to NIST's 2008 Q1 update. Set_FDCC_LGPO is a utility to apply FDCC settings to Local Group Policy.

  • Anonymous
    April 15, 2009
    Published: Set_FDCC_LGPO utility to apply FDCC settings to local group policy.

  • Anonymous
    March 23, 2010
    Can someone tell me where the original copy of the LGPO-Utilities.zip is located? The link from this page only contains the utilities and none of the supporting documentation. [Aaron Margosis]  Updated and improved sample files here: http://blogs.technet.com/fdcc/archive/2010/03/24/sample-files-for-apply-lgpo-delta.aspx The documentation is still there in the Utilities download - look for the .htm files.

  • Anonymous
    April 13, 2012
    Does you tool also import the advanced audit settings. I cannot seem to get them to inport. they are in a .csv file and i do not see that extension mentioned in your readme. [Aaron Margosis] The tools I have written don't include support for the advanced audit settings.  This is because there are no documented/supported interfaces for manipulating those settings, and I am reluctant to apply a reverse-engineering approach, directly modifying the .csv files, etc.  The LocalGPO utility that ships in the Security Compliance Manager includes support for managing those settings.

  • Anonymous
    April 27, 2012
    I'm applying our baseline GPO and win2003-specific GPO as localGPOs with importregpol and applydelta.  If there is overlap, say there are registry settings that are present on both registry.pol files (and resulting text file with importregpol), and I apply both at the sametiem with applygpodelta, will the one that is specified 2nd be the "effective" setting?   [Aaron Margosis]  Yes, whichever is applied last is the one that should "win".

  • Anonymous
    July 03, 2012
    The comment has been removed

  • Anonymous
    July 24, 2012
    I'm using ImportRegPol.exe and Apply_LGPO_Delta.exe in the context of "Creating a Steady State by Using Microsoft Technologies". (www.microsoft.com/.../details.aspx) That document describes the new "multiple LGPOs" capability of Windows 7, where I can use the Group Policy Object Editor (not gpedit.msc) to create a local user GPO for just Administrators, a local user GPO for just non-admins, and a local user GPO for just one account. When I do this manually, it works fine. But when I capture the local user GPO with ImportRegPol.exe -u then restore it with Apply_LGPO_Delta.exe, all the policies apply to all users, not just the groups I created them for. In other words, it looks like "multiple LGPOs" are incompatible with the LGPO utilities. Is this true, or am I doing something wrong? Is there a way to make this work? [Aaron Margosis]  I haven't had a chance yet to add support for multiple LGPOs in these tools.  No estimated date.  None of my customers have asked for it so far.

  • Anonymous
    August 10, 2012
    Can I freely use the source for these tools as part of another product (Kiosk software)?  What are the licensing terms on the source code? [Aaron Margosis]  You can use the source code the way you would any MSDN sample code.

  • Anonymous
    August 23, 2012
    I'm experiencing issues when using Apply_LGPO_Delta to edit list items.  I can add items to a LGPO list but they do not always take effect.  The new list items only work after another item is manually added through GPEdit.msc and GPUpdate /Force is run.  Even that solution is only intermittently effective. I'm adding domains to the Site  to Zone Assignment list with the following entries: Computer SoftwarePoliciesMicrosoftWindowsCurrentVersionInternet Settings ListBox_Support_ZoneMapKey DWORD:1 Computer SoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMapKey *.us.army.mil SZ:2 A second issue with LGPO lists occurs when I configure a site to be deleted, but the DELETE entry remains in LGPO instead of just removing the entry.  This issue doesn't seem to have any negative effects so it's not nearly as serious as the zones not applying. Is anyone else experiencing these issues with LGPO lists and Apply_LGPO_Delta?

  • Anonymous
    October 29, 2012
    Amazing Tool. Not sure how I overlooked it for so long.

  • Anonymous
    February 23, 2013
    Check out LocalGPO.msi which can be found with the Security Compliance Manager v3.0 - recently released. Nice part is you can create GPOPacks which can be applied to your image as part of the MDT Task Sequence... You can also import/export local GPO's. [Aaron Margosis]  Yes, the LocalGPO utility that ships with the Security Compliance Manager has a lot of nice features that these tools don't have.  There are a few things these tools can do that aren't as easy with LocalGPO, but LocalGPO is usually the right way to go.  FWIW, they used some of my source code to build it. :)

  • Anonymous
    September 26, 2013
    The comment has been removed

  • Anonymous
    December 29, 2013
    Pingback from Set_FDCC_LGPO for Windows 7??? - Windows Virtualization Team Blog - TechNetKlub

  • Anonymous
    December 29, 2013
    Along with the release of official government guidance for Windows 7, NIST has rebranded the Federal

  • Anonymous
    December 29, 2013
    Pingback from Set_FDCC_LGPO for Windows 7??? - Microsoft U.S. Partner Team - Partner Community - Microsoft Dynamics Community

  • Anonymous
    December 29, 2013
    Pingback from FDCC is now USGCB - Microsoft U.S. Partner Team - Partner Community - Microsoft Dynamics Community

  • Anonymous
    August 26, 2014
    If you are serious about checking compliance in your System Center Configuration Manager 2012 managed

  • Anonymous
    October 28, 2014
    Utilities for automating Local Group Policy management - Microsoft's USGCB Tech Blog - Site Home - TechNet Blogs