If you would like to read the other parts in this article series please go to:
Windows Vista includes some important changes from earlier Windows operating systems with regard to Group Policy (GP). This article introduces you to how Multiple Local Group Policy Objects (MLGPO) can make any ‘stand-alone’, or ‘kiosk’, administrator happy.
Welcome to the constantly expanding Microsoft Group Policy universe.
Multiple Local Group Policy Objects (MLGPO)
If you have ever tried administering locked-down ‘kiosk’ computers in public places such as libraries, or anywhere else Windows 2000/XP/2003 computers are set up for public use, you have probably fought a great deal with local policies yourself, even when logged on as an administrator. The problem is that, before Windows Vista, we had only one set of policies on the local computer – general Computer settings and general User settings – and these policies applied to every user who logged on, administrators included. Administering such tightly locked-down computers could be a very cumbersome affair: you sometimes had to disable some very restrictive policies, edit whatever needed to be changed and then re-enable the policies.
With Windows Vista the concept of MLGPO is introduced – previously we only had Local Group Policy Objects (LGPO). Typically MLGPOs will be used in non-Active Directory environments where you have standalone or workgroup computers, and the great thing is that it now supports different policy configurations for “Administrators” and “Non-Administrators” (“limited users”) and even specific policy settings for individual users! If a given user is not a member of the “Administrators” group, the user is automatically considered a “non-administrator”; note that “Non-Administrators” is not a security group in itself.
When policy is applied, the system checks whether the user is a member of the Administrators group: if so, the “Administrators LGPO” is loaded, if not, the “Non-Administrators LGPO” is loaded. Only one of these two policies is ever loaded, never both. After this, any user-specific policy is processed and applied.
Local processing order, or ‘application order’, is as follows:
1a. The LGPO Computer Configuration (same as with older NT operating systems)
1b. The LGPO User Configuration (same as with older NT operating systems)
2. Local group membership (either the “Administrators” or the “Non-Administrators” LGPO, not both)
3. Local users (individual/specific user policy)
Conflict resolution between policy settings is still the good old “Last Writer Wins” rule: the last policy processed overwrites an earlier setting only where the two conflict; otherwise the settings are combined. This “3 layered” approach is very useful and much better than what we had before!
Please note that all users will be “hit” by the settings loaded in steps 1a and 1b, no matter what. Settings in policies loaded afterwards (step 2 or 3) can, however, reset, change or invert the User settings loaded first (step 1b).
Once the local layers have been loaded, domain-based policies are processed and take precedence over any previously loaded LGPO, just as today (LOCAL > SITE > DOMAIN > OU level), with “Last Writer Wins” deciding conflicts.
One small thing to note is the new policy setting “Computer settings\Administrative Templates\System\Group Policy\Turn off Local Group Policy objects processing” – if you enable this policy setting, the system will not process or apply any Local GPOs. The setting is ignored on stand-alone computers. A domain administrator can enable this policy to ensure that no locally defined policies are applied to his/her domain users and computers.
So, how can I create an LGPO for a specific user or group? Well, create a new Microsoft Management Console (MMC) by entering “MMC” at a Command prompt (or from the “Run…” applet if you enabled this on the Start Menu) – click “Continue” on the User Account Control (UAC) dialog box. Go to the “File” menu and select “Add/Remove Snap-In…” (or press Ctrl+M) – you should see the dialog shown in Figure 1.
Mark the “Group Policy Object Editor” (GPOE) snap-in in the left pane and click “Add >”. The dialog box shown in Figure 2 should pop up.
Click the “Users” tab (next to the “Computers” tab, which is selected by default); this tab is new in Windows Vista.
You should see all local users, the “Administrators” group and the pseudo-group “Non-Administrators” (which, as noted above, is not a real security group).
To the right you can see whether a GPO already exists for the given user or group (Yes or No).
Select the user or group you want to create an LGPO for and click “OK”. Click “Finish” in the “Select Group Policy Object” dialog – and click “OK” in the “Add or Remove Snap-ins” dialog. Now you should have an MMC where you can expand the LGPO in the left pane and configure any User Configuration setting in the right pane.
Remember to save the console when you exit if you need it later. You should consider creating a custom management console for all LGPOs – you can add multiple GPOE snap-ins to your custom MMC, as you can see in Figure 4:
The Local GPO is stored in %WINDIR%\System32\GroupPolicy, and user/group-specific LGPOs are stored in %WINDIR%\System32\GroupPolicyUsers (a new folder) – below this folder you will see a sub-folder for each user- or group-specific policy; the folder name is the Security Identifier (SID) of the user or group, e.g. “S-1-5-21-795681118-3222455423-2353112456-1005” – see Figure 5.
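As an added example that is not part of the article, the following PowerShell script audits the layers just described on a Vista-or-later machine: it reads the two folders above, resolves each SID sub-folder to an account name, reports whether a layer actually carries settings, checks the registry value behind the “Turn off Local Group Policy objects processing” setting, and works out which group layer a given local account will receive. It assumes the Non-Administrators layer is stored under the Users group SID S-1-5-32-545 (Microsoft's documented layout) and that the policy setting is backed by the DisableLGPOProcessing value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

```powershell
# Added example (not from the article): list the MLGPO layers present on this
# computer and show which ones will be processed for one local account.
# Assumes the folder layout the article describes; run from an elevated prompt.
param([string]$UserName = $env:USERNAME)

$gpRoot   = Join-Path $env:WINDIR 'System32\GroupPolicy'       # layers 1a/1b, hit everyone
$gpUsers  = Join-Path $env:WINDIR 'System32\GroupPolicyUsers'  # one sub-folder per SID: layers 2/3
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$nonAdmin = 'S-1-5-32-545'   # BUILTIN\Users; Windows keeps the Non-Administrators layer here

function Get-LayerState([string]$Path) {
    # A layer folder only carries settings once a Registry.pol exists under Machine or User
    if (-not (Test-Path $Path)) { return 'absent' }
    $pol = Get-ChildItem -Path $Path -Recurse -Filter 'Registry.pol' -ErrorAction SilentlyContinue
    if ($pol) { 'configured' } else { 'empty' }
}

function Resolve-Sid([string]$Sid) {
    if ($Sid -eq $nonAdmin) { return 'Non-Administrators' }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$Sid (unresolved; the account may have been deleted)" }
}

# Registry value behind "Turn off Local Group Policy objects processing" (honoured on domain members only)
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
if ($sys.DisableLGPOProcessing -eq 1) {
    Write-Warning 'DisableLGPOProcessing=1: domain policy suppresses every local layer listed below.'
}

'[1a/1b] Local GPO (all users)      : {0}' -f (Get-LayerState $gpRoot)
Get-ChildItem -Path $gpUsers -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    '[2/3]   {0,-28} : {1}' -f (Resolve-Sid $_.Name), (Get-LayerState $_.FullName)
}

# Layer 2 is selected by Administrators membership, layer 3 by the account's own SID folder
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members')) |
           ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
$groupLayer = if ($members -contains $UserName) { $adminSid } else { $nonAdmin }
$userSid    = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
$order = @($UserName, (Resolve-Sid $groupLayer), (Get-LayerState (Join-Path $gpUsers $groupLayer)),
           (Get-LayerState (Join-Path $gpUsers $userSid)))
'Order for {0}: 1a Computer -> 1b User -> 2 {1} [{2}] -> 3 user-specific [{3}]' -f $order
```

A layer reported as ‘empty’ exists in the “Users” tab (Yes) but has no Registry.pol yet, which is what you see right after adding the snap-in and before configuring anything.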
If you have looked at the Windows Vista features, you probably noticed the “Parental Controls” applet in the Control Panel and maybe you even tested the functionality. What you can do with this tool is basically to lock down a user to a very limited level of functionality – and some of this is actually enforced by using LGPOs on the specific user (by the use of Software Restriction Policies).
MLGPO in action: an individual user policy object is actually created behind the scenes when a “parent” creates a control policy for a specific user from the “Parental Controls” applet in the Control Panel – see Figure 6.
You may need to remove the entire LGPO for a specific user or group (Administrators or Non-Administrators) at some point; this is how to do it:
Start by creating a new MMC as we did above; when you get to the “Browse for a Group Policy Object” dialog, right-click the user or group whose policy you want to remove – see Figure 7.
Select “Remove Group Policy Object” to delete the policy. Please note that you cannot delete the “general” LGPO (steps 1a and 1b); all you can do is reset all its settings to default (“Not Configured”) or, in a domain environment, disable LGPO processing as mentioned above.
One thing you might have to consider if you find the MLGPO functionality very interesting is to take a good look at Microsoft’s Shared Computer Toolkit for Windows XP – this toolkit helps make it easy to set up, safeguard, and manage shared computers running Windows XP. It helps restrict local user profiles, defend shared computers against unauthorized changes to the hard disk (Windows Disc Protection), allow certain updates (Critical, Antivirus and AntiSpyware updates etc.) and enhance the user experience. Version 2 is on its way and maybe Windows Vista will be supported…?
In this part of the article series we covered having multiple local group policy objects.
In part one of three articles we covered the difference between ADM and ADMX/ADML files and what the Central Store is all about.
In part three (the last) of this article series, “Managing Windows Vista Group Policy”, which will be published here on WindowSecurity.com in the near future, basic troubleshooting, improved stability and Network Location Awareness will be covered.
Step-by-Step Guide to Managing Multiple Local Group Policy Objects
What’s New in Group Policy in Windows Vista and Windows Server “Longhorn”
Group Policy in Windows Vista – webcast by Mike Lawrence
What’s New in Group Policy in Windows Vista