With Group Policy objects, you can change hundreds of default settings in Microsoft Windows — from color schemes to desktop security — and create a complex hierarchy of GPOs to configure settings based on the user and the computer’s location, organization and purpose in Active Directory environments.
Here’s how to define, edit and prioritize multiple local GPOs.
First, not all computers can join a domain. For example, public computers (such as a kiosk in a library) are frequently attacked and could put the entire domain at risk. Windows XP and earlier versions of Windows had a single local GPO that applied settings to the client computer and all users that logged on to the computer. Therefore, if you needed to lock down the desktop environment to prevent guests from opening the Start menu, you also made it impossible to manage the computer when logged on as an administrator.
Windows Vista now supports multiple local Group Policy objects (MLGPOs) so that you can apply different settings to administrators, non-administrators and specific users.
Windows Vista supports the following local GPOs:
Any user who logs on will have, at most, three local GPOs: the local computer policy, a user-specific policy, and either the administrators or non-administrators policy. Oddly, you cannot create local GPOs that apply to local groups, such as “backup operators” or “guests.”
Local GPOs are applied in the following order, with later policies overriding conflicting settings in earlier policies:
For example, if you set the desktop to blue in the local computer policy but set it to red in the administrators policy, it will appear red when an administrator logs on. If you set the desktop to green in the user-specific policy, that setting would override all other local GPOs.
If the computer is a member of an Active Directory domain, domain GPOs always override conflicting settings in local GPOs. If you want to completely disable local GPOs, enable the following setting in a domain GPO:
computer configuration\administrative templates\system\group policy\turn off local group policy objects processing
To edit one of the local GPOs in Vista, log on as a member of the administrators group and follow these steps:
You can now use this custom management console to edit the GPO you selected. To simplify editing, add any useful local GPOs to the console, and then save the console for future use.
It’s not as easy as managing GPOs in a domain, but you can copy most GPO settings between standalone computers running Vista. First, use the Group Policy Object Editor to configure the local GPOs on the primary computer. Then, copy the GPO settings to your target computers. The technique you use to copy the data depends on whether your settings are within the Security Settings node or the Administrative Templates node. (Just a reminder: The Group Policy Management Console can be used only with domain GPOs.)
If you edit the local computer policy and update any settings within the computer configuration\windows settings\security settings node, use the secedit command-line tool to copy the settings to the target computers:
If you edit any of the local GPOs and update settings within the Administrative Templates node, manually copy the settings to the target computers by following these steps:
The registry.pol file stores most of the GPO data. To view these files directly, use the free PolViewer utility available at GPOGuy.
|Local computer policy, computer config.||%windir%\system32\grouppolicy\machine\|
|Local computer policy, user config.||%windir%\system32\grouppolicy\user\|
You can troubleshoot problems with local GPOs using most of the same tools you use for Active Directory GPOs, including:
GPOs are the most efficient way to configure the hundreds of settings on a Windows computer. XP and earlier versions of Windows had only a single local GPO, and any settings configured in that GPO applied to all users. Therefore, you couldn’t use the local GPO to harden the desktop environment because you would also prevent administrators from managing the computer.