Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows NT
    - Admin Tips
      - Security
        Group Policy without Active Directory

Section(s): Security
Published on Oct 19, 2005.
Last Modified on Oct 19, 2005.
Last Modified by MitchTulloch.
Rated 3.3 out of 5 based on 8 votes.

Can Group Policy be configured on a per-user basis without Active Directory?

A question I often get asked about Group Policy is whether you can have policy settings apply differently to different users on a standalone computer in a workgroup. The reason people ask this is because you can configure Local Group Policy on standalone computers, and this is done two ways:

Using Local Security Policy in Administrative Tools. This method gives you access to a small subset of policy settings for the local machine.
Start --> Run --> gpedit.msc --> OK. This method gives you access to all the policy settings on the local machine.

What people want to know is, can you use either of these tools to configure one set of policy settings for one local user account, and a different set of policy settings for a second local user account. Unfortunately the answer is no--local Group Policy is machine-wide in scope and can't be configured on a per-user basis. You need Active Directory to do that.

Cheers,
Mitch Tulloch
ITreader.net

About MitchTulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see http://www.mtit.com .