Local Group Policy Object

Local Group Policy objects exist on stand-alone computers; however, a local Group Policy object consists of only the Group Policy template portion of a Group Policy object. The location of the local Group Policy object is %SystemRoot%\System32\GroupPolicy. Each Group Policy extension snap-in queries Group Policy to receive the Group Policy object type (local or Active Directory–based), and then determines whether it should be displayed in the console.

Table 22.6 indicates whether or not each Group Policy snap-in extension opens when the Group Policy snap-in is focused on a local Group Policy object.

Table 22.6 When Group Policy Snap-in Loads

| Group Policy snap-in extension | Loads when Group Policy snap-in focused on local Group Policy object |
| --- | --- |
| Security Settings | Yes |
| Administrative Templates | Yes |
| Software Installation | No |
| Scripts | Yes |
| Internet Explorer Maintenance | Yes |
| Remote Installation Services | No |
| Folder Redirection | No |

Starting Group Policy on Windows 2000 Professional

Windows 2000 Professional does not provide a preconfigured MMC console for accessing non-local Group Policy directly, except for Security Settings, which can be accessed from Control Panel. However, you can create your own custom Group Policy console by taking the following steps:

To start the Group Policy snap-in on Windows 2000 Professional

  1. Click Start, click Run, type MMC, and then click OK.

  2. In the MMC window, on the Console menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Add Snap-in dialog box, click Group Policy, and then click Add. The Select Group Policy object dialog box appears.

  5. Click Local Computer to edit the local Group Policy object, or Browse to find the Group Policy object that you want to use.

  6. Click Finish.

  7. Click OK. The Group Policy snap-in opens focused on the specified Group Policy object.

Note:

To use the Group Policy snap-in focused on a remote computer, you must have administrative rights on the target computer in addition to appropriate permission to use the snap-in.

Using the Group Policy Snap-in Focused on a Remote Computer

The Group Policy object seen at the root node of the Group Policy console is said to have "focus." The console can be focused on any computer's local Group Policy object, or any Active Directory–based Group Policy object.

Note:

Focusing the Group Policy snap-in, whether on a remote computer or the local computer, or on an Active Directory–based Group Policy object, must be done when the extension is added to an MMC console file, or as a command line option. The focus cannot be changed while the Group Policy console is in use.

To add Group Policy to an MMC console focused on a specific remote computer

  1. Click Start, click Run, and type MMC. Or you can open an existing saved console such as Console1.mmc.

  2. In the MMC window, on the Console menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Add Snap-in dialog box, click Group Policy, and then click Add. By default this is set to open on the local computer.

  5. Click Browse.

  6. You can now select a Group Policy object from Active Directory or, as in this case, select the Computer tab.

  7. Select Another Computer.

  8. Either type in the computer name or click Browse to locate it.

  9. Select the domains to which you have access in the Look in drop-down list.

The supported computer name formats are:

  • NetBIOS names; for example:

ThisComputer

  • DNS-style; for example:

ThisComputer.Reskit.com

You can start the Group Policy snap-in with the following two command line switches:

  • Specific computer

/gpcomputer:<machinename>

Where <machinename> can be either a NetBIOS or a DNS-style name.

For example:

gpedit.msc /gpcomputer:"ThisComputer"

or

gpedit.msc /gpcomputer:"ThisComputer.Reskit.com"

Note that there is no space following /gpcomputer: and that the quotes are necessary, not optional.

  • Specific ADSI path

/gpobject:"<ADSI path>"

For example:

/gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Reskit,DC=com"

in which the GUID for the Group Policy object is a made-up example.

For these command line options to function with a saved console file, you must select the check box titled "Allow the focus of the Group Policy snap-ins to be changed when launching from the command line." This only applies if you save the console. The Gpedit.msc file supplied with Windows 2000 has this option enabled.
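The two switches described above, as an added PowerShell example that is not part of the original chapter. The helper name New-GpeditCommandLine and its validation patterns are assumptions made here (the ADSI pattern is deliberately strict and modeled on the example path above); the function rejects any value that could break out of the required quotes and returns the command line in the form shown above, with no space after the colon.

```powershell
# Added example: builds the gpedit.msc command lines described in this section.
# New-GpeditCommandLine is a hypothetical helper name, not a Windows cmdlet.
function New-GpeditCommandLine {
    [CmdletBinding(DefaultParameterSetName = 'Computer')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Computer')]
        [string]$ComputerName,

        [Parameter(Mandatory, ParameterSetName = 'Object')]
        [string]$AdsiPath
    )

    if ($PSCmdlet.ParameterSetName -eq 'Computer') {
        # NetBIOS name: 1-15 letters, digits or hyphens (conservative, assumed rule).
        $netbios = '^[A-Za-z0-9-]{1,15}$'
        # DNS-style name: two or more dot-separated labels of 1-63 characters.
        $dns = '^(?=.{1,255}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$'
        if ($ComputerName -notmatch $netbios -and $ComputerName -notmatch $dns) {
            throw "Not a NetBIOS or DNS-style computer name: '$ComputerName'"
        }
        # No space after the colon, and the quotes are always emitted.
        return 'gpedit.msc /gpcomputer:"{0}"' -f $ComputerName
    }

    # ADSI path: LDAP://CN={GUID},CN=Policies,CN=System,DC=...
    # (assumed shape, taken from the example path in this section).
    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $pattern = "^LDAP://CN=$guid,CN=Policies,CN=System(,DC=[A-Za-z0-9-]+)+$"
    if ($AdsiPath -notmatch $pattern) {
        throw "Not a Group Policy object ADSI path: '$AdsiPath'"
    }
    return 'gpedit.msc /gpobject:"{0}"' -f $AdsiPath
}

# Sample inputs reuse the example names from this section.
New-GpeditCommandLine -ComputerName 'ThisComputer'
New-GpeditCommandLine -ComputerName 'ThisComputer.Reskit.com'
New-GpeditCommandLine -AdsiPath 'LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Reskit,DC=com'

# A value containing a quote or a space is rejected instead of being passed on.
try { New-GpeditCommandLine -ComputerName 'This Computer" /x' }
catch { Write-Warning $_.Exception.Message }
```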

Note:

The Security Settings extension does not support remote management for local policy in Windows 2000.

Local Group Policy Object Processing

The local Group Policy object is processed even when the Block Policy Inheritance option has been specified on a domain or organizational unit.

Local Group Policy objects are always processed first, and then non-local (that is, Active Directory–based) policy is processed. If a computer is participating in a domain, and a conflict occurs between non-local and local computer policy, then by default, non-local policy prevails by overwriting local policy. If a computer withdraws from a domain, local Group Policy object policy settings are still applied and assume greater importance because they can no longer be overwritten.

If the Computer Account object and User Account object are both managed by Windows NT 4.0 domain controllers and are therefore not in Active Directory, then no local Group Policy object will be processed. For details about other interoperability situations that can arise during migration, see "Migration Issues Pertaining to Group Policy" later in this chapter.