Deny Read Access to a Group Policy on a non-networked PC

Posted on 2011-04-27
Medium Priority
Last Modified: 2013-12-04
What I am trying to do is create a User Configuration Group Policy on a non-networked PC and then deny read rights to one local user so they are not affected by the Group Policy. I found the information below on Experts-Exchange and followed the instructions, but the user is still apparently reading the GP. Any ideas as to what I may be missing?

Thanks in advance for your help.

1. After you have made the necessary changes to the group policy using gpedit.msc, go to c:\windows\system32 and look for the folder 'Group Policy'. Before this, make sure that your file system is NTFS and you have not checked 'Use simple file sharing [Recommended]' in the (open any folder) Tools>Folder Options (the last entry here). If you have it checked, uncheck it. Now that you see the group policy folder (it is a hidden folder so you need to enable the option to show hidden files and folders in the folder options), right click on the folder and click on 'sharing and security'. In the box that pops up, click on the user to whom the group policy should not apply. Then in the 'deny' column for permissions, check the box for 'read'. The other permissions are set by default; leave them as they are. Now click on 'apply' and then on 'ok'. Log off and log back on again. Voila!

Of course, you need to set the policies in User Configuration>Administrative Templates.

2. There is no mechanism to 'filter' Local Group Policy, as there is for GPO in Active Directory (AD). You can fake it out, by applying NTFS deny access permissions on the Group Policy. You can set Local Group Policy for users and deny the Administrator Read access to the %SystemRoot%\system32\GroupPolicy\User\Registry.pol file, effectively filtering the Local Group Policy.

Question by: covxx

Expert Comment

ID: 35484169
Is the user in question a member of any other group that is affected by the GP?  That could be creating a conflict....

Accepted Solution

covxx earned 0 total points
ID: 35485394
Got it figured out. I was denying rights at the Registry.pol level which for some reason was still letting the user have rights to read. My very smart co-worker suggested going to the Group Policy folder as the first instructions stated and it worked.

Author Closing Comment

ID: 35510851
I was able to figure this out with the help of my very smart coworker before anyone sent an answer that worked.
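
The folder-level deny that the accepted solution settled on can also be applied from a script instead of the 'sharing and security' dialog. The following is an added example, not code from the thread; the account name `localadmin` and the `-Undo` switch are assumptions made for illustration, and it must be run from an elevated Windows PowerShell session.

```powershell
# Added example, not from the thread: deny Read on the local Group Policy folder
# for one local account so that Local Group Policy is not applied to it.
param(
    [string]$UserName = 'localadmin',  # hypothetical local account to exempt
    [switch]$Undo                      # hypothetical switch: remove the deny entry again
)
$ErrorActionPreference = 'Stop'

$gpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# File ACLs only exist on NTFS, as the quoted instructions point out.
$root   = [System.IO.Path]::GetPathRoot($env:SystemRoot)
$format = (New-Object System.IO.DriveInfo($root)).DriveFormat
if ($format -ne 'NTFS') { throw "$root is formatted as $format; NTFS is required." }

# The folder is hidden, but Test-Path still finds it.
if (-not (Test-Path $gpFolder)) {
    throw "$gpFolder does not exist; configure the policy in gpedit.msc first."
}

# Resolve the local account up front so that a typo fails here and not in the ACL.
$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $UserName)
[void]$account.Translate([System.Security.Principal.SecurityIdentifier])

# Deny Read on the folder itself and on everything below it (User\Registry.pol included).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Read,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $gpFolder
if ($Undo) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
Set-Acl -Path $gpFolder -AclObject $acl

# Show the entries that now exist for the account, to confirm the change.
(Get-Acl -Path $gpFolder).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$UserName" } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

As in the quoted instructions, the user has to log off and log back on before the change takes effect.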

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introducing Priority Question, our latest feature.
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses
Course of the Month14 days, 22 hours left to enroll

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question