DCreature
asked on
Exclude a user (or Group) from having a policy applied to (Non-Domain / Non-Active Directory)
We have Windows Server 2003 servers running in a non-domain / non-Active Directory environment and they are not going to be in those environment. Currently they are configured as WORKGROUP, there's a purpose for this and should not be changed.
We have policies in place that we do not want them to be applied to certain account (or a certain group if possible). I've done some researches and I am aware that it will be hard to achieve without having the server in domain / AD environment.
However, there were some sources mentioning that some registry keys can be modified to allow this to happen, the question is, which registry keys?
We current use GPEDIT.msc to edit the policies. Remember, we're not using AD, nor DOMAIN.
We have policies in place that we do not want them to be applied to certain account (or a certain group if possible). I've done some researches and I am aware that it will be hard to achieve without having the server in domain / AD environment.
However, there were some sources mentioning that some registry keys can be modified to allow this to happen, the question is, which registry keys?
We current use GPEDIT.msc to edit the policies. Remember, we're not using AD, nor DOMAIN.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Probably the best and detailed solution I've ever received, well done mate, you're a legend.
No problem.
Thanks for the compliment.
Thanks for the compliment.
Wow, Pieter, great posting. Thanks!
Pieter, you are almost as awesome as I am. THANKS!!!! great post.
as your servers are workgroup members only all your policies will be local only. Local policies can't be blocked. If you create one, it will be applied.
(Only in a domain environment it can be overridden, so this doesn't apply to your setup.)
The difference you can make in registry keys is: some apply to HKEY_CURRENT_USER and some to HKEY_LOCAL_MACHINE.
So all HKLM keys will apply to all users logging on to this machine while HKCU keys will be functional only for the user being logged on when setting that key.
AFAIK there is no way to get around this unless you have a domain environment.
Anybody having more information?