In this edition of the Windows Desktop Report, Greg Shultz explains how Multiple Local Group Policy works in Windows 7.
If you have ever been responsible for managing stand-alone or workgroup Windows XP systems with multiple user accounts, chances are you wished you could have used Group Policy to set different policies for different users. Unfortunately, Windows XP's Local Group Policy doesn't work that way. You can use it to create a specific desktop configuration, but this type of Group Policy applies to all users of the computer regardless.
Fortunately, Microsoft realized that something more was needed and developed the Multiple Local Group Policy system. This new system, available for Windows 7 Professional, Ultimate, and Enterprise editions, will allow you to configure different policies for different users.
In this edition of the Windows Desktop Report, I'll explain how Multiple Local Group Policy works in Windows 7. As I do, I'll provide you with a simple example to show you how to take advantage of this new feature.
- Keep in mind that the Multiple Local Group Policy feature is available only in Windows 7 Professional, Ultimate, and Enterprise editions. And, while I'll be focusing on Windows 7, the Multiple Local Group Policy feature is also available in similar editions of Windows Vista.
How Multiple Local Group Policy works
As you know, Windows XP's Local Group Policy will allow you to change literally hundreds of computer and user configuration settings in order to lock down or open up a computer, depending on how much freedom you want to give to the user. However, these settings apply to every user of the computer -- even the administrator.
To extend the power of Group Policy to multiple users on a single system, the Multiple Local Group Policy employs a system that uses three layers of Local Group Policy:
- First Layer: At the top is the standard Local Group Policy, which allows you to configure computer-related as well as user-related settings, or policies, that apply to all users of the computer -- including the administrator.
- Second Layer: In the middle is the Administrators and Non-Administrators Local Group Policy, which allows you to set policies for users according to which of the two basic groups you have on a stand-alone computer -- those in the Administrators group and those not in the Administrators group.
- Third Layer: At the bottom is the User-Specific Group Policy, which allows you to set policies that apply only to specific users.
As the term layer implies, these policies are processed in a top-down order. In other words, Local Group Policy is applied first, then the Administrators or Non-Administrators Local Group Policy, and last of all the User-Specific Local Group Policy. When a conflict arises, the operating system uses the Last Writer Wins methodology to resolve the conflict.
For example, if the Local Group Policy, which is processed first, disables a particular setting but the User-Specific Local Group Policy enables that particular setting, then the end result is that the setting is enabled because Windows 7 processes the User-Specific Local Group Policy last. Keep in mind that if there are several individual User-Specific Local Group Policies and only one of them enables the particular setting, the setting will remain disabled in any accounts covered only by the Local Group Policy.
Now that you have a basic idea of how the Multiple Local Group Policy works, let's take a look at an example. Suppose you have two users, Dick and Jane, who both use a single computer. You want both users to see all the icons in the Control Panel instead of the Category View, but you want to limit the things that Dick can change on the Start Menu and Taskbar while allowing Jane to be able to freely customize the Start Menu and Taskbar.
Create a custom Microsoft Management Console
The first thing you'll have to do is create a custom Microsoft Management Console to which you will add the objects that you want to be able to control in your Multiple Local Group Policy. To get started, click the Start button, type mmc in the Start Search text box, and press [Enter]. You'll then need to respond appropriately to the UAC.
Once you have a new console window, as shown in Figure A, pull down the File menu and select the Add/Remove Snap-in command. From the Add/Remove Snap-ins dialog box, locate the Group Policy Object Editor, as shown in Figure B, and click the Add button.
In order to use Multiple Local Group Policy, you'll first create a custom Microsoft Management Console.
Locate the Group Policy Object Editor in the Add/Remove Snap-ins dialog box.
When the Welcome to the Group Policy Wizard screen appears, as shown in Figure C, you'll see that the Local Computer is selected in the text box. This is the standard Local Group Policy, which is the first layer, and to add it, you'll just click Finish.
The first layer of the Multiple Local Group Policy is the Local Group Policy, which is also known as the Local Computer policy.
When you return to the Add/Remove Snap-ins dialog box, again select the Group Policy Object Editor and click Add. When you see the Welcome to the Group Policy Wizard screen this time, click the Browse button to bring up the Browse for a Group Policy Object dialog box. Then, click the Users tab, select the Non-Administrators group, as shown in Figure D, and click OK. Now, click Finish to add the second layer.
You'll use the Browse for a Group Policy Object dialog box to select both groups and users.
At this point, successively repeat the above instructions to access the Browse for a Group Policy Object dialog box and add the Dick and Jane user policies. This will create the third layer.
Then, click OK to close the Add/Remove Snap-ins dialog box. When you do, your console window will look like the one shown in Figure E. Now, save the new console with an appropriate name, such as Multi-Local-GPO.msc.
By creating a custom console, all your policies are in one place and are easy to configure.
Configuring the policies
Since the goal in our example is to configure settings or policies that apply only to the users Dick and Jane, you'll begin by altering the Non-Administrators Policy rather than the Local Group Policy, which would affect all users. To configure the default to be the icon view of Control Panel, you'll expand the Local Computer | Non-Administrators Policy | User Configuration | Administrative Templates | Control Panel branch and select the Always Open All Control Panel Items When Opening the Control Panel setting, as shown in Figure F. Now, to enable the setting, double-click it to open the dialog box, select the Enabled radio button, and click OK.
You'll set policies that you want to apply to your typical users in the Non-Administrators Policy.
To limit Dick's access to the Start Menu and Taskbar configuration, you then expand the Local Computer | Dick Policy | User Configuration | Administrative Templates | Start Menu and Taskbar branch, as shown in Figure G, and then disable or enable any of the configuration options to which you don't want Dick to have access. To give Jane unlimited access to the Start Menu and Taskbar settings, you'll leave them at the default in her policy.
You can now specify individual policy settings to further limit what users can do.
To complete the operation, save your new console and then close it. Now, when Dick or Jane logs in to the same system, they will each have a different configuration based on the Non-Administrators and User-Specific Local Group Policies.
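The top-down processing order and the Last Writer Wins rule described earlier, applied to the Dick and Jane configuration built above, as an added Python illustration that is not part of the original article. The policy dictionaries are constructed sample data, the two settings marked as placeholders are hypothetical names, and a setting left at Not Configured is treated as overriding nothing.

```python
# Added illustration: models the processing order described in the article.
# It does not read or change any real Group Policy data.
ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"

ICON_VIEW = "Always Open All Control Panel Items When Opening the Control Panel"
TASKBAR_LIMIT = "Start Menu and Taskbar restriction (placeholder name)"
CONFLICT_DEMO = "Conflicting setting (placeholder name)"

# Constructed sample policies: the Dick and Jane scenario plus one conflict.
LOCAL_GPO = {CONFLICT_DEMO: DISABLED}                    # first layer
GROUP_GPOS = {"Administrators": {},                      # second layer
              "Non-Administrators": {ICON_VIEW: ENABLED}}
USER_GPOS = {                                            # third layer
    "Dick": {TASKBAR_LIMIT: ENABLED},
    "Jane": {TASKBAR_LIMIT: NOT_CONFIGURED, CONFLICT_DEMO: ENABLED},
}

def layers_for(user, is_admin=False):
    """Return (layer name, settings) pairs in top-down processing order."""
    group = "Administrators" if is_admin else "Non-Administrators"
    return [
        ("Local Group Policy", LOCAL_GPO),
        (group + " Policy", GROUP_GPOS[group]),
        (user + " Policy", USER_GPOS.get(user, {})),
    ]

def resultant_policy(user, is_admin=False):
    """Last Writer Wins: each configured value replaces any earlier one."""
    effective = {}
    for layer_name, settings in layers_for(user, is_admin):
        for setting, state in settings.items():
            if state == NOT_CONFIGURED:
                continue  # a setting left at its default overrides nothing
            effective[setting] = (state, layer_name)
    return effective

if __name__ == "__main__":
    for account in ("Dick", "Jane"):
        print(account)
        for setting, (state, source) in sorted(resultant_policy(account).items()):
            print(f"  {setting}: {state} (from {source})")
```

Recording the layer that supplied each value shows why the conflicting setting stays disabled for Dick, whose only source for it is the Local Group Policy, while Jane's user-specific policy overrides it.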
What's your take?
Have you needed features like those included in the Multiple Local Group Policy? Are you likely to implement Multiple Local Group Policy? Have you already used the Multiple Local Group Policy? If so, what has been your experience?