Local Group Policy (Group Policy Infrastructure)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can set local Group Policy for any computer, whether or not it participates in a domain. To set local Group Policy, you use the Group Policy Object Editor focused on the local computer. You can access the Group Policy Object Editor tool by typing mmc at the command prompt, adding the Group Policy Object Editor snap-in to the MMC console, and focusing the Group Policy Object Editor on the local computer. Group Policy is processed in this order: local GPO first, followed by Active Directory linked GPOs (site, domain, organizational unit, and any nested organizational units).

Local Group Policy Object

On all computers, a Local GPO exists; this is just the Group Policy template portion. The location of the Local GPO is %SystemRoot%\System32\GroupPolicy. Each Group Policy extension snap-in queries the Group Policy engine to get the GPO type, and then decides whether it should be displayed.
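The following script is an added example and is not part of the original article. It inspects the Local GPO template folder named above (gpt.ini, which carries the version counter the Group Policy engine compares on each refresh, and the Machine\Registry.pol and User\Registry.pol files that hold Administrative Templates settings) and launches the Group Policy Object Editor focused on the local computer. It assumes Windows PowerShell 3.0 or later on a Windows host and that gpedit.msc is present; the function names are the example's own.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 3.0+.

function Get-LocalGpoInfo {
    $gpoPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    if (-not (Test-Path $gpoPath)) {
        Write-Warning "Local GPO folder not found at $gpoPath"
        return
    }

    # gpt.ini holds a single Version counter. The low 16 bits count computer-side
    # changes and the high 16 bits count user-side changes.
    $version = $computerVersion = $userVersion = $null
    $gptIni = Join-Path $gpoPath 'gpt.ini'
    if (Test-Path $gptIni) {
        $versionLine = Get-Content $gptIni |
            Where-Object { $_ -match '^Version=\d+' } |
            Select-Object -First 1
        if ($versionLine) {
            $version         = [int]($versionLine -replace '^Version=', '')
            $computerVersion = $version -band 0xFFFF
            $userVersion     = [math]::Floor($version / 65536)
        }
    }

    # Registry.pol under Machine\ and User\ stores the Administrative Templates settings.
    $parts = foreach ($side in 'Machine', 'User') {
        $pol       = Join-Path $gpoPath "$side\Registry.pol"
        $exists    = Test-Path $pol
        $lastWrite = $null
        if ($exists) { $lastWrite = (Get-Item $pol).LastWriteTime }
        [pscustomobject]@{
            Side        = $side
            RegistryPol = $pol
            Exists      = $exists
            LastWrite   = $lastWrite
        }
    }

    [pscustomobject]@{
        Path            = $gpoPath
        Version         = $version
        ComputerVersion = $computerVersion
        UserVersion     = $userVersion
        Parts           = $parts
    }
}

# Opens the Group Policy Object Editor already focused on the Local GPO. This is the
# same console you get from mmc + Group Policy Object Editor snap-in + Local Computer.
function Start-LocalGpoEditor {
    Start-Process -FilePath 'mmc.exe' -ArgumentList 'gpedit.msc'
}

Get-LocalGpoInfo | Format-List
```

A gpt.ini that is missing, or a Registry.pol that does not exist for one side, simply means no settings of that kind have been written to the Local GPO yet; the function reports those as null rather than failing.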

The following table indicates whether or not the Group Policy Object Editor extensions open when the Group Policy Object Editor is focused on the Local GPO.

Group Policy Object Editor extension   Loaded when Group Policy Object Editor focused on Local GPO
Security Settings                      Yes
Administrative Templates               Yes
Software Installation                  No
Scripts                                Yes
Folder Redirection                     No
Internet Explorer Maintenance          Yes

Local Group Policy Object and DACLs

There is no Apply Group Policy ACE for the Local GPO; therefore, if you have Read access to the Local GPO, the Local GPO applies to you. The implication is that it is difficult to choose whom the Local GPO should apply to (for example, the Local GPO also applies to the administrator). Everyone with Read access to the Local GPO who logs on gets the Local GPO. If this is not what you want, a work-around exists: set the Read ACE to Deny for a specific user, and the Local GPO no longer applies to that user. This is useful for administrators who do not want to be subject to the Local GPO settings. However, without Read access, those administrators cannot see the contents of the Local GPO.
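The work-around above, written as an added example that is not part of the original article: it places a Deny Read ACE for one account on the Local GPO folder, lists which accounts already carry such a Deny entry, and removes the entry again. It assumes Windows PowerShell run from an elevated prompt on the computer in question; the account name shown is a placeholder, and the function names are the example's own.

```powershell
# Added example (not from the original article). Run elevated; the account is a placeholder.

$LocalGpoPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Report every Deny ACE on the Local GPO folder that blocks reading, so you can see
# which accounts are currently excluded from the Local GPO.
function Get-LocalGpoDenyReadEntries {
    $acl = Get-Acl -Path $LocalGpoPath
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Exclude one account from the Local GPO by denying Read on the folder. The ACE is
# inherited by subfolders and files so the Machine\ and User\ parts are covered too.
function Add-LocalGpoDenyRead {
    param([Parameter(Mandatory = $true)][string]$Account)   # e.g. 'CONTOSO\SomeAdmin' (placeholder)

    $acl  = Get-Acl -Path $LocalGpoPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LocalGpoPath -AclObject $acl
}

# Undo the exclusion: drop every Deny ACE on the folder that names the account.
function Remove-LocalGpoDenyRead {
    param([Parameter(Mandatory = $true)][string]$Account)

    $acl = Get-Acl -Path $LocalGpoPath
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Account } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $LocalGpoPath -AclObject $acl
}

Get-LocalGpoDenyReadEntries
```

Because a Deny ACE wins over any Allow ACE, the denied account also loses the ability to open the Local GPO in the Group Policy Object Editor, exactly as the paragraph above notes; keep Remove-LocalGpoDenyRead at hand (run as a different administrator) for when that account needs to edit the Local GPO again.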

Viewing Policy Settings When the Group Policy Object Editor Is Focused on the Local Computer

When administrators run the Group Policy Object Editor focused on a local computer, it shows the information in the Local GPO, not the cumulative effect of what has been applied to the computer or user. For Windows Server 2003, it shows the settings that a local administrator has set for that computer and all users of that computer. In the evaluation process, when the computer is joined to a domain, all of these policy settings are subject to being overwritten by domain-based policy (any policy set in the site, domain, or organizational unit).

Local Group Policy Object Processing

When a computer is joined to a domain with Active Directory and Group Policy implemented, a local Group Policy object is processed. Note that Local GPO policy is processed even when the Block Policy Inheritance option has been specified.

Local Group Policy objects are always processed first, and then domain policy is processed. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, Local GPO policy is applied.
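To see the difference between what the editor shows (the Local GPO alone) and what is actually in effect after domain policy has been processed, the following added example, which is not part of the original article, parses the "Applied Group Policy Objects" block that gpresult prints. It assumes Windows PowerShell and gpresult.exe with the English output format, in which that heading is followed by an underline and then one GPO display name per line up to the first blank line; the function names are the example's own.

```powershell
# Added example (not from the original article). Assumes gpresult.exe with English output.

function Get-AppliedGpoNames {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')

    $output    = & "$env:SystemRoot\System32\gpresult.exe" "/scope:$Scope" /v 2>&1
    $names     = @()
    $inSection = $false
    foreach ($line in $output) {
        $text = [string]$line
        if (-not $inSection) {
            if ($text -match '^\s*Applied Group Policy Objects\s*$') { $inSection = $true }
            continue
        }
        if ($text -match '^\s*-+\s*$') { continue }   # underline beneath the heading
        if ($text -match '^\s*$')      { break }      # blank line ends the block
        $names += $text.Trim()
    }
    return $names
}

# Summarise whether the Local GPO was processed and whether any domain GPOs were
# applied on top of it (in which case conflicting Local GPO settings lose).
function Get-LocalVersusDomainPolicy {
    $applied    = @(Get-AppliedGpoNames -Scope Computer)
    $domainGpos = @($applied | Where-Object { $_ -ne 'Local Group Policy' -and $_ -ne 'N/A' })

    $note = 'No domain GPOs reported as applied; the Local GPO is the effective policy for this computer.'
    if ($domainGpos.Count -gt 0) {
        $note = 'Domain GPOs are applied after the Local GPO; where they conflict, the domain setting prevails.'
    }

    [pscustomobject]@{
        LocalGpoApplied   = ($applied -contains 'Local Group Policy')
        DomainGposApplied = $domainGpos.Count
        DomainGpoNames    = $domainGpos
        Note              = $note
    }
}

Get-LocalVersusDomainPolicy | Format-List
```

Running it on a domain-joined computer that has been disconnected from the network illustrates the point of the next section: the list of applied GPOs does not change until the computer reconnects and the domain hierarchy can be evaluated again.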

Modifying the Local GPO on a Domain-based Computer

If you modify the Local Group Policy object for a computer that is participating in a domain while the computer is disconnected from the network, the change is applied only after the computer is reconnected to the network. This is caused by two facts: the entire domain hierarchy must first be evaluated to find the resultant set of policy settings that apply to the computer and domain user, and domain-based Group Policy settings always take precedence over local Group Policy settings. Therefore, the computer can use only the existing policy settings (no new policy changes can be evaluated) until the computer is reconnected to the network.