Solved

Winxp pro - Modify Policy for single users?

Posted on 2007-03-26
13
274 Views
Last Modified: 2008-02-01
I'm new to the group policy editor for winxp pro environment. My problem is that when I modify a policy under "User Configuration" on thelocal machine, it applies to all users of that machine. I thought that's what the "Computer Configuration" group was for? I realize when the user logs into the Domain that certain policies will apply.

How do I change a policy for certain users of the local computer when they are not logged into the domain?


Windows XP Pro SP2
0
Comment
Question by:msk100
  • 5
  • 4
  • 4
13 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793314
Hi!

Unfortunately Local Policy can not be set per user in Windows XP. Domain policies will apply only to domain users. If you wish that local policy is applied and not overwritten by domain polices, you should log in with local user account.

Good news is that Vista allows Local policies to be set per user, but I doubt, that is information you were looking for. ;)
0
 
LVL 1

Author Comment

by:msk100
ID: 18793386
No, I think I may not have described this well. I'll try again.

 I have a user's computer that has the ability to log into a domain. While it is logged into the domain, everything is great.
 When it is not logged into the domian, i need to prohibit certain functions. I would like it if these policies would apply to only say the "users" group and not the admin group, but if need be the admin account will have to suffer the same changes. It just seems silly to block an admin from something like the RUN dialog but i'll do it if i have to :)

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793448
What do you mean: user logged into a domain? Connected to network with DC online? You can log on to domain as domain user even if DC is not available with cached credentials. And you can log on as local user even if DC is available? Which case are you talking about: first one ore second one?
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793504
Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
 
 The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies.

maybe this will help you.


 
0
 
LVL 1

Author Comment

by:msk100
ID: 18793579
Toniur:
 Yes the user has the choice to log into the domain or log into the computer locally.
 When they are logged in locally is when i need to restrict their actions.

thanks all for your help on this issue..
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793618
do they login with the same ID or a different ID?

one thing you can do is configure a restricted profile(via registry editing). copy it over the 'default user' profile. Then when a profileless user logs in they are restricted.

but if they use locally cached profiles this won't necessarily work.  

are we referring to laptops?

if the local and the roaming profiles are diffferent then you can od a lot,.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 1

Author Comment

by:msk100
ID: 18793713
weellio:
 Same ID, Desktop computer, same roaming and local profiles.
My main concerns are the firewall settings and restricting the installation of software.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18793775
As I said before, when local user is logged on, only Local Policy will apply. When domain user is logged on Local Policy will be overwriten with site, domain, and OU policies.

In addition: firewall policy settings has two proflies, which can be set for domain users, Domain and Standard profile.

And finally if user is not administrator he can not install software.
0
 
LVL 19

Expert Comment

by:weellio
ID: 18793828
besides the no 'run' command and the 'no install software' what other restrictiions do you want?

0
 
LVL 19

Accepted Solution

by:
weellio earned 500 total points
ID: 18793837
can't you just make the user part of the 'users' group and all this be taken care of that way?
0
 
LVL 1

Author Comment

by:msk100
ID: 18794564
the user is part of the local 'users' group

to simplify, lets assume this PC is not part of a domain. Let's assume you want to resctrict one of your children from shutting off the firewall on your home windows xp pro machine. But you want to be able to turn it on and off when you log on as the administrator. Is this possible?

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18794804
Not with Windows XP. For instance firewall setting are part of Computer Settings which applies to all users. Technically, there is workaround, you could deny Read permission for certain user on this folder C:\Windows\System32\GroupPolicy and settings will not apply to this user.
Of course if you deny read permission to administrator for this folder, you will not be able to edit policy until security settings are corrected. ;)
0
 
LVL 1

Author Comment

by:msk100
ID: 18824932
As a user they still have access to the windows firewall settings, they just cant modify them. Remember this is xp pro.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now