Many organizations deploy Windows servers and
workstations in workgroup configurations, and for these organizations,
local group policies can play a vital role in simplifying Windows system
administration. Some of the benefits of leveraging local group policies
in workgroup deployments include, but are not limited to, the
following:
Standardizing workgroup and image deployments— Define the base local computer, Administrators, and Non-Administrators local policies on a machine that will be used as a template for a desktop or server image to reduce security exposure, improve standardization, and reduce user error when many systems are deployed.

Standardizing User Configuration settings— The User Configuration section of the local computer policy can be configured to install specific printers for users, customize the Start menu and display settings, predefine settings for Windows programs such as Remote Desktop Connection, and much more. For the most part, however, the settings are standardized to give every user the same experience.

Preconfiguring policies for shared or public Windows systems— Systems that are made available for public use or are utilized by several different users require more restrictive configurations to increase the security and reliability of the system. In these types of deployments, Windows administrators can configure tight security settings in the local computer policy, very restrictive settings in the non-administrators policy, and less restrictive settings in the administrators policy to allow for updates and management. Also, audit settings can be enabled to track logon/logoff, file and folder access, and much more.

Preconfiguring security updates and remote administration settings— Windows systems that are deployed in workgroups can be difficult to remotely support and administer if the proper configurations are not created prior to deployment. Using the local computer policy, firewall rules can be created to allow for remote management, Remote Desktop can be enabled and enforced, and Windows Update settings can also be configured to enable automated security update installation and remote management options.

Creating Local Administrators and Non-Administrators Policies
When a Windows system is
first deployed, only the local computer group policy is created. Local
group policies for administrators, nonadministrators, and individual
local users need to be manually created if they are to be utilized. The
process of creating the Administrators or Non-Administrators policy must
be performed from the local machine using the Group Policy Object
Editor. In the following example, create a local group policy for the
Administrators group. To create a local user group policy for
administrators, perform the following steps:
1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.
2. Click Start, click in the Search pane, type MMC, and press Enter.
3. When the Microsoft Management Console opens, click File from the menu bar, and select Add/Remove Snap-In.
4. In the Add or Remove Snap-Ins window, in the Available Snap-Ins pane on the left, scroll down and select the Group Policy Object Editor, and click the Add button.
5. The Select Group Policy Object window opens and defaults to the local computer policy. Click the Browse button to choose a different policy.
6. In the Browse for a Group Policy Object window, select the Users tab.
7. On the Users tab, each local user account will be listed as well as Administrators and Non-Administrators. Select Administrators and click OK, as shown in Figure 1.
8. Back in the Select Group Policy Object window, the Group Policy Object name should reflect Local Computer\Administrators. If the name matches, click Finish to return to the Add or Remove Snap-Ins window.
9. In the Add or Remove Snap-Ins window, click OK to complete adding snap-ins to this console window.
10. In the MMC window, the Local Computer\Administrators policy will be available for editing. Because this policy only applies to users in the Administrators group, only the User Configuration node is present.
11. Configure at least one setting in this policy to create it and close the MMC window when the configuration of the local user group policy for administrators is complete.
12. When prompted to save the console, click No and log off the server.
13. Log back on to the server with an account with local Administrator rights.
14. Click Start, click in the Search pane, type cmd, and press Enter.
15. Type gpresult /h LGPO-Administrators.html and press Enter. The gpresult command with the /h option generates an HTML file that will be used to determine if the local user group policy for administrators has been applied. This option is only available on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems, but the tool can be run against remote systems with the proper permissions and firewall settings configured.
16. After gpresult completes, in the command prompt type the name of the file created, in this example LGPO-Administrators.html, and press Enter.
17. The previous command will launch Internet Explorer; notice that the browser might require permission to allow the ActiveX content to load.
18. After allowing the ActiveX content and functionality, scroll down to the User Configuration Summary section and click on the Group Policy Objects link.
19. Click on Applied GPOs and Denied GPOs to reveal which policies were applied to the user, as shown in Figure 2.
20. Review the HTML report and when finished, close Internet Explorer and log off.

The same procedure can be used to create local group policies for nonadministrators or individual local user accounts.
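The check in steps 11 through 20 can also be scripted when auditing a template image before deployment. The following is an added example, not part of the original text. It assumes an elevated PowerShell 2.0 session on the server, and it relies on two Windows details not stated above: user-scoped local GPOs are stored under %SystemRoot%\System32\GroupPolicyUsers in a folder named for the SID, and the Administrators and Non-Administrators policies use the well-known SIDs S-1-5-32-544 and S-1-5-32-545. The function name Get-LocalUserGpoLayer is hypothetical.

```powershell
# Added example (not from the original text): inventory user-scoped local GPOs.
# Assumption: they live in the hidden folder below, one subfolder per SID.
$root = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

# Well-known SIDs behind the two group-level local policies.
$layerNames = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Non-Administrators'
}

function Get-LocalUserGpoLayer {
    param([string]$Path = $root)
    # No folder means no user-scoped local policy has ever been created.
    if (-not (Test-Path -Path $Path)) { return @() }
    Get-ChildItem -Path $Path -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'S-1-*' } |
        ForEach-Object {
            $sid = $_.Name
            if ($layerNames.ContainsKey($sid)) {
                $name = $layerNames[$sid]
            } else {
                # Any other SID is a per-user policy; resolve it to an account.
                try {
                    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $id.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '(unresolved SID)' }
            }
            # Registry.pol appears once an Administrative Templates setting is saved.
            $pol = Join-Path $_.FullName 'User\Registry.pol'
            New-Object PSObject -Property @{
                Sid            = $sid
                Policy         = $name
                HasRegistryPol = (Test-Path -Path $pol)
            }
        }
}

Get-LocalUserGpoLayer | Format-Table Policy, Sid, HasRegistryPol -AutoSize

# Same report as step 15, limited to user settings; /f overwrites an old file.
$report = Join-Path $env:TEMP 'LGPO-Administrators.html'
gpresult /scope user /h $report /f
Write-Output "Report written to $report"
```

An unexpected per-user SID in this listing on a template image is worth reviewing before the image is captured, because that policy will be copied to every system deployed from it.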