Export and Import LGPOs and MLGPOs for Windows 10 in MDT 2013 Update 2 or SCCM

By | August 10, 2016

Scenario: Customer needed to lock down a specific user account in Windows 10, without affecting the local Administrator account. Unit was not going to be joining a Domain. LGPO was the only available free alternative.

The new LGPO tool (https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) does NOT support MLGPOs (Multiple Local Group Policy Objects).

The old LocalGPO.wsf script (https://gallery.technet.microsoft.com/LocalGPOmsi-Excellent-MS-2593b2eb) does, but it doesn’t “technically” support Windows 10. So you must first edit this script to force it to support Windows 10. Here are my edits (but you don’t have to edit it yourself, the download link is listed below):

 

So next I used the LocalGPO.wsf script to export my desired LGPO, which included settings I specified for the “Non-Administrators” group.

Here are the steps I took to set up the MLGPO:

Command: cscript LocalGPO.wsf /Path:C:\MLGPO /Export

Download my MLGPO app package and adjust it to deploy your captured MLGPO folder (should have been exported to C:\MLGPO\{GUID}): https://drive.google.com/open?id=0BwHI1r8k8A75MU1lbjBfX2NxeEE
* package was wrapped using http://psappdeploytoolkit.com/ and tested on SCCM 2012 and MDT 2013 Update 2.

/BG
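
As an added example (not part of the original post and not code from LocalGPO.wsf), the Python below parses a policy file in the Registry.pol format so that a captured user policy can be checked for actual settings before it is packaged. The helper names, the sample entry and its `NoControlPanel` value are constructed for illustration.

```python
import struct

REG_DWORD = 4
HEADER = b"PReg" + struct.pack("<I", 1)  # file signature + format version 1

def w(text):  # Registry.pol stores strings and delimiters as UTF-16LE
    return text.encode("utf-16-le")

def read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def expect(buf, pos, ch):
    """Require delimiter ch at pos; return the offset just past it."""
    if buf[pos:pos + 2] != w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return [(key, value_name, reg_type, data)] from Registry.pol bytes."""
    if buf[:8] != HEADER:
        raise ValueError("bad PReg header: not a Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, expect(buf, pos, "["))
        name, pos = read_wstr(buf, expect(buf, pos, ";"))
        rtype, = struct.unpack_from("<I", buf, expect(buf, pos, ";"))
        size, = struct.unpack_from("<I", buf, expect(buf, pos + 6, ";"))
        start = expect(buf, pos + 12, ";")
        raw = buf[start:start + size]
        pos = expect(buf, start + size, "]")  # also fails if data is cut short
        data = struct.unpack("<I", raw)[0] if (rtype, size) == (REG_DWORD, 4) else raw
        entries.append((key, name, rtype, data))
    return entries

# Constructed sample input (not from a real export): one DWORD user setting.
def build_entry(key, name, rtype, raw):
    return (w(f"[{key}\0;{name}\0;") + struct.pack("<I", rtype) + w(";")
            + struct.pack("<I", len(raw)) + w(";") + raw + w("]"))

SAMPLE = HEADER + build_entry(
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    "NoControlPanel", REG_DWORD, struct.pack("<I", 1))

def has_user_settings(buf):  # a header-only file parses but sets nothing
    return bool(parse_pol(buf))
```

Pass the bytes of the registry.pol from your captured folder to `parse_pol`; a file that holds only the header means no per-user settings were captured.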

7 thoughts on “Export and Import LGPOs and MLGPOs for Windows 10 in MDT 2013 Update 2 or SCCM”

  1. Lorenzo

    Hi, when you say adjust it to deploy your captured MLGPO folder, do you have a step-by-step procedure? Thanks.

  2. Lorenzo

    One last thing, how do I use this in MDT 2013 U2 TS? Many thanks in advance.

  3. CxMan

    I think this method does not work. In fact, the script backs up the local policy but not the other local user policies. The only working technique I found is to copy and replace the file registry.pol (in the user node) from a backup with the MLGPO Non-Administrators, i.e. “GroupPolicyUsers\S-1-5-32-545\User\registry.pol”
    LocalGPO.wsf does not support the /mlgpo switch with /export, only with /import.
    Thanks a lot for sharing this.

  4. Marcus Castor

    This is…. GREAT!
    Now I'm trying to export my Non-Admin GPOs…
    Tried to import my export, didn't get the Non-Admin GPOs set.
    It helps a lot to know that LocalGPO.wsf doesn't support the MLGPO export.
    Trying to get this working through MDT 2013… 🙂

    Thanks for this post!

    -MC

    1. Marcus Castor

      Just tried to replace the ZTIApplyGPOPack.wsf with the LocalGPO.wsf, which is able to import MLGPO via shell.
      It applied all user settings, but it did that without flagging them only for Non-Administrators…
      Still troubleshooting…
      -MC

      1. Marcus Castor

        I found a way to solve this problem:
        1. Just create your MLGPOs
        2. Copy folder “C:\Windows\System32\GroupPolicyUsers\S-1-5-32-545”
        > In this Folder (Well known SID) are all Administrations MLGPO Settings stored.
        3. Paste folder to target machine
        You are also able to edit your MLGPOs via MMC on the target machine.
        This solves my problem.

        Cheers!

