Deny Read Access to a Group Policy on a non-networked PC

Posted on 2011-04-27
Last Modified: 2013-12-04
What I am trying to do is create a User Configuration Group Policy on a non-networked PC and then deny read rights to one local user so they are not affected by the Group Policy. I found the information below on Experts-Exchange and followed the instructions, but the user is still apparently reading the GP. Any ideas as to what I may be missing?

Thanks in advance for your help.

1. After you have made the necessary changes to the group policy using gpedit.msc, go to c:\windows\system32 and look for the folder 'Group Policy'. Before this, make sure that your file system is NTFS and you have not checked 'Use simple file sharing [Recommended]' in the (open any folder) Tools>Folder Options (the last entry here). If you have it checked, uncheck it. Now that you see the group policy folder (it is a hidden folder so you need to enable the option to show hidden files and folders in the folder options), right-click on the folder and click on 'sharing and security'. In the box that pops up, click on the user to whom the group policy should not apply. Then in the 'deny' column for permissions, check the box for 'read'. The other permissions are set by default; leave them as they are. Now click on 'apply' and then on 'ok'. Log off and log back on again. Voila!

Of course, you need to set the policies in User Configuration>Administrative Templates.

2. There is no mechanism to 'filter' Local Group Policy, as there is for GPO in Active Directory (AD). You can fake it out by applying NTFS deny access permissions on the Group Policy. You can set Local Group Policy for users and deny the Administrator Read access to the %SystemRoot%\system32\GroupPolicy\User\Registry.pol file, effectively filtering the Local Group Policy.

Question by: covxx

    Expert Comment

    Is the user in question a member of any other group that is affected by the GP?  That could be creating a conflict....

    Accepted Solution

    Got it figured out. I was denying rights at the Registry.pol level which for some reason was still letting the user have rights to read. My very smart co-worker suggested going to the Group Policy folder as the first instructions stated and it worked.

    Author Closing Comment

    I was able to figure this out with the help of my very smart coworker before anyone sent an answer that worked.
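
The fix that worked in this thread (a Deny Read entry on the Group Policy folder itself rather than on Registry.pol alone), scripted as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell session; the account name `ExemptUser` is a hypothetical placeholder.

```powershell
# Added example. 'ExemptUser' is a hypothetical local account name.
$User   = "$env:COMPUTERNAME\ExemptUser"
$Folder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# The folder is hidden and only exists once a local policy has been saved.
if (-not (Test-Path -LiteralPath $Folder)) {
    throw "$Folder not found; save a setting in gpedit.msc first."
}

# Deny permissions need NTFS, as the quoted instructions point out.
$drive = New-Object System.IO.DriveInfo ($env:SystemRoot.Substring(0, 1))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "System volume is $($drive.DriveFormat); NTFS is required."
}

# Deny Read on the folder, inherited by subfolders and files so the
# entry also reaches User\Registry.pol.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')

$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Verify: list the Deny entries for this account on the folder and on
# Registry.pol, and show whether each one is explicit or inherited.
$targets = @($Folder, (Join-Path $Folder 'User\Registry.pol'))
foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path does not exist yet"
        continue
    }
    (Get-Acl -LiteralPath $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $User
        } |
        Select-Object @{ Name = 'Path'; Expression = { $path } },
                      FileSystemRights, IsInherited
}
```

The folder should report an explicit entry (`IsInherited` False) and Registry.pol an inherited one (True); the account then has to log off and back on before the change is visible.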
