Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Group Policies / Apply a Local Group Policy to Non-Admins or a Single User with MLGPO

May 25, 2021 Group PoliciesWindows 10

Apply a Local Group Policy to Non-Admins or a Single User with MLGPO

You can use Local Group Policy to configure Windows or user settings on computers in small workgroup networks (without an AD domain). Earlier, the main disadvantage of a local GPO was the inability to apply the policy settings to the specific local user or group. For example, if you have disabled USB devices in the local GPO, this policy is applied both to users and local administrator accounts.

Multiple Local Group Policy Objects (MLGPOs) allow you to apply local GPO settings to different local users or groups. In this article we’ll show how to apply a local GPO to a single local user or users who are not members of the local admins using MLGPO.

You can assign an MLGPO to:

  • Any local user (by name);
  • Members of the local Administrators group;
  • All users who are not members of the local Administrators group.
Local Group Policy Editor is only available in Pro, Enterprise, and Education Windows 10 editions. In Windows 10 Home, you can install gpedit.msc using the following guide.

To create a new local Group Policy for a user or a group:

  1. Press Win + R -> mmc;
  2. Click File -> Add/Remove Snap-in
    mmc add/remove snap-in
  3. Select Group Policy Object Editor in the list of available snap-ins and click Add;
    add Group Policy Object Editor snap-in
  4. Click Browse and go to the Users tab. You can select a local group or a user to apply a policy to. If a local GPO is already assigned to the user or group, you will see Yes in the Group Policy Object Exists column. To apply a policy to all local users except administrators, select Non-Administrators;
    Apply Group Policy to All Users Except Administrator on Windows 10
  5. Make sure that the Local Computer\Non-Administrators is selected and click Finish;
    MLGPO for Local Computer\Non-Administrators
  6. The GPO editor console with user settings appear. Here you can configure local policy settings to be applied to non-admin users;
    configure local gpo for non-administrators
  7. Configure the desired Group Policy settings for local users.
You can use MLGPO to set user restrictions to be applied prior to joining the computer to your AD domain. For example, you can restrict network access under local accounts.

If you want to remove a local policy for the group, select the group in the Users tab and click Remove Group Policy Object.

remove group policy object from local gpo

The main disadvantage of local GPO is that they are hard to move to other computers (unlike domain GPO which are stored on AD domain controllers and edited centrally). To transfer MLGPO settings, you can use an official Microsoft tool – lgpo.exe (it is a part of Security Compliance Manager and Microsoft Security Baseline).

To export all configured local policies to files, this command is used:

lgpo /b c:\GPObackup\

To import the local Group Policy settings to another computer, specify its GUID (you can find the policy folder in the files you have got by the well-known SID of Non-Administrators group — S-1-5-32-545). To apply the settings on target computer, the following command is used:

lgpo /parse /u C:\GPObackup\{GUID}\DomainSysvol\GPO\User\registry.pol

Then just refresh the GPO settings:

gpupdate /force

Also, you can use the LocalGPO.wsf script to export/import an MLGPO.

To export:

cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Non-Administrators

To import:

cscript LocalGPO.wsf /Path:C:\GPObackup\{GUID}

1 comment
0
Facebook Twitter Google + Pinterest
previous post
How to Disable Windows Error Reporting and Clear WER\ReportQueue Folder on Windows?
next post
Sending Email with SMTP Authentication via Telnet or OpenSSL

Related Reading

Configure User’s Folder Redirection with Group Policy

February 3, 2023

Disable Built-in PDF Viewer in Microsoft Edge

February 3, 2023

Join a Windows Computer to an Active Directory...

February 2, 2023

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

1 comment

Phil Draper June 8, 2022 - 3:15 pm

Excellent article and nice to have steps and screen shots as well.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configure User’s Folder Redirection with Group Policy

    February 3, 2023
  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Updating List of Trusted Root Certificates in Windows
  • Configure Google Chrome Settings with Group Policy
  • Allow RDP Access to Domain Controller for Non-admin Users
  • How to Find the Source of Account Lockouts in Active Directory?
  • How to Hide or Show User Accounts from Login Screen on Windows 10/11?
  • Reset Local Group Policy Settings in Windows
  • How to Disable or Enable USB Drives in Windows using Group Policy?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top