Windows Group Policies
Windows Server 2008 R2 and Windows 7 provide several different types of policies that can be used to manage computer systems and user accounts. Depending on the security groups a user account is a member of, and whether or not the computer system is a member of an Active Directory domain or a Windows workgroup, the number of policy settings applicable will vary.
Local Computer Policy
Every Windows system will contain a default local computer policy. The local computer policy is a Local Group Policy Object (LGPO). The local computer policy contains separate Computer and User Configuration nodes. The local computer policy, as its name states, only applies configured settings to the individual local computer system and the users who log on. The local computer policy on a new system is blank, except for the default settings defined within the Computer Configuration\Windows Settings\Security Settings policy node. The Security Settings policy node is also the local security policy.
Local Security Policy
The local security policy of a system contains the only configured policy settings on newly deployed Windows systems. Settings such as user rights assignments, password policies, Windows Firewall with advanced security settings, and system security settings are managed and configurable within the local security policy. Furthermore, the local security policy can be exported from one system as a single text file and imported to other systems to simplify security configuration in workgroup environments and to customize security for new system deployments.
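The export and import described above can be done with the built-in secedit tool. The following is an added example, not part of the original tutorial: it exports the local security policy to a text file, checks a few password and lockout values from the file's [System Access] section, and shows the import command for a target system. The file paths and the threshold values are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated prompt; the thresholds below are constructed.
$cfg = Join-Path $env:TEMP 'local-secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# Parse the INF-style export into section -> key -> value.
function Read-SecurityTemplate([string]$Path) {
    $sections = @{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $sections
}

# Constructed baseline for the [System Access] section of the export.
$checks = @(
    @{ Key = 'MinimumPasswordLength'; Want = '>= 12';  Test = { param($v) $v -ge 12 } },
    @{ Key = 'PasswordComplexity';    Want = '1';      Test = { param($v) $v -eq 1 } },
    @{ Key = 'LockoutBadCount';       Want = '1 to 5'; Test = { param($v) $v -ge 1 -and $v -le 5 } }
)

$access = (Read-SecurityTemplate $cfg)['System Access']
foreach ($check in $checks) {
    $raw = if ($access) { $access[$check.Key] } else { $null }
    $ok  = ($null -ne $raw) -and (& $check.Test ([int]$raw))
    New-Object PSObject -Property @{
        Setting = $check.Key; Actual = $raw; Expected = $check.Want; Compliant = $ok
    }
}

# On the target system, after reviewing the file, apply it (creates the database if absent):
# secedit /configure /db "$env:TEMP\secpol-import.sdb" /cfg $cfg /areas SECURITYPOLICY
```

Review the exported file before importing it elsewhere, since every setting it contains is applied to the target system.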
Local Administrators and Non-Administrators User Policies
Windows Server 2008 R2 and Windows 7 support multiple local group policies for user accounts. If any settings are configured in the User Configuration node of the local computer policy, the settings are applied to all users who log on to the system, including members of the local Administrators group. In previous versions of Windows, if the local computer policy restricted an administrator from performing a specific function, the policy would need to be changed and reapplied before the administrator could perform the function. Starting with Windows Vista and Windows Server 2008, and continuing in Windows 7 and Windows Server 2008 R2, additional user-only policies can be created to provide override settings that either further restrict or reduce security so that a particular user can perform their tasks. As an example, if the local computer policy setting was enabled to remove the Display applet from Control Panel, no users would be able to access and modify the display settings of the system. If an Administrators local group policy was created, this same setting could be set to disabled and any users who are members of the local Administrators group would then have access to the Display Control Panel settings.
For local administrators, the Administrators local group policy can be configured as stated previously. Additionally, separate local user policies can be created for the Non-Administrators users. If the system has local user accounts, specific local user policies can be created for each user. This allows for very granular assignment of rights and functionality for systems that use local accounts but require specific configurations and security settings on a per-user basis.
By default, users logging on to Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7 will apply the local computer policy, followed by either the Administrators or Non-Administrators policy and any local user-specific policy. An example of how to use multiple policies is a local computer policy that denies all users write access to removable storage, combined with an Administrators local user policy that allows read and write access to removable storage. Because the Administrators local user policy is applied after the local computer policy, only administrators will be able to write to removable storage media.
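Because a later layer overrides an earlier one, it is worth knowing which local policy layers actually exist on a system. The following is an added example, not part of the original tutorial: it lists the local policy layers found on disk in the order they are applied. It relies on details the tutorial does not state: the additional local policies are stored under %SystemRoot%\System32\GroupPolicyUsers in one folder per SID, with S-1-5-32-544 for Administrators and S-1-5-32-545 for Non-Administrators.

```powershell
# Added example. Folder locations and SIDs are the standard ones for multiple local GPOs.
$sys32     = Join-Path $env:SystemRoot 'System32'
$userRoot  = Join-Path $sys32 'GroupPolicyUsers'   # hidden folder, one subfolder per SID
$wellKnown = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Non-Administrators' }

function New-Layer([int]$Order, [string]$Name, [string]$Path) {
    New-Object PSObject -Property @{
        Order = $Order; Layer = $Name; Path = $Path
        # Registry.pol under User\ holds the layer's registry-based user settings.
        HasUserSettings = Test-Path (Join-Path $Path 'User\Registry.pol')
    }
}

# Layer 1 always exists: the local computer policy.
$layers = @(New-Layer 1 'Local computer policy' (Join-Path $sys32 'GroupPolicy'))

if (Test-Path $userRoot) {
    foreach ($dir in Get-ChildItem -Path $userRoot -Force | Where-Object { $_.PSIsContainer }) {
        if ($wellKnown.ContainsKey($dir.Name)) {
            # Layer 2: Administrators or Non-Administrators, depending on group membership.
            $layers += New-Layer 2 "$($wellKnown[$dir.Name]) policy" $dir.FullName
        } else {
            # Layer 3: a policy for one specific local user, applied last.
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = "$($dir.Name) (unresolved)" }
            $layers += New-Layer 3 "User policy: $name" $dir.FullName
        }
    }
}

$layers | Sort-Object Order | Format-Table Order, Layer, HasUserSettings, Path -AutoSize
```

A layer with HasUserSettings set to True at order 2 or 3 can override user settings from the local computer policy, so an unexpected entry there is worth reviewing.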