Taking advantage of Windows Vista's Multiple Local Group Policy feature

In this edition of the Windows Vista Report, Greg Shultz explains how Multiple Local Group Policy works, then provides you with a simple example to show you how a local administrator can take advantage of this new feature.

If you have ever been responsible for managing Windows XP computers in a standalone configuration with multiple users, such as in a library or a school lab, you may have wished for Group Policy in order to set different policies for different users. Unfortunately, that wasn't possible in Windows XP because there was only one Local Group Policy -- and it applied to all of the computer's users. Microsoft at last decided to make this type of task possible by introducing a new feature in Windows Vista called Multiple Local Group Policy.

In this edition of the Windows Vista Report, I'll explain how Multiple Local Group Policy works, then provide you with a simple example to show you how a local administrator can take advantage of this new feature.

How Multiple Local Group Policy works

In Windows XP, you had a Local Group Policy with which you could change literally hundreds of computer and user configuration settings in order to lock down a computer. However, these settings applied to every user of the computer -- even the administrator. In order to work around this inconvenience, Vista's Multiple Local Group Policy implements a system that uses three layers of Local Group Policy.

At the top is the standard Local Group Policy and, just like its namesake in Windows XP, this layer allows you to configure computer-related and user-related settings -- or policies -- that apply to all users of the computer, including the administrator. The second layer is the Administrators and Non-Administrators Local Group Policy. This layer allows you to set policies for users in the Administrators group and users not in the Administrators group. The third layer is the User-Specific Group Policy, which allows you to set policies that apply only to specific users.

The term layer implies that these different policies process in a top-down order -- in other words, Vista first applies Local Group Policy, then the Administrators or Non-Administrators Local Group Policy, and lastly the User-Specific Local Group Policy. When a conflict arises, Vista uses the Last Writer Wins methodology to resolve the conflict.

For example, if the Local Group Policy, which processes first, disables a particular setting but the User-Specific Local Group Policy enables that particular setting, then the end result is that Vista enables the setting because it processes the User-Specific Local Group Policy last. Keep in mind that if there are several individual User-Specific Local Group Policies and only one of them enables the particular setting, the setting will remain disabled for any accounts covered only by the Local Group Policy.

An example

Now that you have a basic idea of how Vista's Multiple Local Group Policy works, let's take a look at an example. Suppose that you have two users, Bob and Barb, who both use one computer. You want both users to see only the Classic View of the Control Panel, but you want to limit the things that Bob can change on the Start Menu and Taskbar while allowing Barb to be able to freely customize the Start Menu and Taskbar.

Create a custom Microsoft Management Console

The first thing that you'll have to do is create a custom Microsoft Management Console to which you will add the objects that you want to be able to control in your Multiple Local Group Policy. To get started:

1. Click the Start button.

2. Type mmc in the Start Search text box and press [Enter].

3. Once you have a new console window, as shown in Figure A, pull down the File menu and select the Add or Remove Snap-ins command.

Figure A

In order to use Multiple Local Group Policy, you'll first create a custom Microsoft Management Console.

4. From the Add or Remove Snap-ins dialog box, locate the Group Policy Object Editor, as shown in Figure B, and click the Add button.

Figure B

Locate the Group Policy Object Editor in the Add/Remove Snap-ins dialog box.

5. When you see the Select Group Policy Object dialog box, as shown in Figure C, you'll see the Local Computer selected in the text box. This is the standard Local Group Policy, which is the first layer. To add it, click Finish.

Figure C

The first layer of the Multiple Local Group Policy is the Local Group Policy, also known as the Local Computer policy.

6. When you return to the Add/Remove Snap-ins dialog box, again select the Group Policy Object Editor and click Add. When you see the Select Group Policy Object dialog box this time, click the Browse button to bring up the Browse Group Policy Object dialog box. Then, select the Non-Administrators group, as shown in Figure D, and then click OK.

Figure D

Use the Browse Group Policy Object dialog box to select both groups and users.

7. Now, successively repeat the instructions to access the Browse Group Policy Object dialog box and add the Barb and Bob user policies. Then, click OK to close the Add/Remove Snap-ins dialog box. When you do, your console window will look like the one shown in Figure E. At this point, save the new console with an appropriate name, such as Multi-Local-GPO.msc.

Figure E

By creating a custom console, all of your policies are in one place and easy to configure.

Configuring the policies

Since the goal of our example is to configure settings or policies that only apply to the users Barb and Bob, you'll begin altering the Non-Administrators Policy rather than the Local Group Policy, which would affect all users. To configure the default as the Classic View of Control Panel, expand the Local Computer\Non-Administrators Policy\User Configuration\Administrative Templates\Control Panel branch, as shown in Figure F, and then enable the Force Classic Control Panel View setting.

Figure F

Set policies that you want to apply to your typical users in the Non-Administrators Policy.

To limit Bob's access to the Start Menu and Taskbar configuration, you then expand the Local Computer\Bob Limited Policy\User Configuration\Administrative Templates\Start Menu and Taskbar branch as shown in Figure G, and then disable any of the configuration options to which you don't want Bob to have access. To give Barb unlimited access to the Start Menu And Taskbar settings, leave them at the default.

Figure G

You can now specify individual policy settings to further limit what users can do.

Now, when Bob or Barb logs in to the same Vista system, each will have a different configuration based on the Non-Administrators and User-Specific Local Group Policies.
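
The layer order and Last Writer Wins rule described earlier can be checked against the Bob and Barb setup with a small model. This is an added example, not part of the original article or any Microsoft tool; it reads no real policy, the layer contents are constructed samples, and "Sample Setting X" and "Sample Start Menu restriction" are placeholder names.

```python
# Added illustration: a model of Multiple Local Group Policy precedence.
# It reads no real policy; every layer below is a constructed sample.
from typing import Dict, Tuple

ENABLED, DISABLED = "Enabled", "Disabled"
Layer = Dict[str, str]  # a setting absent from a layer is "Not Configured"


def effective_policy(user: str, is_admin: bool, local: Layer, admins: Layer,
                     non_admins: Layer, per_user: Dict[str, Layer]
                     ) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (state, layer that set it)} for one account."""
    group = ("Administrators", admins) if is_admin else ("Non-Administrators", non_admins)
    order = [
        ("Local Group Policy", local),                        # layer 1
        group,                                                # layer 2
        (f"User-Specific ({user})", per_user.get(user, {})),  # layer 3
    ]
    result: Dict[str, Tuple[str, str]] = {}
    for layer_name, layer in order:
        # Only configured settings write; the last writer wins.
        for setting, state in layer.items():
            result[setting] = (state, layer_name)
    return result


# Constructed sample layers. "Sample Setting X" and
# "Sample Start Menu restriction" are placeholder names.
LOCAL = {"Sample Setting X": DISABLED}
ADMINS: Layer = {}
NON_ADMINS = {"Force Classic Control Panel View": ENABLED}
PER_USER = {
    "Bob": {"Sample Start Menu restriction": ENABLED},
    "Barb": {"Sample Setting X": ENABLED},
}


def report(user: str, is_admin: bool = False) -> Dict[str, Tuple[str, str]]:
    return effective_policy(user, is_admin, LOCAL, ADMINS, NON_ADMINS, PER_USER)


if __name__ == "__main__":
    for account, admin in (("Bob", False), ("Barb", False), ("Admin", True)):
        print(account)
        for setting, (state, layer) in sorted(report(account, admin).items()):
            print(f"  {setting}: {state} (from {layer})")
```

The administrator account in the output never receives Force Classic Control Panel View, because a setting placed in the Non-Administrators layer does not restrict members of the Administrators group.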

What's your take?

Do you have a need for a feature like Windows Vista's Multiple Local Group Policy? If you haven't yet moved to Vista, are you likely to implement Multiple Local Group Policy when you do?

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as a Documentation Specialist in the software industry, a Technical Support Specialist in the educational industry, and a Technical Journalist in the computer publishing industry.

4 comments
walterfdoyle

Great, all I need now is a way to push these settings to the 50 or so machines I support!!

bill.gorman

Likewise, this is the first real administrative advantage I have seen in Vista, and it can be very useful in our computer labs. There is indeed a workaround in XP, but it is somewhat involved and not very flexible--this looks much better.

IT cowgirl

This is the first thing I have seen in Vista which is useful to me! I worked with so much in 2000 & XP in the past but it was so annoying because it applied to all users. I know there was a workaround for that issue. Hmmmm, what was it? Guess I will have to find it or I will never sleep again. Great article! Thanks!

Richard Noel

Is there a way to import all the new Vista Group Policies into the Active Directory on our Windows 2003 Servers?