Local Group Policy Editor

Group Policy in Active Directory (AD) simplifies the administrative burden and makes management a whole lot easier. When an administrator needs to control and configure settings on a local computer that is not part of AD, settings specific to that computer can be configured in the Local Group Policy.

Multiple Local Group Policy objects are an enhancement to Local Group Policy. With Multiple Local Group Policy objects, settings can be selectively applied to different users at different levels, decentralizing the management of desktops. Multiple Local Group Policy objects on a standalone computer comprise the following:

  • Local Computer Policy applies to the computer and to everyone who logs on to that computer.
  • Administrators Local Group Policy applies to members of the built-in Administrators group.
  • Non-Administrators Local Group Policy applies to all users who are not members of the Administrators group.
  • User-specific policies apply to specific local users.
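
To see which of these layers actually exist on a machine, the following added example (not part of the original article) inventories them on disk and shows when each was last changed. It assumes the default storage layout under %SystemRoot%\System32, where the group-level and user-specific layers are folders named by SID, and an elevated PowerShell session; the function name is illustrative.

```powershell
# Added example: inventory the Local GPO layers present on this computer.
# Assumes the default layout under %SystemRoot%\System32; run elevated.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Well-known SIDs that name the two group-level layers.
$groupLayers = @{
    'S-1-5-32-544' = 'Administrators Local Group Policy'
    'S-1-5-32-545' = 'Non-Administrators Local Group Policy'
}

function New-LayerRecord([string]$Layer, [string]$Folder) {
    # Registry-based settings of a layer are stored in its Registry.pol file.
    $pol = Get-Item -LiteralPath (Join-Path $Folder 'Registry.pol') -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Layer       = $Layer
        Folder      = $Folder
        RegistryPol = [bool]$pol
        LastWrite   = if ($pol) { $pol.LastWriteTime } else { $null }
    }
}

$layers = @()

# Local Computer Policy: Machine side (the computer) and User side (everyone).
$lgpo = Join-Path $sys32 'GroupPolicy'
foreach ($side in 'Machine', 'User') {
    $layers += New-LayerRecord "Local Computer Policy ($side)" (Join-Path $lgpo $side)
}

# Administrators, Non-Administrators and user-specific layers: one folder per SID.
$perSid = Join-Path $sys32 'GroupPolicyUsers'
foreach ($dir in Get-ChildItem -LiteralPath $perSid -Directory -Force -ErrorAction SilentlyContinue) {
    $name = $groupLayers[$dir.Name]
    if (-not $name) {
        try {
            $sid  = [System.Security.Principal.SecurityIdentifier]$dir.Name
            $name = 'User-specific policy: ' + $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "User-specific policy: $($dir.Name) (SID does not resolve)"
        }
    }
    $layers += New-LayerRecord $name (Join-Path $dir.FullName 'User')
}

$layers | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

A user-specific layer whose SID no longer resolves usually belongs to a deleted local account and is worth reviewing.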

What is the Local Group Policy Editor?

Windows uses a Microsoft Management Console (MMC) snap-in called the Local Group Policy Editor to let administrators view, navigate and edit the local Group Policy Object (GPO) settings. It divides policy settings into two categories, namely Computer Configuration and User Configuration. Computer Configuration allows administrators to set policies that are applied to the computer regardless of who logs on, while User Configuration allows administrators to set policies differently for different users who log on to the computer. Launching the Local Group Policy Editor presents administrators with a hierarchical view for configuring settings in GPOs.

Opening the Local Group Policy Editor

The following are some ways to open the Local Group Policy Editor:

Method 1: Through command prompt

Type gpedit.msc in the cmd window and press ENTER.  

Method 2: From the Start menu

Type gpedit.msc in the start box and press ENTER.

Method 3: Through MMC Snap-in

  • Go to Start → Type mmc in the search box and press ENTER.
  • Click on File and select Add/Remove Snap-in.
  • From the list of available snap-ins, select Group Policy Editor, and click Add.
  • In the Select Group Policy Object dialog box, click on Browse.
  • To edit the Local GPO, click This Computer.
  • Click the Users tab to configure administrator, non-administrator or specific user policy settings.
  • To save the new policy snap-in for administrators, non-administrators or specific users, click Finish.

Editing Group Policies using the Local Group Policy Editor

 The following steps illustrate how to edit a Local Group Policy object:

  • In the left pane of the Local Group Policy Editor, double-click the folder to view the policy settings in the details pane.
  • In the results pane, double-click a policy setting to view Properties and then edit the policy settings as required.

Group Policy settings can also be modified with the Windows Registry Editor. However, the Local Group Policy Editor is a safer and easier option. 

Computer Configuration and User Configuration

Both Computer Configuration and User Configuration consist of Software Settings, Windows Settings and Administrative Templates.

| Node | Computer Configuration | User Configuration |
|---|---|---|
| Software Settings | Applies to all users who log on to the computer. It has a Software Installation subnode. | Applies differently to different users who log on to the computer. It has a Software Installation subnode. |
| Windows Settings | Applies to all users who log on to the computer. It has four subnodes: Name Resolution Policy, Scripts, Security Settings, and Policy-based QoS. | Applies differently to different users who log on to the computer. It has three subnodes: Scripts, Security Settings, and Policy-based QoS. |
| Administrative Templates | Contains all registry-based policy settings. It has the following subnodes: Control Panel, Network, Printers, System, Windows Components and All Settings. | Contains all registry-based policy information. It has the following subnodes: Control Panel, Desktop, Network, Shared Folders, Start Menu and Taskbar, System, Windows Components and All Settings. |

Administrative Templates

Administrative templates are a group of settings used by administrators to make changes to the registry by setting policies for the OS, Windows components, and programs. In Windows XP and earlier, Administrative templates were Unicode-formatted text files with a .adm extension. Later versions offer Administrative templates as a combination of ADMX and ADML file types. Every ADMX file has a matching language file, the ADML file, which is used to display its policies.

Here is a quick comparison between ADM and ADMX/ADML:

| ADM | ADMX/ADML |
|---|---|
| Groups several complex settings into chunky files. | Logically splits settings into small and easy-to-handle files. |
| Demands higher storage space. | Lower storage space requirements. |
| Registry policies use ADM syntax. | Registry policies use XML syntax. |
| ADM files are stored in individual GPOs by default. | By default, ADMX/ADML files are obtained from the computer performing the GPO administration. After the central store is implemented, the files are centralized. |
| They can be found by default in the location C:\Windows\inf. The ADM template also gets added to the contents of the GPO itself. | They can be found by default in the file location C:\Windows\policyDefinitions. |
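
Because ADMX policies are XML, the registry key behind each setting can be read straight from the template, with the ADML file supplying the text shown in the editor. The block below is an added example, not part of the original article: it resolves a constructed ADMX/ADML pair into the keys and values each policy controls. The vendor, application and policy names are placeholders.

```powershell
# Constructed ADMX/ADML pair, trimmed to the attributes used here.
# "ExampleVendor", "ExampleApp" and the policy names are placeholders.
[xml]$admx = @'
<policyDefinitions>
  <policies>
    <policy name="DisableFeature" class="Machine" displayName="$(string.DisableFeature)"
            key="Software\Policies\ExampleVendor\ExampleApp" valueName="DisableFeature" />
    <policy name="HomePage" class="Both" displayName="$(string.HomePage)"
            key="Software\Policies\ExampleVendor\ExampleApp">
      <elements><text id="Url" valueName="HomePageUrl" /></elements>
    </policy>
  </policies>
</policyDefinitions>
'@
[xml]$adml = @'
<policyDefinitionResources>
  <resources><stringTable>
    <string id="DisableFeature">Turn off the example feature</string>
    <string id="HomePage">Set the home page</string>
  </stringTable></resources>
</policyDefinitionResources>
'@

# ADML side: string id -> text shown in the editor.
$strings = @{}
foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
    $strings[$s.GetAttribute('id')] = $s.InnerText
}

# ADMX side: each policy names the registry key (and usually the value) it controls.
$report = foreach ($p in $admx.policyDefinitions.policies.policy) {
    $label = $p.GetAttribute('displayName')
    if ($label -match '^\$\(string\.(.+)\)$') { $label = $strings[$Matches[1]] }
    $hives = switch ($p.GetAttribute('class')) {
        'Machine' { 'HKLM' } 'User' { 'HKCU' } 'Both' { 'HKLM', 'HKCU' }
    }
    # Policies without their own valueName write through child <elements>.
    $values = @($p.GetAttribute('valueName'))
    if (-not $values[0]) {
        $values = @($p.elements.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] } |
            ForEach-Object { $_.GetAttribute('valueName') })
    }
    foreach ($h in $hives) {
        [pscustomobject]@{ Policy = $label; Key = "$h\$($p.GetAttribute('key'))"; Values = $values -join ', ' }
    }
}
$report | Format-Table -AutoSize
```

To run it against an installed template, replace the two here-strings with `Get-Content -Raw` on an .admx file and on the matching .adml file from its language subfolder.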