Sep 13 2007

Get Active About Group Policy

Working with multiple local Group Policy objects.

With Group Policy objects, you can change hundreds of default settings in Microsoft Windows — from color schemes to desktop security — and create a complex hierarchy of GPOs to configure settings based on the user and the computer’s location, organization and purpose in Active Directory environments.

Here’s how to define, edit and prioritize multiple local GPOs.

First, not all computers can join a domain. For example, public computers (such as a kiosk in a library) are frequently attacked and could put the entire domain at risk. Windows XP and earlier versions of Windows had a single local GPO that applied settings to the client computer and all users that logged on to the computer. Therefore, if you needed to lock down the desktop environment to prevent guests from opening the Start menu, you also made it impossible to manage the computer when logged on as an administrator.

Windows Vista now supports multiple local Group Policy objects (MLGPOs) so that you can apply different settings to administrators, non-administrators and specific users.


Windows Vista supports the following local GPOs:

  • Local Computer Policy: Just like earlier versions of Windows, Vista supports local computer policy that always applies, regardless of which user is logged on. This policy contains both the Computer Configuration and User Configuration nodes. All other local GPOs contain only the User Configuration node.
  • Administrators Policy: Settings configured in this policy apply only to users who are members of the local Administrators group.
  • Non-administrators Policy: Settings apply to all users who are not members of the local Administrators group.
  • User-Specific Policies: You can configure GPOs that apply to only a specific user account.

Any user who logs on will have, at most, three local GPOs: the local computer policy, a user-specific policy, and either the administrators or non-administrators policy. Oddly, you cannot create local GPOs that apply to local groups, such as “backup operators” or “guests.”

GPO Priorities

Local GPOs are applied in the following order, with later policies overriding conflicting settings in earlier policies:

  1. local computer policy;
  2. administrators and non-administrators policies;
  3. user-specific policies.

For example, if you set the desktop to blue in the local computer policy but set it to red in the administrators policy, it will appear red when an administrator logs on. If you set the desktop to green in the user-specific policy, that setting would override all other local GPOs.

If the computer is a member of an Active Directory domain, domain GPOs always override conflicting settings in local GPOs. If you want to completely disable local GPOs, enable the following setting in a domain GPO:

computer configuration\administrative templates\system\group policy\turn off local group policy objects processing

To remove a local GPO, right-click it from this dialog box, and then click Remove Group Policy Object.

How to Edit Local GPOs

To edit one of the local GPOs in Vista, log on as a member of the administrators group and follow these steps:

  1. Click Start, type MMC, and then press Enter. Respond to the User Account Control prompt that appears.
  2. In the blank console, click the File menu, and then click Add/Remove Snap-In.
  3. In the Add or Remove Snap-Ins dialog box, under Available Snap-Ins, click Group Policy Object Editor. Then, click Add. The Select Group Policy Object wizard will appear.
  4. On the Welcome to the Group Policy Wizard page, click Browse.
  5. On the Browse for a Group Policy Object dialog box, choose a GPO:
    • Local Computer Policy: On the Computers tab, click This Computer.
    • Administrators Policy: On the Users tab, click Administrators.
    • Non-administrators Policy: On the Users tab, click Non-administrators.
    • User-Specific Policies: On the Users tab, click the user account you want to configure.
  6. Click OK, and then click Finish.

You can now use this custom management console to edit the GPO you selected. To simplify editing, add any useful local GPOs to the console, and then save the console for future use.

Copying Local GPOs Between Computers

It’s not as easy as managing GPOs in a domain, but you can copy most GPO settings between standalone computers running Vista. First, use the Group Policy Object Editor to configure the local GPOs on the primary computer. Then, copy the GPO settings to your target computers. The technique you use to copy the data depends on whether your settings are within the Security Settings node or the Administrative Templates node. (Just a reminder: The Group Policy Management Console can be used only with domain GPOs.)

Security Settings

If you edit the local computer policy and update any settings within the computer configuration\windows settings\security settings node, use the secedit command-line tool to copy the settings to the target computers:

  1. Export the security settings from the primary computer by running the following command:
    secedit /export /cfg secsettings.inf
  2. Copy the secsettings.inf file to each of your target computers, and perform a full backup.
  3. On each target computer, run the following command to import the security settings from the primary computer:
    secedit /configure /db secsettings /cfg secsettings.inf /overwrite
  4. To ensure all settings are applied, restart the target computers.

Administrative Templates

If you edit any of the local GPOs and update settings within the Administrative Templates node, manually copy the settings to the target computers by following these steps:

  1. For any GPO you edited, copy the contents of the folder listed in the following table to the target computer. These folders are hidden and require administrative privileges to access. For user-specific policies, you must change the folder name to match the service set identifier (SSID) of the user on the target computer.
  2. On the target computer, run gpupdate /force to apply the new Group Policy settings.

The registry.pol file stores most of the GPO data. To view these files directly, use the free PolViewer utility available at GPOGuy.

GPO Folder
Administrators %windir%\system32\grouppolicyusers\s-1-5-32-544\
Non-administrators %windir%\system32\grouppolicyusers\s-1-5-32-545\
User-specific policies %windir%\system32\grouppolicyusers\<ssid>\
Local computer policy, computer config. %windir%\system32\grouppolicy\machine\
Local computer policy, user config. %windir%\system32\grouppolicy\user\


Troubleshooting Local GPOs

You can troubleshoot problems with local GPOs using most of the same tools you use for Active Directory GPOs, including:

  • Resultant Set of Policy: A Microsoft Management Console snap-in that analyzes all Group Policy settings, displays the effective settings, and allows you to isolate the Group Policy objects that define any setting.
  • GPResult: A command-line tool that provides a list of active GPOs, including both domain and local GPOs, among other useful information.
  • Event Viewer: Vista adds an event to the System Event Log when policies are applied, and stores detailed processing information in the applications and service logs\microsoft\windows\group policy\operational event log. The Operational Event Log replaces the userenv.log file used in earlier versions of Windows.
  • Group Policy Log View: A tool that exports Group Policy event data into a text file. You can download GPLogView at
IT Takeaway

GPOs are the most efficient way to configure the hundreds of settings on a Windows computer. XP and earlier versions of Windows had only a single local GPO, and any settings configured in that GPO applied to all users. Therefore, you couldn’t use the local GPO to harden the desktop environment because you would also prevent administrators from managing the computer.

•Vista solves this problem by providing three levels of local GPOs: the local computer GPO, the administrators and non-administrators GPOs, and GPOs for individual users.
• With Vista, you can lock down a computer without locking yourself out.
Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.