1. Local Group Policies
You can apply two different types of policies
to Windows systems and Windows system user accounts: local group
policies and Active Directory domain-based group policies. Local group
policies exist on all Windows systems, but domain-based group policies
are available only in an Active Directory forest. Until the release of
Windows Vista and Windows Server 2008, servers and workstations could
contain and apply only a single local computer policy. This policy
contained settings for both the local computer and the user who logged
on to the computer.
In many environments,
usually because of legacy or line-of-business application requirements,
end users were often granted local Administrators group membership on
workstations and essentially excluded from the application of the many
configured security settings applied by the local computer group policy.
End users with local Administrators group membership could override
settings and make configuration changes that could compromise security
or, more often, reduce the reliability of the system.
Starting with Windows Vista and Windows Server
2008, administrators could create multiple local computer policies, now
known simply as local group policies. One useful feature of local group
policies is that specific user group policies can be created for all
users, for users who are not administrators, and for users who are
members of the local Administrators group on the local computer. This
feature increases the security and reliability of computers, both those
configured in a workgroup or those configured as standalone. In domain
configurations, computer and user-based policy settings are generally
configured within domain-based group policies and applied to the Active
Directory computers and users. By configuring local group policies, you
can ensure that these computers have a base security configuration and
user experience that supports the organization’s needs, even if the
computer is not configured as part of an Active Directory domain.
Local Computer Policy
The default local computer policy contains out-of-the-box policy settings, as shown in Figure 2,
which are available to configure the computer and user environment.
This policy is applied first to both computer and user objects logging
on to the workstation in workgroups or domains.
Figure 2. Local computer policy settings.
Local User Policies for Nonadministrators and Administrators
Starting with Windows Vista and Windows Server
2008, and continuing with Windows 8 and Windows Server 2012,
administrators now have the option to create multiple local user group
policies on a single machine. In earlier versions, the single local
computer policy allowed administrators to apply the single policy
settings to all users logging on to a workstation that is part of a
workgroup. Now, workgroup computers and domain computers can have
additional policies applied to specific local users. Also, policies can
be applied to local computer administrators or nonadministrators. This
allows the workstation administrator to leave the user section of the
default local computer policy blank and create a more-restrictive policy
for local users and a less-restrictive policy for members of the local
workstation Administrators security group. Local user-based group
policies can be created for specific users, for all nonadministrator
users and administrators to give a lot of different user configurations
based on the user who is logging on to the system.
2. Domain-Based Group Policies
Domain-based group polices differ
significantly from local group policies because you must have an Active
Directory environment to create and apply these policies. The settings
within the group policies include both policy and preference nodes,
which is another major difference (because the local group policies do
not include preference settings). After that, however, most of the
settings remain the same. Domain-based group policies allow for more
flexibility when it comes to actually configuring what criteria is used
to apply the policy. With domain-based policies, they can be filtered to
apply to specific members of Active Directory security groups,
computers, or objects on a particular subnet or stored within an
organizational unit (OU), or they can be applied to computers that are
running a specific OS version. Also, with preference settings in a
domain-based group policy, item-level targeting can be used to determine
whether a setting will be applied based on many different types of
criteria, as shown in Figure 2.
Figure 2. Domain-based GPP item-level targeting.
