How to Export and Import Local Group Policy (GPO) in Batch Script
Local Group Policy Objects (GPOs) control everything from Start Menu layouts to advanced network security settings on a Windows machine. While Domain Admins use the Group Policy Management Console, local administrators often need a way to capture these settings and clone them onto another machine or restore them after a system wipe. Since Windows does not provide a native "Export" button for local GPO, power users rely on the LGPO.exe tool or manual directory copying.
This guide explains how to manage the local GPO lifecycle using a Batch script.
Why Manage GPO via Batch?
- Workstation Standardization: Ensuring every standalone PC in a kiosk or lab has the exact same security and UI restrictions.
- Disaster Recovery: Backing up your meticulously configured local policies so they can be reapplied after a reformat.
- Automated Deployment: Applying custom "Default User" settings during an OS deployment (OSD) phase.
Unlike registry keys, Group Policies are stored as binary files in protected system folders. To manage them reliably, you should use the official LGPO.exe utility from the Microsoft Security Compliance Toolkit.
Method 1: Using LGPO.exe (The Professional Standard)
LGPO.exe is the definitive tool for importing and exporting local GPOs. It can handle registry settings, security templates, and advanced auditing.
Exporting GPO
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
:: Check for LGPO.exe
where lgpo >nul 2>&1
if %errorlevel% neq 0 (
    if not exist "%~dp0lgpo.exe" (
        echo [ERROR] LGPO.exe not found in PATH or script directory.
        echo [HELP] Download from the Microsoft Security Compliance Toolkit.
        pause
        exit /b 1
    )
    set "LGPO=%~dp0lgpo.exe"
) else (
    set "LGPO=lgpo.exe"
)
set "BACKUP_DIR=%~dp0GPO_Backup"
echo [PROCESS] Exporting Local Group Policy to backup folder...
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"
"%LGPO%" /b "%BACKUP_DIR%"
if %errorlevel% equ 0 (
    echo [SUCCESS] Policies exported to: %BACKUP_DIR%
) else (
    echo [ERROR] Export failed. Code: %errorlevel%
)
pause
Importing GPO
@echo off
setlocal EnableDelayedExpansion
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
:: Locate LGPO.exe
where lgpo >nul 2>&1
if %errorlevel% neq 0 (
    if not exist "%~dp0lgpo.exe" (
        echo [ERROR] LGPO.exe not found.
        pause
        exit /b 1
    )
    set "LGPO=%~dp0lgpo.exe"
) else (
    set "LGPO=lgpo.exe"
)
set "BACKUP_DIR=%~dp0GPO_Backup"
echo [PROCESS] Restoring Local Group Policy from backup...
:: Find the GUID-named subfolder created by /b export.
:: If several exist, the last one enumerated wins, so keep one backup per folder.
set "GUID_FOLDER="
for /d %%d in ("%BACKUP_DIR%\{*}") do set "GUID_FOLDER=%%d"
if not defined GUID_FOLDER (
    echo [ERROR] No GUID backup folder found in: %BACKUP_DIR%
    echo [HELP] Run the export script first to create a backup.
    pause
    exit /b 1
)
"!LGPO!" /g "!GUID_FOLDER!"
if !errorlevel! equ 0 (
    echo [SUCCESS] Policy restored from: !GUID_FOLDER!
    echo [PROCESS] Refreshing system policies...
    gpupdate /force
) else (
    echo [ERROR] Policy import failed. Code: !errorlevel!
)
pause
Method 2: The "Simple" Folder Copy (Emergency Backup)
If you don't have access to LGPO.exe, you can manually back up the policy folders. Note that this method is less reliable and might not capture "Security" area settings.
@echo off
setlocal EnableDelayedExpansion
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
set "SOURCE=%windir%\System32\GroupPolicy"
set "DEST=%~dp0GPO_Manual_Backup"
echo [PROCESS] Backing up raw policy files...
:: !errorlevel! is used below because %errorlevel% inside a parenthesized block
:: is expanded when the block is parsed, before xcopy has run.
if exist "%SOURCE%" (
    xcopy "%SOURCE%" "%DEST%\" /E /I /H /Y >nul
    if !errorlevel! equ 0 (
        echo [SUCCESS] Raw files backed up to: %DEST%
    ) else (
        echo [ERROR] Backup failed. Code: !errorlevel!
    )
) else (
    echo [INFO] No local Group Policy files found at: %SOURCE%
)
pause
Creating a Policy Deployment Script
This script checks for the LGPO.exe dependency and then applies a "Gold Image" policy file.
@echo off
setlocal
echo ============================================================
echo Local GPO Deployment Engine
echo ============================================================
:: 1. Verify Admin Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [CRITICAL] Admin rights REQUIRED to apply GPO.
    pause
    exit /b 1
)
:: 2. Check for tool
where lgpo >nul 2>&1
if %errorlevel% neq 0 (
    if not exist "%~dp0lgpo.exe" (
        echo [ERROR] LGPO.exe not found in PATH or script directory.
        echo [HELP] Download from the Microsoft Security Compliance Toolkit.
        pause
        exit /b 1
    )
    set "LGPO=%~dp0lgpo.exe"
) else (
    set "LGPO=lgpo.exe"
)
:: 3. Verify policy file exists
set "POLICY_FILE=%~dp0SecurityHardening.pol"
if not exist "%POLICY_FILE%" (
    echo [ERROR] Policy file not found: %POLICY_FILE%
    pause
    exit /b 1
)
:: 4. Apply Policy
echo [PROCESS] Applying '%POLICY_FILE%'...
"%LGPO%" /m "%POLICY_FILE%"
if %errorlevel% equ 0 (
    echo [SUCCESS] Policy applied successfully.
) else (
    echo [ERROR] Policy application failed. Code: %errorlevel%
    pause
    exit /b 1
)
:: 5. Force Update
echo [PROCESS] Refreshing system policies...
gpupdate /force
echo.
echo [DONE] Deployment complete.
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
You cannot touch the GroupPolicy folder or run LGPO.exe as a standard user. The script will return "Access Denied" or silently fail.
GPUpdate vs. LGPO
Applying a policy using LGPO.exe writes the data to the disk, but the system might not "realize" the settings have changed for several minutes.
Always follow a policy import with the command gpupdate /force. This forces the Windows OS to re-read the configuration files and apply the changes to the registry and system services immediately.
Best Practices for GPO Management
- Backup Registry Separately: Some local GPOs are essentially just registry keys. Also back up HKLM\Software\Policies.
- Test on Virtual Machines: Never apply an unknown GPO to a production machine. You can easily disable Networking, USB ports, or even the Command Prompt itself.
- Use Specific Filenames: Instead of just "backup," name your exports by date and purpose (e.g., 2023-10-12_Kiosk_Lockdown.pol).
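The first and third practices can be combined in one backup script. The following is an added example, not one of the original scripts; it assumes lgpo.exe sits next to the script, and the PURPOSE label and output folder layout are hypothetical.

```batch
@echo off
setlocal
:: Added example. PURPOSE and the folder layout are hypothetical.
set "PURPOSE=Kiosk_Lockdown"

net session >nul 2>&1
if errorlevel 1 (
    echo [ERROR] Administrator privileges are required.
    exit /b 1
)

:: Locale-independent date stamp (yyyy-MM-dd); %DATE% varies with regional settings.
set "STAMP="
for /f "usebackq delims=" %%i in (`powershell -NoProfile -Command "Get-Date -Format yyyy-MM-dd"`) do set "STAMP=%%i"
if not defined STAMP (
    echo [ERROR] Could not build a date stamp.
    exit /b 1
)

set "OUT=%~dp0%STAMP%_%PURPOSE%"
if exist "%OUT%" (
    echo [ERROR] "%OUT%" already exists. Refusing to overwrite an earlier backup.
    exit /b 1
)
mkdir "%OUT%\LGPO" || exit /b 1

:: 1. Full local GPO backup (LGPO.exe creates a GUID-named subfolder here).
"%~dp0lgpo.exe" /b "%OUT%\LGPO"
if errorlevel 1 (
    echo [ERROR] LGPO export failed.
    exit /b 1
)

:: 2. Policy registry keys, exported separately as the first practice advises.
reg export "HKLM\Software\Policies" "%OUT%\HKLM_Policies.reg" /y >nul
if errorlevel 1 (
    echo [ERROR] Registry export failed.
    exit /b 1
)
echo [SUCCESS] Backup written to: "%OUT%"
```

Because each run writes to its own dated folder, the import script's GUID-folder search finds exactly one candidate when pointed at that folder's LGPO subdirectory.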
Local GPO is divided into Computer Configuration (affects the machine) and User Configuration (affects the person logged in). LGPO.exe can target these separately using the /m (machine) and /u (user) flags.
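A review step before import, using the /m and /u split described above, written as an added example rather than one of the original scripts. It assumes lgpo.exe sits next to the script and relies on LGPO.exe's /parse command to dump a .pol file as text; UserLockdown.pol and the PolicyReview folder are hypothetical names.

```batch
@echo off
setlocal
:: Added example. UserLockdown.pol and PolicyReview are hypothetical names.
set "LGPO=%~dp0lgpo.exe"
set "MACHINE_POL=%~dp0SecurityHardening.pol"
set "USER_POL=%~dp0UserLockdown.pol"
set "REVIEW=%~dp0PolicyReview"

net session >nul 2>&1 || (echo [ERROR] Administrator privileges are required. & exit /b 1)
for %%f in ("%LGPO%" "%MACHINE_POL%" "%USER_POL%") do (
    if not exist "%%~f" (
        echo [ERROR] Missing file: "%%~f"
        exit /b 1
    )
)
if not exist "%REVIEW%" mkdir "%REVIEW%"

:: 1. Convert each binary .pol into readable LGPO text. Nothing is applied yet.
"%LGPO%" /parse /m "%MACHINE_POL%" > "%REVIEW%\machine.txt"
if errorlevel 1 goto :parse_failed
"%LGPO%" /parse /u "%USER_POL%" > "%REVIEW%\user.txt"
if errorlevel 1 goto :parse_failed

:: 2. Record hashes so the files applied later can be matched to the files reviewed.
certutil -hashfile "%MACHINE_POL%" SHA256 > "%REVIEW%\hashes.txt"
certutil -hashfile "%USER_POL%" SHA256 >> "%REVIEW%\hashes.txt"

echo [INFO] Review machine.txt and user.txt in: "%REVIEW%"
set "CONFIRM="
set /p "CONFIRM=Type APPLY to import both files, anything else to stop: "
if /i not "%CONFIRM%"=="APPLY" (
    echo [INFO] Nothing was applied.
    exit /b 0
)

:: 3. Apply Computer and User Configuration separately, then refresh.
"%LGPO%" /m "%MACHINE_POL%"
if errorlevel 1 goto :apply_failed
"%LGPO%" /u "%USER_POL%"
if errorlevel 1 goto :apply_failed
gpupdate /force
exit /b 0

:parse_failed
echo [ERROR] LGPO.exe could not parse a policy file.
exit /b 1

:apply_failed
echo [ERROR] Policy import failed. The machine may be partially configured.
exit /b 1
```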
Conclusion
Exporting and importing Local Group Policy via Batch script is a critical workflow for maintaining consistent and secure Windows environments. By utilizing professional tools like LGPO.exe and enforcing policy refreshes with gpupdate, you can automate complex system configurations in seconds rather than hours. This professional approach to system management reduces configuration drift, simplifies machine cloning, and provides a reliable recovery path for your most detailed security and usability settings across the entire Windows ecosystem.