Introduction to Local Group Policy Objects: Part 1

Have you ever used a computer whether in a cafe, kiosk, or just about any other public location when you had the sudden urge to do a little ‘exploration’? For example, ‘s say you wanted to visit the Task Manager to see what’s going on with the computer when all of a sudden you find out you can’t access the Task Manager applet! You calm down for a bit and decide to head into the System Properties menu to see how much RAM and CPU juice the computer got. Just like that, you find out that you can’t access that as well! What in the world is going on? You most likely should have already realized that although you are logged in as a standard user, you should still be able to access both the Task Manager and the System Properties menu. Well, you’re correct in that sense. However, you didn’t think Microsoft would ship a operating system without some way of letting people (usually the owners or administrators) locking it down, right? And before you smart bunch answer back, I’m clearly talking Windows 2000 and beyond! Dears readers, welcome to the awesome world of what can be considered one of Microsoft’s greatest operating system technology and feature, Group Policy.

This article is mainly intended for computer users/owners/administrators that need a way to secure their computers in a workgroup environment. For example, if you are in charge of a couple of computers in a computer lab where random students come and go, or computers in a public location like kiosks, you can utilize Local Group Policy to lock down those systems and maintain better control over them. Many casual home users have no need to configure Local Group Policy settings. However, if your main computer is shared by many others in your household and you are the sole person responsible for the welfare of the system, you can also utilize Local Group Policy for better control. Local Group Policy has been a feature within the Microsoft operating system since Windows 2000.

What is Group Policy?

Have you also ever wondered how companies seem to manage the hundreds and thousands of computers and users in their organization? Well, not surprisingly, the answer to that is Group Policy as well. Hopefully by the end of this article, you’ll see just why. The topic of Group Policy (GP) is definitely a huge one and to gain a complete understanding of it certainly requires one to venture way beyond what you read here. GP is a technology that allows central configuration of computers and users in a Microsoft network. If you are familiar with how the registry works, than you already have a head start. For example, when you configure some settings in the Control Panel, behind the scenes, you’re actually altering your registry because that is where all of your computer settings are stored and read by the

computer. Because the registry is considered hands-off for casual users (or basically anyone who doesn’t know what they are doing), Microsoft allows us to work in the registry area via a GUI (graphical user interface) which is much more user friendly and less prone to errors. With GP, it can be considered the same to some degree however, GP allows for much, much, much, more deeper customization than just the Control Panel offerings or any other interface for that matter. To put it another way, GP is the central location for configuring a computer. From controlling how a desktop behaves, security controls, configuring certain Microsoft applications like Internet Explorer, what the user/computer is allowed and not allowed to do, to what the user see’s or doesn’t see, GP is the key to everything. Here is a sample picture of the Local Group Policy Editor. Notice all of the settings that I can configure on a computer relating to just Internet Explorer application in the Delete Browsing History category:

How Local Group Policy Works

Now that you have a little understanding of what GP is, let’s see talk about how it works. Every time you power-on your computer, it processes the Local Group Policy Object (LGPO). In simple terms, think of a LGPO as the file containing all of the settings that may or may not have been configured in the Local Group Policy Editor. Because I am referring to a stand-alone computer in this article, the computer by default, only processes the Local Group Policy Object (one file, in simple terms). As I’ll explain later on though, with the release of Windows Vista and Windows 7, we now have the option of configuring multiple LGPOs on the same local machine. If your computer was connected to a Microsoft Active Directory domain, a computer would usually process a lot more GPOs. In a LGPO, there are two major sections, although they both produce the same results. The first section contains GP settings that pertains to your computer’s account. In a nutshell, settings configured in this section applies to everyone who logs on the computer, regardless whether you are an administrator or standard user (once again, this changes with Vista and Windows 7 as I’ll explain in part 2 of this article). The second section contains GP settings that applies to user accounts on the computer. Because we are not talking about Active Directory domains and organizational units here, the user configuration portion of a LGPO will also apply to all user accounts who log in to the computer, regardless of status. Basically every setting you configure, no matter which section, will apply to anyone and everyone who logs in to the computer. Despite what you’re thinking, the two sections do contain different settings. With a default installation of Windows, most of the settings and policies in your LGPO configuration is set to Not Configured. This makes sense because you wouldn’t like Microsoft locking you out of some part in your operating system would you?!

Local Group Policy settings that you configure are stored in the %systemroot%system32grouppolicy folder. You will see two folders labeled Machine and User. Each of these two folders stores the appropriate settings you’ve configured in the Local Group Policy Editor for each respective section. Every time your computer boots up or during logon, these files are read to apply the appropriate policy settings. If you have many computers in your environment that requires the same LGPO settings, you’ll have to manually configure each and every LGPO on each and every stand-alone computer. However, if you copy the contents of this folder to the same location on the target machine (export,import), you might be able to get away with it. However, this is not recommended and the method is not supported by Microsoft so try this hack on your own. Once you’ve imported the files to the target machine, reboot the computer for the changes to take effect. However, many settings don’t migrate over with this hack and needs to be configured via another management tool. In the end, it’s best to manually configure every machine. Just be sure to create a checklist of all the settings you’ve made in your base LGPO so that you won’t have to remember them all! Chances are, you’ll forget a policy setting or two when configuring the other machines and so you’ll have to revisit each one again at a later time to reconfigure the LGPO properly.

How to Configure Local Group Policy

Alright, let’s try and configure some Local Group Policy settings to see how it affects our computer. By seeing the results of configuring an LGPO, it should hopefully give you a better understanding of the technology.

1. To begin configuring our LGPO, all we need to do is open the Local Group Policy Editor. Do so by first opening your Start Menu and typing in gpedit.msc and hitting Enter. If the UAC prompt appears, accept it or provide an account with administrator privileges.

2. The Local Group Policy Editor should then appear. You should now see the two sections I’ve mentioned earlier. What I failed to mention before is that there are basically thousands of options to configure. Therefore, the hard part is actually finding out where the setting you want to configure is located. You can usually ignore the Software Settings folder in both sections. Under Computer Configuration, you will be most interested in the Windows Settings/Security Settings policies and the Administrative Templates policies. Under the User Configuration portion, stick with the Administrative Templates as most of the policies you’ll configure will be located there. Remember though, every setting/policy you configure will apply to every person logging into the computer.
In our simple example, let’s try enabling the “Prevent changing window color and appearance” policy. Once enabled, all users should then be denied the privilege of changing the Windows color theme via the Personalization Control Panel or elsewhere. In the policy editor, drill down to User Configuration/Administrative Template/Control Panel/Personalization to find the policy. Once you highlight the policy, notice what is written in the Description panel. This is very useful because there will be times when you’re not quite sure just what the setting or policy does so reading the description will help you a lot. Trust me.

3. To enable the setting, simple double click on it first. Next, click on the Enabled radio button to configure the policy and hit OK to apply it. Other settings might require you to add or choose other pieces of information before it can be enabled.

4. Sometimes a setting configured in the policy editor may not take effect immediately. Therefore, to instruct the computer to refresh the LGPO, we need to use the gpupdate command. Fire up a command prompt window and enter in the gpupdate command. Alternatively, you could simply just type in the command in the Search box of the Start menu and it will have the same effects. Also, there are some settings that require a re-login or even a computer restart before the configured policy settings to take effect. Basically if entering the gpupdate command didn’t do the trick, logoff and log back in. If nothing happens still, restart your computer. If still nothing happens, you’ve most likely configured the wrong policy setting.

Now, let’s head into the Personalization menu and see what’s changed! Here is an before and after shot:

As you can see, I (along with any other user that logs in) no longer have the option to change/customize my Windows color theme! This is perfect because if you go back to step number 2, this is the exact setting we chose to configure/enable. That means everything worked like it suppose to! By also disabling the ability to change themes, Windows color, screensavers and/or desktop wallpapers, you’ve gotten the personalization category pretty much locked up from abuse by random users.

The Possibilities with Using LGPO

There are certainly many aspects of your local computer that can be controller via configuration in the LGPO. When it comes down to everything, it’s about experimenting. Some policy settings are very granular in nature so you have to be sure that the setting, when Enabled or Configured, does exactly what you want it to do. If you have a lot of stand-alone workstations to configure, it is best to test out all of your LGPO settings on one machine first. This way, you’ll be able to see if everything works accordingly before making the same changes to the rest of the workstations. Remember, you’ll have to manually configure each LGPO on each workstation (unless you go with the import and export hack mentioned earlier). If you applied the same settings on every computer and later find out that it’s not what you actually wanted, you’ll have to revisit each computer and manually reconfigure the settings again!

 

In the End…

Although very limited in scope, configuring LGPO’s to accommodate your computing environment and situation can still be very helpful for stand alone workstations. Not only can you lock down settings you don’t want to be changed, as seen in our personalization example above, more importantly, we can more tightly secure the computer via many of the security options and policy settings as well.
What I have demonstrated here is just a really, really, small example of what LGPO can do for you. Like I’ve said earlier, there are many policy settings for you to configure. Sometimes (actually, most of the time is more like it) it can be difficult to find the exact setting we are looking for. Therefore, my advice to you is that when in doubt, Google it!

In the second part of this article, I’ll be talking about how to utilize and take advantage of Multiple Local Group Policy Objects on your workstation computer, which is a new feature in Windows Vista and Windows 7.

Read Part 2 to Learn About Multiple Local Group Policy…

Introduction to Local Group Policy Objects: Part 1, 4.8 out of 5 based on 2 ratings