# Local Group Policy Object Utility (Windows EXE) ## What Local Group Policy Object Utility or LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply\_LGPO\_Delta and ImportRegPol tools. ## When/Why Many of the features help import required settings to your devices meeting organization policies for security compliance. Features: - Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files. - Export local policy to a GPO backup. - Parse a Registry Policy (registry.pol) file to readable "LGPO text" directly to the console or redirected to a file which can edited and imported into local policy. - Build a new Registry Policy (registry.pol) file from "LGPO text". - Enable group policy client side extensions for local policy processing. ## How The zip file contains the LGPO installer: [LGPO.zip](https://kb.filewave.com/attachments/442) LGPO.exe v3.0 - Local Group Policy Object utility LGPO.exe has four modes: 1. Import and apply policy settings; 2. Export local policy to a GPO backup; 3. Parse a registry.pol file to "LGPO text" format; 4. Build a registry.pol file from "LGPO text". To apply policy settings, use the LGPO.exe commands below, where one or more of the following (each of which can be repeated): ``` /g path              import settings from one or more GPO backups under "path" /m path\registry.pol  import settings from registry.pol into machine config /u path\registry.pol  import settings from registry.pol into user config /s path\GptTmpl.inf   apply security template /a[c] path\Audit.csv  apply advanced auditing settings; /ac to clear policy first /t path\lgpo.txt      apply registry commands from LGPO text /e |      enable GP extension for local policy processing; specify a GUID, or one of these names: ** "zone" for IE zone mapping extension ** "mitigation" for mitigation options, including font blocking ** "audit" for advanced audit policy configuration /boot                 reboot after applying policies /v                    verbose output /q                    quiet output (no headers) ``` Some example GPO policies are listed below to use. Be sure you are updating the correct path and names for your GPOs. To create a GPO backup from local policy: ``` LGPO.exe /b path [/n GPO-name] /b path               Create GPO backup in "path" /n GPO-name           Optional GPO display name (use quotes if it contains spaces) ``` To parse a Registry.pol file to LGPO text (stdout): ``` LGPO.exe /parse [/q] {/m|/u} path\registry.pol /m path\registry.pol  parse registry.pol as machine config commands /u path\registry.pol  parse registry.pol as user config commands /q                    quiet output (no headers) ``` To build a Registry.pol file from LGPO text: ``` LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v] /r path\lgpo.txt       Read input from LGPO text file /w path\registry.pol  Write new registry.pol file ``` ## Related Content - [Microsoft Download Security Compliance Toolkit and Baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) ## Digging Deeper - [Microsoft Security Compliance Toolkit Documentation](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10)