Solved

Winxp pro - Modify Policy for single users?

Posted on 2007-03-26
13
275 Views
Last Modified: 2008-02-01
I'm new to the group policy editor for winxp pro environment. My problem is that when I modify a policy under "User Configuration" on thelocal machine, it applies to all users of that machine. I thought that's what the "Computer Configuration" group was for? I realize when the user logs into the Domain that certain policies will apply.

How do I change a policy for certain users of the local computer when they are not logged into the domain?


Windows XP Pro SP2
0
Comment
Question by:msk100
  • 5
  • 4
  • 4
13 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793314
Hi!

Unfortunately Local Policy can not be set per user in Windows XP. Domain policies will apply only to domain users. If you wish that local policy is applied and not overwritten by domain polices, you should log in with local user account.

Good news is that Vista allows Local policies to be set per user, but I doubt, that is information you were looking for. ;)
0
 
LVL 1

Author Comment

by:msk100
ID: 18793386
No, I think I may not have described this well. I'll try again.

 I have a user's computer that has the ability to log into a domain. While it is logged into the domain, everything is great.
 When it is not logged into the domian, i need to prohibit certain functions. I would like it if these policies would apply to only say the "users" group and not the admin group, but if need be the admin account will have to suffer the same changes. It just seems silly to block an admin from something like the RUN dialog but i'll do it if i have to :)

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793448
What do you mean: user logged into a domain? Connected to network with DC online? You can log on to domain as domain user even if DC is not available with cached credentials. And you can log on as local user even if DC is available? Which case are you talking about: first one ore second one?
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793504
Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
 
 The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies.

maybe this will help you.


 
0
 
LVL 1

Author Comment

by:msk100
ID: 18793579
Toniur:
 Yes the user has the choice to log into the domain or log into the computer locally.
 When they are logged in locally is when i need to restrict their actions.

thanks all for your help on this issue..
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793618
do they login with the same ID or a different ID?

one thing you can do is configure a restricted profile(via registry editing). copy it over the 'default user' profile. Then when a profileless user logs in they are restricted.

but if they use locally cached profiles this won't necessarily work.  

are we referring to laptops?

if the local and the roaming profiles are diffferent then you can od a lot,.
0
Why won’t your email signature format correctly?

Struggling to get your corporate email signatures to format correctly? Does the logo keep resizing? Is the text appearing too big? What can you do to prevent this? Find out how you can save your signatures today.

 
LVL 1

Author Comment

by:msk100
ID: 18793713
weellio:
 Same ID, Desktop computer, same roaming and local profiles.
My main concerns are the firewall settings and restricting the installation of software.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793775
As I said before, when local user is logged on, only Local Policy will apply. When domain user is logged on Local Policy will be overwriten with site, domain, and OU policies.

In addition: firewall policy settings has two proflies, which can be set for domain users, Domain and Standard profile.

And finally if user is not administrator he can not install software.
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793828
besides the no 'run' command and the 'no install software' what other restrictiions do you want?

0
 
LVL 19

Accepted Solution

by:
weellio earned 500 total points
ID: 18793837
can't you just make the user part of the 'users' group and all this be taken care of that way?
0
 
LVL 1

Author Comment

by:msk100
ID: 18794564
the user is part of the local 'users' group

to simplify, lets assume this PC is not part of a domain. Let's assume you want to resctrict one of your children from shutting off the firewall on your home windows xp pro machine. But you want to be able to turn it on and off when you log on as the administrator. Is this possible?

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18794804
Not with Windows XP. For instance firewall setting are part of Computer Settings which applies to all users. Technically, there is workaround, you could deny Read permission for certain user on this folder C:\Windows\System32\GroupPolicy and settings will not apply to this user.
Of course if you deny read permission to administrator for this folder, you will not be able to edit policy until security settings are corrected. ;)
0
 
LVL 1

Author Comment

by:msk100
ID: 18824932
As a user they still have access to the windows firewall settings, they just cant modify them. Remember this is xp pro.
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This is an article about Leadership and accepting and adapting to new challenges. It focuses mostly on upgrading to Windows 10.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now