This guide provides detailed instructions on how to back up and restore Local Group Policy Editor settings in Windows 11. It includes instructions on how to back up Local Group Policy manually, as well as how to script and automate the process.
Local Group Policy in Windows 11 is a powerful tool for managing Windows devices (whether it’s customizing your own, or providing tech support for others). Being able to readily back up and restore Group Policy settings makes it easier to roll back changes, or duplicate Group Policy to another PC.
Group Policy in Windows
Group Policy is an administrative feature of Windows operating systems (Pro, Enterprise, and Server versions). It provides tools for the centralized configuration of user and system settings on Windows devices, and the ability to configure supported third-party applications. Group Policy is used by system administrators to manage security policies, network configuration, user permissions, and user profiles.
A Group Policy contains what are known as Group Policy Objects (GPOs), and each of these GPOs contains the configuration options that change the configured behavior of the associated application or operating system feature. GPOs defined as a Computer Configuration only apply to the Windows device they target (affecting users who log into that machine), whereas a User Configuration will apply to a single user account and apply to any Windows device they log into with that account for the duration of their session.
There are two types of Windows Group Policy GPOs:
- Local Group Policy: Local Group Policy applies solely to the single Windows PC it is directly configured on.
- Group Policy in Active Directory: GPOs developed in a Windows Active Directory domain are defined based on organizational units (OU), which can target devices or users based on defined groups. Active Directory is designed for managing enterprise networks, and is usually not deployed for home use.
When managing Group Policy in Windows, it’s worth noting that in the case of a conflict, the most restrictive policy takes precedence, and domain Group Policy Objects from Group Policy in Active Directory always overrule Local Group Policy Objects.
Where are Local Group Policy Editor settings located in Windows 11?
In both Windows 11 and Windows 10, Local Group Policy Editor settings are stored at the following locations:
- Computer Configuration is stored at %SystemRoot%\System32\GroupPolicy\Machine
- User Configuration is stored at %SystemRoot%\System32\GroupPolicy\User
- Group Policy Objects targeting specific users or groups are stored at %SystemRoot%\System32\GroupPolicyUsers
Note that Local Group Policy is not available on Windows 11 and Windows 10 Home — these directories may exist, but backing up and restoring GPOs will have no effect.
How to back up Local Group Policy Editor settings
To back up Local Group Policy in Windows, follow these steps:
- Make sure that showing hidden files and folders is enabled in Windows Explorer
- Right click on Start and click Run
- In the Run dialog, copy and paste the path to the local Group Policy Objects you wish to back up (Computer Configuration, User Configuration, or GPOs for specific users/groups) from the list found above
- Select all the files and folders in the directory by pressing Ctrl + A
- Right-click and copy the contents of the folder into a new folder on an external USB or network drive, or to cloud storage
Restoring Local Group Policy Editor settings
To restore Group Policy settings in Windows 11:
- Make sure that showing hidden files and folders is enabled in Windows Explorer
- Right-click on the Start button and click Run
- In the Run dialog, copy and paste the path to the local Group Policy Objects you wish to restore to (Computer Configuration, User Configuration, or GPOs for specific users/groups) from the list above
- In a separate Explorer window, navigate to the folder you originally copied your backups to
- Select all the files and folders in the directory by pressing Ctrl + A
- Right-click and copy the contents of the folder and paste them into the folder path they were originally backed up from
- Open the command prompt or PowerShell and run gpupdate /force
Once you have restored your Group Policy Settings, you should verify that they have taken effect.
Use cases for backing up and restoring Group Policy settings
There are several common use cases for backing up Local Group Policy Editor settings on Windows:
- Migrating to a new PC (or deploying the same policies to multiple PCs): Rather than manually re-creating each Group Policy Object to configure a new PC, you can simply export them from your existing device, and then import them.
- Troubleshooting or rolling back after a failed change: If you make major changes to your group policies that don’t work as intended, you can roll them all back by restoring a backup, rather than having to find and manually undo each individual change.
- System repair and maintenance: Rolling back the unintentional changes made by end-users is a common task for system administrators, and having backups that can be quickly restored can save a lot of time.
Automate the Group Policy Backup Process with LGPO
LGPO is a Local Group Policy backup tool provided by Microsoft. It is a command-line utility, so it’s perfect for automating the backup and restoration process. LGPO can be downloaded as part of the Microsoft Security Compliance Toolkit.
Once you’ve downloaded and extracted LGPO, copy and paste the file LGPO.exe to the path C:\Windows\System32 — this will make the application available as a global command on your system, so it can be run from anywhere.
Now that LGPO is installed, you can use it to create a backup by running the following command in the command prompt or PowerShell:
LGPO.exe /b "PATH_TO_BACKUP_DIRECTORY"
Be sure to replace PATH_TO_BACKUP_DIRECTORY with the location of the folder you wish to store your backups in (for example, D:\my_group_policy_backups). Note that within the backup directory, the actual backup files will be in a folder with a unique ID (a random-looking string of characters and dashes) — you’ll need to be aware of this when restoring the backup.
As this method uses the command line, it can be automated using PowerShell and scheduled using the Windows Task Scheduler.
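One way to script and schedule the LGPO backup described above, shown as an added example that is not part of the original guide or of Microsoft's tooling. It assumes LGPO.exe is on the PATH; the backup root, retention period, task name and the manifest.csv file are illustrative choices.

```powershell
# Added example: scheduled LGPO backup with a SHA-256 manifest.
# Assumptions: LGPO.exe is on PATH; backup root, retention and task name are illustrative.
# Keep this script and the backup root writable by administrators only: the task runs as SYSTEM.
#Requires -RunAsAdministrator
param(
    [string]$BackupRoot = 'D:\my_group_policy_backups',
    [int]$KeepDays = 30,
    [switch]$Register   # run once with -Register to create the daily task
)
$ErrorActionPreference = 'Stop'

if ($Register) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'
    Register-ScheduledTask -TaskName 'Backup-LocalGpo' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest | Out-Null
    return
}

# One dated folder per run; LGPO creates its uniquely named folder inside it.
$runDir = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmmss')
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

& LGPO.exe /b $runDir

# Do not trust the run until a backup folder actually exists.
$gpoDir = Get-ChildItem -LiteralPath $runDir -Directory | Select-Object -First 1
if (-not $gpoDir) { throw "No backup folder was created under $runDir" }

# Hash every backed-up file so a later restore can detect corruption or tampering.
Get-ChildItem -LiteralPath $gpoDir.FullName -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($gpoDir.FullName.Length + 1)
        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Export-Csv -LiteralPath (Join-Path $runDir 'manifest.csv') -NoTypeInformation

# Prune runs older than the retention window.
Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Recurse -Force
```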
To restore your Local Group Policy Editor backups, run:
LGPO.exe /g "PATH_TO_BACKUP_DIRECTORY\UNIQUE_ID"
Note that you’ll need to provide the full path to the backup directory, including the uniquely named directory created for that specific backup.
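Because restored policy files are applied with system-wide effect, it is worth checking a backup before importing it. The following added example (not part of the original guide) verifies a backup against a hash manifest and only then runs the restore; it assumes a manifest.csv with RelativePath and SHA256 columns was written next to the uniquely named backup folder when the backup was taken.

```powershell
# Added example: verify a backup against its manifest, then import it with LGPO.
# Assumptions: manifest.csv (columns RelativePath, SHA256) sits beside the uniquely
# named backup folder; LGPO.exe is on PATH.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$GpoBackupDir   # full path, including the unique-ID folder
)
$ErrorActionPreference = 'Stop'

$root = (Get-Item -LiteralPath $GpoBackupDir).FullName.TrimEnd('\')
$manifestPath = Join-Path (Split-Path -Path $root -Parent) 'manifest.csv'

# Hashes recorded at backup time.
$expected = @{}
Import-Csv -LiteralPath $manifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

# Hashes of what is in the backup folder now.
$actual = @{}
Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($root.Length + 1)
    $actual[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
}

# Report files that are missing, changed, or were added after the backup was taken.
$problems = @()
foreach ($p in $expected.Keys) {
    if (-not $actual.ContainsKey($p))       { $problems += "missing: $p" }
    elseif ($actual[$p] -ne $expected[$p])  { $problems += "modified: $p" }
}
foreach ($p in $actual.Keys) {
    if (-not $expected.ContainsKey($p))     { $problems += "unexpected: $p" }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Backup failed verification; nothing was imported.'
}

# Only a backup that matches its manifest is imported and applied.
& LGPO.exe /g $root
& gpupdate.exe /force
```

A manifest stored beside the backup can be changed by anyone who can change the backup itself, so keep a second copy of it somewhere that account cannot write to.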
Best practices and troubleshooting
There are a few further things you should keep in mind when importing and exporting Group Policy Editor settings in Windows.
If you’re regularly changing your Local Group Policy settings, you should automate and schedule the backup process so you always have an up-to-date backup stored on a separate device or in the cloud. You can also export and import specific policies by only copying those directories to your backup folder, allowing you to back up or restore policies individually.
Importantly, it is not advisable to restore Group Policy Settings from a different version of Windows due to differences between operating system versions. Restoring from a different version of Windows, or importing corrupted Group Policy files, can lead to unintended behavior or an unstable system. If your PC is not behaving as expected after restoring from a Group Policy backup, restore your whole PC from a full system backup and recreate the policies manually.
Managing Windows Group Policy in an enterprise environment
Using Local Group Policy to manage more than a few Windows devices is cumbersome. This is why system administrators for even small businesses deploy Windows Domains, including Group Policy in Active Directory, to centrally manage user and device configurations. Backing up and restoring Group Policy Editor settings can then be done as part of routine backups on the server, rather than per-device.
Windows domains with Active Directory are the industry standard for centrally managing users and configuring Windows devices. They include management and security tools (including identity and access management, firewalls, and anti-malware) to manage access and protect assets. Furthermore, you can improve the security and resiliency of your enterprise networks with the implementation of remote monitoring and management. This is vital for organizations that also deploy Apple and Android devices (in addition to their Windows PCs) as it provides a comprehensive, cross-platform monitoring and management solution for all of your devices.
NinjaOne is a powerful endpoint management solution with a unified interface for deploying and maintaining Windows 11 devices. It integrates with endpoint protection and helps you oversee group policies for hundreds or thousands of users, as well as centrally manage the backup process for your servers, workstations, and mobile devices.