Windows 7 : Managing and Applying LGPOs (part 1) - Configuring Local Security Policies

9/20/2011 3:50:24 PM
Policies that have been linked through Active Directory will, by default, take precedence over any established local group policies. Local group policies are typically applied to computers that are not part of a network or are in a network that does not have a domain controller and thus does not use Active Directory.

Previous versions of Windows (before Vista) contained only one Local Group Policy Object that applied to all of the computer's users unless NTFS permissions were applied to the LGPO. However, Windows 7 and Windows Vista changed that with the addition of Multiple Local Group Policy Objects (MLGPOs). Like Active Directory GPOs, MLGPOs are applied in a certain hierarchical order:

  1. Local Computer Policy

  2. Administrators and Non-Administrators Local Group Policy

  3. User-Specific Group Policy

The Local Computer Policy is the only LGPO that includes computer and user settings; the other LGPOs contain only user settings. Settings applied here will apply to all users of the computer.

The Administrators and Non-Administrators LGPOs were new to Windows Vista and are still included with Windows 7. The Administrators LGPO is applied to users who are members of the built-in local Administrators group. As you might guess, the Non-Administrators LGPO is applied to users who are not members of the local Administrators group. Because each user of a computer can be classified as an administrator or a non-administrator, either one policy or the other will apply.

User-Specific LGPOs are also included with Windows 7. These LGPOs make it possible for specific policy settings to apply to a single user.

As with Active Directory GPOs, any GPO settings applied lower in the hierarchy will override GPO settings applied higher in the hierarchy by default. For example, any user-specific GPO settings will override any conflicting administrator/non-administrator GPO settings or Local Computer Policy settings. And, of course, any AD GPO settings will still override any conflicting LGPO settings.


Domain administrators can disable LGPOs on Windows 7 computers by enabling the Turn Off Local Group Policy Objects Processing domain GPO setting, which you can find under Computer Configuration\Administrative Templates\System\Group Policy.
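The hierarchy above (Local Computer Policy, then the Administrators/Non-Administrators LGPOs, then User-Specific LGPOs) is stored on disk as separate folders, so an administrator can inventory which LGPOs exist on a machine without opening the MMC. The following PowerShell script is an added example, not code from the original article. It assumes the documented on-disk layout under %SystemRoot%\System32 (GroupPolicy for the Local Computer Policy, GroupPolicyUsers\<SID> for the MLGPOs, with S-1-5-32-544 for Administrators and S-1-5-32-545 for Non-Administrators) and that the Turn Off Local Group Policy Objects Processing setting is recorded in the DisableLGPOProcessing registry value; run it from an elevated prompt.

```powershell
# Added example (not from the original article): list the local GPOs present on
# this computer and report whether a domain GPO has switched LGPO processing off.
# Assumed layout under %SystemRoot%\System32:
#   GroupPolicy            -> Local Computer Policy (computer + user settings)
#   GroupPolicyUsers\<SID> -> Administrators (S-1-5-32-544), Non-Administrators
#                             (S-1-5-32-545) and per-user (S-1-5-21-...) LGPOs
$sys = Join-Path $env:SystemRoot 'System32'

function Get-LocalGpoInventory {
    $result = @()
    $lcp = Join-Path $sys 'GroupPolicy'
    if (Test-Path $lcp) {
        $result += [pscustomobject]@{ Scope = 'Local Computer Policy'; Sid = ''; Path = $lcp }
    }
    $usersRoot = Join-Path $sys 'GroupPolicyUsers'
    if (Test-Path $usersRoot) {
        Get-ChildItem -Path $usersRoot -Directory | ForEach-Object {
            $sid = $_.Name
            $scope = switch ($sid) {
                'S-1-5-32-544' { 'Administrators LGPO' }
                'S-1-5-32-545' { 'Non-Administrators LGPO' }
                default {
                    # Resolve a user-specific SID to an account name where possible
                    try {
                        $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
                        "User-Specific LGPO ($acct)"
                    } catch { "User-Specific LGPO ($sid)" }
                }
            }
            $result += [pscustomobject]@{ Scope = $scope; Sid = $sid; Path = $_.FullName }
        }
    }
    return $result
}

function Test-LgpoProcessingDisabled {
    # Assumed registry location written by the 'Turn off Local Group Policy
    # Objects processing' setting; 1 means local policies are ignored.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $val = Get-ItemProperty -Path $key -Name DisableLGPOProcessing -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableLGPOProcessing -eq 1)
}

Get-LocalGpoInventory | Format-Table -AutoSize
if (Test-LgpoProcessingDisabled) {
    Write-Output 'LGPO processing is disabled by domain policy; the LGPOs listed above are not applied.'
} else {
    Write-Output 'LGPO processing is enabled; precedence is Local Computer < Admin/Non-Admin < User-Specific < AD GPOs.'
}
```

A folder appears under GroupPolicyUsers only after the corresponding MLGPO has been edited at least once, so a machine with no entries there is applying only the Local Computer Policy (and any domain GPOs).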

You apply an LGPO to a Windows 7 computer through the Group Policy Object Editor snap-in within the MMC. Figure 1 shows the Local Computer Policy for a Windows 7 computer.

Figure 1. Local Computer Policy

Complete the following exercise to add the Local Computer Policy snap-in to the MMC.

Exercise 1: Adding the Local Computer Policy Snap-In

  1. Open the Admin Console MMC shortcut by typing MMC in the Search programs and files box.

  2. A User Account Control dialog box appears. Click Yes.

  3. Select File => Add/Remove Snap-In.

  4. Highlight the Group Policy Object Editor Snap-in and click the Add button.

  5. The Group Policy Object specifies Local Computer by default. Click the Finish button.

  6. In the Add or Remove Snap-Ins dialog box, click OK.

  7. In the left pane, right-click the Local Computer Policy and choose New Window From Here.

  8. Choose File => Save As and name the console LGPO. Make sure you save it to the Desktop. Click Save.

  9. Close the MMC Admin console.

Now we will look at how to open an LGPO for a specific user account on a Windows 7 machine. Complete Exercise 2 to access the Administrators, Non-Administrators, and User-Specific LGPOs.

Exercise 2: Accessing the LGPO

  1. Open the Admin Console MMC shortcut by typing MMC in the Windows 7 Search box.

  2. Select File => Add/Remove Snap-In.

  3. Highlight the Group Policy Object Editor snap-in and click the Add button.

  4. Click Browse so that you can browse for a different GPO.

  5. Click the Users tab.

  6. Select the user you want to access and click OK.

  7. In the Select Group Policy Object dialog box, click Finish.

  8. In the Add Or Remove Snap-Ins dialog box, click OK. You may close the console when you are done looking at the LGPO settings for the user you chose.


Notice that the Administrators, Non-Administrators, and User-Specific LGPOs contain only User Configuration settings, not Computer Configuration settings.

Now let's take a look at the different security settings that can be configured in the LGPO.

1. Configuring Local Security Policies

Through the use of the Local Computer Policy, you can set a wide range of security options under Computer Configuration\Windows Settings\Security Settings.

This portion of the Local Computer Policy is also known as the Local Security Policy. The following sections describe in detail how to apply security settings through LGPOs (see Figure 2).

Figure 2. Security Settings of the LGPO

The main areas of security configuration of the LGPO are as follows:

Account Policies Account policies are used to configure password and account lockout features. These settings include enforce password history, maximum password age, minimum password age, minimum password length, password complexity requirements, account lockout duration, account lockout threshold, and the interval after which the account lockout counter is reset.

Local Policies Local policies are used to configure auditing, user rights, and security options.

Windows Firewall with Advanced Security Windows Firewall with Advanced Security provides network security for Windows computers. Through this LGPO you can set domain, private, and public profiles. You can also set this LGPO to authenticate communications between computers and inbound/outbound rules.

Network List Manager Policies This section allows you to set the network name, icon, and location group policies. Administrators can set Unidentified Networks, Identifying Networks, and All Networks.

Public Key Policies Use the Public Key Policies settings to specify how to manage certificates and certificate life cycles.

Software Restriction Policies The settings under Software Restriction Policies allow you to identify malicious software and control that software's ability to run on the Windows 7 machine. These policies allow an administrator to protect the Microsoft Windows 7 operating system against security threats such as viruses and Trojan horse programs.

Application Control Policies This section allows you to set up AppLocker. You can use AppLocker to configure a Denied list and an Accepted list for applications. Applications that are configured on the Denied list will not run on the system and applications on the Accepted list will operate properly.

IP Security Policies on Local Computer This section allows you to configure the IPsec policies. IPsec is a way to secure data packets at the IP level of the message.

Advanced Audit Policy Configuration Advanced Audit Policy Configuration settings can be used to provide detailed control over audit policies. This section also allows you to configure auditing to help show administrators either successful or unsuccessful attacks on their network.


You can also access the Local Security Policy by running secpol.msc or by opening Control Panel and selecting Administrative Tools => Local Security Policy.
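The Account Policies values described above can be read back from the command line rather than clicked through in secpol.msc, which makes it practical to verify a machine against a baseline. The following PowerShell script is an added example, not code from the original article. It exports the Local Security Policy with secedit.exe, parses the [System Access] section of the resulting INF file, and compares the password and lockout values with illustrative minimums that are assumptions of this example rather than the article's recommendations; run it from an elevated prompt.

```powershell
# Added example (not from the original article): export the Local Security Policy
# with secedit.exe and check the Account Policies section against a baseline.
# The baseline numbers below are illustrative assumptions, not article values.
$cfg = Join-Path $env:TEMP 'local-secpol.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null

function Get-SystemAccessSection {
    # Parse "Key = Value" lines from the [System Access] section of a secedit export
    param([string]$Path)
    $settings = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

function Test-AccountPolicyBaseline {
    param([hashtable]$Policy)
    # Assumed minimums: key -> required minimum value
    $minimums = @{
        MinimumPasswordLength = 8   # characters
        PasswordComplexity    = 1   # 1 = complexity requirements enabled
        PasswordHistorySize   = 5   # passwords remembered
        LockoutBadCount       = 5   # 0 would mean no lockout at all
        ResetLockoutCount     = 15  # minutes before the lockout counter resets
    }
    $findings = @()
    foreach ($key in $minimums.Keys) {
        if (-not $Policy.ContainsKey($key)) {
            $findings += "$key is not present in the export"
            continue
        }
        $actual = [int]$Policy[$key]
        if ($actual -lt $minimums[$key]) {
            $findings += "$key is $actual, baseline requires at least $($minimums[$key])"
        }
    }
    # MaximumPasswordAge is an upper bound; -1 in the export means passwords never expire
    if ($Policy.ContainsKey('MaximumPasswordAge')) {
        $age = [int]$Policy['MaximumPasswordAge']
        if ($age -eq -1 -or $age -gt 90) {
            $findings += "MaximumPasswordAge is $age, baseline requires 1 to 90 days"
        }
    }
    return $findings
}

$policy   = Get-SystemAccessSection -Path $cfg
$findings = Test-AccountPolicyBaseline -Policy $policy
if ($findings.Count -eq 0) {
    Write-Output 'Account Policies meet the assumed baseline.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

Without further switches, secedit.exe exports the local policy, which is the set of values configured through the LGPO; to see the values that actually apply after domain GPOs override them, add /mergedpolicy to the export command.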

Now that you have seen all the options in the security section of the LGPO, let's take a look at account policies and local policies in more detail.