Group policies are a powerful and at the same time flexible tool to configure Windows settings, and they are an indispensable means of bringing computers to a single configuration in an Active Directory domain. If there is no domain, the settings of a single computer can be configured using a local group policy. A significant drawback of local policies is that they cannot be distributed centrally between computers in a workgroup. As a result, the administrator has to manually configure group policy settings on each computer. If there are many computers and settings to configure, this is not very productive…
It is convenient to have one computer in a workgroup with reference settings of local group policies and security settings to be applied to the other computers; after you make any changes, you can copy this configuration to the other machines.
In this article we'll consider this scenario. It allows you to quickly export and transfer (migrate) local group policy settings from one configured computer to other computers in a workgroup.
Issues of Local Group Policy Migration between Computers
The simplest way to migrate local GPO settings between computers is to manually copy the contents of the %systemroot%\System32\GroupPolicy folder (by default, this directory is hidden) from one computer to another, replacing its contents (after you have replaced the files, run a policy update manually using the command gpupdate /force or by restarting your PC).
This method is quite simple, but it has some major drawbacks:
- It cannot be used to migrate local Security Templates;
- A GPO may not work if the OS version and build on the source and target computers differ;
- You cannot create a domain GPO based on a local policy (by importing a policy into an Active Directory domain for its further use);
- When copying a policy, you have to manually correct any references to the local computer name in the settings;
- There are some issues when migrating custom ADMX templates.
To import/export a local GPO created with gpedit.msc, it is easier and more convenient to use the LocalGPO utility, which is a part of Microsoft Security Compliance Manager 3.0. LocalGPO allows you not only to quickly create a backup of a local GPO and restore local policy settings, but also to create an executable GPOPack to migrate (import) the local GPO settings to another machine in a single click.
Important note. The LocalGPO utility is now deprecated and no longer officially supported by Microsoft. In addition, it doesn't work in modern Windows 10 and Windows Server 2016 (although this limitation can be bypassed by modifying the script code, which is described below). To export, import and transfer local GPO settings between computers, it is recommended to use the tool LGPO.exe (examples of using this utility can be found in the last section of this article).
The LocalGPO tool allows you to export all local policy settings, including those from the INF, POL, Audit, firewall sections, etc. LocalGPO is perfectly suited to companies without domains that need to distribute a GPO template between computers in a workgroup. It is also very useful together with the Microsoft Deployment Toolkit (MDT) or SCCM.
How to Install LocalGPO
To install LocalGPO on a local computer (in our case, it will be the master image of the local GPO settings):
- Download Security Compliance Manager (SCM) 3.0 (https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx);
- Open Security_Compliance_Manager_Setup.exe as an archive file using any archiver (7Zip or WinRar). Note. We don't have to perform a full installation of Security Compliance Manager since it is quite heavy and contains a lot of components we don't need for our task (SQL Server Express, Microsoft Visual C++ 2010 Redistributable, etc.).
- Extract data.cab from this archive and unpack it as well (e.g., into the C:\Distr\data folder);
- In this directory, find the GPOMSI file and rename it to GPO.msi;
- Run the GPO.msi installation.
Let's learn how to use LocalGPO. You can manage it only through the console interface (command prompt). Start the command prompt as administrator and go to the folder C:\Program Files\LocalGPO (for x86 systems) or C:\Program Files (x86)\LocalGPO (for x64 systems).
Note. If you try to use the LocalGPO utility to migrate local group policies in Windows 10, you'll get an error:
This tool only runs on Windows XP Professional, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012
The fact is that the LocalGPO utility only supports versions of Windows prior to Windows 8 (Windows Server 2012). In newer Windows versions (Windows 8.1, Windows 10) it is recommended to use the new utility LGPO.exe (see the last section of this article). Technically, however, the old LocalGPO.wsf script supports both Windows 10 / 8.1 and Windows Server 2016 / 2012 R2. To make the LocalGPO.wsf script run correctly on the new OSs, it is enough to change the code of the OS version check function (ChkOSVersion) by adding the following lines:
If(Left(strOpVer,4) = "10.0") and (strProductType = "1") then
    strOS = "Win10"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
    strOS = "WS16"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
    strOS = "Win81"
How to Export Local Policy Settings
To export local GPO settings to the C:\GPObackup folder (this directory has to be created in advance), run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export
A new folder named with a GPO GUID appears in the target directory. It will contain all local policy settings for this computer.
In effect, we have created a local GPO backup that we can roll back to at any time.
The LocalGPO.wsf utility supports Multiple Local GPO (MLGPO). To export a local policy associated with a specific local group or user, run the LocalGPO.wsf script in the following format:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Administrators
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:LocalUserName
How to Import Local GPO Settings
To restore Local Group Policy settings from the backup, import them using the following command. Specify the path to the directory containing your backup as an argument:
cscript LocalGPO.wsf /Path:C:\GPObackup
GPOPack: Deploy Format of Local GPO
With LocalGPO, you can create a GPOPack package, which makes it easy to deploy local GPO settings to other computers (it doesn't require installing LocalGPO on the target computer). This format is also convenient to use in OS deployment tasks using Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager (SCCM). To make a portable package, run this command:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /GPOPack
Copy the folder created in the previous step to the other computer to which these policies have to be applied. There, start the command prompt with administrator privileges and run the GPOPack.wsf file.
The message «Applied GPOPack to Local Policy» means that the policies have been migrated successfully. Now you only have to restart your system and make sure that the same local GPO settings are applied on this computer.
The full list of arguments for LocalGPO.wsf is available with the parameter /?:
cscript LocalGPO.wsf /?
How to Reset All Local GPO Settings
Using LocalGPO, you can reset all local policy settings to the default values. To do it, run the following command:
cscript LocalGPO.wsf /Restore
How to Import a Local GPO to the AD Domain Group Policy
The policy import format of LocalGPO allows you to import local group policy settings into a domain GPO. You can do it using the domain GPO backup and restore feature in GPMC (Group Policy Management Console).
LGPO.exe: How to Export and Deploy Local GPO Settings
The LGPO.exe console tool is designed to automate the management of local group policies and is intended to replace LocalGPO, which is no longer supported. Currently it is recommended to use only this utility. LGPO.exe is included in the free Security Compliance Manager (SCM) tool.
You can download LGPO.exe from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=55319.
The LGPO.exe utility has the following features:
- Export of local group policy settings;
- Import of GPO settings from a backup. Import of registry.pol files, security templates and CSV files is supported;
- Conversion of registry.pol files to the readable LGPO text format and vice versa.
To export the current local GPO settings to the specified directory, run the following command:
LGPO.exe /b c:\tools\GPO
The utility will export all current local policy settings to a folder named with the group policy GUID.
To present the current GPO settings from the registry.pol file in the backup in a text-friendly format, run the command:
lgpo.exe /parse /m "C:\tools\GPO\DomainSysvol\GPO\Machine\registry.pol" >> c:\tools\gpo\lgpo.txt
Open the lgpo.txt text file. As you can see, it contains all registry settings that are applied by this policy.
Make the necessary changes to the lgpo.txt registry settings file and convert it to the registry.pol format:
LGPO.exe /r "C:\tools\GPO\lgpo.txt" /w "C:\tools\GPO\registry_new.pol"
Now import the new local policy settings from the pol file:
LGPO.exe /m "C:\tools\GPO\registry_new.pol"
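Before an edited lgpo.txt is converted back to registry.pol and imported, it helps to see exactly which settings differ from the exported baseline. The PowerShell below is an added example, not part of the original article or of LGPO itself; it assumes the text layout is four lines per setting (configuration, registry key, value name, action) with comment lines starting with a semicolon, and the function names and the sample policy text are constructed for illustration.

```powershell
# Added example: list what differs between two LGPO text files before import.
# Assumed layout: four lines per setting (Computer|User, key, value name, action);
# lines starting with ';' are comments and blank lines separate records.
function ConvertFrom-LgpoText {
    param([Parameter(Mandatory)][string]$Text)
    $lines = @($Text -split "`r?`n" | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith(';') })
    if ($lines.Count % 4 -ne 0) { throw "Truncated record: $($lines.Count) data lines" }
    $settings = [ordered]@{}
    for ($i = 0; $i -lt $lines.Count; $i += 4) {
        if ($lines[$i] -notin 'Computer', 'User') { throw "Bad configuration: $($lines[$i])" }
        # Registry paths are case-insensitive, so normalise the lookup key.
        $id = ($lines[$i..($i + 2)] -join '|').ToLowerInvariant()
        $settings[$id] = $lines[$i + 3]
    }
    $settings
}
function Compare-LgpoText {
    param([string]$Baseline, [string]$Candidate)
    $old = ConvertFrom-LgpoText $Baseline
    $new = ConvertFrom-LgpoText $Candidate
    $ids = @($old.Keys) + @($new.Keys) | Select-Object -Unique
    foreach ($id in $ids) {
        # An empty Old means the setting was added; an empty New means it was removed.
        if ($old[$id] -cne $new[$id]) { [pscustomobject]@{ Setting = $id; Old = $old[$id]; New = $new[$id] } }
    }
}
# Constructed sample exports (not real policy data from any machine).
$reference = @'
; Source file: registry.pol
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1

Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fDenyTSConnections
DWORD:1
'@
$edited = @'
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:0

User
Software\Policies\Example
SampleValue
SZ:constructed
'@
Compare-LgpoText -Baseline $reference -Candidate $edited | Format-Table -AutoSize
```

In practice the two inputs would be read with Get-Content -Raw from the lgpo.txt produced by /parse and from your edited copy. Any row you did not intend to change is a reason to stop before running the /r and /m steps.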
To import (transfer) local GPO settings from this computer to another, copy the directory with the policy to the target computer and run the command:
LGPO.exe /g C:\tools\GPO
LGPO v2.2 supports Multiple Local Group Policy Objects (MLGPO), which allows you to configure individual policies for different users (available in Windows Vista and later).
As you can see, the LGPO.exe utility is very useful for creating a backup of local policies and transferring GPO settings between computers.