March 27, 2008

How do I… Apply local Windows XP restrictions with the Group Policy Console

Takeaway: In a domain environment, you can control workstations centrally with group policies from the domain. However, if you don't have a server, you can still use group policies locally in Microsoft Windows XP. Here's how, using the Group Policy Console.

Keeping users focused, on track, and out of trouble is sometimes a dicey proposition. Since nothing is foolproof to a sufficiently talented fool, it's tough to keep users out of off-limits places and applications. Even though you have to be an administrator to make most system configuration changes, unwary users can still do damage to their machines. In addition, there's always the lure of the Internet Explorer icon right on users' desktops, tempting them away from work. And even the network sometimes proves to be a dangerous place for some users. The solution for these wayward users is to apply restrictions to what they can and can't do.


This article was originally published on January 19, 2006.
Group policies

In a domain environment, you can use group policies to apply restrictions at several levels, including domain, site, and organizational unit (OU). For example, you can configure the interface to hide drives in My Computer, hide the Internet Explorer icon, disable Add/Remove Programs, and use a boatload of other restrictions to keep users focused and out of trouble. You can apply the restrictions on a per-user or per-group basis, giving you very granular control over who can do what, when, and where. Keep in mind that many of these settings are interface restrictions rather than access controls: hiding a drive in My Computer, for instance, does not prevent a user from reaching it from a command prompt or the Run dialog, so treat them as a way to keep honest users on track, not as a security boundary.

In a workgroup environment, however, accomplishing the same thing is a lot tougher, because there is only one local Group Policy object and its User Configuration applies to every account that logs on to the machine, administrators included, regardless of group membership. But with a little finesse, you can apply restrictions to individual users.

The Group Policy console

You use the Group Policy console to apply restrictions. Before you go rushing off to lock down your users, however, keep this in mind: The changes you're going to make will initially affect the local administrator account on each computer. Don't apply any restrictions that will prevent you from later removing the restrictions from the administrator account. You might want to temporarily create a second account with membership in the Administrators group to use in case you have problems and need to undo the restrictions. Also be aware that the trick described below depends on the administrator's later logons not reapplying the restored policy file; running gpupdate /force as the administrator, or editing the local policy again in the Group Policy console, will apply the restored restrictions to the administrator account as well.

Here's how to fool Windows XP Professional into using different restrictions for users:

  1. Log on as Administrator.
  2. Go to Start | Run and enter Gpedit.msc in the Open dialog box to start the Group Policy console shown in Figure A.
  3. Open the User Configuration/Administrative Templates branch and change settings as desired to enable the restrictions you want. The settings for each restriction vary.
  4. Close the Group Policy console and log off; then log on again as Administrator to apply the change.
  5. Log off and log on as another user to verify that the restrictions are applied. Log off and then log on as each of the other users, in turn, to whom you want to apply the restrictions. Each logon writes the restrictions into that user's registry.
  6. Log on as Administrator and copy the file %systemroot%\System32\GroupPolicy\User\registry.pol to a backup location and name it UserReg.pol. Copy the file %systemroot%\System32\GroupPolicy\Machine\registry.pol to the same backup location and name it MachineReg.pol.
  7. Open the Group Policy console and remove the restrictions applied in step three. In some cases, you might need to use the opposite setting from the one applied in step three. For example, if you selected Enable to apply a given restriction, choose Disable to remove the restriction, rather than Not Configured. Disable writes an entry that clears the restriction in the administrator's registry at the next logon; Not Configured merely drops the entry from registry.pol and leaves whatever is already in the registry alone.
  8. Close the Group Policy console and then copy the backup UserReg.pol file created in step six back to %systemroot%\System32\GroupPolicy\User\registry.pol, renaming it Registry.pol. Copy the backup MachineReg.pol created in step six back to %systemroot%\System32\GroupPolicy\Machine\registry.pol, again renaming it Registry.pol.
  9. Log off as Administrator and log on as one of the restricted users to verify that the restrictions are in place. Log off and then log back on as Administrator to verify that the restrictions are not applied to the administrator account. As long as you didn't use your own nonadministrator account to log on in step five, that account will not have the restrictions applied.
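Steps six and eight shuffle Registry.pol files around blind, so it is worth being able to look inside the backup before you copy it back and confirm it still holds the restrictions you expect. The following is an added example, not part of the original article: a small Python script that builds and parses the Registry.pol ("PReg") format gpedit.msc writes, using the layout documented in Microsoft's MS-GPREG specification. The three sample restrictions (hide the Internet Explorer icon, disable Add/Remove Programs, hide drive C:) are constructed for the demonstration, and the deletion entry shown with the **del. prefix is the form the specification uses to tell the client to remove a value; the file name inspect_pol.py and the helper names are this example's own.

```python
"""Build and inspect a Windows Registry.pol file (the 'PReg' format written to
%systemroot%\\System32\\GroupPolicy\\{User,Machine}\\Registry.pol).

Layout per MS-GPREG: 4-byte signature 'PReg', DWORD version 1, then zero or
more entries of the form  [key;value;type;size;data]  where '[', ';' and ']'
are UTF-16LE characters, key and value are NUL-terminated UTF-16LE strings,
type and size are little-endian DWORDs, and data is `size` raw bytes.
"""
import struct
import sys

PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
UNINSTALL = r"Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall"


def dword(n):
    return struct.pack("<I", n)


def _utf16(s):
    return s.encode("utf-16-le")


# Constructed sample: the three restrictions named in the article.
RESTRICTED = [
    (EXPLORER, "NoInternetIcon", REG_DWORD, dword(1)),        # hide IE desktop icon
    (UNINSTALL, "NoAddRemovePrograms", REG_DWORD, dword(1)),  # disable Add/Remove Programs
    (EXPLORER, "NoDrives", REG_DWORD, dword(0x4)),            # bitmask: bit 2 = drive C:
]
# Constructed sample of a deletion entry: '**del.' tells the client to delete the value.
DELETE_IE_ICON = (EXPLORER, "**del.NoInternetIcon", REG_SZ, _utf16(" ") + b"\x00\x00")


def build_registry_pol(entries):
    """Serialize (key, value_name, reg_type, data_bytes) tuples into PReg bytes."""
    out = bytearray(PREG_SIGNATURE + dword(PREG_VERSION))
    for key, name, reg_type, data in entries:
        out += _utf16("[") + _utf16(key) + b"\x00\x00" + _utf16(";")
        out += _utf16(name) + b"\x00\x00" + _utf16(";")
        out += dword(reg_type) + _utf16(";") + dword(len(data)) + _utf16(";")
        out += data + _utf16("]")
    return bytes(out)


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _utf16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after NUL)."""
    end = pos
    while True:
        unit = buf[end:end + 2]
        if len(unit) < 2:
            raise ValueError("unterminated string in Registry.pol")
        if unit == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def parse_registry_pol(buf):
    """Parse PReg bytes back into (key, value_name, reg_type, data_bytes) tuples."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a Registry.pol file (missing PReg signature)")
    (version,) = struct.unpack_from("<I", buf, 4)
    if version != PREG_VERSION:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        (reg_type,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data = bytes(buf[pos:pos + size])
        pos = _expect(buf, pos + size, "]")
        entries.append((key, name, reg_type, data))
    return entries


def describe(entries):
    """One readable line per entry; deletion entries are flagged separately."""
    lines = []
    for key, name, reg_type, data in entries:
        if name.startswith("**del."):
            lines.append(f"DELETE {key}\\{name[6:]}")
        elif reg_type == REG_DWORD and len(data) == 4:
            lines.append(f"SET    {key}\\{name} = {struct.unpack('<I', data)[0]:#x} (REG_DWORD)")
        elif reg_type == REG_SZ:
            lines.append(f"SET    {key}\\{name} = {data.decode('utf-16-le').rstrip(chr(0))!r} (REG_SZ)")
        else:
            lines.append(f"SET    {key}\\{name} = {data.hex()} (type {reg_type})")
    return lines


if __name__ == "__main__":
    # Usage: python inspect_pol.py C:\backup\UserReg.pol   (no argument: show the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_registry_pol(RESTRICTED + [DELETE_IE_ICON])
    for line in describe(parse_registry_pol(blob)):
        print(line)
```

Run it against the UserReg.pol you saved in step six before restoring it in step eight: every restriction should appear as a SET line, and a DELETE line for a value you meant to keep restricted means you saved the file after, not before, disabling the setting in step seven.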

Figure A

Group Policy console