Friday, 28 September 2012

Backup and restore the Local GPO

In this post, I would like to introduce a method to back up and restore the Local GPO.
LocalGPO is a handy tool for applying security settings to non-domain-joined computers or to the Local GPO in your organization.
  1. You may download Security Compliance Manager (SCM) from Microsoft.
  2. Extract "Security_Compliance_Manager_Setup.exe" to a new folder A via 7zip or WinRAR.
  3. Extract the "" to a new folder B.
  4. In the new folder B, add the .msi extension to the file named "LocalGPO".
  5. Install the new MSI installer "LocalGPO.msi".
  6. Launch command-line here.cmd from C:\Program Files\LocalGPO on 32-bit systems or C:\Program Files (x86)\LocalGPO on 64-bit systems.
Export Policy
cscript LocalGPO.wsf /Path:C:\GPObackups /Export
- Exports a GPO Backup based on the Local Policy configuration to a folder in the specified path.
- A new GPO GUID folder is created in that path.
Import Policy
cscript LocalGPO.wsf /Path:C:\GPObackups\{GPO Backup GUID}
- Applies the contents of the GPO Backup stored in the specified path to the Local Policy of a Windows computer.
Create GPOPack to deploy via Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager (SCCM)
cscript LocalGPO.wsf /Path:C:\GPObackups /Export /GPOPack
- Creates a GPOPack and stores it in the specified path. GPOPacks can be copied to other computers, and applied by double-clicking GPOPack.wsf.
Copy the folder to another machine and double-click GPOPack.wsf there to apply the same policy.
You may notice that you get a pop-up message when you run this command.
This can be suppressed by adding the “/silent” switch.
Script to deploy via MDT and SCCM
GPOPack.wsf /silent
Restore Policy to default
cscript LocalGPO.wsf /Restore
- Restores the entire Local Policy to its default configuration.
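Because an import changes the Local Policy of the machine, it is worth exporting the current state first. The following PowerShell wrapper is an added example, not part of the original post or of the LocalGPO tool: it exports the current Local Policy, confirms that a new backup folder appeared, and only then imports the requested backup. It uses only the switches shown above; the parameter names `$ImportPath` and `$BackupRoot`, and the assumption that LocalGPO.wsf sits in the install folder from step 6, are assumptions of this example.

```powershell
# Added example (PowerShell 3.0+): back up the Local Policy, then import a GPO backup.
# Assumption: LocalGPO.wsf lives in the install folder named in step 6 of the post.
param(
    [Parameter(Mandatory)] [string] $ImportPath,   # e.g. C:\GPObackups\{GPO Backup GUID}
    [string] $BackupRoot = 'C:\GPObackups'         # hypothetical default, same path as the post
)
$ErrorActionPreference = 'Stop'

# LocalGPO changes machine policy, so require an elevated session.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Pick the 64-bit or 32-bit install location given in the post.
$toolDir = 'C:\Program Files (x86)\LocalGPO', 'C:\Program Files\LocalGPO' |
    Where-Object { Test-Path -LiteralPath (Join-Path $_ 'LocalGPO.wsf') } |
    Select-Object -First 1
if (-not $toolDir) { throw 'LocalGPO.wsf not found; install LocalGPO.msi first.' }

# Refuse to start if the backup to import is missing, before anything is changed.
if (-not (Test-Path -LiteralPath $ImportPath -PathType Container)) {
    throw "Import folder not found: $ImportPath"
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$before = @(Get-ChildItem -LiteralPath $BackupRoot -Directory | ForEach-Object { $_.Name })

Push-Location $toolDir   # same working directory as "command-line here.cmd"
try {
    # 1. Export the current Local Policy so there is a state to roll back to.
    & cscript.exe //nologo LocalGPO.wsf "/Path:$BackupRoot" /Export

    # The post notes that export creates a new GPO GUID folder; verify that it did.
    # The check is folder-based because the post does not describe the script's exit codes.
    $new = @(Get-ChildItem -LiteralPath $BackupRoot -Directory |
             Where-Object { $before -notcontains $_.Name })
    if ($new.Count -ne 1) {
        throw "Expected one new backup folder in $BackupRoot, found $($new.Count). Import aborted."
    }
    $rollback = $new[0].FullName
    Write-Host "Pre-change backup: $rollback"

    # 2. Import the requested backup into the Local Policy.
    & cscript.exe //nologo LocalGPO.wsf "/Path:$ImportPath"
    Write-Host "Imported $ImportPath. To roll back: cscript LocalGPO.wsf `"/Path:$rollback`""
}
finally { Pop-Location }
```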
It’s FREE!
You can get your hands on the LocalGPO tool right now as part of the Microsoft Security Compliance Manager.

Update 18/10/2012
Download LocalGPO.msi

1 comment:

  1. Is it possible to import a GPO pack and not overwrite the existing policies on the machine?