Tactical Advice

Get Active About Group Policy

Working with multiple local Group Policy objects.
This story appears in the September 2007 issue of BizTech Magazine.

With Group Policy objects, you can change hundreds of default settings in Microsoft Windows — from color schemes to desktop security — and create a complex hierarchy of GPOs to configure settings based on the user and the computer’s location, organization and purpose in Active Directory environments.

Here’s how to define, edit and prioritize multiple local GPOs.

First, not all computers can join a domain. For example, public computers (such as a kiosk in a library) are frequently attacked and could put the entire domain at risk. Windows XP and earlier versions of Windows had a single local GPO that applied settings to the client computer and all users that logged on to the computer. Therefore, if you needed to lock down the desktop environment to prevent guests from opening the Start menu, you also made it impossible to manage the computer when logged on as an administrator.

Windows Vista now supports multiple local Group Policy objects (MLGPOs) so that you can apply different settings to administrators, non-administrators and specific users.

MLGPO Types

Windows Vista supports the following local GPOs:

  • Local Computer Policy: Just like earlier versions of Windows, Vista supports local computer policy that always applies, regardless of which user is logged on. This policy contains both the Computer Configuration and User Configuration nodes. All other local GPOs contain only the User Configuration node.
  • Administrators Policy: Settings configured in this policy apply only to users who are members of the local Administrators group.
  • Non-administrators Policy: Settings apply to all users who are not members of the local Administrators group.
  • User-Specific Policies: You can configure GPOs that apply to only a specific user account.

Any user who logs on will have, at most, three local GPOs: the local computer policy, a user-specific policy, and either the administrators or non-administrators policy. Oddly, you cannot create local GPOs that apply to local groups, such as “backup operators” or “guests.”

GPO Priorities

Local GPOs are applied in the following order, with later policies overriding conflicting settings in earlier policies:

  1. local computer policy;
  2. administrators and non-administrators policies;
  3. user-specific policies.

For example, if you set the desktop to blue in the local computer policy but set it to red in the administrators policy, it will appear red when an administrator logs on. If you set the desktop to green in the user-specific policy, that setting would override all other local GPOs.

If the computer is a member of an Active Directory domain, domain GPOs always override conflicting settings in local GPOs. If you want to completely disable local GPOs, enable the following setting in a domain GPO:

computer configuration\administrative templates\system\group policy\turn off local group policy objects processing


To remove a local GPO, right-click it from this dialog box, and then click Remove Group Policy Object.

How to Edit Local GPOs

To edit one of the local GPOs in Vista, log on as a member of the administrators group and follow these steps:

  1. Click Start, type MMC, and then press Enter. Respond to the User Account Control prompt that appears.
  2. In the blank console, click the File menu, and then click Add/Remove Snap-In.
  3. In the Add or Remove Snap-Ins dialog box, under Available Snap-Ins, click Group Policy Object Editor. Then, click Add. The Select Group Policy Object wizard will appear.
  4. On the Welcome to the Group Policy Wizard page, click Browse.
  5. On the Browse for a Group Policy Object dialog box, choose a GPO:
    • Local Computer Policy: On the Computers tab, click This Computer.
    • Administrators Policy: On the Users tab, click Administrators.
    • Non-administrators Policy: On the Users tab, click Non-administrators.
    • User-Specific Policies: On the Users tab, click the user account you want to configure.
  6. Click OK, and then click Finish.

You can now use this custom management console to edit the GPO you selected. To simplify editing, add any useful local GPOs to the console, and then save the console for future use.

Copying Local GPOs Between Computers

It’s not as easy as managing GPOs in a domain, but you can copy most GPO settings between standalone computers running Vista. First, use the Group Policy Object Editor to configure the local GPOs on the primary computer. Then, copy the GPO settings to your target computers. The technique you use to copy the data depends on whether your settings are within the Security Settings node or the Administrative Templates node. (Just a reminder: The Group Policy Management Console can be used only with domain GPOs.)

Security Settings

If you edit the local computer policy and update any settings within the computer configuration\windows settings\security settings node, use the secedit command-line tool to copy the settings to the target computers:

  1. Export the security settings from the primary computer by running the following command:
    secedit /export /cfg secsettings.inf
  2. Copy the secsettings.inf file to each of your target computers, and perform a full backup.
  3. On each target computer, run the following command to import the security settings from the primary computer:
    secedit /configure /db secsettings /cfg secsettings.inf /overwrite
  4. To ensure all settings are applied, restart the target computers.

Administrative Templates

If you edit any of the local GPOs and update settings within the Administrative Templates node, manually copy the settings to the target computers by following these steps:

  1. For any GPO you edited, copy the contents of the folder listed in the following table to the target computer. These folders are hidden and require administrative privileges to access. For user-specific policies, you must change the folder name to match the service set identifier (SSID) of the user on the target computer.
  2. On the target computer, run gpupdate /force to apply the new Group Policy settings.

The registry.pol file stores most of the GPO data. To view these files directly, use the free PolViewer utility available at GPOGuy.

GPO Folder
Administrators %windir%\system32\grouppolicyusers\s-1-5-32-544\
Non-administrators %windir%\system32\grouppolicyusers\s-1-5-32-545\
User-specific policies %windir%\system32\grouppolicyusers\<ssid>\
Local computer policy, computer config. %windir%\system32\grouppolicy\machine\
Local computer policy, user config. %windir%\system32\grouppolicy\user\

 

Troubleshooting Local GPOs

You can troubleshoot problems with local GPOs using most of the same tools you use for Active Directory GPOs, including:

  • Resultant Set of Policy: A Microsoft Management Console snap-in that analyzes all Group Policy settings, displays the effective settings, and allows you to isolate the Group Policy objects that define any setting.
  • GPResult: A command-line tool that provides a list of active GPOs, including both domain and local GPOs, among other useful information.
  • Event Viewer: Vista adds an event to the System Event Log when policies are applied, and stores detailed processing information in the applications and service logs\microsoft\windows\group policy\operational event log. The Operational Event Log replaces the userenv.log file used in earlier versions of Windows.
  • Group Policy Log View: A tool that exports Group Policy event data into a text file. You can download GPLogView at go.microsoft.com/fwlink/?LinkId=75004.
IT Takeaway

GPOs are the most efficient way to configure the hundreds of settings on a Windows computer. XP and earlier versions of Windows had only a single local GPO, and any settings configured in that GPO applied to all users. Therefore, you couldn’t use the local GPO to harden the desktop environment because you would also prevent administrators from managing the computer.

•Vista solves this problem by providing three levels of local GPOs: the local computer GPO, the administrators and non-administrators GPOs, and GPOs for individual users.
• With Vista, you can lock down a computer without locking yourself out.
Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.
Sign up for our e-newsletter

Security

Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.