If you use lgpo.exe to deploy a local group policy “pack” to your client machines, you’ve definitely run into the need to make changes later. You can certainly make changes to your reference machine, take a new backup, and re-deploy the whole thing to your client machines, but that means you are re-deploying every setting you have configured. This is more impactful to the client, both because of the number of settings you are re-configuring and because older versions of Windows 10 are not compatible with lgpo backups made on newer versions. Here is a way to change just one or two settings on your client machines without having to re-deploy the entire LGPO pack.
1. Ensure you have downloaded lgpo.exe from MS’s website here
2. Copy to a folder. I’ll use C:\Temp
3. Open cmd prompt as administrator and change directory to C:\Temp
4. Make any changes to local group policy via gpedit.msc
5. Take a backup by running this command:
lgpo.exe /b C:\Temp /n "Backup"
6. This exports the LGPO into a folder with a GUID. I would recommend re-naming to something easier. Example, “LGPO_Backup”
7. Now you are going to want to parse this backup into a text file.
LGPO.exe /parse /m C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol >> C:\Temp\lgpo.txt
Note: You can also do this for “user” settings by loading the registry.pol in DomainSysvol\GPO\User\registry.pol. This text file will contain every setting configured. Delete the ones you don’t want, then find the ones you do want and edit those. In my example I want to allow users to add applications to the “public” firewall profile, as it’s currently being blocked. I edited my text file to look like this:
9. Once you have made your changes, you will need to build a new registry.pol file that you can use to import. Run this command:
LGPO.exe /r C:\Temp\lgpo.txt /w C:\Temp\registry_new.pol
10. Next, import the settings to ensure the changes have taken effect (flip back the settings in gpedit.msc, run import, and then close/reopen gpedit.msc)
LGPO.exe /m C:\Temp\registry_new.pol
Note that if you are applying user-level settings, you will need to use the /u switch.
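
The manual trimming described in the note after step 7 can also be scripted. The following PowerShell is an added example, not part of the original post or of Microsoft's tooling: `Select-LgpoEntry`, the sample entries and the output file name are hypothetical, and it assumes the `/parse` output is made of four-line entries (scope, key, value name, action) with `;` comment lines and no empty value names.

```powershell
# Added example: keep only the LGPO text entries under one registry key.
# Assumes 4-line entries (scope, key, value name, action) and ';' comment lines.
function Select-LgpoEntry {
    param([string[]] $Line, [string] $KeyPrefix)
    # Drop comments and blank lines; what remains should be 4 lines per entry.
    $body = @($Line | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith(';') })
    if ($body.Count % 4 -ne 0) {
        throw "Expected 4 lines per entry, found $($body.Count) non-comment lines."
    }
    for ($i = 0; $i -lt $body.Count; $i += 4) {
        $entry = [pscustomobject]@{
            Scope = $body[$i];     Key    = $body[$i + 1]
            Value = $body[$i + 2]; Action = $body[$i + 3]
        }
        if ($entry.Scope -notin 'Computer', 'User') {
            throw "Unexpected scope '$($entry.Scope)' in entry $($i / 4 + 1)."
        }
        if ($entry.Key.StartsWith($KeyPrefix, [StringComparison]::OrdinalIgnoreCase)) { $entry }
    }
}

# Constructed sample of /parse output (not the author's file).
$sample = @'
; ----------------------------------------------------------------------
; PARSING Computer POLICY

Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1

Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
EnableFirewall
DWORD:1

; PARSING COMPLETED.
'@ -split '\r?\n'

$keep = Select-LgpoEntry -Line $sample -KeyPrefix 'Software\Policies\Microsoft\WindowsFirewall\PublicProfile'
$keep | Format-Table

# Write the kept entries back in the same 4-line layout, ready for LGPO.exe /r ... /w ...
$out = Join-Path $env:TEMP 'lgpo_trimmed.txt'
$keep | ForEach-Object { $_.Scope, $_.Key, $_.Value, $_.Action, '' } |
    Set-Content -Path $out -Encoding ASCII
```

With a real export, pass `(Get-Content C:\Temp\lgpo.txt)` as `-Line` and review the table before building the new registry.pol, so only the settings you intended to change reach the clients.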