You have to construct groups in a domain to differentiate the policies applied. If you do the config on the machine, it will be set that way for everyone. If you do it through the domain, you can create a group and apply the policy to the group, thus giving you the ability to lock something out for some and not others.
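
One way to set this up from PowerShell, as an added example that is not part of the original answer. It assumes the policy is a Group Policy Object managed with the ActiveDirectory and GroupPolicy modules; every domain, OU, group, user and GPO name is a hypothetical placeholder.

```powershell
# Added example: scope a GPO to one security group instead of everyone.
# All names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Restrict-Feature'                # hypothetical GPO name
$GroupName = 'GPO-Restrict-Feature-Users'      # hypothetical security group
$GroupOU   = 'OU=Groups,DC=example,DC=com'     # where the group object lives
$LinkOU    = 'OU=Staff,DC=example,DC=com'      # OU holding the affected users
$Members   = 'jdoe', 'asmith'                  # accounts that get the restriction

# 1. Create the security group (if it does not exist) and add its members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global `
                -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Create the GPO (if it does not exist) and link it to the OU.
#    The settings themselves are edited afterwards in the
#    Group Policy Management Editor.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
New-GPLink -Name $GpoName -Target $LinkOU -LinkEnabled Yes

# 3. Security filtering: only the group may apply the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
                 -TargetType Group -PermissionLevel GpoApply

#    A new GPO lets Authenticated Users apply it. Downgrade that entry to
#    read-only rather than deleting it: the GPO must stay readable so
#    clients can still retrieve and evaluate it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Review the result: the group should show GpoApply,
#    Authenticated Users should show GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

Members of the group must also sit under the linked OU for the GPO to reach them; accounts outside the group read the GPO but do not apply it.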