Configuring Group Policy Settings

Applies To: Windows 7

Group Policy provides an infrastructure for managing computer and user settings in businesses. Administrators define Group Policy objects (GPOs) in Active Directory. Windows 7 applies the settings to computers each time they start or to users each time they log on. Group Policy refreshes GPOs at a regular interval.

Standard user accounts cannot change settings that administrators define in a GPO. For example, if Ben defines a setting that configures the Windows 7 desktop theme, users cannot change the theme. Windows 7 also supports a variety of settings that restrict users from certain parts of the user interface. Ben can prevent users from opening Control Panel, for example.

Windows SteadyState implements many of its features as Group Policy settings, and Windows 7 provides many more Group Policy settings than earlier versions of the Windows operating system. This makes it easy to replace Windows SteadyState with native Windows 7 features and free tools from Microsoft.

Note

Group Policy is enforceable only with standard user accounts. If you allow users to log on to their computers as administrators, they can change or remove Group Policy settings with minimal effort. However, Group Policy will reapply any settings that users change or remove at the next refresh interval.

The second document in this set, Steady State Reference Document, describes a large number of Group Policy settings that you can use to configure and restrict settings. To help you transition from Windows SteadyState to native Windows 7 features, it also identifies which Group Policy settings match which Windows SteadyState settings.

Because Ben’s shared computers are domain-joined, he can configure GPOs in Active Directory, and then apply those GPOs to multiple computers. The remainder of this section focuses on how to configure local Group Policy objects (LGPOs) on shared computers that are running Windows 7, replicating the way Windows SteadyState works. Local Group Policy objects are stored on individual computers whether or not they are part of an Active Directory environment.

To configure the LGPO

  1. On the shared computer, click Start, type group policy, and then click Edit group policy to open the Local Group Policy Editor.

  2. In the console tree (left pane), click the folder that contains the setting you want to configure, as shown in Figure 5.

  3. In the details pane (right pane), click the setting that you want to configure, and then click Action, Edit on the menu.

Figure 5  Configuring the LGPO

The local policy settings apply to the computer and to all users who use the computer. You can optionally configure multiple LGPOs to help better manage settings on shared computers. Multiple LGPOs are a collection of LGPOs that includes:

  • Administrators Local Group Policy. This LGPO applies user policy settings to members of the Administrators group.

  • Non-Administrators Local Group Policy. This LGPO applies user policy settings to users who are not included in the Administrators group.

  • User-Specific Local Group Policy. This LGPO applies user policy settings to a specific local user.

Note

Using multiple LGPOs has an advantage over configuring a single LGPO. The single LGPO applies settings to the computer and to all users who use the computer. So the restrictions in the LGPO apply to local administrators, and these restrictions can prevent administrators from maintaining the computer without first resetting the LGPO. Instead, you can configure restrictions by using the non-administrators LGPO. This leaves administrators free to maintain the computer while applying restrictions to standard users.

To configure multiple LGPOs

  1. Click Start, type mmc, and press ENTER to open the Microsoft Management Console.

  2. Click File, and then click Add/Remove Snap-in.

  3. In the Available Snap-ins list, click Group Policy Object Editor, and then click Add.

  4. In the Select Group Policy Object dialog box, click the Browse button.

  5. In the Browse for the Group Policy Object dialog box, click the Users tab, and then click the user or group for which you want to create or edit the local Group Policy settings.

  6. Click OK, click Finish, and then click OK.
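
To confirm which LGPO layers are actually configured on a shared computer after following the steps above, the following PowerShell inventory can be used. It is an added example, not part of the original document. It assumes the standard on-disk locations for local policy (the GroupPolicy and GroupPolicyUsers folders under System32) and the well-known SIDs of the built-in Administrators and Users groups, none of which are stated on this page.

```powershell
# Added example: inventory the local Group Policy layers on a shared computer.
# Run from an elevated PowerShell prompt; the policy folders are hidden and ACL-protected.
$system32 = Join-Path $env:SystemRoot 'System32'

# Well-known group SIDs that Windows uses as folder names for two of the layers.
$wellKnown = @{
    'S-1-5-32-544' = 'Administrators LGPO'
    'S-1-5-32-545' = 'Non-Administrators LGPO'
}

function Get-LayerStatus {
    param([string]$Layer, [string]$PolPath)
    # Registry.pol exists only once an Administrative Templates setting is configured.
    $file = Get-Item -LiteralPath $PolPath -Force -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Layer      = $Layer
        Configured = [bool]$file
        LastWrite  = $(if ($file) { $file.LastWriteTime })
        Path       = $PolPath
    }
}

function Get-LgpoInventory {
    # Single LGPO: applies to the computer and to every user, administrators included.
    Get-LayerStatus 'Local Computer Policy (computer settings)' (Join-Path $system32 'GroupPolicy\Machine\Registry.pol')
    Get-LayerStatus 'Local Computer Policy (user settings)' (Join-Path $system32 'GroupPolicy\User\Registry.pol')

    # Multiple LGPOs: one folder per SID, user settings only.
    $mlgpoRoot = Join-Path $system32 'GroupPolicyUsers'
    if (-not (Test-Path -LiteralPath $mlgpoRoot)) { return }
    foreach ($dir in Get-ChildItem -LiteralPath $mlgpoRoot -Force | Where-Object { $_.PSIsContainer }) {
        if ($wellKnown.ContainsKey($dir.Name)) {
            $label = $wellKnown[$dir.Name]
        } else {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                $label = 'User-Specific LGPO: ' + $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $label = 'User-Specific LGPO: unresolved ' + $dir.Name
            }
        }
        Get-LayerStatus $label (Join-Path $dir.FullName 'User\Registry.pol')
    }
}

Get-LgpoInventory | Select-Object Layer, Configured, LastWrite, Path | Format-Table -AutoSize
```

If user restrictions show up under Local Computer Policy (user settings) instead of the Non-Administrators LGPO, they also apply to local administrators, which is the situation the Note above describes. On 64-bit Windows, run this from 64-bit PowerShell so that System32 is not redirected.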