Checking Local Group Policy

by Mitch Tulloch [Published on 21 Dec. 2005 / Last Updated on 21 Dec. 2005]

There may be times when you want to check the Local Group Policy Settings on a desktop machine.

While using the Group Policy Results Wizard is the simplest way to view the Group Policy settings that apply to a remote machine, there may be times when you want to check the Local Group Policy Settings on a desktop machine. Group Policy is applied according to the mnemonic LSDOU, which means Local Group Policy firest, then GPOs linked to the AD site the machine belongs to, then GPOs linked to the domain the machine belongs to, and finally GPOs linked to the OUs the machine belongs to (directly or by view of a hierarchical OU structure). So an LGPO setting *can* cause problems if it's not overridden by a site, domain or OU policy setting.

Here's a simple way of checking the Local GPO on a user's machine while the user is logged on:

1. Ask them to turn their head or go away so they don't see you type a password.

2. Open a command prompt and type runas /user:machinename\username "mmc gpedit.msc" where machinename is the name of the user's computer and username is the name of the local administrator account on that machine.

3. Type the password for the local administrator account on that machine.

Group Policy Object Editor now opens and displays the *local* Group Policy settings that are defined on that machine. You can tell it's the LGPO since the root node is displayed as Local Computer Policy.

Further tips:

- Typing runas gpedit.msc doesn't work because *.msc files aren't executable. You must type runas "mmc gpedit.msc"

- Local Group Policy settings aren't displayed when you run the Group Policy Results wizard in the GPMC, which is a good reason for never configuring local computer policies in the first place!

- Why would some computers from older Windows 2000/XP deployments actually have local computer policies configured? Usually when an administrator has run the Security Configuration and Analysis console on the machine to apply a secure or highly secure template to the machine for security reasons before the machine joined the domain.

See Also

Featured Links