Why Local GPOs Matter

Jul
7
2011

I know lots of people who used them, then decided to dump ‘em.. only to begin recently using them again.

What gives?

Let’s go back.. way back.. to a time you may not remember. That’s right: a time when your organization DIDN’T have AD. That’s right.

Before Caring about AD.

Or, BC AD.

So, when your world was BC AD, you couldn’t use AD-based GPOs to do all the dirty work for you. That’s because you didn’t have AD. (I do realize that many people grew up only starting with Windows 2000 and newer. And for that, be happy my friends.)

Anyhoo.. that’s when LGPOs were handy. LGPOs, or Local Group Policy Objects were great, because you got the power of Group Policy, but kind of in 1 on 1 sort of way. LGPOs mean that you walk up to a machine and type "gpedit.msc" and edit the Local Group Policy.

When you do — EVERYONE on that machine is affected. Sounds great! Let’s "Prevent access to the Control Panel" for everyone and give everyone the same "Active Desktop Wallpaper." Whee.
Great. Until you realize that when YOU want to log on, you’re stuck without Control Panel and can’t change the desktop background to that Porsche 911 Carerra you always wanted.

So, Vista and Windows 7 have a new trick up its sleeve called MLGPOs, or Multiple Local GPOs. I cover MLGPOs in huge detail in the updated Green book . But, here’s the summary. There are now THREE levels of Local GPOs for that matter.

Level 1: Affects everyone
Level 2A: Affects the person if they’re a Joe User
Level 2B: Affects the person if they’re a local Admin
Level 3: Affects a specific person based on username

So, you see there are three levels. But, there are four lines listed above, because a person can only be a USER *OR* an Admin. Not both.

Therefore, MLGPOs affect "Everyone First" then get more specific as they apply DOWN toward the most specific — the specific person based on username.

Now, if people stopped using LGPOs, do MLGPOs matter? Yep.

Here’s a scenario: imagine you wanted to implement a baseline of setting on your machine. Then, once you make contact and join a domain, you want the AD-based GPOs to override the local settings.

Neat! So now if you machine gets "lost in transit" between your "build shop in the basement" and it’s final destination in Kenya, you’ve at least got some baseline setting built-in. And, provided you set up the AD-based GPOs perfectly, you’ll be able to "revert" the LGPO settings on the machine.

But wait. I have an even better idea. There’s a new policy setting — just for Vista and later. And it’s called "Turn Off Local Group Policy Objects Processing." My suggestion would be to take a GPO and link it to a place in AD where you computers join after the machine makes it to Kenya.

So, the machine makes it to Kenya, safe and sound, but full of Local GPO settings that would usually affect everyone on the machine.

But, now that you’ve set up that special policy setting in the domain, you get a little magic.

The machine joins the domain, and LGPOs are immediately neutralized the moment the machine is joined.

Neat, right ?