The Most Frequently Asked Question About Group Policy In A Workgroup Situation
http://www.theeldergeek.com/gp07.htm
Q: “I have <insert number> users on my computer and want to use Group Policy to set different policies for each user. How is this done?”
A: Install Windows 2000 Server or Windows Server 2003. A domain gives you multiple Active Directory-based Group Policy objects; Local Group Policy has exactly one Local Group Policy object, and you can’t create more.
That’s the bad news. The good (or at least better) news is that it’s kinda-sorta possible to tweak Group Policy in the local setting. In the previous section I said to remember that the Computer Configuration Registry.pol is applied at the time the system loads, while the User Configuration Registry.pol comes into play when a user logs into the system.
There is nothing you can alter about the Computer Configuration side of Group Policy, because it loads when the system boots and there is simply no opportunity to split it apart by user or group. What that means is that when you set a policy in the Computer Configuration section of Local Group Policy, it’s going to apply to the entire computer, to everyone who uses the machine. No exceptions.
In the User Configuration section of Local Group Policy we have a bit more latitude, since the Registry.pol is ‘read’ when the user logs into the system, and that delayed ‘read’ is the key. By altering Read permissions on the Group Policy folder it’s possible to divide the User Configuration portion of Local Group Policy into two distinct groups of users:
- Users that are affected by the settings in Local Group Policy User Configuration.
- Users that are not affected by the settings in Local Group Policy User Configuration.
Use the following steps to separate the users or groups into the two categories.
- Institute the policies you want for Local Group Policy – User Configuration.
- Navigate to the C:\Windows\System32\GroupPolicy folder, right-click it and select Properties.
- Click the Security tab on the GroupPolicy Properties dialog box. (Fig. 07)
- Highlight the Group or Username that you want to exclude from being affected by the User Configuration part of Local Group Policy.
- In the Permissions section, change the Read permission from Allow to Deny.
- Click Allow. Click OK.
Fig. 07
In the example above, Administrators was selected and the Read permission changed to Deny. Selecting Administrators automatically includes Admin #1 and Admin #2, so they can run Messenger while User #1 and User #2 are prohibited by Group Policy from running Messenger. It’s certainly possible to create new groups using Computer Management to organize the machine’s users, and using the Add and Remove buttons in Fig. 07 those groups can be controlled for Group Policy purposes. Still, unless you move to a server product and use Active Directory, this workaround is limited to the User Configuration section of Local Group Policy, and because of the one-Local-Group-Policy-object limitation it only provides an On/Off function: a group either receives the whole User Configuration or none of it.
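The Fig. 07 steps scripted with Get-Acl/Set-Acl, as an added example that is not from the article. It assumes an elevated PowerShell session and that the group to exclude is a local group such as BUILTIN\Administrators (the one chosen above); the function and variable names are mine.

```powershell
# Added example (not the article's code). Run elevated; $Identity is a local group.
$GroupPolicyPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function New-GpReadDenyRule {
    param([string]$Identity)
    # Explorer's basic "Read" permission is FileSystemRights.Read. Inheritance flags
    # push the Deny down to User\Registry.pol, so it is not read for this group at logon.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
}

function Add-LocalUserPolicyExclusion {
    # Steps 2-6 above: add a Deny Read entry for the group on the GroupPolicy folder.
    param([string]$Identity, [string]$Path = $GroupPolicyPath)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-GpReadDenyRule -Identity $Identity))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-LocalUserPolicyExclusion {
    # The "Final Note" fix: remove the Deny entry so the group is governed again and
    # gpedit.msc stops reporting Access Denied. Deny Read also denies READ_CONTROL, so
    # this must run as the folder owner (or after taking ownership) to read the ACL.
    param([string]$Identity, [string]$Path = $GroupPolicyPath)
    $acl = Get-Acl -LiteralPath $Path
    [void]$acl.RemoveAccessRule((New-GpReadDenyRule -Identity $Identity))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-LocalUserPolicyExclusion {
    # Check: every explicit (non-inherited) Deny entry on the folder is an excluded group.
    param([string]$Path = $GroupPolicyPath)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights
}

# Mirror the article: Administrators keep Messenger, all other users get the restriction.
Add-LocalUserPolicyExclusion -Identity 'BUILTIN\Administrators'
Get-LocalUserPolicyExclusion
```

Because the exclusion is only an NTFS Read entry, Get-LocalUserPolicyExclusion is the quickest way to audit which groups are currently skipping the User Configuration on a shared machine.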
A Final Note
After experimenting with Group Policy you may find that when you go back to make additional changes you receive an Access Denied error when accessing the Group Policy settings. This is the Deny Read entry doing its job against your own account. Navigate back to the GroupPolicy Properties dialog box and reset the account’s permissions to Full Control.