
Planning Workgroup and Standalone Local Group Policy Configuration

Many organizations deploy Windows servers and workstations in workgroup configurations, and for these organizations local group policies can play a vital role in simplifying Windows system administration. Some of the benefits of leveraging local group policies in workgroup deployments include, but are not limited to, the following:

  • Standardizing workgroup and image deployments: Define the base local computer, Administrators, and Non-Administrators local policies on a machine that will be used as a template for a desktop or server image to reduce security exposure, improve standardization, and reduce user error when many systems are deployed.
  • Standardizing User Configuration settings: The User Configuration section of the local computer policy can be configured to install specific printers for users, customize the Start menu and display settings, predefine settings for Windows programs such as Remote Desktop Connection, and much more. For the most part, however, the settings are standardized to give every user the same experience.
  • Preconfiguring policies for shared or public Windows systems: Systems that are made available for public use or are utilized by several different users require more restrictive configurations to increase the security and reliability of the system. In these types of deployments, Windows administrators can configure tight security settings in the local computer policy, very restrictive settings in the non-administrators policy, and less restrictive settings in the administrators policy to allow for updates and management. Also, audit settings can be enabled to track logon/logoff, file and folder access, and much more.
  • Preconfiguring security updates and remote administration settings: Windows systems that are deployed in workgroups can be difficult to remotely support and administer if the proper configurations are not created prior to deployment. Using the local computer policy, firewall rules can be created to allow for remote management, Remote Desktop can be enabled and enforced, and Windows Update settings can also be configured to enable automated security update installation and remote management options.

Creating Local Administrators and Non-Administrators Policies

When a Windows system is first deployed, only the local computer group policy is created. Local group policies for Administrators, Non-Administrators, and individual local users need to be manually created if they are to be utilized. The process of creating the Administrators or Non-Administrators policy must be performed from the local machine using the Group Policy Object Editor. The following example creates a local group policy for the Administrators group. To create it, perform the following steps:

  1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.
  2. Click Start, click in the Search pane, type MMC, and press Enter.
  3. When the Microsoft Management Console opens, click File from the menu bar, and select Add/Remove Snap-In.
  4. In the Add or Remove Snap-Ins window, in the Available Snap-Ins pane on the left, scroll down and select the Group Policy Object Editor, and click the Add button.
  5. The Select Group Policy Object window opens and defaults to the local computer policy. Click the Browse button to choose a different policy.
  6. In the Browse for a Group Policy Object window, select the Users tab.
  7. On the Users tab, each local user account will be listed as well as Administrators and Non-Administrators. Select Administrators and click OK.
  8. Back in the Select Group Policy Object window, the Group Policy Object name should reflect Local Computer\Administrators. If the name matches, click Finish to return to the Add or Remove Snap-Ins window.
  9. In the Add or Remove Snap-Ins window, click OK to complete adding snap-ins to this console window.
  10. In the MMC window, the Local Computer\Administrators policy will be available for editing. Because this policy only applies to users in the Administrators group, only the User Configuration node is present.
  11. Configure at least one setting in this policy to create it and close the MMC window when the configuration of the local user group policy for administrators is complete.
  12. When prompted to save the console, click No and log off of the server.
  13. Log back on to the server with an account with local Administrator rights.
  14. Click Start, click in the Search pane, type cmd, and press Enter.
  15. Type gpresult /h LGPO-Administrators.html and press Enter. The gpresult command with the /h option generates an HTML file that will be used to determine if the local user group policy for administrators has been applied. This option is only available on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems, but the tool can be run against remote systems with the proper permissions and firewall settings configured.
  16. After gpresult completes, in the command prompt type the name of the file created, in this example LGPO-Administrators.html, and press Enter.
  17. The previous command will launch Internet Explorer; notice that the browser might require permission to allow the ActiveX content to load.
  18. After allowing the ActiveX content and functionality, scroll down to the User Configuration Summary section and click on the Group Policy Objects link.
  19. Click on Applied GPOs and Denied GPOs to reveal which policies were applied to the user.
  20. Review the HTML report and when finished, close Internet Explorer and log off.

The same procedure can be used to create local group policies for nonadministrators or individual local user accounts.
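
A scripted cross-check for the procedure above, as an added example that is not part of the original page: it inventories which local policy layers exist on disk, which helps when validating an image template before deployment. The folder locations and well-known SIDs are Windows storage details that the page does not state, and the function names are hypothetical.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumption: local GPO layers are stored under System32 in the folders below.
$computerGpo = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$userGpoRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

# Folder names used for the two group-based layers (well-known SIDs).
$layerNames = @{
    'S-1-5-32-544' = 'Local Computer\Administrators'
    'S-1-5-32-545' = 'Local Computer\Non-Administrators'
}

function Resolve-LayerName {
    param([string]$Sid)
    if ($layerNames.ContainsKey($Sid)) { return $layerNames[$Sid] }
    try {
        # Any other folder is a per-user policy named after the account SID.
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return 'User-specific: ' + $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return "Unresolved SID $Sid" }
}

function Get-LocalGpoLayer {
    param([string]$Path, [string]$Layer)
    # Registry.pol holds the Administrative Templates settings of a layer.
    $pol = Join-Path $Path 'User\Registry.pol'
    $modified = $null
    if (Test-Path $pol) { $modified = (Get-Item $pol -Force).LastWriteTime }
    New-Object PSObject -Property @{
        Layer = $Layer; Path = $Path
        HasUserSettings = ($modified -ne $null); LastModified = $modified
    }
}

$layers = @(Get-LocalGpoLayer $computerGpo 'Local Computer')
if (Test-Path $userGpoRoot) {
    # -Force is needed because the GroupPolicyUsers folder is hidden.
    $layers += @(Get-ChildItem $userGpoRoot -Force |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-LocalGpoLayer $_.FullName (Resolve-LayerName $_.Name) })
}
$layers | Sort-Object Layer |
    Format-Table Layer, HasUserSettings, LastModified, Path -AutoSize

# Flag group-based layers that were never created (see step 11 above).
foreach ($sid in $layerNames.Keys) {
    if (-not (Test-Path (Join-Path $userGpoRoot $sid))) {
        Write-Warning "$($layerNames[$sid]) has not been created on this system"
    }
}
```

On 64-bit systems, run this from 64-bit PowerShell so that System32 is not redirected. The gpresult report from step 15 remains the check for which layers were actually applied to a given user.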
