Local Group Policy Backup/Restore

[zylias]

I've tried using GPMC but its only workable for domain policies. I need to backup/restore/import/export the administrative templates under the Local Computer Policy. I have a large number of terminals which I need to set the policies to, these terminals are connected to the internet through dynamic IP, so I can't make them joining a domain for this purpose. Any help would be greatly appreciated, Thanks.

[nmX.Memnoch]

You can back them up by grabbing the files in %SYSTEMROOT%\system32\GroupPolicy\.

However, the correct method would be to copy one of the security templates located at %SYSTEMROOT%\security\templates\. Edit it for your needs and then apply it to each workstation. This will also prevent any of the settings being changed with GPEDIT.MSC.

[Closet_Rambo]

The Problem with Security Templates is that a Group Policy Object has two sets of settings.

The first set is stored in the security template within the GPO folder structure and can be easily imported to a local GPO, Domain GPO, or local security policy of a machine.

The second set of settings is in the Registry.pol file.

These are the settings under administrative templates section of the gp editor.

I have not yet found a way to export, import, these settings for Local GPO's.

If you do what the previous post suggests, you will only get half the picture.

Edited May 28, 2008 by Closet_Rambo

[nmX.Memnoch]

The second set of settings is in the Registry.pol file.

These are the settings under administrative templates section of the gp editor.

I have not yet found a way to export, import, these settings for Local GPO's.

You can back them up by grabbing the files in %SYSTEMROOT%\system32\GroupPolicy\.

That's how you export and import them. Once you configure the first machine you can copy the entire %SYSTEMROOT%\system32\GroupPolicy\ structure to other workstations and have those settings apply. Note that this will NOT overwrite any settings under Computer Configuration if a security template has been applied to the machine.

I use this exact method for my unattended setups where I currently work because I don't have direct access to create/edit/maintain domain-level group policies.