LGPO.exe - Local Group Policy Object Utility, v1.0
LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.
Features:
- Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
- Export local policy to a GPO backup.
- Parse a Registry Policy (registry.pol) file to readable "LGPO text", either directly to the console or redirected to a file, which can be edited and imported into local policy.
- Build a new Registry Policy (registry.pol) file from "LGPO text".
- Enable group policy client side extensions for local policy processing.
The zip file attached to this post includes LGPO.exe and full documentation. This is the command line syntax:
LGPO.exe v1.00 - Local Group Policy Object utility
LGPO.exe has four modes:
* Import and apply policy settings;
* Export local policy to a GPO backup;
* Parse a registry.pol file to "LGPO text" format;
* Build a registry.pol file from "LGPO text".
To apply policy settings:
LGPO.exe command [...]
where "command" is one or more of the following (each of which can be repeated):
/g path import settings from one or more GPO backups under "path"
/m path\registry.pol import settings from registry.pol into machine config
/u path\registry.pol import settings from registry.pol into user config
/s path\GptTmpl.inf apply security template
/a[c] path\Audit.csv apply advanced auditing settings; /ac to clear policy first
/t path\lgpo.txt apply registry commands from LGPO text
/e <name>|<guid> enable GP extension for local policy processing; specify a
GUID, or one of these names:
* "zone" for IE zone mapping extension
* "mitigation" for mitigation options, including font blocking
* "audit" for advanced audit policy configuration
/boot reboot after applying policies
/v verbose output
/q quiet output (no headers)
To create a GPO backup from local policy:
LGPO.exe /b path [/n GPO-name]
/b path Create GPO backup in "path"
/n GPO-name Optional GPO display name (use quotes if it contains spaces)
To parse a Registry.pol file to LGPO text (stdout):
LGPO.exe /parse [/q] {/m|/u} path\registry.pol
/m path\registry.pol parse registry.pol as machine config commands
/u path\registry.pol parse registry.pol as user config commands
/q quiet output (no headers)
To build a Registry.pol file from LGPO text:
LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]
/r path\lgpo.txt Read input from LGPO text file
/w path\registry.pol Write new registry.pol file
(See the documentation for more information and examples.)
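The modes above (/parse, /m, /u, /r, /w) all read or write registry.pol. As an added example that is not LGPO.exe's code and not from the author, the Python script below serializes and parses the registry.pol ("PReg") container and renders entries in a four-line record form approximating "LGPO text" (scope, key, value name, action). The PReg layout it implements (the "PReg" signature, version 1, and bracketed, semicolon-separated UTF-16LE records of key, value name, type, size and data) is the documented Windows format, and the "**del." / "**delvals." marker names are the Group Policy registry-extension convention; it also shows why a DELETE action leaves a managed "**del." record in registry.pol rather than reverting a value to "Not Configured", as one commenter below observes. The DELETE and DWORD keywords appear on this page; DELETEALLVALUES, SZ and the BINARY fallback are assumed keywords, and the sample entries are constructed.

```python
import struct

# registry.pol ("PReg") starts with a 4-byte signature and a little-endian version DWORD.
PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4  # Windows registry value types used in this example


def _w(s):
    """Encode text as UTF-16LE, the encoding of every string and delimiter in a PReg file."""
    return s.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialize (key, value_name, reg_type, data_bytes) tuples into registry.pol bytes.

    Each record is [key\\0;value\\0;type;size;data]: '[', ';' and ']' are UTF-16LE characters,
    type and size are little-endian DWORDs, and data is exactly 'size' raw bytes.
    """
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, data in entries:
        out += _w("[")
        out += _w(key) + b"\x00\x00" + _w(";")
        out += _w(name) + b"\x00\x00" + _w(";")
        out += struct.pack("<I", rtype) + _w(";")
        out += struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, offset after the terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter or fail: a malformed file is rejected, never guessed at."""
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf):
    """Inverse of build_registry_pol: return a list of (key, value_name, reg_type, data_bytes)."""
    if buf[:4] != PREG_SIGNATURE or struct.unpack_from("<I", buf, 4)[0] != PREG_VERSION:
        raise ValueError("not a version-1 PReg (registry.pol) file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        entries.append((key, name, rtype, data))
    return entries


def to_lgpo_text(entries, scope="Computer"):
    """Render entries as LGPO-text style records: scope, key, value name, action, blank line.

    A '**del.' record is a managed removal marker that Group Policy re-applies on every refresh;
    rendering it as DELETE preserves that meaning, it does not turn the value into 'Not Configured'.
    """
    lines = []
    for key, name, rtype, data in entries:
        lname = name.lower()
        if lname.startswith("**del."):
            name, action = name[len("**del."):], "DELETE"
        elif lname == "**delvals.":
            name, action = "*", "DELETEALLVALUES"  # assumed keyword, see lead-in
        elif rtype == REG_DWORD and len(data) == 4:
            action = "DWORD:%d" % struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            action = "SZ:" + data.decode("utf-16-le").rstrip("\x00")
        else:
            action = "BINARY:" + data.hex()  # assumed fallback, not an LGPO.exe keyword
        lines += [scope, key, name, action, ""]
    return "\n".join(lines)


# Constructed sample: a DWORD policy value plus a managed deletion marker, which Group Policy
# stores as REG_SZ holding a single space (4 bytes once null-terminated).
SAMPLE_ENTRIES = [
    (r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortana", REG_DWORD, struct.pack("<I", 0)),
    (r"Software\Test", "**del.NewValue", REG_SZ, _w(" ") + b"\x00\x00"),
]


def round_trip(entries):
    """Build a registry.pol image and parse it back; equality shows both directions agree."""
    return parse_registry_pol(build_registry_pol(entries))


if __name__ == "__main__":
    print(to_lgpo_text(round_trip(SAMPLE_ENTRIES)))
```

Because the parser checks every delimiter and the declared data length, a registry.pol that has been truncated or hand-edited into an inconsistent state is rejected with the failing offset instead of being silently applied, which is the behaviour you want from anything that feeds policy into a machine.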
[Update: the latest version of LGPO.exe is here.]
Comments
Anonymous
January 21, 2016
Why is there no support for MLGPO?
[Aaron Margosis] I've never had a need for it, and no one in any of the customer spaces I've worked with has ever asked me to add that.
Anonymous
January 25, 2016
Hi,
With the deprecated LocalGPO tool you could create the LocalGPO Packs and apply those from the command line to specific users. I think I'm talking about the same thing as the poster above.
This was really handy in some situations before.
So even if it is not implemented yet, is it possible to integrate this in the future to apply registry.pol files or LGPO texts to specific user accounts only?
Anonymous
January 26, 2016
Hi,
Thank you for your excellent work. We make heavy use of the MLGPO function as well; it adds a flexibility I cannot find an easy replacement for. Any chance of adding that functionality back in?
[Aaron Margosis] I'll raise the priority. Note also that while LocalGPO is not being maintained, it can still be downloaded with the SCM. Can you describe in more detail how you use MLGPO and the value it provides? Thanks.
Anonymous
January 27, 2016
Any chance the LGPO source code will be posted as with the old tools? It makes it way easier for software to be approved for use if the source is available.
[Aaron Margosis] Probably not this time. This one is digitally signed, though.
Anonymous
February 25, 2016
In using LGPO's "Exporting local policy to a GPO backup", the files Backup.xml and Bkupinfo.xml have "Contoso.test" in all of the domain name references. The local policy that was backed up came from a domain workstation at work. Maybe I don't fully understand how GPO backup (and restore) works, but should these two files be referencing contoso, or should the real domain name be stored in those two files?
[Aaron Margosis] The "real domain name" in this case would be the local computer name, which wouldn't be of any interest on any other computer.
Anonymous
February 26, 2016
Thanks for the quick reply, Aaron. Apologies -- I should have stated my whole concern in the first post. I'd like to take this LGPO backup from a test suite and import it into a production suite. How do those references to domain "Contoso.test" resolve when restoring this backup into a different domain? Or, is some kind of manual editing needed to make the LGPO backup suitable for restoring in a different domain? Thanks again.
[Aaron Margosis] From what I've seen, it's not an issue. I pretty much copied what the older LocalGpo tool did in this regard, and I don't remember hearing of any problems with it. If I remember correctly, the way I've seen this work is to create a new GPO in AD, then choose Import Settings and pick the local backup. I don't think the "Contoso" designations matter at that point - I believe the import picks up only the settings.
Anonymous
March 08, 2016
Hi Aaron,
We basically came across your tool as our requirements led us to get around 200+ workgroup servers in our DMZs to apply a set of settings from Local Group Policies.
So if I understand that right, I will just take a GPO from our domain, export it and import it with LGPO.exe /g Path - so that's straightforward.
What I miss here (or have I missed it?) is the possibility to reset the settings to default - as when I import a previously exported "empty" GPO, that won't change anything.
As you can imagine - when I deploy those settings to a couple of hundred servers, I do need a way back ;-)
Thanks!
[Aaron Margosis] It depends on the settings. On the whole, you should capture a backup before you apply the new settings. Note though that some settings that can be applied through a security template don't show up in backups. Advanced Auditing settings shouldn't be a problem. For the registry.pol settings (Administrative Templates and a few others), you could probably delete the registry.pol files and apply the ones you captured in a backup. FWIW, I never trusted the "restore OS default" mechanism that the old LocalGPO script implemented, and I opted not to try to implement it in LGPO.exe.
Anonymous
March 11, 2016
I'd also like to add my request to have MLGPO functionality added. In our organization we'd like to be able to apply specific policies to select users on workstations and kiosks, so this functionality is very useful. Thank you.
Anonymous
April 06, 2016
Is there any ability to remove a setting from Registry.pol (i.e. changing to "Not Configured") using the LGPO text format?
According to the PDF, the "DELETE" action behaves as "Deletes the value (reverting a policy to "Not Configured")" - but the behavior I see from trying to remove the value HKLM\Software\Test\NewValue from management is that the "Software\Test;**del.NewValue;%01;%04;" directive is added to Registry.pol, so the value is removed from the Registry each time Group Policy is reapplied. That's not equivalent to "Not Configured"; that's actually "Managed Removal of Registry Key".
What I'm looking for is an ability to "un-do" the management of a registry key value, to have no reference to that key remaining in Registry.pol. Is there a better option than 1) dump current registry.pol to text, 2) delete the reference in the text export, 3) delete registry.pol, 4) import the modified text?
[Aaron Margosis] I think that's probably the best way. LGPO.exe doesn't have the ability to edit the registry.pol file directly.
Anonymous
April 12, 2016
Consider this another vote for MLGPO support. The GPOPack.wsf from SCM / MDT can copy to MLGPO, but unfortunately does not merge settings, it only overwrites them. Having a single tool that can handle all the forms of Local Group Policy would be great.
Anonymous
April 18, 2016
Aaron,
We could use LocalGPO.wsf to make "MSS:" settings editable: Cscript LocalGPO.wsf /ConfigSCE. You stated that the LocalGPO tool won't be supported any longer. What should we use as a replacement in order to be able to work with "MSS:"?
Thank you.
[Aaron Margosis] We included a replacement in the Win10 baselines in the form of a custom ADMX and ADML file. Install those files in the appropriate locations and then find the settings in your Group Policy editor in Computer Configuration | Administrative Templates | MSS (Legacy).
Anonymous
May 11, 2016
Hi Aaron, thank you very much for your good work. We're using LGPO.exe quite often for exporting local machine / user policies. After that we deploy/import them on other systems. One question... Is it possible to empty/clear/reset a local machine/user config, so that every local policy is set to "not configured"? Thanks in advance
Anonymous
May 20, 2016
My apologies, the error I mentioned before states that the LGPO.exe isn't found/cannot be located.
[Aaron Margosis] In the zip file, LGPO.exe is in the "Windows 10 TH2 Security Baselines\Local_Script\Tools" folder.
Anonymous
June 09, 2016
LGPO doesn't report any errors when we do an import (using /g). It's only evident that a problem has occurred on reboot (gpupdate /force doesn't cause it to fail). Yes, we are applying AppLocker rules so I will double check those. It does look like the audit.csv is causing the problem though, since replacing the exported audit.csv with the one held on the local machine appears to fix the problem.
Anonymous
June 10, 2016
Can this executable be redistributed in a commercial product? I didn't see any license information in the documentation.
[Aaron Margosis] No. Please link back to this site. Thanks.
Anonymous
June 22, 2016
Consider this another vote for MLGPO support. I work in a library and all of our public workstations are on a completely separate network far away from our domain server. I use MLGPO on all of these public workstations to limit what the users have access to on these machines.
[Aaron Margosis] Vote acknowledged. Thanks for the feedback.
Anonymous
June 26, 2016
You forgot to inhibit that LGPO.exe can be run on Windows Vista, Windows 7 and Windows Server 2008 [R2] when KB2533623 is not installed there! CWE-426 and CWE-427 should really be well-known after 15+ years now!
[Aaron Margosis] Can you provide repro steps for an actual compromise? When LGPO.exe starts external processes, it always specifies the full path. LGPO.exe cannot enforce that the system is up to date, nor that it is not in a user-writeable directory and has not been modified.
- Anonymous
June 27, 2016
Please eat your own dogfood! Call one of the new Win32 APIs introduced with KB2533623, for example (really: best) SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32). This removes the "application directory" from the DLL search path. DEFENSE IN DEPTH -- the !Microsoft way
- Anonymous
July 08, 2016
If you're starting LGPO.exe in a directory the attacker controls, the attacker can also modify LGPO.exe directly. And if the attacker can write arbitrary content into the System32 directory, it's already game over.
- Anonymous
July 09, 2016
LGPO.exe is digitally signed with a Microsoft certificate; tampering with the binary invalidates its signature. The unmodified, signed and trusted binary but loads and executes untrusted code when run from an untrusted location. Default installations of Windows allow users to write to System32, WITHOUT triggering a UAC prompt! Is this "game over" enough?
[Aaron Margosis] That's not true, and you should already know that. Good night.
- Anonymous
July 09, 2016
If you start LGPO.exe under Windows 7 (this is the Windows version with the biggest market share) from a trusted directory it will load api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, api-ms-win-appmodel-runtime-l1-1-1.dll and ext-ms-win-kernel32-package-current-l1-1-0.dll from the PATH. GET A CLUE!
- Anonymous
July 09, 2016
Mr. Current: not only are you the rudest troll to infect any blog I've worked on, you're also not as clever as you think you are. Ordinarily, I'd patiently explain why you're mistaken, but I'm not going to waste any more of my time on you. And all future ill-mannered comments from you get deleted. Good night.
- Anonymous
July 12, 2016
[Aaron Margosis] In case anyone was wondering, yes, Mr. Current became only more insulting, so those follow-ups have been unpublished. There's absolutely no call for rudeness, disrespect, or insults, and I won't allow it on any blog I control. You are free to disagree with me, and to prove me wrong about a technical issue, as long as we are engaged in respectful and civil conversation. I don't care how ugly the rest of the internet is, ugly's not happening here.
Anonymous
June 27, 2016
| Are you actually implementing SAFER rules?
Of course, since more than 12 years, on all versions and editions of Windows.
| I haven't seen anyone use those in well over a decade.
Better look at the bright side of life. -P
| I created a new format because .inf syntax was insufficient to replicate the full set of commands that can be represented in a registry.pol file, including creating a key without values,
That's FLG_REG_KEYONLY, 0x10
| deleting a value,
That's FLG_ADDREG_DELVAL, 0x4
| and deleting all values in a key.
Please dare to extend the existing format as necessary: you can always introduce new flags. My proposal is to reuse the existing and well-known "AddReg" syntax: ,[],[],[,]
- Anonymous
August 30, 2016
I too am using Software Restriction Policies (Safer) and am having trouble with LGPO's lack of qword functionality. By failing to import the "LastModified" qword value, but still importing the remaining Software Restriction Policies, I end up with machines that not only fail SRP, but also cannot produce Group Policy Results from either the GPMC wizard or gpresult /h. Instead I get a message "object reference not set to an instance of an object".
[Aaron Margosis] OK. I'll add it to the list. I didn't think anyone was still using SRP. What does it give you that you can't get from AppLocker and/or Device Guard?
- Anonymous
July 08, 2016
Re "reset": If you mean to revert to "Not Configured," no, not really. One way I've done it is to export the existing Registry.pol settings to a text file, edit the text file to remove the unwanted settings, delete the registry.pol file, then import the text file using LGPO.exe. The other way is to explicitly set the policies you want to remove to enforce the defaults.
- Anonymous
July 09, 2016
SAFER reads its rules and settings only from the registry, not from the registry.pol file. The registry.pol is maintained via secpol.msc and local security policies or group policies only; policies defined there will periodically be (re)written to the registry. If you don't use secpol.msc or GPO you can modify the registry on demand.
Anonymous
July 09, 2016
This is... EXACTLY what I was looking for a long time now. It's a good thing that you replaced that messed up LocalGPO, with all those scripts and unnecessary additions, with this neat and straightforward tool that does it all. Thanks in advance. I really appreciate it!
Anonymous
July 21, 2016
Can this handle policies with group policy registry preferences? I don't see any syntax to apply a registry.xml as created by a preference.
[Aaron Margosis] No, LGPO.exe doesn't currently handle Group Policy Preferences.
Anonymous
August 01, 2016
Truly appreciate all the hard work on this! Ignore the trolls, and I vote to delete ALL posts by that dude. Lastly, PLEASE add support for MLGPO. I use it every week.
Anonymous
August 03, 2016
Hi Aaron, I have seen that LGPO adjusts settings of my hardening template when configuring user rights. Is there a way to force the application of settings? And, have you a list of settings which can be adjusted by LGPO? Only user rights, or are there other settings? Thanks, regards, Greg
[Aaron Margosis] Were you able to find the documentation? It can manage security template settings, advanced audit settings, administrative template (ADMX) settings, and anything else that lands in registry.pol.
Anonymous
March 30, 2017
I have the same problem using the LGPO tool. I always get "Configuring the current system with this template in the /overwrite mode will result in losing the existing security records in the database specified. Do you want to continue this operation? [y/n]". What is the correct solution? I don't use MDT.
[Aaron Margosis] Try the updated version here: https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg_qword/
Anonymous
August 16, 2016
Is there a way to enable the MSS hidden entries with this tool? The option for LocalGPO was /ConfigSCE. My GPO backup has some of these entries set but they do not show on my Windows 10 testing. Thanks.
[Aaron Margosis] We moved the ancient "MSS" settings from Security Options to a custom Administrative Template. The mechanism that had been used to expose the MSS settings in Security Options had become unsupportable. The new custom ADMX and ADML establish the same registry settings, if you choose to configure them, but in a manner that is supportable. That custom template is included with the newer baselines, such as this one. Install those files in the appropriate locations and then find the settings in your Group Policy editor in Computer Configuration | Administrative Templates | MSS (Legacy).
- Anonymous
October 25, 2017
1. Download the policy templates to a location on your local machine (in my example the policy template came in the form of a zip file)
2. Extract the .admx or .adml file(s) to a location on your local machine
3. Copy .admx files to '%systemroot%\policyDefinitions'
4. Copy the corresponding language .adml files related to the .admx files to '%windir%\PolicyDefinitions\en-us'
5. After you have done the above steps, you can test to see if the group policy object template settings you imported are viewable
6. Open up Run [Windows key + R]
7. Type in: gpedit.msc
8. Press the Enter key on the keyboard
9. The Local Group Policy Object Editor will be open
10. Browse to where the administrative template should be. Go to: Local Computer Policy > Computer Configuration > Administrative Templates, and expand Administrative Templates by clicking on the arrow next to the folder name. The MSS (Legacy) folder should be there, and you can expand it to view the group policy settings
11. Confirm the administrative template is there
12. Done
Note: The Group Policy Object Editor will automatically read all ADMX files stored in the %systemroot%\PolicyDefinitions\ directory. This procedure assumes this machine is not joined to a domain with an ADMX central store.
Anonymous
August 20, 2016
I know I'm late, but regarding MLGPO, I found this folder to be very interesting: %WinDir%\System32\GroupPolicyUsers. Here we have SID folders for user(s) who have their own GPO. To get the SID: wmic useraccount get name,sid
Anonymous
September 20, 2016
Aaron, thank you for creating this tool. I am using it to create hardened baseline security configurations on standalone systems and I am exporting those security baselines to other standalone workstations. I have run into an issue though: when I export the LGPO policy, the GptTmpl "inf" file [File Security] SACLs are missing. I have to turn on auditing on several files and folders and I can't seem to export the INF file template with the [File Security] settings.
The LGPO "backup" feature depends on "secedit.exe /export" for the security template content, and "secedit.exe /export" doesn't include file security settings. GptTmpl.inf is a text file, so I would suggest either copying your original GptTmpl.inf into the backup, or hand-editing the resulting GptTmpl.inf file to add in the file security content.
Anonymous
October 04, 2016
Am I missing something, or does this exe write to stderr instead of stdout? Entering the following in a cmd window: LGPO.exe 1>out.txt 2>err.txt writes all the output to err.txt instead of out.txt. This is the same for other calls to LGPO.exe, e.g. using /g
[Aaron Margosis] It writes banner text, diagnostic and progress information, and usage help text to stderr. It writes output including verbose logs (/v) and "LGPO text" (/parse) to stdout.
[Aaron Margosis] BTW, have you tried the LGPO.exe v2.0 pre-release? Let us know whether it's ready or still needs work.
Anonymous
November 02, 2016
Hi, can this tool help me to import/export group policy that I took from Active Directory to local group policy in Windows 7/10?
[Aaron Margosis] Absolutely!
Anonymous
November 14, 2016
It is on an English system, and I have tried with Version 2 and get the same error. This is on a Windows 7 system that was upgraded to Windows 10 in place.
[Aaron Margosis] There was a bug in Windows 10 v1507 and v1511 (that I believe is fixed in v1607) in which the fullprivilegeauditing registry value in HKLM\System\CurrentControlSet\Control\Lsa was set to 0x80 instead of to 0x00 or 0x01, which caused both Auditpol.exe /get and Auditpol.exe /backup to report the same error you mentioned. LGPO.exe has code that works around that error. Perhaps there's another registry value with a similar problem on your system. Can you post the results of this command in your next comment? Thanks.
reg.exe query hklm\system\currentcontrolset\control\lsa
- Anonymous
November 15, 2016
Here you go sir.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
auditbasedirectories reg_dword 0x0 auditbaseobjects reg_dword 0x0 bounds reg_binary 0030000000200000 limitblankpassworduse reg_sword 0x1 nolmhash reg_dwors 0x1 notification packages reg_multi_sz scecli authentication packages reg_multi_sz msv1_0 crashonauditfail reg_dword 0x0 disabledomaincreds reg_dword 0x0 everyoneincludesanonymous reg_dword 0x0 forceguest reg_dword 0x0 fullprivilegeauditing reg_binary 3000 lmcompatibilitylevel reg_dword 0x1 lsapid reg_dword 0x29c producttype reg_dword 0x4 restrictanonymous reg_dword 0x1 restrictanonymoussam reg_dword 0x1 scenoapplylegacyauditpolicy reg_dword 0x1 secureboot reg_dword 0x1 security packages reg_multi_sz kerberous\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\accessproviders
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\audit
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\centralizedaccesspolicies
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\credssp
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\data
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\fipsalgorithmpolicy
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\gbg
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\jd
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\kerberos
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\msv1_0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\osconfig
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\skew1
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\sso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\sspicache
- Anonymous
November 15, 2016
It appears to be fullprivilegeauditing. If I set that to 00 instead of 3000, LGPO completes the backup without error.
[Aaron Margosis] Wow. I never saw an instance where that REG_BINARY value was more than one byte, and LGPO.exe corrects only for a misconfigured single byte. Have you seen this on other systems or just this one?
- Anonymous
November 15, 2016
It seems to be that way on all of our workstations. What is it for? Is it something that has been improperly set in a group policy?
[Aaron Margosis] From everything I can tell, it should be just one byte -- not two or more -- and the value should be 0x00 or 0x01. I've seen it get set to 0x80 in v1507 and v1511, which causes Auditpol.exe to fail. I haven't seen it set to anything else, nor heard of that happening. Perhaps the best approach is to use auditpol.exe /set one time across all machines to set it to a correct value.
Anonymous
December 14, 2016
Aaron, just a suggestion, but with the pre-release of 2.0 maybe put a link to that in the header summary for easy finding? Especially if you want to start deprecating the 1.0 version. Cheers, Mark
[Aaron Margosis] I like the idea, but URLs change all the time.
Anonymous
January 05, 2017
Hi, great work. When I import GPO policies to a new computer (with LGPO.exe /g path), the GPO applies correctly (and appears in gpedit.msc), but in regedit I cannot find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects. Where is the new GPO security template imported into regedit? Thanks
[Aaron Margosis] As far as I know, that key is populated only when a Group Policy editor is open, and contains the data that eventually lands in registry.pol files.
Anonymous
January 09, 2017
Hi Aaron, would the LGPO tool be able to process local GPO preferences with the /e option? I've created a GPO with a preference that sets a reg key, but I can't get it to work. Could be me. Hope you can help me out in understanding.
[Aaron Margosis] LGPO.exe doesn't support GPP at this time. That looks like it's going to be a major development effort.
Anonymous
February 03, 2017
It would be great if there was a backup option that went straight to an LGPO text file. My use case is just backing up registry-based LGPO stuff, and I want a nice diffable format. Right now I have to back up to a folder and then parse the .pol files and merge to get a single LGPO text. The LGPO text can be imported, so it would be great to be able to output it as well.
Anonymous
March 06, 2017
I may have encountered an obscure bug. I had instances where
lgpo.exe /t path\lgpo.txt
appeared to not import machine-level settings on a few hosts, and eventually found it was updating \windows\syswow64\grouppolicy\machine\registry.pol rather than \windows\system32\grouppolicy\machine\registry.pol. I don't know how the syswow64 version of registry.pol was created (on only a few machines in my environment), but I've found it to be reproducible that if I copy system32\GroupPolicy to syswow64\GroupPolicy, subsequent runs of lgpo.exe will begin updating the syswow64 version rather than the system32 version of registry.pol. I will attempt to work around this by finding and removing syswow64\GroupPolicy\Machine and syswow64\GroupPolicy\User. Are there any cases where a syswow64 copy of the GroupPolicy folder should be kept rather than removed? Thanks again Aaron for the great tool, it continues to be useful for me daily!
- Anonymous
March 06, 2017
Another quick test: if the Windows\SysWOW64\GroupPolicy\Machine folder is present, lgpo.exe /t file.inf will create a new registry.pol file in the SysWOW64 path. So I don't need an existing registry.pol file; just the existence of a SysWOW64\GroupPolicy\Machine folder is enough to trigger this issue for me.
[Aaron Margosis] LGPO.exe is an x86 executable, so it could be redirected from System32 to SysWOW64 - it will certainly load DLLs from SysWOW64 rather than System32. But it uses documented Windows interfaces and doesn't look for the System32\GroupPolicy folder explicitly, so my guess is that this is a Windows anomaly rather than anything specific to LGPO.exe. Are there any "normal" situations in which a SysWOW64\GroupPolicy directory might get created?
Anonymous
March 21, 2017
Hi! Thanks for the great work! But... how do I export MLGPOs on a Win10 Enterprise machine and how do I import them, or create a GPOPack (which are the compatible files which need to be included in the export directory... GPOPack.wsf/LocalPol.exe/LocalSecurityDB.sdb?)? I would highly appreciate an answer to solve this week-lasting problem. :)
[Aaron Margosis] Backup of MLGPO is going to be somewhat manual. E.g., copy out the registry.pol someplace, or convert it to "LGPO text" using LGPO.exe /parse /ua or /un. Apply it to a new system in the reverse manner: LGPO.exe /t lgpo-text-file, or LGPO.exe /ua path-to-registry.pol. FWIW, I don't think LocalGPO.wsf handled backup/restore of MLGPO either. Oh, and you need LGPO v2 for this. https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg_qword/
Anonymous
April 12, 2017
Hi, I'm trying to disable Windows 10's Cortana using the text policy file below.
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowCortana
DWORD:0
The command that I'm using is lgpo.exe /t cortana.txt /v
The result is this:
Apply registry-based settings from LGPO text file: cortana.txt
PROCESSING INPUT FILE FOR REGISTRY-BASED POLICY: cortana.txt
Computer Config SOFTWARE\Policies\Microsoft\Windows\Windows Search AllowCortana REG_DWORD 0
The problem is that the policy never seems to actually get applied if I check the registry or using gpedit. Am I missing something? Thanks
[Aaron Margosis] Is there a domain policy overriding the local policy?
- Anonymous
May 18, 2017
Hi Aaron, I'm just getting back into trying to configure policies again. I looked into domain policies but I don't think that's the case. I'm rolling out Win 10 Enterprise x64 1703 and LGPO policies just don't take effect. We have 2 domains. I tried our new one, our old one, I tried different OUs, and I tried totally taking the client machine out of the domain; nothing works. The weird thing is that I have another Win 10 machine that's part of our old domain. That one was set up manually and is build 1607. Any idea what could be going on? The group policy operational log reports error event 7016 when I run the command.
- Anonymous
May 18, 2017
I didn't complete my statement above, the machine that was rolled out "manually" does apply my Cortana policy successfully using LGPO.EXE.
Anonymous
April 12, 2017
I have installed the Windows-10-RS1 and Server 2016 baselines which use LGPO for their installation. When I install the member server, I see the custom templates referenced in the article (e.g. MS Security Guide) when I run Gpedit.msc. When I do the same thing on a W10 1607 LTSB system, I see nothing in GPEdit. The strange part is that the settings are actually there. Specifically, "Apply UAC restrictions to local accounts on network logons" is enabled if I check the registry. Also, if I change the registry to zero and then reboot, it is set back to 1. Am I missing something, or do custom templates just not show in the client GP Editor? If not, how do I change the policies or use the other legacy policies that have been added? Thanks
[Aaron Margosis] For the client editor bit: are you sure the custom ADMX and ADML were copied into the correct PolicyDefinition directories? For the registry editing: that's not surprising - when the GPO applies again after reboot, it will overwrite any manual registry edits.
Anonymous
Anonymous
June 12, 2017
I'm struggling with this. I have 10-12 settings I want to deploy to a machine. Prior to importing I take a backup which has no configured settings. I then import my settings from a folder and I can see that they are present using GPedit. Now, if I want to remove these settings I feel that I should simply be able to restore or import the previous backup, but I'm seeing that, if I perform the restore, I see no change. I've run "gpupdate /target:computer /force" and I've even rebooted but the settings remain. What am I missing?

[Aaron Margosis] Local-GPO backup is of limited use. I added this paragraph to the v2.2 documentation:

ALSO NOTE: if you apply settings to local policy and then export local policy, the security template and advanced auditing portions of the exported policy will almost certainly be different from the policy you applied. "Auditpol.exe /backup" reports all advanced auditing settings, not just the ones you applied. Similarly, "secedit.exe /export" reports most local security settings whether they were defaults, applied through a security template, or changed through other means. Secedit.exe also has some other quirks. For example, it won't report user rights assignments that are empty, and reports only a subset of the sections that might appear in a security template. It won't report file security settings, registry security settings, service settings, or restricted groups. For these reasons, local policy backups might be of limited value.
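Since a local-GPO backup is not a reliable undo, as the reply above explains, an added example (not from the thread or from LGPO itself) of the alternative for registry-based settings: the LGPO text you applied is an exact record of every value you set, and each of them can be removed with a DELETE action for the same scope, key and value name. The function below builds that undo file from the applied file. DELETE as the value action is taken from the LGPO text documentation; the sample input is constructed.

```powershell
# Added example, not from the original post: derive an "undo" LGPO text file from the LGPO
# text that was applied, replacing every value-setting action with DELETE.
# Assumption: input uses the LGPO text layout (scope, key, value name, ACTION[:data],
# entries separated by a blank line, ';' comments), which is what LGPO.exe /parse emits.
function ConvertTo-LgpoUndoText {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Group the non-comment lines into entries; a blank line ends an entry.
    $entries = @()
    $current = @()
    foreach ($raw in ($Lines + '')) {            # trailing '' flushes the last entry
        $line = $raw.TrimEnd()
        if ($line -like ';*') { continue }
        if ($line -eq '') {
            if ($current.Count -gt 0) { $entries += ,$current; $current = @() }
            continue
        }
        $current += $line
    }

    $out = @()
    foreach ($e in $entries) {
        if ($e.Count -ne 4) { throw "Malformed entry (expected 4 lines): $($e -join ' | ')" }
        $scope, $key, $name, $action = $e
        if ($scope -notin 'Computer', 'User') { throw "Unknown scope '$scope' for $key" }
        if ($action -match '^(DELETE|DELETEALLVALUES|CREATEKEY)') {
            # Already a deletion or a bare key; there is no value to take back.
            $out += "; skipped, nothing to undo: $scope $key $name ($action)"
        } else {
            $out += $scope, $key, $name, 'DELETE', ''
        }
    }
    return $out
}

# Constructed sample: the Cortana setting from this thread plus one user-scope value.
$applied = @'
; applied settings
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowCortana
DWORD:0

User
SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop
ScreenSaveActive
SZ:1
'@ -split "`r?`n"

$undo = ConvertTo-LgpoUndoText -Lines $applied
$undo | Set-Content -Path (Join-Path $env:TEMP 'undo.txt') -Encoding ASCII
$undo
# Then: LGPO.exe /t "$env:TEMP\undo.txt" followed by gpupdate /force removes those values.
```

After the undo file is applied the registry values are gone on the next policy refresh; the local registry.pol now carries delete entries for them rather than being empty, which is the state the original import left behind, not the pristine one the backup was expected to restore.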
Anonymous
September 01, 2017
The comment has been removed

Anonymous
October 04, 2017
Where can I download version 2 of the LGPO tool supporting Windows Server 2016? I can't find a download link.

[Aaron Margosis] https://www.microsoft.com/en-us/download/details.aspx?id=55319

Anonymous
November 13, 2017
The comment has been removed

Anonymous
November 22, 2017
I'm assuming "path" in "LGPO.exe /b path" is {path}; then "LGPO.exe /b ." doesn't work, as "." is a valid path, and so is "..".

[Aaron Margosis] Dot should work but apparently it doesn't. Best to specify the absolute path.

Anonymous
January 20, 2018
Hello Aaron! I used the LocalGPO tool on 2008R2 servers to create and work with MSS settings in Group Policy settings. Now I have a question: how do I make these MSS settings on 2012R2 servers using your utility?

[Aaron Margosis] We came up with a better solution: see https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/

Anonymous
January 27, 2019
I get the following LGPO.exe import error: "No mapping between account names and security IDs was done. The task has completed with an error. SECEDIT.EXE exited with exit code 1." This happens when importing updated group policy on the same machine after reverting to an older restore point. LGPO.exe will not throw any error if you edit {----}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf and remove the "[Privilege Rights]" section completely. This means "User Rights Assignments" is the only section not importing, or rather, not being properly mapped after import. Deleting the section removes the errors. Are there any solutions to this error code? Does this really matter? Is this a security threat? Does lgpo.exe skip the import of 'user rights assignments', or does Windows re-map the IDs itself upon import/reboot? I would be very grateful to know. Thank you!!!

[Aaron Margosis] Are you putting names or SIDs into your security template that don't resolve? Or perhaps applying it to an older OS that doesn't recognize all the same names/SIDs?
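A way to answer Aaron's question before running the import, as an added example that is not part of the thread: the [Privilege Rights] section of GptTmpl.inf assigns each user right a comma-separated list of accounts, written either as names or as literal SIDs prefixed with "*". The function below parses that section and tries to translate every entry on the current machine, so the names that have no SID here (a domain group on a machine that left the domain, a group that only exists on another OS version) are listed instead of surfacing as "No mapping between account names and security IDs". The sample template is constructed; CONTOSO\BatchOperators is a made-up account that is expected to fail.

```powershell
# Added example, not from the original post: list the [Privilege Rights] entries of a
# security template that do not resolve on this machine, which is what makes secedit.exe
# fail with "No mapping between account names and security IDs was done".
# Assumption: template lines look like "SePrivilege = *S-1-5-32-544,Name,DOMAIN\Group".
function Test-GptTmplPrivilegeRights {
    param([Parameter(Mandatory)][string[]]$InfLines)

    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }

        $priv, $rhs = $t -split '\s*=\s*', 2
        if ([string]::IsNullOrWhiteSpace($rhs)) { continue }     # empty right, nothing to map

        foreach ($acct in ($rhs -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $result = [pscustomobject]@{ Privilege = $priv; Account = $acct; Resolves = $false; ResolvedTo = $null }
            try {
                if ($acct.StartsWith('*')) {
                    # "*S-1-5-..." is a literal SID; translating it to a name shows whether it is
                    # known here (a stale SID from a domain the machine left will not be).
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($acct.Substring(1))
                    $result.ResolvedTo = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    # A name must map to a SID on this machine; this is the case that fails most often.
                    $nt = New-Object System.Security.Principal.NTAccount ($acct)
                    $result.ResolvedTo = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
                $result.Resolves = $true
            } catch {
                $result.ResolvedTo = $_.Exception.Message
            }
            $result
        }
    }
}

# Constructed sample in the layout of a template's [Privilege Rights] section.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteInteractiveLogonRight = Administrators,Remote Desktop Users
SeBatchLogonRight = CONTOSO\BatchOperators
SeDenyNetworkLogonRight =
'@ -split "`r?`n"

Test-GptTmplPrivilegeRights -InfLines $sample | Where-Object { -not $_.Resolves } | Format-Table -AutoSize
# Real template: Test-GptTmplPrivilegeRights -InfLines (Get-Content 'C:\path\to\GptTmpl.inf')
```

Entries that fail here are the ones to rewrite as SIDs the target machine knows, or to drop from the template, rather than deleting the whole [Privilege Rights] section; the section is where user rights such as SeDebugPrivilege and the deny-logon rights live, so removing it silently leaves those at whatever the machine had before.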