This guide aims to help you understand how to navigate and use the Windows Local Group Policy Editor (LGPE) to enhance your Windows desktop environment’s security, performance, and usability.
The Windows Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that allows you to manage and change Group Policy Objects (GPO) on the local computer. Each policy change is stored as a change to specific keys in the Windows Registry.
In medium-to-large enterprises, Group Policy settings are managed via Active Directory domain controllers and are pushed down to endpoints. LGPE offers advanced users and IT Pros a troubleshooting option for determining why specific settings aren’t working as expected. In addition, for computers that are not centrally managed by Active Directory (AD), the LGPE lets IT Pros make configuration changes to Windows PCs.
There are several methods to open LGPE. The only prerequisite is your Windows edition: LGPE is not installed or supported on Windows 10/11 Home Edition.
Here are the most common methods for launching the tool.
The LGPE is divided into two panes:
The Computer Configuration contains all the policy settings that affect the computer object, regardless of whether a user is logged on or not. Changing these settings will, by default, affect every user who logs onto this computer. Typically, when the computer starts and boots into Windows, these policies will be applied.
In the User Configuration section, you’ll find settings that affect users specifically. These settings generally run when a user logs into the computer. If you want a logon script to run when a user logs on, this is where you will configure the policy changes.
As you drill down into all the various sections of policies, you’ll eventually see Settings. These are the individual policies you can view and edit.
When you click on one of the settings with the view mode set to ‘Extended’ at the bottom of the window, you’ll see the Requirements and Description of the setting on the left.
Above I clicked on the ‘Remove Properties from the Recycle Bin context menu.’ The Requirements show that this setting will only affect Windows Server 2003 and Windows XP or newer. So, any supported version of Windows client and server today. 🙂 The Description shows the basics of what the setting will affect.
To make changes to a setting, you can click the ‘Edit policy setting’ link in the Extended pane I just mentioned. However, it’s probably easiest to just double-click on the setting name.
All the information you need to know to make an informed change is here. For most settings, you choose ‘Not Configured’, ‘Enabled’, or ‘Disabled.’ In this example, if I click Enabled and click OK, that change will occur right away. Let me show you.
Because I didn’t log off and log on again, the Properties link was still visible, but as you can see, it is unavailable.
I stated above that there is a difference between using the Local Group Policy Editor to modify the local computer configuration and using Group Policy Management to manage your enterprise Group Policy Objects (GPOs).
You’ll use the same type of tool for both, but how policies are displayed is different. The Group Policy Management tool will show your AD forest and domains and list the entire domain Organizational Unit (OU) structure – this is how they are applied.
Administrative template files (ADML and ADMX files) determine the settings and policies that are displayed. Admin templates are released and updated periodically by Microsoft when new features are released and new Windows versions (Feature Updates) are made generally available.
The ADMX files store the setting definitions, and the ADML files for ‘en-US’ (or other languages) contain the language-specific policy descriptions. Admin templates can be downloaded from Microsoft from various locations.
Some helpful and routine security settings can quickly be set using this tool. Here are some examples:
Somewhat buried in the Microsoft Security Compliance Toolkit 1.0, the LGPO Utility lets you export your Local Group Policy Editor settings and import them on another machine.
LGPO.exe /b c:\Path\To\Backup\To
You can then run this command on a new machine to import the prior config.
LGPO.exe /g c:\Your\New\Path
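The export step above can be wrapped in a script that also renders the backup as readable text, so the settings can be reviewed before they are imported on another machine. This is an added example, not part of the original post; the LGPO.exe location and the C:\PolicyBackups folder are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumptions: LGPO.exe sits at $Lgpo; C:\PolicyBackups is a hypothetical backup root.
param(
    [string]$Lgpo       = '.\LGPO.exe',
    [string]$BackupRoot = 'C:\PolicyBackups'
)

if (-not (Test-Path -Path $Lgpo -PathType Leaf)) {
    throw "LGPO.exe not found at $Lgpo"
}

# One folder per run, so an earlier backup is never overwritten.
$stamp  = '{0}_{1:yyyyMMdd-HHmmss}' -f $env:COMPUTERNAME, (Get-Date)
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force -ErrorAction Stop | Out-Null

# /b exports the local policy as a GPO backup under $target.
& $Lgpo /b $target
if ($LASTEXITCODE -ne 0) {
    throw "LGPO /b failed with exit code $LASTEXITCODE"
}

# Render each registry.pol in the backup as text with /parse.
# /m reads it as computer policy, /u as user policy.
$scopes = [ordered]@{ Machine = '/m'; User = '/u' }
foreach ($scope in $scopes.GetEnumerator()) {
    $pol = Get-ChildItem -Path $target -Recurse -Filter 'registry.pol' |
        Where-Object { $_.Directory.Name -eq $scope.Key } |
        Select-Object -First 1

    # A scope with no configured settings has no registry.pol in the backup.
    if (-not $pol) {
        Write-Host "No $($scope.Key) policy settings found in this backup."
        continue
    }

    $report = Join-Path $target "$($scope.Key)-policy.txt"
    & $Lgpo /parse $scope.Value $pol.FullName | Set-Content -Path $report
    Write-Host "$($scope.Key) settings written to $report"
}

Write-Host "To import on another machine: LGPO.exe /g `"$target`""
```

Comparing the generated text files between two backups shows exactly which registry-backed settings an import would change.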
Thank you for reading my post on using the Local Group Policy Editor. Please leave a comment or question below.