Winxp pro - Modify Policy for single users?

I'm new to the group policy editor for winxp pro environment. My problem is that when I modify a policy under "User Configuration" on thelocal machine, it applies to all users of that machine. I thought that's what the "Computer Configuration" group was for? I realize when the user logs into the Domain that certain policies will apply.

How do I change a policy for certain users of the local computer when they are not logged into the domain?


Windows XP Pro SP2
LVL 1
msk100Asked:
Who is Participating?
 
William ElliottConnect With a Mentor Sr Tech GuruCommented:
can't you just make the user part of the 'users' group and all this be taken care of that way?
0
 
Toni UranjekConsultant/TrainerCommented:
Hi!

Unfortunately Local Policy can not be set per user in Windows XP. Domain policies will apply only to domain users. If you wish that local policy is applied and not overwritten by domain polices, you should log in with local user account.

Good news is that Vista allows Local policies to be set per user, but I doubt, that is information you were looking for. ;)
0
 
msk100Author Commented:
No, I think I may not have described this well. I'll try again.

 I have a user's computer that has the ability to log into a domain. While it is logged into the domain, everything is great.
 When it is not logged into the domian, i need to prohibit certain functions. I would like it if these policies would apply to only say the "users" group and not the admin group, but if need be the admin account will have to suffer the same changes. It just seems silly to block an admin from something like the RUN dialog but i'll do it if i have to :)

0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Toni UranjekConsultant/TrainerCommented:
What do you mean: user logged into a domain? Connected to network with DC online? You can log on to domain as domain user even if DC is not available with cached credentials. And you can log on as local user even if DC is available? Which case are you talking about: first one ore second one?
0
 
William ElliottSr Tech GuruCommented:
Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
 
 The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies.

maybe this will help you.


 
0
 
msk100Author Commented:
Toniur:
 Yes the user has the choice to log into the domain or log into the computer locally.
 When they are logged in locally is when i need to restrict their actions.

thanks all for your help on this issue..
0
 
William ElliottSr Tech GuruCommented:
do they login with the same ID or a different ID?

one thing you can do is configure a restricted profile(via registry editing). copy it over the 'default user' profile. Then when a profileless user logs in they are restricted.

but if they use locally cached profiles this won't necessarily work.  

are we referring to laptops?

if the local and the roaming profiles are diffferent then you can od a lot,.
0
 
msk100Author Commented:
weellio:
 Same ID, Desktop computer, same roaming and local profiles.
My main concerns are the firewall settings and restricting the installation of software.
0
 
Toni UranjekConsultant/TrainerCommented:
As I said before, when local user is logged on, only Local Policy will apply. When domain user is logged on Local Policy will be overwriten with site, domain, and OU policies.

In addition: firewall policy settings has two proflies, which can be set for domain users, Domain and Standard profile.

And finally if user is not administrator he can not install software.
0
 
William ElliottSr Tech GuruCommented:
besides the no 'run' command and the 'no install software' what other restrictiions do you want?

0
 
msk100Author Commented:
the user is part of the local 'users' group

to simplify, lets assume this PC is not part of a domain. Let's assume you want to resctrict one of your children from shutting off the firewall on your home windows xp pro machine. But you want to be able to turn it on and off when you log on as the administrator. Is this possible?

0
 
Toni UranjekConsultant/TrainerCommented:
Not with Windows XP. For instance firewall setting are part of Computer Settings which applies to all users. Technically, there is workaround, you could deny Read permission for certain user on this folder C:\Windows\System32\GroupPolicy and settings will not apply to this user.
Of course if you deny read permission to administrator for this folder, you will not be able to edit policy until security settings are corrected. ;)
0
 
msk100Author Commented:
As a user they still have access to the windows firewall settings, they just cant modify them. Remember this is xp pro.
0
All Courses

From novice to tech pro — start learning today.