Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows NT
    - Admin Tips
      - Security
        Group Policy without Active Directory

Section(s): Security
Published on Oct 19, 2005.
Last Modified on Oct 19, 2005.
Last Modified by Mitch Tulloch.
Rated 2.8 out of 5 based on 10 votes.

Can Group Policy be configured on a per-user basis without Active Directory?

A question I often get asked about Group Policy is whether you can have policy settings apply differently to different users on a standalone computer in a workgroup. The reason people ask this is because you can configure Local Group Policy on standalone computers, and this is done two ways:

Using Local Security Policy in Administrative Tools. This method gives you access to a small subset of policy settings for the local machine.
Start --> Run --> gpedit.msc --> OK. This method gives you access to all the policy settings on the local machine.

What people want to know is, can you use either of these tools to configure one set of policy settings for one local user account, and a different set of policy settings for a second local user account. Unfortunately the answer is no--local Group Policy is machine-wide in scope and can't be configured on a per-user basis. You need Active Directory to do that.

Cheers,
Mitch Tulloch
ITreader.net

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .