• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Local Group Policy - Backup and Restore in Windows


Brink

Administrator
Administrator
mvp
Posts
23,008
Local Group Policy - Backup and Restore in Windows
This tutorial will show you how to back up local group policy (GPO) settings in Windows, and restore to the same or any Windows computer.
Published by Brink
#1
ByLine
How to Back Up and Restore Local Group Policy in Windows
Synopsis
This tutorial will show you how to back up local group policy (GPO) settings in Windows, and restore to the same or any Windows computer.
How to Back Up and Restore Local Group Policy in Windows


information   Information
The Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that provides a single user interface through which all the Computer Configuration and User Configuration settings of Local Group Policy objects can be managed for your computer.

This tutorial will show you how to back up local group policy (GPO) settings in Windows, and restore to the same or any Windows computer.

You must be signed in as an administrator to be able to do the steps in this tutorial.

Note   Note
In Vista, the Local Group Policy Editor will only be available to back up and restore in the Business, Ultimate, and Enterpise editions.

In Windows 7, the Local Group Policy Editor will only be available to back up and restore in the Professional, Ultimate, and Enterpise editions.

In Windows 8, RT, and 8.1, the Local Group Policy Editor will only be available to back up and restore in the Pro and Enterpise editions.


By default, local group policy settings are saved in the two hidden folders below. This is what this tutorial will be backing up and restoring for you using a .vbs file.

(Computer Configuration)
%SystemRoot%\System32\GroupPolicy\Machine

(User Configuration)
%SystemRoot%\System32\GroupPolicy\User

(User/Group Specific GPOs Configuration)
%SystemRoot%\System32\GroupPolicyUsers

warning   Warning
This will not include security policies from the Computer Configuration and User Configuration -> Windows Settings -> Security Settings.


EXAMPLE: Local Group Policy Editor

Local_Group_Policy_Editor.jpg





OPTION ONE
To Back Up Local Group Policy Editor Settings


1. Click/tap on the Download button below to download the .vbs file below.

Backup_Local_Group_Policy.vbs

download


2. Save the .vbs file to your desktop, and run it.

3. If prompted, click/tap on Open.
NOTE: If you like, you can stop getting the Open prompt by unblocking the downloaded .vbs file.[/SIZE]

4. Click/tap on Yes (Windows 7/8) or Continue (Vista) for UAC prompt.

5. You will now have a Local-Group-Policy-Backup folder on your desktop that is the backup of the local group policies on this PC.

6. Move this folder to where you like for safe keeping.
NOTE: Do not rename this folder since it must remain the exact same name to be able to use it in OPTION TWO below to restore them with.





OPTION TWO
To Restore Local Group Policy Editor Settings


1. Move or copy the Local-Group-Policy-Backup folder created from OPTION ONE above to your desktop.

2. Click/tap on the Download button below to download the .vbs file below.

Restore_Local_Group_Policy.vbs

download


3. Save the .vbs file to your desktop, and run it.

4. If prompted, click/tap on Open.
NOTE: If you like, you can stop getting the Open prompt by unblocking the downloaded .vbs file.

5. Click/tap on Yes (Windows 7/8) or Continue (Vista) for UAC prompt.

6. When both Computer and User policy update has completed successfully, you can close the command prompt. (see screenshot below)

Successful_Command.jpg


That's it,
Shawn


 
Last edited:

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS Maximus X Code Z370
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    3 x 27" Asus VE278Q
    Screen Resolution
    1920x1080
    Hard Drives
    250GB Samsung 960 EVO M.2,
    256GB OCZ Vector,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master
    Internet Speed
    300 Mb/s Download and 30 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Arris SB6190 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Lumia 1520 phone
Posts
6
#3
Hi.
For some reason I could not get it to work.

Backup:
Logged into Win 8.1 on computer 1 as admin user.
I copied the backup vbs-file to the desktop.
I ran the backup vbs-file by right click and open with command line.
I looked into the folder and it was not much files there.

I have locked the local group policy to a specific user called Kiosk.
I could not see anything in the copied user folder (even with all hidden files showing).
Checked the original folder (user) in in the win32 folder.
I could not see any file there in the user folder either.

Can anyone post a screenshots of the content for a spesific user.
I do not know whats wrong. :shock:

Update:
Î tried the neighbour folder GroupPolicyUsers and copied the content.
Noticed the folder names was filled with numbers.
And they were different.
Copied the content from the newest folder to the oldest folder.
Still no luck.

Yeah... :confused:

Update2:
Blah, I seem to have done it...

On the computer you want to import to:
Login as admin.
Win key + R
Type "mmc"
Add new snapin module -> Local policy
Lock mit to user ("Kiosk" user in my example).
Save mmc file to desktop.
Navigate to system32 in Windows folder.
Find the hidden folder GroupPolicyUsers.
Check that another hidden folder with many characters exits.
Copy the content from the similar folder on another computer to this folder.
Overwrite all files.
Run a gpupdate /force on the admin commandline.
I needed to restart twice then it was good.

Blah, going home to relax and watch some Netflix... ;)
 
Last edited:

My Computer

System One

  • OS
    Win8.1
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    HP Prodesk 600 G1
    Browser
    Opera/Firefox/IE

Brink

Administrator
Administrator
mvp
Posts
23,008
#4
Hello Norway,

I've updated the .vbs files in the tutorial to help. Please download and try the new versions to see how they work for you now. :)
 

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS Maximus X Code Z370
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    3 x 27" Asus VE278Q
    Screen Resolution
    1920x1080
    Hard Drives
    250GB Samsung 960 EVO M.2,
    256GB OCZ Vector,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master
    Internet Speed
    300 Mb/s Download and 30 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Arris SB6190 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Lumia 1520 phone
Posts
6
#5
Hi.
Regarding this folder: %SystemRoot%\System32\GroupPolicyUsers
(User/Group Specific GPOs Configuration)

I tried to copy a folder in this folder.
It had a lot of numbers in it.
I pasted it in the "GroupPolicyUsers" folder on another computer.
And ran a gpupdate /force and a restart.
That did not work.
I came to think this was a unique folder name for that computer.
I ran MMC, added the snapin, connected to the user "Kiosk" which is a local computer account.
I saved a empty gpo profile and it then made a similar folder, but with a slight different name.
Copied all the content from the old folder to the new folder.
Ran a gpupdate /force and had to restart at least two times.
This time it worked.

So please be observant of this. :)
 
Last edited:

My Computer

System One

  • OS
    Win8.1
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    HP Prodesk 600 G1
    Browser
    Opera/Firefox/IE

Brink

Administrator
Administrator
mvp
Posts
23,008
#6
Great news Norway. Thank you for posting back with your results. :)
 

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS Maximus X Code Z370
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    3 x 27" Asus VE278Q
    Screen Resolution
    1920x1080
    Hard Drives
    250GB Samsung 960 EVO M.2,
    256GB OCZ Vector,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master
    Internet Speed
    300 Mb/s Download and 30 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Arris SB6190 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Lumia 1520 phone

dprather

New Member
Posts
1
#7
Thanks Shawn! Fixed a very messed up PC! Group Policy was successfully copied from a known good computer to a computer with a corrupted Local Group Policy and now works like a Champ. Much appreciated! Windows Update and Windows Defender are now working.
 

My Computer

System One

  • OS
    Windows 7 Ulitimate/ Windows 8 Pro/Win 10 Pro
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Self Build(s)
    CPU
    i7 3770k(several)
    Motherboard
    Asus

Brink

Administrator
Administrator
mvp
Posts
23,008
#8
You're most welcome dprather. I'm glad it could help. :)
 

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS Maximus X Code Z370
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    3 x 27" Asus VE278Q
    Screen Resolution
    1920x1080
    Hard Drives
    250GB Samsung 960 EVO M.2,
    256GB OCZ Vector,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master
    Internet Speed
    300 Mb/s Download and 30 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Arris SB6190 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Lumia 1520 phone

PaulAV

New Member
Posts
1
#9
Brink, thanks for helping me to gain a basic understanding of Local Group Policy. I just wanted to share my experience using your method above to copy LGP from one computer to another.

Using these scripts to copy Local Group Policy from one Windows 7 Ultimate computer to another only partially worked. My policy had computer, user and group settings in it. Only the group settings were being applied. The computer and user settings were not being applied. 'gpresult /r' reported the reason as:

The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)

After doing some exhaustive investigation it appears that the gpt.ini file has some pertinent information about the policy.

https://technet.microsoft.com/en-us/library/cc978247.aspx

Also, I've read that Domain based GPOs will not be applied if the permissions are not set correctly ( How to Implement Group Policy Security Filtering :: Windows 2003 :: Articles & Tutorials :: WindowsNetworking.com ). The Local Group Policy Editor does not have an ACL editor so I saved the ACLs from the computer I setup the LGP on and restored them after copying the entire GroupPolicy and GroupPolicyUsers directories to the destination computer. You can forgo transferring ACLs if you are copying these directories via a NTFS formatted drive (the ACLs will be preserved). Unfortunately I must use a CD to install the LGP onto the destination computers so I have to do this to preserve the ACLs.

So to transfer LGP from one computer to another I did the following. First, I copied GroupPolicy and GroupPolicyUsers to %userprofile%\Desktop\Local-Group-Policy-Backup. This can be done via Windows Explorer or command line via xcopy ('xcopy /c /e /h /k /x /o /i /q /y %SystemRoot%\System32\GroupPolicy %userprofile%\Desktop\Local-Group-Policy-Backup\GroupPolicy'). Note, I copied the entire GroupPolicy directory not just the subdirectories as the Backup script above does. Second, I saved the ACLs of the GroupPolicy and GroupPolicyUsers directories and contents (files and subdirectories) using 'icacls "%userprofile%\Desktop\Local-Group-Policy-Backup\*" /save AclFile'. Third, I burned the Local-Group-Policy-Backup directory along with the AclFile onto a CD (one could use a removable drive or a network to copy the files directly). I then copied GroupPolicy and GroupPolicyUsers onto the destination computer. The ACLs were restored to the copied files/directories using 'icacls "%SystemRoot%\System32" /restore AclFile'. Finally, I ran 'gpupdate /force'. All of the LGP settings were applied. 'gpresult /r' was showing no policies "not applied".

I hope this helps others that may experience the same problems using Brink's method.
 
Last edited:

My Computer

System One

  • OS
    Windows 7 and Windows 10

Brink

Administrator
Administrator
mvp
Posts
23,008
#10
Thank you for sharing Paul, and welcome to Eight Forums. :)
 

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS Maximus X Code Z370
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    3 x 27" Asus VE278Q
    Screen Resolution
    1920x1080
    Hard Drives
    250GB Samsung 960 EVO M.2,
    256GB OCZ Vector,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master
    Internet Speed
    300 Mb/s Download and 30 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Arris SB6190 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Lumia 1520 phone