We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


Deny Read Access to a Group Policy on a non-networked PC

Medium Priority
Last Modified: 2013-12-04
What I am trying to do is create a User Configuration Group Policy on a non-networked PC and then deny read rights to one local user so they are not affected by the Group Policy. I found the information below on Experts-Exchange, and followed the instructions but the user is still apparently reading the GP. Any ideas to what I may be missing?

Thanks in advance for your help.

1.After you have made the necessary changes to the group policy using gpedit.msc, go to c:\windows\system32 and look for the folder 'Group Policy'. Before this, make sure that your file system is NTFS and you have not checked 'Use simple file sharing [Recommended]' in the (open any folder) Tools>Folder Options (the last entry here). If you have it checked, uncheck it. Now that you see the group policy folder (it is a hidden folder so you need to enable the option to show hidden files and folders in the folder options) right click on the folder and click on 'sharing and security'. In the box that pops up, click on the user you wish that the group policy should not apply. Then in the 'deny' column for permissions, check the box for 'read'. the other permissions are set by default and leave them as it is. Now click on 'apply' and then on 'ok'. Log off and log on back again. Voila!

Of course, you need to set the policies in User Configuration>Administrative Templates.

2.There is no mechanism to 'filter' Local Group Policy, as there is for GPO in Active Directory (AD).
You can fake it out, by applying NTFS deny access permissions on the Group Policy.
You can set Local Group Policy for users and deny the Administrator Read access to the
%SystemRoot%\system32\GroupPolicy\User\Registry.pol file, effectively filtering the Local Group Policy.
Watch Question

Is the user in question a member of any other group that is affected by the GP?  That could be creating a conflict....
Unlock this solution and get a sample of our free trial.
(No credit card required)


I was able to figure this out with the help of my very smart coworker before anyone sent a n answer that worked.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.