Local Policy Object
This is the most generic of the three local GPOs. If you are familiar with earlier versions of GPOs, the basic premise of the Local Policy Object is identical to the original design of the local GPO for Windows 2000 or Windows XP Professional. This GPO should be used to include the generic settings that affect all users. Of the three local GPOs, it has the weakest precedence. Any settings in this GPO apply to all users who log on to the computer. Furthermore, if there is a conflicting setting between this GPO and any GPOs from Active Directory (or the other two local GPOs), this GPO will not take precedence for that setting.
To access this GPO, you use the Local Group Policy Editor. To access the Local Group Policy Editor, type gpedit.msc in the Run dialog box.
Note
This is an administrative task; if you have User Account Control (UAC) enabled, you must agree to the permissions that opening the Local Group Policy Editor MMC snap-in requires.
The Local Group Policy Editor opens, exposing the Local Computer Policy, as shown in Figure 1.
Note that this local GPO includes settings for both the computer and user accounts. This is not the case for all local GPOs. This GPO is used to configure all settings for the computer and user in a generic manner.
Administrators and Non-Administrators Local GPOs
One of the new local GPOs that comes with Windows Vista is not just one GPO, but two. Together, the Administrators and Non-Administrators local GPOs give you the ability to separate those users who are seen by the local desktop as administrators from standard users on the desktop.
This structure of local GPOs is ideal for both normal desktops and specialized desktops, such as kiosks, training room computers, and shared computers. The Administrators local GPO applies only to user accounts that have membership in the local Administrators group on the desktop. Because this group is controlled at the desktop level, each desktop can have a unique list of members. You use the Administrators Local GPO to override the Local Policy Object when the administrators need more privileges than other users and the Local Policy Object is too confining.
The Non-Administrators local GPO applies to all users who are not affected by the Administrators local GPO. By deduction, this includes all users who log on to the desktop who do not have membership in the local Administrators group. You use the Non-Administrators Local GPO to modify the Local Policy Object settings, or as an alternative to configuring the Local Policy Object.
Access to these local GPOs is not as simple as it is for the Local Policy Object. These GPOs are exposed by using the Microsoft Management Console (MMC). To access them for editing, follow these steps:
1. In the Run dialog box, type MMC.
Note
This is an administrative task; if you have UAC enabled, you must agree to the permissions that opening the Local Group Policy Editor MMC snap-in requires.
2. In the MMC console, click File, and then click Add/Remove Snap-in.
3. Select Group Policy Management Editor from the Available Snap-ins list, and then click Add.
4. On the Welcome to the Group Policy Wizard page, leave Local Computer as the entry under Group Policy Object.
5. Click Browse.
6. In the Browse for a Group Policy Object dialog box, click the Users tab.
7. Select Administrators, and then click OK.
8. On the Welcome to the Group Policy Wizard page, click Finish.
9. In the Add/Remove Snap-ins dialog box, click OK.
10. In the console, expand the Local Computer\Administrators Policy node.
11. Repeat these steps for the Non-Administrators local GPO, selecting Non-Administrators instead of Administrators in the applicable steps.
Note that these two local GPOs have only User Configuration settings, not Computer Configuration settings, as shown in Figure 2. This is because a computer cannot have membership in the local Administrators group, so there is no way to differentiate between the two types of computers.
Any settings that are configured in both the Local Policy Object and one of these Administrator GPOs are controlled by the Administrator-based GPO.
User-Specific Local GPOs
There are some instances in which you would like to have more precise control over the settings on a computer. This is not possible with the Local Policy Object, the Administrators GPO, or the Non-Administrators GPO. These GPOs are for “groups” of users, not specific users.
The final local GPO option is to specify a unique set of policy settings for a local user account. This is an ideal solution for controlling users logging on to kiosks or other specialized desktops throughout the enterprise. With user-specific local GPOs, you can create a custom environment that allows for a more relaxed or more strict set of policy settings.
As with the Administrators local GPOs, access to user-specific GPOs requires the use of the MMC and involves several steps. Follow these steps to access the user-specific local GPOs:
1. In the Run dialog box, type MMC.
Note
This is an administrative task; if you have UAC enabled, you must agree to the permissions that opening the Local Group Policy Editor MMC snap-in requires.
2. In the MMC console, click File, and then click Add/Remove Snap-in.
3. Select Group Policy Management Editor from the Available Snap-ins list, and then click Add.
4. On the Welcome to the Group Policy Wizard page, leave Local Computer as the entry under Group Policy Object.
5. Click Browse.
6. In the Browse for a Group Policy Object dialog box, click the Users tab.
7. Select the desired user account from the list, and then click OK.
8. On the Welcome to the Group Policy Wizard page, click Finish.
9. In the Add/Remove Snap-ins dialog box, click OK.
10. In the console, expand the Local Computer\<username> Policy node.
As with the Administrators local GPOs, the user-specific local GPOs contain only User Configuration settings, as you can see in Figure 3.
Note
It is essential to note that the only user accounts that can have a user-specific local GPO associated with them are those that have an account in the local Security Accounts Manager (SAM).
The user-specific local GPOs give you control over User Configuration settings, which is logical. Because these GPOs involve user accounts, it would not make sense for them to configure computer-related settings.
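The MMC steps above show one local GPO layer at a time. As an added example (not from the book), the following PowerShell script inventories every local GPO layer that exists on a computer, so an administrator can see at a glance whether Administrators, Non-Administrators, or user-specific local GPOs have been created and which accounts they cover. It assumes (this is not stated on the page) that the Local Policy Object is stored under %SystemRoot%\System32\GroupPolicy and the other layers under %SystemRoot%\System32\GroupPolicyUsers\<SID>, where S-1-5-32-544 holds the Administrators layer and S-1-5-32-545 the Non-Administrators layer.

```powershell
# Added example, not the book's own code. Read-only inventory of the local GPO
# layers described above. Run from an elevated PowerShell prompt.
# Assumed on-disk layout (not stated on the page):
#   %SystemRoot%\System32\GroupPolicy              -> Local Policy Object
#   %SystemRoot%\System32\GroupPolicyUsers\<SID>   -> group or user-specific layer
$base      = Join-Path $env:SystemRoot 'System32'
$usersRoot = Join-Path $base 'GroupPolicyUsers'
$layers    = @()

# Layer 1: the generic Local Policy Object (Computer + User Configuration).
$lpo = Join-Path $base 'GroupPolicy'
if (Test-Path $lpo) {
    $layers += [pscustomobject]@{
        Layer = 'Local Policy Object'; Scope = 'All users'; Precedence = 6; Path = $lpo }
}

# Layers 2-3: Administrators / Non-Administrators / user-specific, one folder per SID.
if (Test-Path $usersRoot) {
    foreach ($dir in Get-ChildItem -Path $usersRoot -Directory) {
        $sid = $dir.Name
        switch ($sid) {
            'S-1-5-32-544' { $layer = 'Administrators local GPO';     $scope = 'Local Administrators members';     $prec = 5 }
            'S-1-5-32-545' { $layer = 'Non-Administrators local GPO'; $scope = 'Users not in local Administrators'; $prec = 5 }
            default {
                # User-specific layer: resolve the SID to an account name. Per the note
                # above only local SAM accounts qualify, so flag anything that does not
                # resolve to COMPUTERNAME\<user> (orphaned or unexpected layer).
                try {
                    $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                [System.Security.Principal.NTAccount]).Value
                } catch { $acct = '<unresolved SID>' }
                $layer = 'User-specific local GPO'
                $scope = if ($acct -like "$env:COMPUTERNAME\*") { $acct } else { "$acct (not a local SAM account - review)" }
                $prec  = 4
            }
        }
        $layers += [pscustomobject]@{ Layer = $layer; Scope = $scope; Precedence = $prec; Path = $dir.FullName }
    }
}

# Weakest layer (6) first, strongest local layer (4) last, matching Table 1.
$layers | Sort-Object Precedence -Descending | Format-Table -AutoSize
```

A computer on which only gpedit.msc has ever been used shows just the Local Policy Object row; any additional rows mean someone has created one of the more specific layers through the MMC procedure described in this section.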
Precedence
If you review the local GPOs from the most generic to the most specific, you will see the overall precedence structure. The most generic local GPOs have the weakest precedence, and the most specific local GPOs have the highest precedence. Table 1 lists the affected settings of each local GPO and their precedence in relation to local and Active Directory–based GPOs.
Table 1. Group Policy Object Settings and Precedence
Group Policy Object | Precedence | Settings in the GPO
---|---|---
Local Policy Object | 6 (lowest precedence of all GPOs) | Computer Configuration and User Configuration
Local Administrators and Non-Administrators GPO | 5 | User Configuration
User-specific local GPO | 4 (highest precedence of all local GPOs) | User Configuration
GPO linked to Active Directory site | 3 (lowest precedence of Active Directory GPOs) | Computer Configuration and User Configuration
GPO linked to Active Directory domain | 2 | Computer Configuration and User Configuration
GPO linked to Active Directory organizational unit | 1 (highest precedence of all GPOs) | Computer Configuration and User Configuration