Chapter 26: Using Group Policy with Windows Vista
Vista resolves conflicts in settings by overwriting any previous setting with the last
read and most current setting. The final setting is the one Windows Vista uses.
Because of this, the processing order is extremely important: it determines which
user settings are actually applied when there are conflicting settings.
Only the enabled or disabled state of a setting matters. If a setting is
set as Not Configured, this has no effect on the state of the setting
from a previous policy application.
To see how setting overwriting works, consider the following examples:
Jim is a member of the local Administrator account and has a user-specific GPO. When Jim logs on to his computer, Local Group Policy is applied, then Administrators Local Group Policy, and then his User-specific Local Group Policy. Thus, if Local Group Policy disabled a setting, then Administrators Local Group Policy enabled the setting, and then User-specific Local Group Policy disabled the setting, the setting would be disabled.
Tina is not a member of the local Administrator account and has a user-specific GPO. When Tina logs on to her computer, Local Group Policy is applied, then Non-Administrators Local Group Policy, and then her User-specific Local Group Policy. Thus, if a setting is disabled in Local Group Policy, then enabled in Non-Administrators Local Group Policy, and then not configured in User-specific Local Group Policy, the setting would be enabled.
As you can see, using multiple LGPOs in a standalone configuration allows you to control precisely how policy settings are applied to users based on their logon account and group membership. In a domain configuration, however, you might not want to use multiple LGPOs because in domains, most computers and users already have multiple GPOs applied to them, and adding multiple LGPOs to this already varied mix can make it confusing to manage Group Policy.
In a domain, computers apply local policy first and then domain policy. Because domain policy is applied last, domain policy settings overwrite any conflicting settings from local policy. Further, to simplify administration, domain administrators can disable processing of LGPOs on computers running Windows Vista by enabling the "Turn off Local Group Policy objects processing" policy setting in a domain GPO. In Group Policy, this setting is located under Computer Configuration\Administrative Templates\System\Group Policy.
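The precedence rule described above (later layers win, Not Configured leaves the earlier state untouched) is easy to get wrong when several LGPOs and a domain GPO overlap. The following PowerShell is an added example, not code from the book: it walks an ordered list of layers for a user and reports the final state, reproducing the Jim and Tina cases, and it checks whether a domain administrator has switched LGPO processing off on the local computer. The layer names are the ones used in this chapter; the registry value name `DisableLGPOProcessing` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System` is the value this policy setting is understood to write and is an assumption here, so verify it against your Group Policy reference before relying on it.

```powershell
# Added example (not from the book): simulate how Windows Vista resolves one
# policy setting across layered LGPOs. Later layers overwrite earlier ones;
# 'NotConfigured' leaves the state from the previous layer unchanged.

function Resolve-PolicySetting {
    param(
        # Ordered dictionary: layer name -> 'Enabled', 'Disabled' or 'NotConfigured',
        # in the order the layers are processed.
        [Parameter(Mandatory)][System.Collections.IDictionary]$Layers
    )
    $state = 'NotConfigured'   # nothing has touched the setting yet
    foreach ($layer in $Layers.Keys) {
        $value = $Layers[$layer]
        if ($value -eq 'NotConfigured') {
            Write-Verbose "$layer : Not Configured, state stays '$state'"
            continue
        }
        $state = $value          # last read, most current setting wins
        Write-Verbose "$layer : $value -> state is now '$state'"
    }
    return $state
}

# Which LGPO layers apply, in order, depends on local group membership and
# whether the computer is domain-joined (domain policy is processed last).
function Get-ProcessingOrder {
    param([bool]$IsLocalAdmin, [bool]$InDomain)
    $order = @('Local Group Policy')
    $groupLayer = if ($IsLocalAdmin) { 'Administrators Local Group Policy' }
                  else { 'Non-Administrators Local Group Policy' }
    $order += $groupLayer
    $order += 'User-specific Local Group Policy'
    if ($InDomain) { $order += 'Domain Group Policy' }
    return $order
}

# Reports whether "Turn off Local Group Policy objects processing" is in effect.
# Value name is assumed (DisableLGPOProcessing = 1); confirm in your ADMX reference.
function Test-LgpoProcessingDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name DisableLGPOProcessing -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableLGPOProcessing -eq 1)
}

# Jim (local administrator): Disabled -> Enabled -> Disabled   => Disabled
$jim = [ordered]@{
    'Local Group Policy'                = 'Disabled'
    'Administrators Local Group Policy' = 'Enabled'
    'User-specific Local Group Policy'  = 'Disabled'
}
# Tina (not a local administrator): Disabled -> Enabled -> NotConfigured => Enabled
$tina = [ordered]@{
    'Local Group Policy'                    = 'Disabled'
    'Non-Administrators Local Group Policy' = 'Enabled'
    'User-specific Local Group Policy'      = 'NotConfigured'
}

"Jim's layers:  $((Get-ProcessingOrder -IsLocalAdmin $true  -InDomain $false) -join ' -> ')"
"Jim result:    $(Resolve-PolicySetting -Layers $jim)"
"Tina's layers: $((Get-ProcessingOrder -IsLocalAdmin $false -InDomain $false) -join ' -> ')"
"Tina result:   $(Resolve-PolicySetting -Layers $tina)"
"LGPO processing disabled by domain policy: $(Test-LgpoProcessingDisabled)"
```

Run it with `-Verbose` on `Resolve-PolicySetting` to see each layer's contribution; when troubleshooting a setting that "should" be off, the verbose trail shows which layer last set it, which is the same question `gpresult` answers for real policy.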
Creating Multiple Local Group Policy Objects
Using the GPOE, you can easily create and manage multiple LGPOs. By default, the
only local policy object that exists on a computer is the LGPO. You can, however,
create other local objects as necessary. Other objects are created when you access
them in the GPOE.
Accessing the top-level LGPO
The way you create or access a particular LGPO depends on the object you want to
work with. You can access the top-level LGPO by completing the following steps:
1. Log on to a computer running Windows Vista with an administrative user
account.
2. Click Start, type mmc into the Search box, and then press Enter.
3. In the Microsoft Management Console, click File → Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and
then click Add.
5. In the Select Group Policy Object dialog box, click Finish because this is the
default object.
6. Click OK.
You can use the same Microsoft Management Console to manage
more than one LGPO. In the Add or Remove Snap-ins dialog box, you
simply add one instance of the GPOE for each object you want to
work with.
Accessing the Administrators Local Group Object or the Non-Administrators Local Group Object
You can create or access the Administrators Local Group Object or the Non-
Administrators Local Group Object by completing the following steps:
1. Log on to a computer running Windows Vista with an administrative user
account.
2. Click Start, type mmc into the Search box, and then press Enter.
3. In the Microsoft Management Console, click File → Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and
then click Add.
5. In the Select Group Policy Object dialog box, click Browse.
6. In the Browse for a Group Policy Object dialog box, click the Users tab, as
shown in Figure 26-3. Note that the entries in the Group Policy Object Exists
column specify whether a particular local policy object has already been created.
7. Select Administrators to create or access the Administrators Local Group Object.
Select Non-Administrators to create or access the Non-Administrators Local
Group Object.
8. Click OK.
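The Browse dialog's Group Policy Object Exists column tells you which local objects have been created, but on a fleet of machines you will want the same answer without clicking through the GPOE. The following PowerShell is an added example, not code from the book: it inventories the local Group Policy objects on a computer from their on-disk storage. It assumes the standard layout, with the top-level LGPO under `%SystemRoot%\System32\GroupPolicy` and the Administrators, Non-Administrators and user-specific objects under `%SystemRoot%\System32\GroupPolicyUsers\<SID>` (the well-known SIDs S-1-5-32-544 and S-1-5-32-545 for the two built-in groups, and the user's own SID for a user-specific object).

```powershell
# Added example (not from the book): list which local Group Policy objects
# exist on this computer by inspecting where Windows stores them.
# Assumed layout under %SystemRoot%\System32:
#   GroupPolicy                    -> the default (top-level) LGPO
#   GroupPolicyUsers\S-1-5-32-544  -> Administrators Local Group Policy
#   GroupPolicyUsers\S-1-5-32-545  -> Non-Administrators Local Group Policy
#   GroupPolicyUsers\<user SID>    -> a user-specific Local Group Policy

function Get-LocalGpoInventory {
    [CmdletBinding()]
    param()
    $root    = Join-Path $env:SystemRoot 'System32'
    $results = @()

    # The top-level LGPO folder; missing on a freshly built machine is possible.
    $topLevel = Join-Path $root 'GroupPolicy'
    $exists   = Test-Path $topLevel
    $results += [pscustomobject]@{
        Object   = 'Local Group Policy (top-level)'
        Path     = $topLevel
        Exists   = $exists
        Modified = if ($exists) { (Get-Item $topLevel).LastWriteTime } else { $null }
    }

    # Each subfolder of GroupPolicyUsers is one group or user-specific object,
    # named by SID. These only exist once someone opened them in the GPOE.
    $usersDir = Join-Path $root 'GroupPolicyUsers'
    if (Test-Path $usersDir) {
        foreach ($dir in Get-ChildItem -Path $usersDir -Directory) {
            $sid   = $dir.Name
            $label = switch ($sid) {
                'S-1-5-32-544' { 'Administrators Local Group Policy' }
                'S-1-5-32-545' { 'Non-Administrators Local Group Policy' }
                default {
                    # Resolve a user SID to an account name; a SID that no longer
                    # resolves (deleted account) is worth a second look.
                    try {
                        $acct = ([System.Security.Principal.SecurityIdentifier]$sid).
                                    Translate([System.Security.Principal.NTAccount]).Value
                        "User-specific Local Group Policy ($acct)"
                    } catch {
                        "User-specific Local Group Policy ($sid, unresolved SID)"
                    }
                }
            }
            $results += [pscustomobject]@{
                Object   = $label
                Path     = $dir.FullName
                Exists   = $true
                Modified = $dir.LastWriteTime
            }
        }
    }
    return $results
}

Get-LocalGpoInventory | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the System32 folders are readable. The Modified timestamps give a quick audit trail: a user-specific object with a recent change, or one whose SID no longer resolves to an account, should match a known administrative action, and the objects found here are exactly the ones a domain GPO with "Turn off Local Group Policy objects processing" enabled would suppress.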
