>> Bill Detwiler: Windows 7 and Vista machines don't need to be domain members to have user-specific policy configurations. I'm Bill Detwiler and during this episode of TR Dojo, I'll explain how the Multiple Local Group Policy system works and show you what it can do.
>> Bill Detwiler: Windows XP's Local Group Policy is a handy way to create specific desktop configurations on standalone or workgroup systems. But it doesn't let you create user-specific configurations which can be helpful on machines with multiple users. Now luckily, Microsoft introduced a feature in Windows 7 and Vista that does. The Multiple Local Group Policy allows you to create different policies for different users. This new system exists in Windows 7 Professional, Ultimate, and Enterprise editions. And while I'll be focusing on Windows 7, it's also available in the similar editions of Windows Vista. Also, this feature is designed for standalone machines or for those that are part of a workgroup. Like you'll find in many small businesses, if you're working in a domain, just use Regular Group Policy. The Multiple Local Group Policy system uses three layers of Local Group Policy. First is the standard Local Group Policy which allows you to configure computer-related as well as user-related settings or policies that apply to all users of the computer including the administrator. Second is the administrators and non-administrators Local Group Policy which allows you to set policies for users according to which of the two basic groups you have on standalone computers, those in the administrators group and those not in the administrators group. And third is the User-Specific Group Policy which allows you to set policies that apply only to individual users. The system will process policies in a top-down order. Local Group Policy is applied first then the administrators or non-administrator's Local Group Policy. And last of all, the user-specific Local Group Policy. When a conflict arises, the operating system uses the Last Writer Wins methodology to resolve the conflict. For example, if the Local Group Policy, which is processed first, disables a setting but the user-specific Local Group Policy enables that setting, then the end result is that the policy is enabled because Windows 7 processes the user-specific Local Group Policy last. Keep in mind that if there are several individual user-specific Local Group Policies and only one of them enables a particular setting, the setting will remain disabled in any accounts covered only by the Local Group Policy. Now that you have a basic understanding of how the Multiple Local Group Policy system works, let's take a look at an example. Now, assume we have two users, Dick phonetic and Jane phonetic who both use a single computer, and you want both users to see all the icons in the Control Panel instead of the Category view. But you want to limit the things that Dick can change on the start menu and task bar while allowing Jane to be able to freely customize it. Now, the first thing you'll have to do is create a custom Microsoft Management Console to which you will add the objects that you want to be able to control in your Multiple Local Group Policy. So, click the Start button, type, "MMC" in the Start search box and press Enter. You'll then need to respond appropriately to the UAC. Once you have a new console window, pull down the File menu and select the Add/Remove Snap-In command. From the Add/Remove Snap-In's dialog box, locate the Group Policy Object Editor and click the Add button. When the "Welcome to the group policy wizard" screen appears, you'll see that the local computer is selected in the text box. Now this is the standard Local Group Policy which is the first layer. And to add it, you'll just click Finish. Now, when you return to the Add/Remove Snap-In's dialog box, again select the Group Policy Object Editor and click Add. When the "Welcome to the group policy wizard" appears this time, click the Browse button to bring up the "Browse for a group policy object" dialog box. Then click the Users tab and select the Non-Administrators Group and click OK. Now, click Finish to add the second layer. At this point, successfully repeat the above instructions to access the "Browse for a group policy object" dialog box and add the "Dick" and "Jane" user policies. Now this will create the third layer. Then click OK to close the Add/Remove Snap-In's dialog box. When you do, your console window should look something like the one shown here. Now, save the new console with appropriate name such as "Multi-Local-GPO.msc. Now since the goal in our example is to configure settings or policies that apply only to the users "Dick" and "Jane" you'll begin altering the non-Administrators policy rather than the Local Group Policy which should affect all users. To configure the default to be the icon view of Control Panel, expand the Local Computer Non-Administrators Policy User Configuration Administrative Templates Control Panel branch and select the "Always open all control panel items when opening the control panel setting." To enable the setting, double click it to open the dialog box. Select the Enable inaudible button and click OK. To limit Dick's access to the Start menu and task bar configuration, you then expand the Local Computer Dick Policy User Configuration Administrative Templates Start Menu and Task Bar branch. And then disable or enable any of the configuration options to which you don't want Dick to have access. To give Jane unlimited access to the Start menu and task bar settings, you'll leave them at the default in her policy. Now, to complete the operation, save your new console and then close it. Now, when either of the users log into the same system, they'll each have a different configuration based on the non-Administrators and user-specific local group policies. I hope I've shown you how the Multiple Local Group Policy system can be used to better manage Windows machines that aren't members of a domain. Thanks to TechRepublic blogger, Greg Shultz, who put this tip together. And as always, for more teachings on your path to becoming an IT ninja, visit trdojo.techrepublic.com. Sign up for our newsletter or follow me on Twitter. Thanks for visiting the TR Dojo.
==== Transcribed by Automatic Sync Technologies ====