First published on TechNet on Jan 21, 2016
LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.
Features:
-
Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
-
Export local policy to a GPO backup.
-
Parse a Registry Policy (registry.pol) file to readable "LGPO text" directly to the console or redirected to a file which can edited and imported into local policy.
-
Build a new Registry Policy (registry.pol) file from "LGPO text".
-
Enable group policy client side extensions for local policy processing.
The zip file attached to this post includes LGPO.exe and full documentation. This is the command line syntax:
LGPO.exe v1.00 - Local Group Policy Object utility
LGPO.exe has four modes:
* Import and apply policy settings;
* Export local policy to a GPO backup;
* Parse a registry.pol file to "LGPO text" format;
* Build a registry.pol file from "LGPO text".
To apply policy settings:
LGPO.exe command [...]
where "command" is one or more of the following (each of which can be repeated):
/g path import settings from one or more GPO backups under "path"
/m path\registry.pol import settings from registry.pol into machine config
/u path\registry.pol import settings from registry.pol into user config
/s path\GptTmpl.inf apply security template
/a[c] path\Audit.csv apply advanced auditing settings; /ac to clear policy first
/t path\lgpo.txt apply registry commands from LGPO text
/e <name>|<guid> enable GP extension for local policy processing; specify a
GUID, or one of these names:
* "zone" for IE zone mapping extension
* "mitigation" for mitigation options, including font blocking
* "audit" for advanced audit policy configuration
/boot reboot after applying policies
/v verbose output
/q quiet output (no headers)
To create a GPO backup from local policy:
LGPO.exe /b path [/n GPO-name]
/b path Create GPO backup in "path"
/n GPO-name Optional GPO display name (use quotes if it contains spaces)
To parse a Registry.pol file to LGPO text (stdout):
LGPO.exe /parse [/q] {/m|/u} path\registry.pol
/m path\registry.pol parse registry.pol as machine config commands
/u path\registry.pol parse registry.pol as user config commands
/q quiet output (no headers)
To build a Registry.pol file from LGPO text:
LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]
/r path\lgpo.txt Read input from LGPO text file
/w path\registry.pol Write new registry.pol file
(See the documentation for more information and examples.)
[Update: the latest version of LGPO.exe is
here
.]
