
Windows Server 2008 R2 : Planning Workgroup and Standalone Local Group Policy Configuration

3/25/2011 6:43:11 PM
Many organizations deploy Windows servers and workstations in workgroup configurations and for these organizations, local group policies can play a vital role in simplifying Windows system administration. Some of the benefits of leveraging local group policies in workgroup deployments include, but are not limited to, the following:
  • Standardizing workgroup and image deployments— Define the base local computer, Administrators, and Non-Administrators local policies on a machine that will be used as a template for a desktop or server image to reduce security exposure, improve standardization, and reduce user error when many systems are deployed.

  • Standardizing User Configuration settings— The User Configuration section of the local computer policy can be configured to install specific printers for users, customize the Start menu and display settings, predefine settings for Windows programs such as Remote Desktop Connection, and much more. For the most part, however, the settings are standardized to give every user the same experience.

  • Preconfiguring policies for shared or public Windows systems— Systems that are made available for public use or are utilized by several different users require more restrictive configurations to increase the security and reliability of the system. In these types of deployments, Windows administrators can configure tight security settings in the local computer policy, very restrictive settings in the non-administrators policy, and less restrictive settings in the administrators policy to allow for updates and management. Also, audit settings can be enabled to track logon/logoff, file and folder access, and much more.

  • Preconfiguring security updates and remote administration settings— Windows systems that are deployed in workgroups can be difficult to remotely support and administer if the proper configurations are not created prior to deployment. Using the local computer policy, firewall rules can be created to allow for remote management, Remote Desktop can be enabled and enforced, and Windows Update settings can also be configured to enable automated security update installation and remote management options.

Creating Local Administrators and Non-Administrators Policies

When a Windows system is first deployed, only the local computer group policy is created. Local group policies for administrators, nonadministrators, and individual local users must be created manually if they are to be used. The Administrators or Non-Administrators policy must be created from the local machine using the Group Policy Object Editor. To create the local user group policy for the Administrators group, perform the following steps:

1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.

2. Click Start, click in the Search pane, type MMC, and press Enter.

3. When the Microsoft Management Console opens, click File from the menu bar, and select Add/Remove Snap-In.

4. In the Add or Remove Snap-Ins window, in the Available Snap-Ins pane on the left, scroll down and select the Group Policy Object Editor, and click the Add button.

5. The Select Group Policy Object window opens and defaults to the local computer policy. Click the Browse button to choose a different policy.

6. In the Browse for a Group Policy Object window, select the Users tab.

7. On the Users tab, each local user account will be listed as well as Administrators and Non-Administrators. Select Administrators and click OK, as shown in Figure 1.

Figure 1. Selecting the local group policy for administrators.

8. Back in the Select Group Policy Object window, the Group Policy Object name should reflect Local Computer\Administrators. If the name matches, click Finish to return to the Add or Remove Snap-Ins window.

9. In the Add or Remove Snap-Ins window, click OK to complete adding snap-ins to this console window.

10. In the MMC window, the Local Computer\Administrators policy will be available for editing. Because this policy only applies to users in the Administrators group, only the User Configuration node is present.

11. Configure at least one setting in this policy to create it and close the MMC window when the configuration of the local user group policy for administrators is complete.

12. When prompted to save the console, click No and log off of the server.

13. Log back on to the server with an account with local Administrator rights.

14. Click Start, click in the Search pane, type cmd, and press Enter.

15. Type gpresult /h LGPO-Administrators.html and press Enter. The gpresult command with the /h option generates an HTML file that will be used to determine if the local user group policy for administrators has been applied. This option is only available on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems, but the tool can be run against remote systems with the proper permissions and firewall settings configured.

16. After gpresult completes, in the command prompt type the name of the file created, in this example LGPO-Administrators.html, and press Enter.

17. The previous command will launch Internet Explorer; notice that the browser might require permission to allow the ActiveX content to load.

18. After allowing the ActiveX content and functionality, scroll down to the User Configuration Summary section and click on the Group Policy Objects link.

19. Click on Applied GPOs and Denied GPOs to reveal which policies were applied to the user, as shown in Figure 2.

Figure 2. Verifying GPO application using the gpresult HTML report.

20. Review the HTML report and when finished, close Internet Explorer and log off.

The same procedure can be used to create local group policies for nonadministrators or individual local user accounts.
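The verification in steps 14 through 20 can also be scripted, which helps when many workgroup machines built from the same image need checking. The following PowerShell is an added example, not part of the original article: it lists the user-specific local GPOs that exist on disk and then parses the XML form of the gpresult report. The function names and the XML file name are hypothetical, and the script assumes the usual storage location for these policies (the hidden %SystemRoot%\System32\GroupPolicyUsers folder, one subfolder per SID) and the usual element names in the gpresult XML report.

```powershell
# Added example. Run in an elevated PowerShell 2.0+ session on the server.
$mlgpoRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'   # hidden folder
# Folder names used for the two group-level local policies; any other
# folder name is the SID of an individual local user account.
$wellKnown = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Non-Administrators' }

function Get-LocalUserGpo {
    if (-not (Test-Path $mlgpoRoot)) { return }   # no user-specific local GPO exists
    Get-ChildItem $mlgpoRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $name = $wellKnown[$_.Name]
        if (-not $name) {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }    # deleted account or non-SID folder
        }
        # Registry.pol holds the registry-based User Configuration settings.
        $pol = Join-Path $_.FullName 'User\Registry.pol'
        $changed = $null
        if (Test-Path $pol) { $changed = (Get-Item $pol -Force).LastWriteTime }
        New-Object PSObject -Property @{
            Policy = $name; Sid = $_.Name; RegistryPolChanged = $changed
        }
    }
}

function Get-ReportedUserGpo {
    # Same data as the /h report in step 15, written as XML so it can be parsed.
    $report = Join-Path $env:TEMP 'LGPO-Administrators.xml'
    & gpresult.exe /scope user /x $report /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($report)
    # Assumed element names (UserResults, GPO, Name), matched by local name so
    # the query does not depend on the report's XML namespaces. The list holds
    # every GPO the report mentions, applied or denied.
    $xpath = "//*[local-name()='UserResults']/*[local-name()='GPO']/*[local-name()='Name']"
    $doc.SelectNodes($xpath) | ForEach-Object { $_.InnerText }
}

'Local user GPOs present on disk:'
Get-LocalUserGpo | Format-Table Policy, Sid, RegistryPolChanged -AutoSize
'GPOs gpresult reports for the current user:'
Get-ReportedUserGpo
```

A per-user folder on a freshly imaged machine that the template never defined, or a RegistryPolChanged time later than the image build, is worth reviewing against the HTML report.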
