In previous versions of Windows, there was no mechanism for creating multiple local Group Policy Objects. The only way you could filter Local Group Policy was by applying NTFS deny access permissions on the Group Policy.

Windows Vista allows you to create multiple local GPOs. You can create them for any user, by name, for all the members of the local Administrators group, and for all users who are NOT members of the local Administrators group.

You may wish to disable this ability in your domain:

1. Open the Group Policy Management Console using Start / Run / gpmc.msc / OK.

2. Edit a GPO that is linked to an OU (Organizational Unit) that contains the Windows Vista computers.

3. Expand Computer Configuration / Administrative Templates / System / Group Policy.

4. Double-click Turn off Local Group Policy objects processing in the right-hand pane and set it to Enabled.

5. Press Apply and OK.

6. Restart the Windows Vista computers.
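
To confirm that the setting reached a client after the restart, the following check (an added example, not part of the original tip) reads the registry value behind the policy and lists the local GPOs stored on the machine. It assumes the policy maps to `DisableLGPOProcessing` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System` and that local GPOs live in the default `GroupPolicy` and `GroupPolicyUsers` folders under `%SystemRoot%\System32`; the function names are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell prompt on the client.
# Assumed (not stated on the page): the registry value behind the policy
# and the default on-disk folders that hold local GPOs.

function Test-LocalGpoProcessingDisabled {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $prop = Get-ItemProperty -Path $key -Name 'DisableLGPOProcessing' -ErrorAction SilentlyContinue
    # A value of 1 means the policy is Enabled, so local GPOs are skipped.
    return ($null -ne $prop -and $prop.DisableLGPOProcessing -eq 1)
}

function Get-LocalGpoInventory {
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # Local Computer Policy
    $machine = Join-Path $sys32 'GroupPolicy'
    if (Test-Path $machine) {
        New-Object PSObject -Property @{ AppliesTo = 'Local Computer Policy'; Path = $machine }
    }

    # Per-user, Administrators and Non-Administrators local GPOs: one folder per SID.
    # The folder is hidden, so -Force is required to enumerate it.
    $users = Join-Path $sys32 'GroupPolicyUsers'
    if (Test-Path $users) {
        Get-ChildItem -Path $users -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
            $dir  = $_
            $name = $dir.Name
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Folder name is not a SID, or the account no longer exists: keep the raw name.
            }
            New-Object PSObject -Property @{ AppliesTo = $name; Path = $dir.FullName }
        }
    }
}

if (Test-LocalGpoProcessingDisabled) {
    'Local GPO processing is turned off by policy.'
} else {
    'Local GPO processing is still active on this computer.'
}
Get-LocalGpoInventory | Format-Table AppliesTo, Path -AutoSize
```

Folders that the inventory lists are not deleted by the policy; they remain on disk and are simply not processed while the setting is Enabled.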