Two different types of policies
can be applied to Windows systems and Windows system user accounts:
local group policies and Active Directory group policies. Local group
policies exist on all Windows systems, but Active Directory group
policies are only available in an Active Directory forest. Until the
release of Windows Vista and Windows Server 2008, servers and
workstations could contain and apply only a single local computer and
user policy. This policy contained the settings that could be applied to
the local computer and the user objects to control the security and
configuration settings.
In many environments, usually
due to legacy or line-of-business application requirements, end users
were frequently granted local Administrators group membership on
workstations and essentially excluded from the application of many
security settings applied by both the local and group policies. End
users with local Administrators group membership have the ability to override settings and make
configuration changes that could compromise the security, or more
frequently, reduce the reliability of the system.
Starting with Windows Vista
and Windows Server 2008, administrators now have the ability to create
multiple local group policies. One of the new features is that specific
user group policies can be created for all users, for users who are not
administrators, and for users who are members of the local
Administrators group on the computers. This new feature can be
especially valuable for computers configured in workgroup or standalone
configurations to increase the security and reliability of the computer.
In domain configurations, computer security policies are usually
specified using group policies and applied to the Active Directory
computers.
Local Computer Policy
The default local
computer policy contains out-of-the-box policy settings, as shown in Figure 1, which are available to configure the
computer and user environment. This policy will be applied first for
both computer and user objects logging on to the workstation in
workgroups or domains.
Local User Policies for Non-Administrators and Administrators
Starting with Windows Vista and
Windows Server 2008, and continuing with Windows 7 and Windows Server
2008 R2, administrators now have the option to create multiple local
user group policies on a single machine. In previous versions, the
single local computer policy allowed administrators to apply only one
set of policy settings to every user logging on to a
workstation that is part of a workgroup. Now, workgroup computers and
domain computers can have additional policies applied to specific local
users. Also, policies can be applied to local computer administrators or
nonadministrators. This allows the workstation administrator to leave
the user section of the default local computer policy blank, and create a
more-restrictive policy for local users and a less-restrictive policy
for members of the local workstation Administrators security group.
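The layering described in this section can be audited on a machine with a short script. This is an added example, not the book's own code; it assumes an elevated PowerShell session and the MLGPO on-disk layout, with the default Local Computer Policy under %SystemRoot%\System32\GroupPolicy and each Administrators (S-1-5-32-544), Non-Administrators (S-1-5-32-545) or user-specific layer under %SystemRoot%\System32\GroupPolicyUsers\<SID>.

```powershell
# Added audit example (not from the book). Assumes an elevated session and the
# on-disk MLGPO layout: the default Local Computer Policy lives under
# %SystemRoot%\System32\GroupPolicy, and each Administrators, Non-Administrators
# or user-specific layer under %SystemRoot%\System32\GroupPolicyUsers\<SID>.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-LayerInfo {
    param([int]$Order, [string]$Layer, [string]$Path)
    # User\Registry.pol exists only when Administrative Template settings have
    # been configured in the user half; other user-side settings (scripts,
    # security settings) are not detected by this check.
    [pscustomobject]@{
        Order         = $Order
        Layer         = $Layer
        Present       = Test-Path $Path
        UserTemplates = Test-Path (Join-Path $Path 'User\Registry.pol')
        Path          = $Path
    }
}

# Layer 1: the default Local Computer Policy, processed first.
$layers = @(Get-LayerInfo 1 'Local Computer Policy' (Join-Path $sys32 'GroupPolicy'))

# Layers 2 and 3: group layers keyed by well-known SIDs, then per-user layers.
# Settings in later layers win when they conflict with earlier ones.
$usersDir = Join-Path $sys32 'GroupPolicyUsers'
if (Test-Path $usersDir) {
    foreach ($dir in Get-ChildItem -Path $usersDir -Directory) {
        $sid = $dir.Name
        if ($sid -eq 'S-1-5-32-544') {
            $layers += Get-LayerInfo 2 'Administrators' $dir.FullName
        } elseif ($sid -eq 'S-1-5-32-545') {
            $layers += Get-LayerInfo 2 'Non-Administrators' $dir.FullName
        } else {
            # Resolve the user SID to an account name where possible.
            try {
                $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $acct = "$sid (unresolved)" }
            $layers += Get-LayerInfo 3 "User-specific: $acct" $dir.FullName
        }
    }
}

$layers | Sort-Object Order, Layer | Format-Table -AutoSize
```

A Local Computer Policy row with UserTemplates set to False next to present Administrators and Non-Administrators rows is the split the paragraph above describes, with the user half of the default policy left blank and the restrictions carried by the group layers.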