How to individually modify and deploy local GPO settings (LGPO)

If you use lgpo.exe to deploy a local group policy “pack” to your client machines, you’ve definitely run into the need to make changes later. You can certainly make changes to your reference machine, take a new backup, and re-deploy the whole thing to your client machines, but that means you are re-deploying every setting you have configured. That is more impactful to the client, both because of the number of settings you are re-configuring and because older versions of Windows 10 are not compatible with LGPO backups made on newer versions. Here is a way to change just one or two settings on your client machines without having to re-deploy the entire LGPO pack.

The Process

1. Ensure you have downloaded lgpo.exe from MS’s website here
2. Copy it to a folder. I’ll use C:\Temp
3. Open a cmd prompt as administrator and change directory to C:\Temp
4. Make any changes to local group policy via gpedit.msc
5. Take a backup by running this command:
lgpo.exe /b C:\Temp /n "Backup"

6. This exports the LGPO into a folder named with a GUID. I would recommend renaming it to something easier, for example “LGPO_Backup”.
7. Now you are going to want to parse this backup into a text file.
LGPO.exe /parse /m C:\Temp\LGPO_Backup\DomainSysvol\GPO\Machine\registry.pol >> C:\Temp\lgpo.txt

Note: You can also do this for “user” settings by loading the registry.pol in DomainSysvol\GPO\User\registry.pol. This text file will contain every setting configured. Delete the ones you don’t want, then find the ones you do want and edit those. In my example I want to allow users to add applications to the “public” firewall profile as it’s currently being blocked. I edited my text file to look like this:

9. Once you have made your changes, you will need to build a new registry.pol file that you can use to import. Run this command:
LGPO.exe /r C:\Temp\lgpo.txt /w C:\Temp\registry_new.pol

10. Next, import the settings to ensure the changes have taken effect (flip back the settings in gpedit.msc, run import, and then close/reopen gpedit.msc)
LGPO.exe /m C:\Temp\registry_new.pol

Note that if you are applying user-level settings, you will need to use the /u switch instead of /m.
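The edit in steps 7 to 9 (parse to text, delete what you don’t want, rebuild) can be scripted. The following Python is an added example, not part of the original article or the LGPO tool; it assumes the LGPO text layout of `;` comment lines and four-line settings (configuration, key, value name, action), and the function names and sample entries are constructed for illustration.

```python
from typing import NamedTuple

class Setting(NamedTuple):
    scope: str    # "Computer" or "User"
    key: str      # registry key path
    value: str    # value name
    action: str   # e.g. "DWORD:1", "SZ:text", "DELETE"

def parse_lgpo_text(text):
    """Parse LGPO text: ';' lines are comments, each setting is 4 non-blank lines."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(";")]
    if len(lines) % 4:
        raise ValueError("incomplete setting: expected groups of 4 lines")
    settings = [Setting(*lines[i:i + 4]) for i in range(0, len(lines), 4)]
    for s in settings:
        if s.scope.strip().lower() not in ("computer", "user"):
            raise ValueError(f"unexpected configuration line: {s.scope!r}")
    return settings

def keep_under(settings, key_prefixes):
    """Keep settings whose key is at or below one of the given keys (case-insensitive)."""
    wanted = [p.lower().rstrip("\\") for p in key_prefixes]
    return [s for s in settings
            if any(s.key.lower() == p or s.key.lower().startswith(p + "\\") for p in wanted)]

def deletions(settings):
    """Settings whose action removes data (assumed: action names starting with DELETE)."""
    return [s for s in settings if s.action.upper().startswith("DELETE")]

def render(settings):
    """Write settings back in the same 4-line layout, ready for LGPO.exe /r."""
    return "\n\n".join("\n".join(s) for s in settings) + "\n"

# Constructed sample in the assumed layout; not taken from the article.
SAMPLE = r"""
; PARSING Computer POLICY
Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
AllowLocalPolicyMerge
DWORD:0

Computer
Software\Policies\Microsoft\Internet Explorer\Control Panel
Proxy
DELETE

Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1
"""

if __name__ == "__main__":
    parsed = parse_lgpo_text(SAMPLE)
    print(render(keep_under(parsed, [r"Software\Policies\Microsoft\WindowsFirewall"])))
    print("delete actions:", [(s.key, s.value) for s in deletions(parsed)])
```

Save the rendered text as C:\Temp\lgpo.txt and continue with step 9; reviewing the delete actions first shows which entries would remove values on the client.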

This Post Has 12 Comments

  1. Pictures are not showing up on the site. We are looking to do the same thing from Workspace One.

    1. Thank you! I just recently migrated platforms and not all the images came over properly. Updating it soon…

  2. Hello,

    I think the links to the pictures are broken on this page.

    1. Thank you! I just recently migrated platforms and not all the images came over properly. Updating it soon…

  3. Note: user policy operations require a /u instead of a /m

    1. Ah yes thanks for pointing this out. Article is updated.

  4. Many thanks for this article, you are a life saver! Our proxy settings were being deleted for some reason, despite having set registry settings or specifying manual settings. Using this web page as a guide I was able to parse the pol file and discovered this little nasty command:
    “Software\Policies\Microsoft\Internet Explorer\Control Panel **del.Proxy REG_SZ”

    I am not sure how it got there, but as soon as I deleted it all our proxy setting problems were resolved. You’re a legend!

    1. Great! Glad to hear it has been helpful for you.

  5. Dear Team,
    Currently I am using LGPO tool for Group Policy Backup and Restore.
    I need help on Registry Settings Backup Parameters list.
    I need a complete list of Registry Settings and Group Policy settings which are getting backed up during Group Policy Backup through the LGPO tool. I am creating a Registry Dictionary which contains each Registry Key and its description. I want this list for the same. I have already collected the registry list from the Registry.pol file, but apart from the Machine and User Registry.pol files, I need details of the Registry Settings which I should consider while creating the Registry Dictionary.

    May I request you to please do the needful.
    Awaiting for your valuable response.
    Thank you in Advance.

    1. Looking at the lgpo.txt file should give you all of the registry paths that are getting set as part of lgpo. Is that what you are asking?

  6. When I parse I do not see windows settings or admin templates. I am running lgpo as administrator …

    1. Not quite sure what you are asking here. What are you seeing? Is the file empty?
