Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Winxp pro - Modify Policy for single users?

Posted on 2007-03-26
13
Medium Priority
?
282 Views
Last Modified: 2008-02-01
I'm new to the group policy editor for winxp pro environment. My problem is that when I modify a policy under "User Configuration" on thelocal machine, it applies to all users of that machine. I thought that's what the "Computer Configuration" group was for? I realize when the user logs into the Domain that certain policies will apply.

How do I change a policy for certain users of the local computer when they are not logged into the domain?


Windows XP Pro SP2
0
Comment
Question by:msk100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 4
13 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793314
Hi!

Unfortunately Local Policy can not be set per user in Windows XP. Domain policies will apply only to domain users. If you wish that local policy is applied and not overwritten by domain polices, you should log in with local user account.

Good news is that Vista allows Local policies to be set per user, but I doubt, that is information you were looking for. ;)
0
 
LVL 1

Author Comment

by:msk100
ID: 18793386
No, I think I may not have described this well. I'll try again.

 I have a user's computer that has the ability to log into a domain. While it is logged into the domain, everything is great.
 When it is not logged into the domian, i need to prohibit certain functions. I would like it if these policies would apply to only say the "users" group and not the admin group, but if need be the admin account will have to suffer the same changes. It just seems silly to block an admin from something like the RUN dialog but i'll do it if i have to :)

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793448
What do you mean: user logged into a domain? Connected to network with DC online? You can log on to domain as domain user even if DC is not available with cached credentials. And you can log on as local user even if DC is available? Which case are you talking about: first one ore second one?
0
Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

 
LVL 19

Expert Comment

by:weellio
ID: 18793504
Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
 
 The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies.

maybe this will help you.


 
0
 
LVL 1

Author Comment

by:msk100
ID: 18793579
Toniur:
 Yes the user has the choice to log into the domain or log into the computer locally.
 When they are logged in locally is when i need to restrict their actions.

thanks all for your help on this issue..
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793618
do they login with the same ID or a different ID?

one thing you can do is configure a restricted profile(via registry editing). copy it over the 'default user' profile. Then when a profileless user logs in they are restricted.

but if they use locally cached profiles this won't necessarily work.  

are we referring to laptops?

if the local and the roaming profiles are diffferent then you can od a lot,.
0
 
LVL 1

Author Comment

by:msk100
ID: 18793713
weellio:
 Same ID, Desktop computer, same roaming and local profiles.
My main concerns are the firewall settings and restricting the installation of software.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793775
As I said before, when local user is logged on, only Local Policy will apply. When domain user is logged on Local Policy will be overwriten with site, domain, and OU policies.

In addition: firewall policy settings has two proflies, which can be set for domain users, Domain and Standard profile.

And finally if user is not administrator he can not install software.
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793828
besides the no 'run' command and the 'no install software' what other restrictiions do you want?

0
 
LVL 19

Accepted Solution

by:
weellio earned 1500 total points
ID: 18793837
can't you just make the user part of the 'users' group and all this be taken care of that way?
0
 
LVL 1

Author Comment

by:msk100
ID: 18794564
the user is part of the local 'users' group

to simplify, lets assume this PC is not part of a domain. Let's assume you want to resctrict one of your children from shutting off the firewall on your home windows xp pro machine. But you want to be able to turn it on and off when you log on as the administrator. Is this possible?

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18794804
Not with Windows XP. For instance firewall setting are part of Computer Settings which applies to all users. Technically, there is workaround, you could deny Read permission for certain user on this folder C:\Windows\System32\GroupPolicy and settings will not apply to this user.
Of course if you deny read permission to administrator for this folder, you will not be able to edit policy until security settings are corrected. ;)
0
 
LVL 1

Author Comment

by:msk100
ID: 18824932
As a user they still have access to the windows firewall settings, they just cant modify them. Remember this is xp pro.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question