Thursday, December 3, 2009

Configuring multiple local GPOs in Windows Vista, Windows 7, and Windows Server 2008 R2

Ladies and gentlemen, I will show a cool feature we have had since Windows Vista: the ability to create multiple local Group Policy objects.

In earlier versions of the operating system (Windows 2000, 2003 and XP) we had only one layer: a single local GPO applied to all local users and groups on the machine. With Windows Vista and beyond, we have three layers of local GPOs to work with:

  1. In the first layer, we have the default local GPO, where we configure both user and computer settings. It is applied to everyone, including local administrators.
  2. In the second layer, we have a GPO that is applied to users in the Administrators group and a GPO that is applied to common (non-administrator) users. Neither of these local Group Policy objects contains computer settings.
  3. The third layer contains the GPO(s) applied to a specific user. In those Group Policy objects we can configure user settings only.

In case of conflict between the GPOs, the last GPO applied prevails. The order in which they are applied is: the default local GPO (1st layer), then the GPO for administrators or non-administrators (2nd layer), and finally the GPO for the specific user (3rd layer).

For a computer in a domain, the site, domain, and OU GPOs prevail over the local GPOs. You can also turn off the processing of local GPOs by configuring the option "Turn off Local Group Policy objects processing" under Computer Configuration \ Administrative Templates \ System \ Group Policy in the domain GPO.

To demonstrate how to create and apply these GPOs, I use a computer with Windows 7 installed. The first step is to create a common user, as shown in the image …
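To check which of the three layers exist on a machine without opening the MMC, the script below lists them in the order they are applied and warns if local GPO processing has been turned off. It is an added example, not part of the original post, and its function names are hypothetical. It assumes PowerShell 3.0 or later in an elevated 64-bit session, the standard storage folders under System32, and that the "Turn off Local Group Policy objects processing" setting is stored as the DisableLGPOProcessing registry value.

```powershell
# Added example. Assumes the standard on-disk layout of local GPOs:
#   layer 1      -> %SystemRoot%\System32\GroupPolicy
#   layers 2, 3  -> %SystemRoot%\System32\GroupPolicyUsers\<SID>
$WellKnown = @{
    'S-1-5-32-544' = 'Administrators'       # layer 2
    'S-1-5-32-545' = 'Non-Administrators'   # layer 2
}

function Get-LocalGpoLayer {
    param([string]$SystemRoot = $env:SystemRoot)
    $found = @()
    $default = Join-Path $SystemRoot 'System32\GroupPolicy'
    if (Test-Path -LiteralPath $default) {
        $found += [pscustomobject]@{ Layer = 1; AppliesTo = 'Everyone (default local GPO)'; Path = $default }
    }
    $usersRoot = Join-Path $SystemRoot 'System32\GroupPolicyUsers'
    if (Test-Path -LiteralPath $usersRoot) {
        # The folders are hidden, hence -Force. Each folder is named after a SID.
        foreach ($dir in Get-ChildItem -LiteralPath $usersRoot -Force | Where-Object { $_.PSIsContainer }) {
            if ($WellKnown.ContainsKey($dir.Name)) {
                $layer = 2; $who = $WellKnown[$dir.Name]
            } else {
                $layer = 3   # any other SID is a user-specific GPO
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                    $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $who = "$($dir.Name) (unresolved)" }   # deleted account or stray folder
            }
            $found += [pscustomobject]@{ Layer = $layer; AppliesTo = $who; Path = $dir.FullName }
        }
    }
    foreach ($gpo in $found) {
        # Count the Registry.pol files that hold the administrative template settings.
        $pol = @(Get-ChildItem -LiteralPath $gpo.Path -Recurse -Force -Filter Registry.pol -ErrorAction SilentlyContinue)
        $gpo | Add-Member -NotePropertyName RegistryPol -NotePropertyValue $pol.Count
    }
    $found | Sort-Object Layer   # application order; on conflict the last layer wins
}

function Test-LocalGpoProcessingDisabled {
    # Assumed registry value behind "Turn off Local Group Policy objects processing".
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $v = Get-ItemProperty -Path $key -Name DisableLGPOProcessing -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableLGPOProcessing -eq 1)
}

Get-LocalGpoLayer | Format-Table -AutoSize -Wrap
if (Test-LocalGpoProcessingDisabled) { Write-Warning 'Local GPO processing is turned off by policy.' }
```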

image

… so we will work with UserAdmin (local administrator) and UserComum (common user). The next step is to create a custom MMC console, where we need to add a "Group Policy Object Editor" snap-in for each GPO created. To do this, click Start, type MMC.exe in Search, and click OK.

In the Console1 window, click File, and then click Add or Remove Snap-in. In the list of available snap-ins, click "Group Policy Object Editor", and then click Add. Choose the Local Computer object. Click Finish.

image

Again, click File, and then click Add or Remove Snap-in. In the list of available snap-ins, click "Group Policy Object Editor", then click Add and click Browse. Click the Users tab, click the Non-Administrators group … click OK and then Finish.

image

Again, click File, and then click Add or Remove Snap-in. In the list of available snap-ins, click "Group Policy Object Editor", then click Add and click Browse. Click the Users tab, click the Administrators group … click OK and then Finish.

image

Repeat the same procedure, selecting the UserAdmin object …

image

Click File, click Save, and save the MMC console with a name of your choice …

image

Now we must set up the group policies according to our needs. For example, for common users I will configure a policy that makes the "All Programs" option disappear from the Start menu …

image

Logging in with a common user, you can see that the policy was applied to the user.

image

As another example, for administrators I set up a GPO so that the Documents option does not appear …

image

Logging in with a user who is a member of the Administrators group, the GPO is applied … Note that the "All Programs" option appears for this user, because it was not customized in this GPO …

image

… I customize the user GPO for UserAdmin. In this policy I will disable the Logoff option and purposely create a conflict, contrary to the GPO applied to the Administrators group.

image

Logging in with the user, we can see that the Logoff option is disabled and that Documents appears for the user, proving the precedence of the user-specific GPO (3rd layer).

image

If you want to remove the policies, follow the same process as for adding a new object … click Start, type MMC.exe in Search, and click OK. Then click File, and then click Add or Remove Snap-in. In the list of available snap-ins, click "Group Policy Object Editor", then click Add and click Browse. Click the Users tab, select the user or group whose policy you want to delete, right-click it and choose the option to remove the GPO, as pictured below …

image

I hope this is useful!
