
Understanding Multiple Local Group Policy

Another feature of Group Policy that was introduced in Windows Vista is support for MLGPOs. MLGPOs simplify the task of locking down shared-use computers, such as kiosk computers in libraries. Although MLGPOs are primarily intended for use on stand-alone computers, they can also be used on domain-joined computers (although you're better off creating multiple domain GPOs whenever possible).

Types of MLGPOs

Earlier versions of Windows supported only a single LGPO per computer, also known as Local Computer Policy. With these Windows platforms, you could manage stand-alone computers with Group Policy only by configuring their LGPO. You could manage domain-joined computers with Group Policy both by configuring their LGPO and by using one or more domain-based GPOs to target the AD DS container (domain, organizational unit [OU], or site) to which the computer or user belongs.

Although you cannot manage LGPOs on earlier versions of Windows using GPMC, you can open them in the Group Policy Management Editor and configure them on the local computer. A clean-installed earlier version of Windows has no LGPO at all; the LGPO is created the first time an administrator opens the Local Group Policy Editor. The newly created LGPO is stored in the hidden directory %WinDir%\System32\GroupPolicy and has a file structure similar to the GPT of a domain-based GPO. Not all domain-based policy settings are available in the local GPO.

Computers running Windows 7, however, have three levels of LGPO (which is why they are called MLGPOs):

  • Local Computer Policy This is the default LGPO. It affects all users on the computer and is the only level at which Local Computer Policy (the computer side) is available. This level consists of a single MLGPO whose policy settings apply to all users on the computer, including local administrators. Local Group Policy contains both computer and user settings, and its behavior in Windows 7 is the same as in versions of Windows earlier than Windows Vista. Because this is the only MLGPO that contains computer settings, you typically use it to apply a set of policy settings uniformly to all users of the computer.
  • Administrators and Non-Administrators Local Group Policy Users on a computer running Windows 7 are either members or not members of this group. Users that are members of Administrators have full administrative privileges on the computer (although elevation may be required to realize these privileges); those who are not members of this group have limited privileges. This level has two MLGPOs: one for users who belong to the Administrators group and one for those who don't. These MLGPOs have user settings only and do not contain any machine settings. You can use these MLGPOs to apply different policy settings to administrators and standard users. These settings apply only to user-based policy and do not affect the computer side.
  • User-Specific Local Group Policy This level consists of one or more MLGPOs, one per local user account that you create on the computer. These MLGPOs have user settings only, do not contain any machine settings, and allow you to apply a different set of policy settings to each local user on the computer if necessary. These settings apply only to user-based policy and do not affect the computer side.

Note Windows 7 does not support using ad hoc local groups to configure Local Group Policy for groups of users on the computer, nor can you use any built-in groups other than Administrators (and Non-Administrators) to configure Local Group Policy for groups of users on the computer. For example, you cannot create an MLGPO for users who belong to the Backup Operators built-in group on the computer.
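The three levels described above can be audited from their on-disk storage. The following PowerShell script is an added example, not part of the original text or of Windows itself; it assumes that the base LGPO lives in %WinDir%\System32\GroupPolicy (as stated above) and that the Administrators, Non-Administrators and user-specific MLGPOs live in per-SID folders under %WinDir%\System32\GroupPolicyUsers, with the well-known SIDs S-1-5-32-544 (Administrators) and S-1-5-32-545 (Users) holding the two group-level layers.

```powershell
# Added example: inventory which MLGPO layers exist on this computer, which users
# they target, and whether each carries machine and/or user registry settings.
# Assumed storage layout: base LGPO in %WinDir%\System32\GroupPolicy; group and
# per-user layers in %WinDir%\System32\GroupPolicyUsers\<SID>. Run elevated; the
# folders are hidden, so Get-ChildItem needs -Force.
function New-GpoLayer($Level, $Target, $Path, $HasMachine, $HasUser) {
    # New-Object form keeps this usable on the PowerShell 2.0 that shipped with Windows 7
    New-Object PSObject -Property @{
        Level = $Level; Target = $Target; Path = $Path
        HasMachineSettings = $HasMachine; HasUserSettings = $HasUser
    }
}

function Get-LocalGpoLayers {
    $base   = Join-Path $env:WinDir 'System32\GroupPolicy'
    $users  = Join-Path $env:WinDir 'System32\GroupPolicyUsers'
    $layers = @()
    # Level 1: Local Computer Policy, the only layer that can carry machine settings
    if (Test-Path $base) {
        $layers += New-GpoLayer 'Local Computer Policy' 'All users and the computer' $base `
            (Test-Path (Join-Path $base 'Machine\Registry.pol')) `
            (Test-Path (Join-Path $base 'User\Registry.pol'))
    }
    # Levels 2 and 3: one folder per SID; the two group SIDs are the Admin/Non-Admin layers
    if (Test-Path $users) {
        $dirs = Get-ChildItem -Path $users -Force | Where-Object { $_.PSIsContainer }
        foreach ($dir in $dirs) {
            $sid = $dir.Name
            switch ($sid) {
                'S-1-5-32-544' { $level = 'Administrators LGPO';     $target = 'Members of Administrators' }
                'S-1-5-32-545' { $level = 'Non-Administrators LGPO'; $target = 'Users who are not Administrators' }
                default {
                    $level = 'User-Specific LGPO'
                    # Resolve the SID to an account name; keep the raw SID if the account no longer exists
                    try { $target = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $target = "$sid (unresolved; possibly an orphaned LGPO)" }
                }
            }
            # User-level MLGPOs never carry machine settings, so that column is always $false
            $layers += New-GpoLayer $level $target $dir.FullName $false `
                (Test-Path (Join-Path $dir.FullName 'User\Registry.pol'))
        }
    }
    $layers
}

Get-LocalGpoLayers | Format-Table Level, Target, HasMachineSettings, HasUserSettings, Path -AutoSize
```

A user-specific layer whose SID no longer resolves to a local account is worth reviewing, since its settings remain on disk even though no current user is targeted by them.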
