Creating multiple local GPOs
Computers that are members of an AD DS domain benefit from a great deal of flexibility
when it comes to Group Policy configuration. Standalone (non-AD DS) systems can achieve
some of that flexibility as long as they are running at least Windows Vista or Windows Server
2008. These operating systems enable administrators to create multiple local GPOs that
provide different settings for users, based on their identities.
Windows systems supporting multiple local GPOs have three layers of Group Policy
support, as follows:
■ Local Group Policy: Identical to the single local GPO supported by older operating
system versions, the Local Group Policy layer consists of both computer settings and
user settings and applies to all system users, administrative or not. This is the only local
GPO that includes computer settings, so to apply Computer Configuration policies, you
must use this GPO.
■ Administrators and Non-Administrators Group Policy: This layer consists of two
GPOs: one that applies to members of the local Administrators group and one that
applies to all users who are not members of the local Administrators group. Which of
the two a user receives is decided by local Administrators membership at logon, so a
domain account that has been added to the local Administrators group also receives the
Administrators GPO. Unlike the Local Group Policy GPO, this layer does not include
computer settings.
■ User-specific Group Policy: This layer consists of GPOs that apply to specific local
user accounts created on the computer. These GPOs can apply to individual users only,
not to local groups. These GPOs also do not have computer configuration settings.
Windows applies the local GPOs in the order listed here. The Local Group Policy settings
are applied first, then either the Administrators GPO or the Non-Administrators GPO
(whichever matches the user), and, finally, any user-specific GPO for the account. As with
nonlocal GPOs, a setting processed later overrides any earlier setting with which it conflicts,
so among the local layers a user-specific GPO has the last word.
In the case of a system that is also a member of a domain, the three layers of local GPO
processing come first, followed by the standard order of nonlocal Group Policy application
(site, domain, and then OU), so a domain setting that conflicts with a local one prevails.
Domain administrators can also switch off all local GPO processing on domain members
with the Turn Off Local Group Policy Objects Processing policy setting, found under
Computer Configuration\Administrative Templates\System\Group Policy.
To create local GPOs, you use the Group Policy Object Editor, an MMC snap-in
provided on all Windows computers specifically for the management of local GPOs. (The
familiar gpedit.msc console is a saved instance of this snap-in that opens the Local Group
Policy GPO only.) Use the following procedure.
1. Open the Run dialog box and, in the Open text box, type mmc and click OK. An empty
MMC console opens.
2. Click File, Add/Remove Snap-In to open the Add Or Remove Snap-Ins dialog box.
3. From the Available Snap-Ins list, select Group Policy Object Editor and click Add. The
Select Group Policy Object page opens.
4. To create the local Group Policy GPO, click Finish. To create a secondary or tertiary
GPO, click Browse. The Browse For A Group Policy Object dialog box opens.
5. Click the Users tab, as shown in Figure 6-4.
FIGURE 6-4 The Users tab of the Browse For A Group Policy Object dialog box
NOTE: MULTIPLE LOCAL GPOS
Windows computers that do not support multiple local GPOs lack the Users tab in the
Browse For A Group Policy Object dialog box. This includes domain controllers and computers
running Windows versions prior to Windows Vista and Windows Server 2008.
6. To create a secondary GPO, select either Administrators or Non-Administrators and
click OK. To create a tertiary GPO, select a user and click OK. The GPO appears on the
Select Group Policy Object page.
7. Click Finish. The snap-in appears in the Add Or Remove Snap-Ins dialog box.
8. Click OK. The snap-in appears in the MMC console.
9. Click File, Save As. The Save As dialog box opens.
10. Type a name for the console to save it in the Administrative Tools program group.
11. Close the MMC console.
You can now open this console whenever you need to configure the settings in the GPO
you created.
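To confirm what the procedure produced, and to see the three layers described earlier in the order Windows applies them, the following script is an added example (it is not part of the original text and is not a Microsoft tool). It assumes the standard on-disk layout for local GPOs: %SystemRoot%\System32\GroupPolicy for the Local Group Policy GPO, and %SystemRoot%\System32\GroupPolicyUsers\<SID> for the secondary and tertiary GPOs, where the Administrators and Non-Administrators GPOs use the well-known SIDs S-1-5-32-544 and S-1-5-32-545 and each user-specific GPO uses that account's SID. It also assumes that registry-based settings, once configured in a GPO, are stored in a registry.pol file under that GPO's Machine or User folder. The function names are the example's own.

```powershell
# Added example, not from the original text. Lists the local GPO layers present
# on this computer in the order Windows applies them and shows which layers
# carry Computer and User settings. Assumed layout (not stated on the page):
#   %SystemRoot%\System32\GroupPolicy                   - Local Group Policy
#   %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-544 - Administrators GPO
#   %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-545 - Non-Administrators GPO
#   %SystemRoot%\System32\GroupPolicyUsers\<user SID>   - user-specific GPOs
# Run from an elevated PowerShell prompt; GroupPolicyUsers is not readable by
# standard users.

$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-LocalGpoLayer {
    param(
        [int]$Order,      # 1 = applied first, 3 = applied last (wins on conflict)
        [string]$Layer,
        [string]$Path
    )
    # registry.pol exists only once at least one registry-based setting is configured
    [pscustomobject]@{
        Order          = $Order
        Layer          = $Layer
        Exists         = Test-Path -LiteralPath $Path
        ComputerPolicy = Test-Path -LiteralPath (Join-Path $Path 'Machine\registry.pol')
        UserPolicy     = Test-Path -LiteralPath (Join-Path $Path 'User\registry.pol')
        Path           = $Path
    }
}

function Resolve-LocalSid {
    param([string]$Sid)
    # Translate a SID to COMPUTER\name; keep the raw SID if the account no longer exists,
    # which is how an orphaned user-specific GPO shows up after the account is deleted
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

# Layer 1: the only local GPO that can carry Computer Configuration settings
$layers = @(
    Get-LocalGpoLayer -Order 1 -Layer 'Local Group Policy' -Path (Join-Path $sys32 'GroupPolicy')
)

# Layers 2 and 3: one folder per secondary or tertiary GPO, named by SID
$usersRoot = Join-Path $sys32 'GroupPolicyUsers'
if (Test-Path -LiteralPath $usersRoot) {
    foreach ($dir in Get-ChildItem -LiteralPath $usersRoot -Directory) {
        switch ($dir.Name) {
            'S-1-5-32-544' { $layers += Get-LocalGpoLayer -Order 2 -Layer 'Administrators GPO' -Path $dir.FullName }
            'S-1-5-32-545' { $layers += Get-LocalGpoLayer -Order 2 -Layer 'Non-Administrators GPO' -Path $dir.FullName }
            default {
                $name = "User-specific GPO ($(Resolve-LocalSid $dir.Name))"
                $layers += Get-LocalGpoLayer -Order 3 -Layer $name -Path $dir.FullName
            }
        }
    }
}

# Order 1 is processed first, so a conflicting setting in Order 3 wins
$layers | Sort-Object Order, Layer | Format-Table Order, Layer, Exists, ComputerPolicy, UserPolicy, Path -AutoSize
```

A secondary or tertiary GPO's folder appears once you have created it in the editor, so running the script after step 11 is a quick check that the GPO you intended actually exists and is bound to the right SID; a ComputerPolicy value of True should only ever appear on the Local Group Policy line, which matches the rule that the other layers carry no computer settings. On a domain member, remember that the domain can still override or disable everything this script lists; gpresult /scope:user /r shows what was actually applied at logon.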