LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD

LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for /e mnemonic options to enable the GP client side extensions for LAPS, Credential Guard, and Device Guard.

Full details are in the LGPO.pdf in the download. For more information about MLGPO, please review this: Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

If these new features are valuable to you, please test them in your environments and let us know through the comments on this blog post how well they meet your needs.

Thanks.

[Update: the latest version of LGPO.exe is here.]

Comments

  • Anonymous
    October 10, 2016
    LGPO.exe should only output errors to the error stream. The command: LGPO.exe 1>out.txt 2>err.txt writes all its output to err.txt, but it shouldn't write anything to the error stream because it is not an error. [Aaron Margosis] There appear to be different philosophies about that. In my experience it's not unusual for banner, diagnostic, and usage information to be written to stderr, and for results to be written to stdout. For example, when you use the /parse option, you wouldn't want the banner information to be written to stdout, because then you'd have to edit the output before it could be used. Is the output to stderr causing problems for you?
  • Anonymous
    October 17, 2016
    Hi, I would like to use this tool in a commercial product, is this legal? Where can I find the license information? Thanks! [Aaron Margosis] You should not incorporate it directly. You can have your customers download it separately. Note that the tool is not officially supported at this time, and is "as is," in a manner similar to the Sysinternals utilities. We hope in the near future to give LGPO.exe a more permanent home than blog posts.
  • Anonymous
    October 19, 2016
    The comment has been removed
    • Anonymous
      October 20, 2016
      That works, thanks!
  • Anonymous
    November 02, 2016
    The lgpo.pdf states that "Note that the /b option does not back up MLGPO configuration settings." So, how can I export my existing MLGPO configuration settings and then import and apply them to a local user on another PC? [Aaron Margosis] Copy out the registry.pol and apply it to the other PC with LGPO.exe and the /ua, /un, or /u:username switches.
  • Anonymous
    December 06, 2016
    Hi, could it be possible to add the possibility to apply the GP Preferences from a domain GPO backup? Is it possible to enable many client side extensions, as I have multiple different settings in the same GPO? Thanks, [Aaron Margosis] No support for Group Policy Preferences at this time. Yes, you can enable as many CSEs as you want. /e zone /e audit /e {guid} ...
    • Anonymous
      January 06, 2017
      Thanks Aaron, this works well. Do you know when the final version will be released? Indeed, I need to put it in production soon for the Windows 2016 Server image deployment.
  • Anonymous
    December 18, 2016
    I currently have "custom" admx files added to my local GPO. One is from Google for Chrome and the other is from Microsoft for Office 2016/Office 365. However, on the computer I am trying to import these policies to, it does not import despite the importing computer having the proper admx and adml files installed already. When I check after import, the custom admx settings all have default values. Is there a reason why LGPO does not also back up those custom admx file settings? If not, is there a way it can? This would be very important for anyone with extra admx files added. Any help would be very much appreciated. [Aaron Margosis] What are you trying to import? Backed-up GPOs, "LGPO text", or individual GPO files (registry.pol, GptTmpl.inf, audit.csv)?
    • Anonymous
      December 19, 2016
      The comment has been removed
  • Anonymous
    March 16, 2017
    The comment has been removed
    • Anonymous
      March 24, 2017
      Aaron, thanks for the reply. So is there any way to clear existing SRP policies before import to prevent this issue I am running into? Can the clear command do this, and if so would you mind providing an example? Thanks again for the help, you are great! [Aaron Margosis] You're welcome, and thanks for the nice comment. To create a file that just removes the SRP policies, I'd start by getting an LGPO-text file of the existing Machine\Registry.pol:
      LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\registry.pol > MyLgpo.txt
      The CLEAR command removes subkeys and values, so identify the highest-level keys listed in MyLgpo.txt pertaining to the SRP entries (I think they all have \Safer in their key names). For each key under which you want to remove all subkeys and values from policy, create an entry like this:
      Computer
      Software\Policies\Microsoft\Windows\Safer
      *
      CLEAR
      Apply it with LGPO.exe /t MyEditedLgpo.txt
      Hope this helps!
      • Anonymous
        March 29, 2017
        The comment has been removed
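The CLEAR procedure from Aaron's March 24, 2017 reply, as an added example (not code from the blog post or from LGPO.exe): it parses constructed /parse-style LGPO text, collapses every key containing a Safer component to the highest-level Safer key, and renders one CLEAR record per key. The 4-line record layout and the "*" / CLEAR convention come from that reply; the `marker` parameter, the ";" comment handling and the sample data are assumptions.

```python
# Added example (not from the blog post or LGPO.exe): assumes the 4-line
# LGPO-text record layout (scope, key, value name, type/action), ';' comment
# lines, blank-line separators, and the '*' + CLEAR action from the reply.
from collections import OrderedDict

# Constructed sample resembling "LGPO.exe /parse /m registry.pol" output;
# value names and data are illustrative, not captured from a real system.
SAMPLE_PARSE_OUTPUT = """\
; constructed sample
Computer
Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers
DefaultLevel
DWORD:262144

Computer
Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\{PLACEHOLDER-GUID}
ItemData
SZ:C:\\Program Files\\Example\\app.exe

Computer
Software\\Policies\\Microsoft\\Windows\\System
DisableCMD
DWORD:0
"""

def parse_lgpo_text(text):
    """Split LGPO text into (scope, key, value_name, action) records."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(";")]
    if len(lines) % 4:
        raise ValueError("LGPO text records must be exactly 4 lines each")
    return [tuple(lines[i:i + 4]) for i in range(0, len(lines), 4)]

def top_level_keys(records, marker="Safer"):
    """Collapse each key containing the marker component (case-insensitive,
    like the registry) to the prefix ending there, so one CLEAR covers all
    subkeys beneath it; first-seen order is preserved."""
    found = OrderedDict()
    for scope, key, _name, _action in records:
        parts = key.split("\\")
        lowered = [p.lower() for p in parts]
        if marker.lower() in lowered:
            prefix = "\\".join(parts[:lowered.index(marker.lower()) + 1])
            found.setdefault((scope, prefix), None)
    return list(found)

def build_clear_file(keys):
    """Render one 4-line record per key: '*' as value name, CLEAR as action."""
    return "\n\n".join("\n".join([s, k, "*", "CLEAR"]) for s, k in keys) + "\n"
```

The rendered text is what you would save as MyEditedLgpo.txt and apply with LGPO.exe /t; it collapses both Safer subkeys in the sample to a single CLEAR on Software\Policies\Microsoft\Windows\Safer and leaves the System key untouched.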
  • Anonymous
    March 20, 2017
    The comment has been removed
    • Anonymous
      March 21, 2017
      I already have /v. The command I am using is ".\LGPO.exe /g $pwd\RBL_2012_Account_Lock /v > lgpo_1.out 2> lgpo_1.err" in powershell. The links show the output of the files. https://jpst.it/VUpr and https://jpst.it/VUpK [Aaron Margosis] Can you post the GptTmpl.inf file somewhere? It seems that there might be something unexpected in it.
      • Anonymous
        March 22, 2017
        The comment has been removed
        • Anonymous
          March 22, 2017
          It works now, thanks :D
  • Anonymous
    April 14, 2017
    Thanks very much for releasing V2.0 - It is great to see a utility that allows targeting of Non-Administrators and Administrators separately. I am currently working on a fleet of standalone laptops that aren't domain connected which we build via SCCM. I currently have a basic group policy which I have built up through the group policy management tool on our DC which includes a policy for Non-Administrators, Machine Policy & All User Policy. I export the policies from the DC as a backup and use LGPO to import the policy via the registry.pol file to the laptops within the task sequencing targeting Non-Administrators, User & Machine. I find however there are a few security settings such as 'Interactive logon: Message text for users attempting to log on' and password policies that don't get applied as part of LGPO and I have had to use SECEDIT to import a separate policy. This is fine, however for anyone else to follow what I have done is confusing. Should this work or am I doing something wrong? [Aaron Margosis] The user policies are all represented in registry.pol files. Many system-wide policies are also represented in registry.pol files, but a number of them are implemented in security templates (gpttmpl.inf) and advanced audit CSV files (audit.csv). LGPO.exe can handle all of these file types, as well as entire GPO backups. See the documentation that comes with the tool.
    • Anonymous
      September 25, 2017
      When I applied these, I found that it actually reset any of the configured items under Security Templates, in particular the Interactive Logon items.
  • Anonymous
    April 19, 2017
    Can this tool be used to apply AppLocker settings? [Aaron Margosis] Yes.
  • Anonymous
    April 25, 2017
    Thank you so much for this tool! I'd like to see it leave "pre-release" status (my colleagues don't like that I am using a "beta" tool for our production deployments). Suggestion for next version: -> Add support for preferences. Even if you only support registry preferences and only for the computer, it'd be helpful.
  • Anonymous
    May 19, 2017
    The comment has been removed
  • Anonymous
    June 23, 2017
    Thanks so much for this tool! It really comes in handy when configuring kiosk or public-use workstations. There is one piece that I cannot get to work and that is the ability to export Logon/Logoff script settings using MLGPO. I usually approach creating my exports by setting all GPOs in the global context. I then export. It is during import that I send those GPOs to the Non-Admin or User-specific context. With past versions of this utility, I had the best success doing things this way. So, in this case, I have set all my GPOs, including a logoff script setting that points to a logoff script stored in the C:\Program Files path. I export all settings with /b. When I import, using /un and specifying the User registry.pol file from my export, the Logoff script setting is not set. Does this information get recorded elsewhere during the export? Is there a way to successfully export/import logon/logoff script GPOs? Thanks again! [Aaron Margosis] The backup captures the registry configuration, but it doesn't capture files referenced by the registry settings. The per-user logoff script should be referenced in Software\Policies\Microsoft\Windows\System\Scripts\Logoff. If you copy the file(s) it references to the corresponding location on the target system, it should work. BTW, note that an updated version has just been released. See above.
  • Anonymous
    August 16, 2017
    Super excited to see the addition of the CLEAR directive! I had commented on this previously, where my only current option was to export the current policy to text, delete the lines to remove, delete the registry.pol, and recreate the registry.pol from my modified export text. The CLEAR option looks like it adds the ability to put a setting back to "Not Configured", so thanks very much for acting on the community feedback!
  • Anonymous
    November 13, 2017
    The comment has been removed
    • Anonymous
      February 22, 2018
      I'm getting the error with auditpol.exe also. Was there any resolution?
  • Anonymous
    December 12, 2017
    Hello, I have problems exporting the user logon scripts with the lgpo.exe V1. Other GPO changes are available on the new system, but I miss my user logon scripts of the old system. Is there any solution to export these scripts? [Aaron Margosis] LGPO.exe doesn't include coverage of startup/logon/logoff/shutdown scripts. Such scripts can be in arbitrary locations and tend to have numerous dependencies that LGPO.exe would have a very difficult time tracking.
  • Anonymous
    November 09, 2018
    The comment has been removed