Winxp pro - Modify Policy for single users?

I'm new to the group policy editor for winxp pro environment. My problem is that when I modify a policy under "User Configuration" on thelocal machine, it applies to all users of that machine. I thought that's what the "Computer Configuration" group was for? I realize when the user logs into the Domain that certain policies will apply.

How do I change a policy for certain users of the local computer when they are not logged into the domain?


Windows XP Pro SP2
LVL 1
msk100Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:
Hi!

Unfortunately Local Policy can not be set per user in Windows XP. Domain policies will apply only to domain users. If you wish that local policy is applied and not overwritten by domain polices, you should log in with local user account.

Good news is that Vista allows Local policies to be set per user, but I doubt, that is information you were looking for. ;)
0
msk100Author Commented:
No, I think I may not have described this well. I'll try again.

 I have a user's computer that has the ability to log into a domain. While it is logged into the domain, everything is great.
 When it is not logged into the domian, i need to prohibit certain functions. I would like it if these policies would apply to only say the "users" group and not the admin group, but if need be the admin account will have to suffer the same changes. It just seems silly to block an admin from something like the RUN dialog but i'll do it if i have to :)

0
Toni UranjekConsultant/TrainerCommented:
What do you mean: user logged into a domain? Connected to network with DC online? You can log on to domain as domain user even if DC is not available with cached credentials. And you can log on as local user even if DC is available? Which case are you talking about: first one ore second one?
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

William ElliottSr Tech GuruCommented:
Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
 
 The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies.

maybe this will help you.


 
0
msk100Author Commented:
Toniur:
 Yes the user has the choice to log into the domain or log into the computer locally.
 When they are logged in locally is when i need to restrict their actions.

thanks all for your help on this issue..
0
William ElliottSr Tech GuruCommented:
do they login with the same ID or a different ID?

one thing you can do is configure a restricted profile(via registry editing). copy it over the 'default user' profile. Then when a profileless user logs in they are restricted.

but if they use locally cached profiles this won't necessarily work.  

are we referring to laptops?

if the local and the roaming profiles are diffferent then you can od a lot,.
0
msk100Author Commented:
weellio:
 Same ID, Desktop computer, same roaming and local profiles.
My main concerns are the firewall settings and restricting the installation of software.
0
Toni UranjekConsultant/TrainerCommented:
As I said before, when local user is logged on, only Local Policy will apply. When domain user is logged on Local Policy will be overwriten with site, domain, and OU policies.

In addition: firewall policy settings has two proflies, which can be set for domain users, Domain and Standard profile.

And finally if user is not administrator he can not install software.
0
William ElliottSr Tech GuruCommented:
besides the no 'run' command and the 'no install software' what other restrictiions do you want?

0
William ElliottSr Tech GuruCommented:
can't you just make the user part of the 'users' group and all this be taken care of that way?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
msk100Author Commented:
the user is part of the local 'users' group

to simplify, lets assume this PC is not part of a domain. Let's assume you want to resctrict one of your children from shutting off the firewall on your home windows xp pro machine. But you want to be able to turn it on and off when you log on as the administrator. Is this possible?

0
Toni UranjekConsultant/TrainerCommented:
Not with Windows XP. For instance firewall setting are part of Computer Settings which applies to all users. Technically, there is workaround, you could deny Read permission for certain user on this folder C:\Windows\System32\GroupPolicy and settings will not apply to this user.
Of course if you deny read permission to administrator for this folder, you will not be able to edit policy until security settings are corrected. ;)
0
msk100Author Commented:
As a user they still have access to the windows firewall settings, they just cant modify them. Remember this is xp pro.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.