You can use Local Group Policy to configure Windows or user settings on computers in small workgroup networks (without an AD domain). Historically, the main drawback of a local GPO was that its settings could not be targeted at a specific local user or group: if you disabled USB devices in the local GPO, the restriction applied to the local administrator accounts just as it did to regular users.
Multiple Local Group Policy Objects (MLGPOs) let you apply local GPO settings to different local users or groups. In this article we'll show how to use MLGPO to apply a local GPO to a single local user, or to all users who are not members of the local Administrators group.
You can assign an MLGPO to:
- Any local user (by name);
- Members of the local Administrators group;
- All users who are not members of the local Administrators group.
The layers are processed in a fixed order: the computer-wide Local Computer Policy first, then the Administrators or Non-Administrators MLGPO, then the user-specific MLGPO; where the same setting is configured in several layers, the one processed last wins.
The standard gpedit.msc console only opens the computer-wide Local Computer Policy, so a local GPO for a particular user or group is created through the mmc console. To create a new local Group Policy for a user or a group:
- Press Win + R, type mmc and press Enter;
- Click File -> Add/Remove Snap-in;
- Select Group Policy Object Editor in the list of available snap-ins and click Add;
- Click Browse and go to the Users tab. Here you can select the local group or user the policy should apply to. If a local GPO is already assigned to the user or group, you will see Yes in the Group Policy Object Exists column. To apply a policy to all local users except administrators, select Non-Administrators;
- Make sure that Local Computer\Non-Administrators is shown as the selected object and click Finish;
- The GPO editor console opens with only the User Configuration node (computer settings cannot be targeted at a user or group). Here you can configure the local policy settings to be applied to non-admin users;
- Configure the desired Group Policy settings for local users.
If you want to remove a local policy for the group, select the group in the Users tab and click Remove Group Policy Object.
The main disadvantage of local GPOs is that they are hard to move to other computers (unlike domain GPOs, which are stored on the AD domain controllers and edited centrally). To transfer MLGPO settings, you can use an official Microsoft tool, LGPO.exe, which ships with the Microsoft Security Compliance Toolkit alongside the Security Baselines (it replaced the LocalGPO.wsf script from the older Security Compliance Manager).
To export all configured local policies to a GPO backup folder, run:
lgpo /b c:\GPObackup\
To import the local Group Policy settings on another computer, locate the policy folder in the backup you have just created. The Non-Administrators MLGPO is stored under the well-known SID S-1-5-32-545 (the SID of the built-in Users group, which Windows uses for this layer; on the source computer it lives in %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-545\User\registry.pol). To apply the settings to the Non-Administrators layer on the target computer, use the /un switch (/ua targets the Administrators layer and /u the ordinary user configuration; note that /parse only decodes a registry.pol file to LGPO text on stdout and applies nothing):
lgpo /un C:\GPObackup\{GUID}\DomainSysvol\GPO\User\registry.pol
Then just refresh the GPO settings:
gpupdate /force
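The steps above leave two things unchecked: which MLGPO layers actually exist on the machine after the mmc procedure, and what the exported registry.pol contains before you push it to other computers with LGPO.exe. The following PowerShell script is an added example, not code from the original article or from Microsoft; it assumes an elevated PowerShell 5.1 or later session, that LGPO.exe is on the PATH for the import helper, and it builds a small constructed registry.pol in %TEMP% so the decoder can be tried without exporting anything first. The decoder implements the documented registry.pol layout (a PReg signature, a version, then [key;value;type;size;data] records in UTF-16LE), so it works on any registry.pol, including the one under GroupPolicyUsers\S-1-5-32-545.

```powershell
# Added example (not from the original article): list MLGPO layers and decode registry.pol.
# Assumptions (not from the article): elevated PowerShell 5.1+; LGPO.exe on PATH for Import-NonAdminMlgpo;
# the sample file built by New-SampleRegistryPol is constructed data, not an export from a real machine.

# Map each folder under %SystemRoot%\System32\GroupPolicyUsers to the MLGPO layer it holds.
function Get-MlgpoLayer {
    $root = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
    if (-not (Test-Path $root)) { return @() }       # no MLGPO has ever been created on this machine
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $sid = $_.Name
        $layer = switch ($sid) {
            'S-1-5-32-544' { 'Administrators' }        # Administrators MLGPO
            'S-1-5-32-545' { 'Non-Administrators' }    # Non-Administrators MLGPO (SID of BUILTIN\Users)
            default {                                  # user-specific MLGPO: resolve the account name
                try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                catch { "unresolved SID $sid" }
            }
        }
        $pol = Join-Path $_.FullName 'User\registry.pol'
        [pscustomobject]@{ Layer = $layer; Sid = $sid; RegistryPol = $pol; HasSettings = (Test-Path $pol) }
    }
}

# Read a null-terminated UTF-16LE string from $Bytes at $Pos and advance $Pos past the terminator.
function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    $start = $Pos.Value
    while ($Bytes[$Pos.Value] -ne 0 -or $Bytes[$Pos.Value + 1] -ne 0) { $Pos.Value += 2 }
    $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    return $text
}

# Turn the raw data of a record into a readable value according to its registry type.
function ConvertFrom-PolData([uint32]$Type, [byte[]]$Data) {
    $u = [System.Text.Encoding]::Unicode
    switch ($Type) {
        1 { return $u.GetString($Data).TrimEnd("`0") }                      # REG_SZ
        2 { return $u.GetString($Data).TrimEnd("`0") }                      # REG_EXPAND_SZ
        4 { return [BitConverter]::ToUInt32($Data, 0) }                     # REG_DWORD
        7 { return ($u.GetString($Data).TrimEnd("`0") -split "`0") }        # REG_MULTI_SZ
        default { return ([BitConverter]::ToString($Data) -replace '-', '') } # anything else as hex
    }
}

# Decode a registry.pol: 'PReg' signature, 4-byte version, then [key;value;type;size;data] records.
function Read-RegistryPol([Parameter(Mandatory)][string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "$Path does not start with the PReg signature; not a registry.pol file"
    }
    $pos = 8                                         # skip signature and version
    $entries = New-Object System.Collections.Generic.List[object]
    while ($pos -lt $b.Length) {
        $pos += 2                                    # '['
        $key = Read-PolString $b ([ref]$pos)
        $pos += 2                                    # ';'
        $name = Read-PolString $b ([ref]$pos)
        $pos += 2                                    # ';'
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 4
        $pos += 2                                    # ';'
        $size = [int][BitConverter]::ToUInt32($b, $pos); $pos += 4
        $pos += 2                                    # ';'
        $data = New-Object byte[] $size
        if ($size -gt 0) { [Array]::Copy($b, $pos, $data, 0, $size) }
        $pos += $size + 2                            # data, then ']'
        $entries.Add([pscustomobject]@{ Key = $key; Value = $name; Type = $type; Data = (ConvertFrom-PolData $type $data) })
    }
    return $entries
}

# Write a constructed two-record registry.pol (deny all removable storage, force the screen saver on).
function New-SampleRegistryPol([string]$Path) {
    $u = [System.Text.Encoding]::Unicode
    $ms = New-Object System.IO.MemoryStream
    $w = New-Object System.IO.BinaryWriter($ms)
    $w.Write([System.Text.Encoding]::ASCII.GetBytes('PReg')); $w.Write([uint32]1)
    foreach ($e in @(
        @{ Key = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'; Value = 'Deny_All'; Type = 4; Data = [BitConverter]::GetBytes([uint32]1) },
        @{ Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Value = 'ScreenSaveActive'; Type = 1; Data = $u.GetBytes("1`0") }
    )) {
        $w.Write($u.GetBytes('[')); $w.Write($u.GetBytes($e.Key + "`0"))
        $w.Write($u.GetBytes(';')); $w.Write($u.GetBytes($e.Value + "`0"))
        $w.Write($u.GetBytes(';')); $w.Write([uint32]$e.Type)
        $w.Write($u.GetBytes(';')); $w.Write([uint32]$e.Data.Length)
        $w.Write($u.GetBytes(';')); $w.Write([byte[]]$e.Data); $w.Write($u.GetBytes(']'))
    }
    $w.Flush(); [System.IO.File]::WriteAllBytes($Path, $ms.ToArray())
}

# Apply a registry.pol to the Non-Administrators layer (LGPO.exe /un) and refresh policy.
function Import-NonAdminMlgpo([string]$RegistryPol) {
    if (-not (Get-Command LGPO.exe -ErrorAction SilentlyContinue)) { throw 'LGPO.exe not found on PATH' }
    & LGPO.exe /un $RegistryPol
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe failed with exit code $LASTEXITCODE" }
    gpupdate /force | Out-Null
}

# Demo: decode the constructed sample, then list whatever MLGPO layers this machine has.
$sample = Join-Path $env:TEMP 'sample-registry.pol'
New-SampleRegistryPol -Path $sample
Read-RegistryPol -Path $sample | Format-Table Key, Value, Type, Data -AutoSize
Get-MlgpoLayer | Format-Table -AutoSize
# Audit the real Non-Administrators layer the same way:
# Read-RegistryPol "$env:SystemRoot\System32\GroupPolicyUsers\S-1-5-32-545\User\registry.pol"
```

Run Get-MlgpoLayer right after the mmc procedure: a folder named S-1-5-32-545 with HasSettings set to True confirms the Non-Administrators layer exists and holds settings, while a user-specific layer shows up under that account's SID. Run Read-RegistryPol against the exported registry.pol before calling Import-NonAdminMlgpo on other machines, so a setting that was accidentally placed in the wrong layer is caught before it is pushed anywhere.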
You can also use the older LocalGPO.wsf script (from Security Compliance Manager) to export/import an MLGPO.
To export:
cscript LocalGPO.wsf /Path:C:\GPObackup /Export /MLGPO:Non-Administrators
To import:
cscript LocalGPO.wsf /Path:C:\GPObackup\{GUID}
1 comment
Excellent article and nice to have steps and screen shots as well.