Deny Read Access to a Group Policy on a non-networked PC
Posted on 2011-04-27
What I am trying to do is create a User Configuration Group Policy on a non-networked PC and then deny read rights to one local user so they are not affected by the Group Policy. I found the information below on Experts-Exchange, and followed the instructions but the user is still apparently reading the GP. Any ideas to what I may be missing?
Thanks in advance for your help.
1. After you have made the necessary changes to the group policy using gpedit.msc, go to c:\windows\system32 and look for the folder 'Group Policy'. Before this, make sure that your file system is NTFS and you have not checked 'Use simple file sharing [Recommended]' in the (open any folder) Tools>Folder Options (the last entry here). If you have it checked, uncheck it. Now that you see the group policy folder (it is a hidden folder, so you need to enable the option to show hidden files and folders in the folder options), right click on the folder and click on 'sharing and security'. In the box that pops up, click on the user to whom the group policy should not apply. Then in the 'deny' column for permissions, check the box for 'read'. The other permissions are set by default; leave them as they are. Now click on 'apply' and then on 'ok'. Log off and log on back again. Voila!
Of course, you need to set the policies in User Configuration>Administrative Templates.
2. There is no mechanism to 'filter' Local Group Policy, as there is for GPOs in Active Directory (AD). You can fake it out by applying NTFS deny access permissions on the Group Policy. You can set Local Group Policy for users and deny the Administrator Read access to the %SystemRoot%\system32\GroupPolicy\User\Registry.pol file, effectively filtering the Local Group Policy.
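The NTFS workaround from item 2 above, written as an added PowerShell example (it is not part of the original post or the Experts-Exchange text). It assumes an elevated PowerShell session on the local machine, that the User Configuration policy has already been saved by gpedit.msc so that `Registry.pol` exists, and a placeholder local account name `LocalUser`; the functions show the deny ACE being added, listed for verification, and removed again when the workaround is no longer wanted.

```powershell
# Added example, not from the original post. Run elevated; 'LocalUser' is a placeholder.
$PolFile = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Registry.pol'
$Account = "$env:COMPUTERNAME\LocalUser"

function Get-PolicyDenyRule {
    # Lists any explicit Deny entries for the account on Registry.pol (Get-Acl also works on hidden files).
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Deny'
    }
}

function Add-PolicyReadDeny {
    # Adds an explicit Deny:Read ACE for the account; existing Allow entries are left untouched.
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Read', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-PolicyReadDeny {
    # Removes the Deny:Read ACE again so the policy applies to the account as before.
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Read', 'Deny')
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (-not (Test-Path -Path $PolFile)) {
    throw "Registry.pol not found; save a User Configuration policy in gpedit.msc first."
}

Add-PolicyReadDeny -Path $PolFile -Identity $Account

# Verify the ACE is really on the file before logging off and back on as that user.
$deny = Get-PolicyDenyRule -Path $PolFile -Identity $Account
if ($deny) { "Deny:Read present for $Account on $PolFile" } else { "No Deny entry found" }
```

The check at the end matters for the question asked above: if `Get-PolicyDenyRule` returns nothing, the deny never reached `Registry.pol` (for example because it was set on the folder only, or the file was re-created by gpedit.msc afterwards), and the user will still read the policy at next logon. Because this is an NTFS trick rather than real policy filtering, any local administrator can remove the ACE, so it should be treated as a convenience, not a security boundary.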