Understanding Multiple Local GPOs in Windows Vista

Local GPOs are used to allow the administrator of a Windows 2000/XP/2003/Vista computer to configure security and registry settings for the computer. LGPOs allow the administrator to do so in the absence of an Active Directory-based GPO infrastructure, such as in the following scenarios:

  • Kiosk computer
  • Demo workstation
  • Public environments such as libraries

and so on.
LGPOs are also useful in scenarios where an AD GPO infrastructure does exist, but for various reasons the administrator needs to configure extra settings on the local workstation instead of assigning those settings via AD-based GPOs.
LGPOs can also be used in home scenarios, where one needs to configure restrictions on the computer, such as preventing your children from messing with your Control Panel settings, Regedit, and so on.

The bad news

The main disadvantage of LGPOs is the fact that Windows 2000/XP/2003 allows the creation and use of only one Local GPO. This may be problematic when trying to create different settings for users that belong to different groups, for example when you want to configure different settings for members of the Administrators group and for any user who is not a member of that group.

The good news

Windows Vista has the ability to create multiple local group policies (GPOs). Wow! This means that whenever you want to configure different settings for different users you can do so easily without the need to mess with NTFS permissions (this was one of the methods used by pre-Vista administrators to work around the single-LGPO limit in Windows 2000/XP/2003).
In Windows Vista, the administrator can configure one LGPO for the computer just like in Windows 2000/XP/2003, but if the need arises, they can also add further LGPOs within the following limitations. LGPOs in Vista can be configured for:

  • Any local user, by name
  • Users that are members of the local Administrators group
  • Users that are NOT members of the local Administrators group

A user can only be affected by one of the above LGPOs.
In addition, if the Vista computer is a member of an Active Directory domain, LGPOs are processed in the same manner as they were in Windows 2000/XP/2003:

  • First the LGPO is processed after the computer starts
  • Then AD GPOs are processed in the regular order of:
    • Site GPO
    • Domain GPO
    • OU GPO
    • Child OU GPO (if applicable)

In addition, administrators can configure the Vista computer not to process any LGPO at all by enabling a setting in an AD GPO. This prevents any local Vista administrator from adding their own LGPO. Read more about this setting in my Disable Local GPOs in Windows Vista article.
To create and apply LGPOs, read my Configure Multiple Local GPOs in Windows Vista article.
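As an added example (not code from this article), the PowerShell script below audits which of the LGPO layers described above exist on a Vista-or-later machine and whether a domain GPO has turned local processing off, which is the check an administrator wants before trusting that local settings apply. It assumes the well-known on-disk layout rather than anything stated in the article: the computer LGPO under %SystemRoot%\System32\GroupPolicy and user-scoped LGPOs under %SystemRoot%\System32\GroupPolicyUsers\<SID>, with S-1-5-32-544 holding the Administrators LGPO and S-1-5-32-545 the Non-Administrators LGPO; the DisableLGPOProcessing registry value used for the "turn off local GPO processing" setting is likewise assumed.

```powershell
# Added example: enumerate the multiple local GPO layers on a Vista-or-later machine.
# Assumed layout (not from the article): computer LGPO in System32\GroupPolicy,
# user-scoped LGPOs in System32\GroupPolicyUsers\<SID>.
$root         = Join-Path $env:SystemRoot 'System32'
$computerLgpo = Join-Path $root 'GroupPolicy'
$userLgpoRoot = Join-Path $root 'GroupPolicyUsers'

# Assumed mapping of the two group-scoped LGPOs to well-known SIDs.
$wellKnown = @{
    'S-1-5-32-544' = 'Administrators LGPO'
    'S-1-5-32-545' = 'Non-Administrators LGPO'
}

function Get-LgpoLayer {
    param([string]$Path, [string]$Scope)
    # A layer is "present" if its folder exists, and "has settings" if it
    # contains a Registry.pol or gpt.ini file anywhere underneath it.
    $present = Test-Path $Path
    $hasSettings = $false
    if ($present) {
        $files = @(Get-ChildItem -Path $Path -Recurse -Include 'Registry.pol','gpt.ini' -ErrorAction SilentlyContinue)
        $hasSettings = $files.Count -gt 0
    }
    New-Object PSObject -Property @{ Scope = $Scope; Present = $present; HasSettings = $hasSettings; Path = $Path }
}

$layers = @()
$layers += Get-LgpoLayer -Path $computerLgpo -Scope 'Local Computer'

if (Test-Path $userLgpoRoot) {
    foreach ($dir in (Get-ChildItem -Path $userLgpoRoot | Where-Object { $_.PSIsContainer })) {
        $sid = $dir.Name
        if ($wellKnown.ContainsKey($sid)) {
            $scope = $wellKnown[$sid]
        } else {
            # Per-user LGPO: translate the SID to an account name where possible.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $account = '<unresolved SID>' }
            $scope = "User LGPO: $account"
        }
        $layers += Get-LgpoLayer -Path $dir.FullName -Scope $scope
    }
}

$layers | Format-Table Scope, Present, HasSettings, Path -AutoSize

# Assumed registry location of "Turn off Local Group Policy Objects processing".
$regPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$disabled = (Get-ItemProperty -Path $regPath -Name 'DisableLGPOProcessing' -ErrorAction SilentlyContinue).DisableLGPOProcessing
if ($disabled -eq 1) { Write-Output 'LGPO processing is turned off by policy; the layers above are not applied.' }
else                 { Write-Output 'LGPO processing is enabled; the layers above apply in LGPO-then-AD order.' }
```

Run it from an elevated prompt, since the GroupPolicyUsers folders are not readable by standard users on every configuration.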
