Windows 7 : Working with Multiple Local Group Policy Objects

2/6/2011 9:46:19 AM

1. Understanding Multiple Local Group Policy Object Usage

Multiple LGPOs increase flexibility when applying policy settings and allow home and workgroup users to gain some of the benefits and controls previously available only in Windows domains. They do this by allowing a policy to be uniquely tailored to users based on the logon account and their membership in specific groups.

Windows 7 has three layers of LGPOs:

  1. Local Group Policy

  2. Administrators and Non-Administrators Local Group Policy

  3. User-specific Local Group Policy

These layers of LGPOs are processed in order. Local Group Policy is applied first. Administrators and Non-Administrators Local Group Policy is applied second. User-specific Local Group Policy is applied third.

Local Group Policy is the only LGPO that allows both computer configuration and user configuration settings to be applied. User configuration settings applied through the LGPO apply to all users of the computer, even the built-in Administrator account. Local Group Policy works the same as it did in Windows XP.

Administrators and Non-Administrators Local Group Policy contains only user configuration settings and is applied based on whether the user account being used is a member of the local Administrators group. A user is either an administrator or a nonadministrator. If the user is a member of the Administrators group, Administrators Local Group Policy is applied to the user at logon. If the user is not a member of the Administrators group, Non-Administrators Local Group Policy is applied to the user at logon.

User-specific Local Group Policy contains only user configuration settings and is applied based on whether an additional policy object has been created and applied to a user’s account. In this way, you use User-specific Local Group Policy to apply policy settings to one specific user.

The available user settings are the same among all LGPOs. Because of this, it is possible that a setting in one GPO may conflict with a setting in another GPO. Windows 7 resolves conflicts in settings by overwriting any previous setting with the last read and most current setting. The final setting is the one Windows 7 uses. Because of this, the processing order is extremely important: it determines which user settings are actually applied when there are conflicting settings.

NOTE

Only the enabled or disabled state of a setting matters. If a setting is set as Not Configured, this has no effect on the state of the setting from a previous policy application.

To see how setting overwriting works, consider the following examples:

  • Jim is a member of the local Administrators group and has a user-specific GPO. When Jim logs on to his computer, Local Group Policy is applied, then Administrators Local Group Policy, and then his User-specific Local Group Policy. Thus, if Local Group Policy disabled a setting, then Administrators Local Group Policy enabled the setting, and then User-specific Local Group Policy disabled the setting, the setting would be disabled.

  • Tina is not a member of the local Administrators group and has a user-specific GPO. When Tina logs on to her computer, Local Group Policy is applied, then Non-Administrators Local Group Policy, and then her User-specific Local Group Policy. Thus, if a setting is disabled in Local Group Policy, then enabled in Non-Administrators Local Group Policy, and then not configured in User-specific Local Group Policy, the setting would be enabled.

As you can see, using multiple LGPOs in a standalone configuration allows you to control precisely how policy settings are applied to users based on their logon account and group membership. In a domain configuration, however, you might not want to use multiple LGPOs because in domains, most computers and users already have multiple GPOs applied to them, and adding multiple LGPOs to this already varied mix can make it confusing to manage Group Policy.

In a domain, computers apply local policy first and then domain policy. Because domain policy is applied last, domain policy settings overwrite any conflicting settings from local policy. Further, to simplify administration, domain administrators can disable processing of LGPOs on computers running Windows 7 by enabling the “Turn off Local Group Policy objects processing” policy setting in a domain GPO. In Group Policy, this setting is located under Computer Configuration\Administrative Templates\System\Group Policy.
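
The processing order described in this section can be modelled in a few lines of PowerShell. This is an added example, not code from the original article: the function name Resolve-EffectiveSetting, its parameters and the sample states are hypothetical, and it uses PowerShell 2.0 syntax so it runs on a stock Windows 7 installation.

```powershell
# Added illustration (not from the original article): a model of the order in
# which Windows 7 reads the policy layers. All names here are hypothetical.
function Resolve-EffectiveSetting {
    param(
        [Parameter(Mandatory = $true)] [bool] $IsAdministrator,
        # Layer name -> 'Enabled', 'Disabled' or 'NotConfigured'; missing layers are skipped.
        [Parameter(Mandatory = $true)] [hashtable] $Layers,
        # Models "Turn off Local Group Policy objects processing" set in a domain GPO.
        [switch] $TurnOffLocalProcessing
    )
    # A user is read against exactly one of the two group layers, never both.
    $groupLayer = if ($IsAdministrator) { 'Administrators' } else { 'Non-Administrators' }
    $order = @()
    if (-not $TurnOffLocalProcessing) { $order += 'Local', $groupLayer, 'User-specific' }
    $order += 'Domain'                      # domain policy, when present, is processed last

    $state = 'NotConfigured'; $setBy = '(none)'
    foreach ($name in $order) {
        $value = $Layers[$name]
        # Only Enabled/Disabled overwrite; Not Configured leaves the earlier state alone.
        if ('Enabled', 'Disabled' -contains $value) { $state = $value; $setBy = $name }
    }
    New-Object PSObject -Property @{ State = $state; SetBy = $setBy; Order = ($order -join ' > ') }
}

# Constructed sample data for an administrator (Jim) and a nonadministrator (Tina).
$jim  = @{ 'Local' = 'Disabled'; 'Administrators' = 'Enabled'; 'User-specific' = 'Disabled' }
$tina = @{ 'Local' = 'Disabled'; 'Non-Administrators' = 'Enabled'; 'User-specific' = 'NotConfigured' }

Resolve-EffectiveSetting -IsAdministrator $true  -Layers $jim
Resolve-EffectiveSetting -IsAdministrator $false -Layers $tina
# A value in the Administrators layer never reaches a nonadministrator:
Resolve-EffectiveSetting -IsAdministrator $false -Layers $jim
# With local processing turned off, only the domain value counts:
Resolve-EffectiveSetting -IsAdministrator $true -Layers ($jim + @{ Domain = 'Enabled' }) -TurnOffLocalProcessing
```

The SetBy column names the layer that supplied the final state, which is the first thing to check when a restriction you expected on an account is not in effect.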

2. Creating Multiple Local Group Policy Objects

Using the GPOE, you can easily create and manage multiple LGPOs. By default, the only local policy object that exists on a computer is the LGPO. You can, however, create other local objects as necessary. Other objects are created when you access them in the GPOE.

2.1. Accessing the top-level LGPO

The way you create or access a particular LGPO depends on the object you want to work with. You can access the top-level LGPO by completing the following steps:

  1. Log on to a computer running Windows 7 with an administrative user account.

  2. Click Start, type mmc into the Search box and then press Enter.

  3. In the Microsoft Management Console, click File→Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and then click Add.

  5. In the Select Group Policy Object dialog box, click Finish because this is the default object.

  6. Click OK.

NOTE

You can use the same Microsoft Management Console to manage more than one LGPO. In the Add or Remove Snap-ins dialog box, you simply add one instance of the GPOE for each object you want to work with.

2.2. Accessing the Administrators Local Group Object or the Non-Administrators Local Group Object

You can create or access the Administrators Local Group Object or the Non-Administrators Local Group Object by completing the following steps:

  1. Log on to a computer running Windows 7 with an administrative user account.

  2. Click Start, type mmc into the Search box, and then press Enter.

  3. In the Microsoft Management Console, click File→Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. In the Browse for a Group Policy Object dialog box, click the Users tab, as shown in Figure 1. Note that the entries in the Group Policy Object Exists column specify whether a particular local policy object has already been created.

  7. Select Administrators (note the “s” on the end to distinguish it from the one for the Administrator user) to create or access the Administrators Local Group Object. Select Non-Administrators to create or access the Non-Administrators Local Group Object.

  8. Click OK.

Figure 1. Creating or accessing the desired object


In the Microsoft Management Console, the policy is listed as Local Computer\Administrators Policy or Local Computer\Non-Administrators Policy (see Figure 2). As discussed previously, only the top-level LGPO has both computer configuration and user configuration settings. Other types of local policy objects have only user configuration settings.

Figure 2. Unique labels provided for each local policy object


2.3. Accessing a user-specific local group object

You can create or access a user-specific local group object using the procedure outlined in the preceding section. The only change is that in step 7, you select the local user whose user-specific local group object you want to create or work with. If this object doesn’t already exist, it will be created. Otherwise, you’ll open the existing object for review and editing.

3. Deleting Local Group Policy Objects

All computers have an LGPO. You cannot delete this top-level policy object. You can, however, set each policy setting to Not Configured to ensure that no related policy settings are applied.

Although you cannot delete this object, you can delete other LGPOs that you have created. When you delete an LGPO, the object and all its related settings are removed from the computer.

NOTE

An LGPO is not created until you’ve configured at least one of the objects underneath it. If you add the LGPO as outlined in the previous section, and then return to the Browse for a Group Policy Object dialog box, the Group Policy Object Exists column will read “No” unless you’ve configured one of the objects.

You can delete the Administrators Local Group Object, Non-Administrators Local Group Object, or User-specific Local Group Object by following these steps:

  1. Log on to a computer running Windows 7 with an administrative user account.

  2. Click Start, type mmc into the Search box, and then press Enter.

  3. In the Microsoft Management Console, click File→Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. In the Browse for a Group Policy Object dialog box, click the Users tab, as shown in Figure 24-3.

  7. Right-click the name of the policy you want to remove and then select Remove Group Policy Object.

  8. When prompted to confirm, click Yes.

  9. Click Cancel three times to exit all open dialog boxes.

  10. In the Microsoft Management Console, click File→Exit. If prompted to save the console, click No.

  11. Log off the computer to ensure that the policy object can be removed.
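
The same inventory the Users tab shows can be taken from the file system, which is useful for auditing a machine or confirming a deletion. This is an added example, not code from the original article: the function name Get-LocalPolicyObject is hypothetical, and the on-disk locations it reads (%SystemRoot%\System32\GroupPolicy for the top-level LGPO and one folder per SID under %SystemRoot%\System32\GroupPolicyUsers) are not stated in the article but are where Windows stores these objects.

```powershell
# Added audit example (not from the original article). Read-only; run elevated.
# Written for PowerShell 2.0, which ships with Windows 7.
$WellKnown = @{
    'S-1-5-32-544' = 'Administrators Local Group Policy'
    'S-1-5-32-545' = 'Non-Administrators Local Group Policy'
}

function Get-LocalPolicyObject {
    param([string] $SystemRoot = $env:SystemRoot)

    # Top-level LGPO first, then one folder per SID for the additional objects.
    $folders = @(Get-Item (Join-Path $SystemRoot 'System32\GroupPolicy') -Force -ErrorAction SilentlyContinue)
    $usersRoot = Join-Path $SystemRoot 'System32\GroupPolicyUsers'
    if (Test-Path $usersRoot) {
        $folders += @(Get-ChildItem $usersRoot -Force | Where-Object { $_.PSIsContainer })
    }
    foreach ($folder in $folders) {
        $label = $WellKnown[$folder.Name]
        if ($folder.Name -eq 'GroupPolicy') {
            $label = 'Local Group Policy (top level, cannot be deleted)'
        } elseif (-not $label) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($folder.Name)
                $label = 'User-specific: ' + $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Folder name is not a SID, or the SID no longer maps to an account.
                $label = 'User-specific: unresolved (account deleted?)'
            }
        }
        # User configuration settings from Administrative Templates are stored here.
        $pol = Join-Path $folder.FullName 'User\Registry.pol'
        $written = $null
        if (Test-Path $pol) { $written = (Get-Item $pol -Force).LastWriteTime }
        New-Object PSObject -Property @{
            Folder = $folder.Name; Object = $label
            UserRegistryPol = ($written -ne $null); LastWrite = $written
        }
    }
}

Get-LocalPolicyObject | Sort-Object Folder |
    Format-Table Folder, Object, UserRegistryPol, LastWrite -AutoSize
```

Running it before and after the deletion procedure shows whether the object is actually gone, and an unresolved row points to a user-specific object left behind for an account that no longer exists.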
