LGPO.exe: Batch-Apply Local Group Policy on a Standalone Server (Reflects in gpedit)
On a domain you push Group Policy from Active Directory. On a standalone / workgroup server (no AD) there’s no such luxury — you’re stuck clicking through gpedit.msc by hand, and there’s no clean way to copy that config to the next box. LGPO.exe fixes exactly this: it backs up, transfers, and batch-applies local group policy from the command line, and the result shows up in gpedit.msc just like a manual change.
It’s a free, single-file Microsoft tool (part of the Security Compliance Toolkit) that installs nothing.
Get LGPO.exe
- Download the Microsoft Security Compliance Toolkit from Microsoft’s official Download Center (search “Security Compliance Toolkit 1.0”).
- Inside, grab
LGPO.zipand extractLGPO.exeto a working folder, e.g.C:\LGPO\. - It’s a standalone command-line EXE — no install, no dependencies. Run an elevated Command Prompt/PowerShell for everything below.
The core idea: back up → apply
LGPO works with GPO backups (the same folder format the Group Policy Management Console produces) and with raw policy components — registry.pol, security templates (.inf), and audit CSVs.
Step 1: Configure one server by hand, then back it up
Set your baseline once on a “golden” machine using gpedit.msc, then capture it:
LGPO.exe /b C:\LGPO\Backups/b writes a GUID-named GPO backup of the current local policy into that folder. That backup is now your portable, version-controllable baseline — commit it to source control if you like.
Step 2: Batch-apply that backup to any standalone server
Copy the backup folder to the target server and import it:
LGPO.exe /g C:\LGPO\Backups\{GUID-folder}/g imports one or more GPO backups into local policy. Open gpedit.msc afterward and you’ll see the settings populated — LGPO writes the real local-policy store, not a temporary overlay.
⚠️ Apply baselines to a test server first. A bad local policy (e.g. an over-tight user-rights assignment) can lock you out of your own box. Take a
/bbackup before importing so you can roll back.
Applying individual components
You don’t always have a full GPO backup. LGPO imports pieces directly:
- Registry policy (the bulk of Administrative Templates):
LGPO.exe /m C:\LGPO\registry.pol/m= machineregistry.pol; use/ufor the per-userregistry.pol. - Security template (account/lockout/user-rights,
.inf):LGPO.exe /s C:\LGPO\secpol.inf - Advanced audit policy (CSV):
LGPO.exe /ac C:\LGPO\audit.csv
After any import, run gpupdate /force to make sure the local policy engine has re-evaluated.
Editing a baseline as text (the power move)
LGPO can convert a registry.pol into a readable text file, let you edit it, then rebuild it:
LGPO.exe /parse /m C:\LGPO\registry.pol > policy.txt :: export to text
LGPO.exe /r policy.txt /w C:\LGPO\registry.pol :: rebuild .pol from textThat’s how you keep local-policy baselines in Git as plain text and diff changes between server builds.
Applying Microsoft’s security baselines
The same toolkit ships Microsoft Security Baselines (for Windows Server 2019/2022) as GPO backups. On a standalone server you apply them locally with the included Baseline-LocalInstall script, which calls LGPO under the hood — giving a non-domain server the same hardened config a domain would push.
FAQ
Will these settings really show in gpedit.msc? Yes. LGPO writes the actual Local Group Policy store, so gpedit.msc reflects them and gpresult reports them.
Does LGPO work without AD? That’s its main purpose — managing local policy on non-domain-joined systems. No AD required.
How do I undo an import? Restore the /b backup you took beforehand, or reset local policy by deleting the contents of C:\Windows\System32\GroupPolicy (and GroupPolicyUsers) and running gpupdate /force. Back up first.
Sources: Microsoft Learn — Security Compliance Toolkit Guide, Microsoft — LGPO.exe Local Group Policy Object Utility