Group Policy Tip: Local GPOs…Do they matter?
I know lots of people who used them, then decided to dump ‘em.. only to begin recently using them again.
What gives?
Let’s go back.. way back.. to a time you may not remember. That’s right: a time when your organization DIDN’T have AD. That’s right.
Before Caring about AD.
Or, BC AD.
So, when your world was BC AD, you couldn’t use AD-based GPOs to do all the dirty work for you. That’s because you didn’t have AD. (I do realize that many people grew up only starting with Windows 2000 and newer. And for that, be happy my friends.)
Anyhoo.. that’s when LGPOs were handy. LGPOs, or Local Group Policy Objects, were great, because you got the power of Group Policy, but in a one-on-one sort of way. LGPOs mean that you walk up to a machine, type “gpedit.msc” and edit the Local Group Policy.
When you do — EVERYONE on that machine is affected. Sounds great! Let’s “Prevent access to the Control Panel” for everyone and give everyone the same “Active Desktop Wallpaper.” Whee.
Great. Until you realize that when YOU want to log on, you’re stuck without Control Panel and can’t change the desktop background to that Porsche 911 Carrera you always wanted.
So, Vista has a new trick up its sleeve called MLGPOs, or Multiple Local GPOs. I cover MLGPOs in huge detail in the updated Green book starting on page 14. But, here’s the summary. There are now THREE levels of Local GPOs on a Vista (or Windows Server 2008, for that matter) machine.
- Level 1: Affects everyone
- Level 2A: Affects the person if they’re a Joe User
- Level 2B: Affects the person if they’re a local Admin
- Level 3: Affects a specific person based on username
So, you see there are three levels. But, there are four lines listed above, because a person can only be a USER *OR* an Admin. Not both.
Therefore, MLGPOs affect “Everyone First” then get more specific as they apply DOWN toward the most specific — the specific person based on username.
Now, if people stopped using LGPOs, do MLGPOs matter?
Yep.
Here’s a scenario: imagine you wanted to implement a baseline of settings on your machine. Then, once you make contact and join a domain, you want the AD-based GPOs to override the local settings.
Neat! So now if your machine gets “lost in transit” between your “build shop in the basement” and its final destination in Kenya, you’ve at least got some baseline settings built-in. And, provided you set up the AD-based GPOs perfectly, you’ll be able to “revert” the LGPO settings on the machine.
But wait. I have an even better idea. There’s a new policy setting — just for Vista. And it’s called “Turn Off Local Group Policy Objects Processing.” My suggestion would be to take a GPO and link it to a place in AD where your computers join after the machine makes it to Kenya.
So, the machine makes it to Kenya, safe and sound, but full of Local GPO settings that would usually affect everyone on the machine.
But, now that you’ve set up that special policy setting in the domain, you get a little magic.
The machine joins the domain, and <poof>. LGPOs are immediately neutralized the moment the machine is joined.
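As an added example that is not part of the original post (or the Green book): a PowerShell audit that reports which of the MLGPO layers above are configured on a machine, and whether the domain-delivered “Turn Off Local Group Policy Objects Processing” setting has actually neutralized them. It assumes the layer folders under System32\GroupPolicy and System32\GroupPolicyUsers\<SID> and the DisableLGPOProcessing registry value that the policy writes; both are assumptions, not something the post states.

```powershell
# Added example (not from the original post): audit MLGPO layers and the
# "Turn off Local Group Policy Objects processing" state on this machine.
# Assumed layout: Level 1 lives in System32\GroupPolicy; Levels 2A/2B in
# System32\GroupPolicyUsers\<well-known group SID>; Level 3 in one folder per user SID.
# Assumed policy storage: HKLM\SOFTWARE\Policies\Microsoft\Windows\System\DisableLGPOProcessing = 1.

$sys = $env:SystemRoot
$userRoot = "$sys\System32\GroupPolicyUsers"
$layers = @(
    @{ Level = '1  Everyone';           Path = "$sys\System32\GroupPolicy" }
    @{ Level = '2A Non-administrators'; Path = "$userRoot\S-1-5-32-545" }
    @{ Level = '2B Administrators';     Path = "$userRoot\S-1-5-32-544" }
)

# Level 3: any per-user folder that is not one of the two well-known group SIDs
if (Test-Path $userRoot) {
    Get-ChildItem $userRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        if ('S-1-5-32-544', 'S-1-5-32-545' -notcontains $_.Name) {
            # Resolve the SID to a name where possible; fall back to the raw SID
            $name = try {
                (New-Object Security.Principal.SecurityIdentifier($_.Name)).Translate([Security.Principal.NTAccount]).Value
            } catch { $_.Name }
            $layers += @{ Level = "3  User $name"; Path = $_.FullName }
        }
    }
}

# A layer is "configured" when it carries at least one registry.pol (Administrative Template settings)
foreach ($l in $layers) {
    $pols = @()
    if (Test-Path $l.Path) {
        $pols = @(Get-ChildItem $l.Path -Recurse -Filter registry.pol -ErrorAction SilentlyContinue)
    }
    $state = if ($pols.Count -gt 0) { "configured ($($pols.Count) registry.pol)" } else { 'not configured' }
    '{0,-30} {1}' -f $l.Level, $state
}

# Processing order is Level 1 -> 2 -> 3, then site -> domain -> OU; the last writer wins.
# Without the disable policy, a domain GPO only overrides the LGPO values it actually sets,
# so any LGPO setting the domain leaves untouched keeps applying.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$val = (Get-ItemProperty -Path $key -Name DisableLGPOProcessing -ErrorAction SilentlyContinue).DisableLGPOProcessing
if ($val -eq 1) {
    'Turn off Local Group Policy Objects processing: ENABLED (all LGPO layers above are ignored)'
} else {
    'Turn off Local Group Policy Objects processing: not set (LGPO layers still apply unless a domain GPO overrides each value)'
}
```

Run it elevated after the machine has joined the domain and refreshed policy (gpupdate), since the disable setting itself arrives via the domain GPO and does nothing on a machine that never joins.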
Let me know what you think in the comments.
—
Special Assignment for those who want “Extra Credit”
I’m working on a newsletter about Kiosks. You know what I mean; those “locked down” computers that people walk up to in order to check their email, surf the web or run just one program.
If you feel you’ve got it “pretty much down to a science” would you mind shooting me an email explaining what you did? I have some ideas, of course, but would like to see what some of my rockstars are doing too.
Did you use Policy? Preferences? Registry punches? Scripts? Your own shell? Something else?
I’d like to see, really, what you did.
So, maybe the best way to send me stuff to test is to backup some GPOs you’re using and send them over.
And, if you’re doing something special with scripts or non-GPO-like items, I’d love to hear about that as well. So, in short: if you’re “kiosking something” let me know, and help me “re-create it.” I won’t use your name unless you want me to, and nothing from your company will be published.
People whose info I use will get a free GPanswers.com mug. Now, C’mon! That’s incentive!
Keep up with Jeremy at his site http://www.GPanswers.com
September 10, 2008 - 9:18 am
I would first like to say that I enjoy your site very much. About the kiosk software, we use KioWare. It is easy to deploy, just don’t change any hardware on the machine. I initially tried to lock down Firefox, but it seemed to be too much work for as little as it paid off. For the experienced computer user, there is always a way to get around those road blocks (e.g. calculator trick).
September 10, 2008 - 10:12 am
I use KioWare as well; we used to do the whole IE 5 in kiosk mode running inside a terminal that would only open to IE 5.
It wasn’t fun.
September 11, 2008 - 8:48 am
It’s on my to-do list, but I am thinking of using Windows SteadyState.
September 11, 2008 - 3:37 pm
I use all group policy with content filter from our firewall.
Basically locked down everything via GP. Only have IE on the desktop and on the start menu.
(You will have to delete everything that can’t be done in GP in their profile directory.)
Made it so that IE can’t be closed and that IE opens up on start up.
We have a script that makes it so that if you log off it logs right back in to that same user. To log in as an admin you hold down Shift, then press log off, and keep holding Shift till the login screen comes on.
You can get rid of the IE7 search bar by a reg edit that can be given out via group policy.
I also deleted all the bad icons in IE.
You can also use kiosk mode for IE, but your website must be usable without the back and forward buttons.