HOW TO: Apply Local Policies to All Users Except Administrators on Windows Server 2003 in a Workgroup Setting (325351)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
This article was previously published under Q325351

SUMMARY

This article describes how to apply local policies to all users except administrators on a Windows Server 2003-based computer that is in a workgroup setting.

When you use a Windows Server 2003-based computer in a workgroup setting (not a domain), you may have to implement local policies on that computer that can apply to all users of that computer, but not to administrators. This exception permits the administrator to retain unlimited access and control of the computer, and also permits the administrator to restrict the users who can log on to that computer.

The Windows Server 2003-based computer must be in a workgroup setting for this procedure to work. In this situation, the domain policies cannot overwrite the local policies because the domain policies do not exist. Microsoft recommends that you make backup copies of all the files that you edit during this procedure.

Apply Local Policies to All Users Except Administrators

To apply local policies to all users except administrators, follow these steps:
- Log on to the computer as an administrator.
- Open your local security policy. To do this, do one of the following:
  - Click Start, click Run, type gpedit.msc, and then press ENTER.
  -or-
  - Click Start, click Run, type mmc, press ENTER, add the Group Policy Object Editor, and then configure it for the local security policy.
  If the removal of the Run command is one of the policies that you want, Microsoft recommends that you edit the policy by means of Microsoft Management Console (MMC), and then save the results as an icon. Then, you do not need the Run command to reopen the policy.
- Expand the User Configuration object, and then expand the Administrative Templates object.
- Enable the policies that you want (for example, Desktop for "Hide My Network Places" or "Hide Internet Explorer Icon on Desktop").
  NOTE: Make sure that you select the correct policies; otherwise, you may restrict the ability of the administrator to log on to the computer (and to complete the necessary steps to configure the computer). Microsoft recommends that you record any changes that you make (you can also use this information for step 10).
- Close the Gpedit.msc Group Policy snap-in. Or, if you use MMC, save the console as an icon to make it accessible later, and then log off the computer.
- Log on to the computer as an administrator.
  You can verify in this logon session the policy changes that were made earlier, because, by default, the local policies apply to all users, which includes administrators.
- Log off the computer, and then log on to the computer as all of the other users for this computer for whom you want these policies to apply. The policies are implemented for all of these users and the administrator.
  NOTE: Any user account that is not logged on to the computer at this step cannot have the policies implemented for that account.
- Log on to the computer as an administrator.
- Click Start, point to Control Panel, and then click Folder Options. Click the View tab, click Show Hidden Files and Folders, and
then click OK so that you can view the Group Policy hidden folder. Or, open
Windows Explorer, click Tools, and then click Folder Options to view these settings.
- Copy the Registry.pol file that is located in the
%Systemroot%\System32\GroupPolicy\User folder to a backup location (for
example, to a different hard disk, floppy disk, or folder).
- Open your local policy again by using either the Gpedit.msc Group Policy snap-in or your MMC icon, and then enable the exact features that were disabled in the original policy that was created for that computer.
  NOTE: When you do this, Policy Editor creates a new Registry.pol file.
- Close your policy editor, and then copy the backup Registry.pol file that you created in step 10 back into the %Systemroot%\System32\GroupPolicy\User folder.
  When you are prompted to replace the existing file, click Yes.
- Log off the computer, and then log on as an administrator.
  You can verify that the changes that were originally made are not implemented for you because you have logged on to the computer as an administrator.
- Log off the computer, and then log on as another user (or users).
  You can verify that the changes that were originally made are implemented for you because you have logged on to the computer as a user (not an administrator) to that computer.
- Log on to the computer as an administrator to verify that the local policy does not affect you as the local administrator to that computer.
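
The procedure above hinges on what the backed-up Registry.pol file contains, and the NOTE recommends recording the changes you make. The following Python code is an added example, not part of the original article or of Microsoft's tooling: it parses the Registry.pol layout (a "PReg" header followed by [key;value;type;size;data] records in UTF-16LE) so that the settings in a backup can be listed before the file is copied back. The sample bytes are constructed, and the value names NoNetHood and NoInternetIcon are assumed to correspond to the two example policies.

```python
PREG_HEADER = b"PReg" + (1).to_bytes(4, "little")  # magic + DWORD version 1
REG_DWORD = 4                                       # registry value type

def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character and return the next offset."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(buf):
    """Return (key, value_name, type, data) per [key;value;type;size;data] record."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_wstr(buf, _expect(buf, pos, "["))
        name, pos = _read_wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype, pos = int.from_bytes(buf[pos:pos + 4], "little"), _expect(buf, pos + 4, ";")
        size, pos = int.from_bytes(buf[pos:pos + 4], "little"), _expect(buf, pos + 4, ";")
        raw, pos = buf[pos:pos + size], _expect(buf, pos + size, "]")  # rejects truncated data
        data = int.from_bytes(raw, "little") if (rtype, size) == (REG_DWORD, 4) else raw
        entries.append((key, name, rtype, data))
    return entries

def summarize(buf):
    """One line per setting, for recording what a backup file will enforce."""
    return [f"{k}\\{n} = {d!r}" for k, n, _type, d in parse_registry_pol(buf)]

def _entry(key, name, rtype, raw):
    """Build one record for the constructed SAMPLE below."""
    w = lambda s: s.encode("utf-16-le")
    return (w(f"[{key}\0;{name}\0;") + rtype.to_bytes(4, "little") + w(";")
            + len(raw).to_bytes(4, "little") + w(";") + raw + w("]"))

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Constructed sample, not a real backup; value names are assumed (see lead-in).
SAMPLE = (PREG_HEADER
          + _entry(EXPLORER, "NoNetHood", REG_DWORD, (1).to_bytes(4, "little"))
          + _entry(EXPLORER, "NoInternetIcon", REG_DWORD, (1).to_bytes(4, "little")))
```

To check a real backup, pass the bytes of the copied Registry.pol file to summarize() in place of SAMPLE and compare the output with the changes you recorded.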

Restore Original Local Policies

To reverse the process described in the "Apply Local Policies to All Users Except Administrators" section of this article, follow these steps:
- Log on to the computer as an administrator.
- Click Start, point to Control Panel, and then click Folder Options. Click the View tab, click Show Hidden Files and Folders, and
then click OK so that you can view the Group Policy hidden folder. Or, open
Windows Explorer, click Tools, and then click Folder Options.
- Move, rename, or delete the Registry.pol file from the %Systemroot%\System32\GroupPolicy\User folder.
  Another default Registry.pol file is created by the Windows File Protection system after you log off from or restart the computer.
- Open the local policy. To do this, click Start, click Run, and then type gpedit.msc. Or, click Start, click Run, type mmc, and then load the local security policy. Then, set every item that is set to either Disabled or Enabled to Not Configured. This reverses any policy changes that were implemented to the Windows Server 2003 registry as specified by the Registry.pol file.
- Log off the computer as an administrator, and then log on
to the computer again as an administrator.
- Log off the computer, and then log on to the computer as
all of the users on the local computer so that the changes can be reversed on
their accounts too.

Modification Type: Major
Last Reviewed: 10/30/2003
Keywords: kbMgmtServices kbenv kbhowto kbHOWTOmaster KB325351 kbAudITPro