Computers that are members of an AD DS domain benefit from a great deal of flexibility when it comes to Group Policy configuration. Standalone (non–AD DS) systems can achieve some of that flexibility as long as they are running at least Windows Vista or Windows Server 2008 R2. These operating systems enable administrators to create multiple local GPOs that provide different settings for users, based on their identities.
Windows systems supporting multiple local GPOs have three layers of Group Policy support, as follows:
– Local Group Policy: Identical to the single local GPO supported by older operating system versions, the Local Group Policy layer consists of both computer settings and user settings and applies to all system users, administrative or not. This is the only local GPO that includes computer settings, so to apply Computer Configuration policies, you must use this GPO.
– Administrators and Nonadministrators Group Policy: This layer consists of two GPOs: one that applies to members of the local Administrators group and one that applies to all users who are not members of the local Administrators group. Unlike the Local Group Policy GPO, this layer does not include computer settings.
– User-specific Group Policy: This layer consists of GPOs that apply to specific local user accounts created on the computer. These GPOs can apply to individual users only, not to local groups. These GPOs also do not have computer configuration settings.
Windows applies the local GPOs in the order listed here. The Local Group Policy settings are applied first, then either the Administrators GPO or the Non-Administrators GPO, and, finally, any user-specific GPOs. As with nonlocal GPOs, the settings processed later can overwrite any earlier settings with which they conflict.
In the case of a system that is also a member of a domain, the three layers of local GPO processing come first, followed by the standard order of nonlocal Group Policy application.
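The following added example (not part of the original text) lists the local GPOs present on a computer in the order Windows applies them, which helps when auditing for a user-specific GPO that overrides settings from an earlier layer. It assumes the default on-disk locations, which the text above does not mention: %SystemRoot%\System32\GroupPolicy for the Local Group Policy GPO and the hidden %SystemRoot%\System32\GroupPolicyUsers folder, which holds one subfolder per SID for the other two layers.

```powershell
# Added example, not from the original text. Run in an elevated PowerShell session.
# Assumption: local GPOs are stored in their default locations under %SystemRoot%\System32.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Well-known SIDs used as folder names for the second-layer GPOs.
$wellKnown = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Non-Administrators'
}

function Get-LayerRecord {
    param([int]$Order, [string]$Layer, [string]$AppliesTo, [string]$Path)
    # Registry.pol holds the registry-based (Administrative Templates) settings of a GPO.
    $pol = Get-ChildItem -LiteralPath $Path -Filter 'Registry.pol' -Recurse -Force -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime | Select-Object -Last 1
    [pscustomobject]@{
        Order        = $Order
        Layer        = $Layer
        AppliesTo    = $AppliesTo
        HasPolFile   = [bool]$pol
        LastModified = if ($pol) { $pol.LastWriteTime } else { $null }
        Path         = $Path
    }
}

$records = @()

# Layer 1: the Local Group Policy GPO (computer and user settings, all users).
$lgpo = Join-Path $sys32 'GroupPolicy'
if (Test-Path -LiteralPath $lgpo) {
    $records += Get-LayerRecord 1 'Local Group Policy' 'Computer and all users' $lgpo
}

# Layers 2 and 3: one hidden subfolder per SID under GroupPolicyUsers.
$usersRoot = Join-Path $sys32 'GroupPolicyUsers'
foreach ($dir in Get-ChildItem -LiteralPath $usersRoot -Directory -Force -ErrorAction SilentlyContinue) {
    $sid = $dir.Name
    if ($wellKnown.ContainsKey($sid)) {
        $records += Get-LayerRecord 2 'Administrators and Nonadministrators' $wellKnown[$sid] $dir.FullName
    } else {
        # Any other SID is a user-specific GPO; resolve it to an account name if possible.
        try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "$sid (unresolved)" }
        $records += Get-LayerRecord 3 'User-specific' $name $dir.FullName
    }
}

# Later rows are processed later and win conflicts with earlier rows.
$records | Sort-Object Order, AppliesTo | Format-Table -AutoSize
```

A row with HasPolFile set to False can still carry settings that are not registry-based, so treat the column as a hint about Administrative Templates configuration only.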
To create local GPOs, you use the Group Policy Object Editor, which is an MMC snap-in provided on all Windows computers specifically for the management of local GPOs, as in the following procedure.
1. Open the Run dialog box and, in the Open text box, type mmc and click OK. An empty MMC console opens.
2. Click File, Add/Remove Snap-In to open the Add Or Remove Snap-Ins dialog box.
3. From the Available Snap-Ins list, select Group Policy Object Editor and click Add. The Select Group Policy Object page opens.
4. To create the local Group Policy GPO, click Finish. To create a secondary or tertiary GPO, click Browse. The Browse For A Group Policy Object dialog box opens.
5. Click the Users tab, as shown in Figure 6-4.
FIGURE 6-4 The Users tab of the Browse For A Group Policy Object dialog box
NOTE: MULTIPLE LOCAL GPOS
Windows computers that do not support multiple local GPOs lack the Users tab in the Browse For A Group Policy Object dialog box. This includes domain controllers and computers running Windows versions prior to Windows Vista and Windows Server 2008 R2.
6. To create a secondary GPO, select either Administrators or Non-Administrators and click OK. To create a tertiary GPO, select a user and click OK. The GPO appears on the Select Group Policy Object page.
7. Click Finish. The snap-in appears in the Add Or Remove Snap-Ins dialog box.
8. Click OK. The snap-in appears in the MMC console.
9. Click File, Save As. A Save As combo box appears.
10. Type a name for the console to save it in the Administrative Tools program group.
11. Close the MMC console.
You can now open this console whenever you need to configure the settings in the GPO you created.