Lockdown by group using Local Computer Policy without Active Directory

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

You want to begin using some of the power of Active Directory's Group Policy Objects (GPOs), but for many reasons it is not available. You have been experimenting with securing your Windows 2000 boxes using the Local Computer Policy. It's a lot easier and safer than registry hacks, but you quickly learn that any policies you set apply to everyone, including the administrator. That is almost never what you want. If %systemdrive% is NTFS, you can use NTFS file and directory permissions to get around this. On Windows 2000 and Windows XP, the User policies of the Local Computer Policy depend on read access to the %systemroot%\system32\GroupPolicy folder. The trick: deny read access to any group you do not want the local policies to apply to. This technique is limited in that you can only have two types of policies per system (the policy either applies to a user or it does not). This doubles the default. You have to go to Active Directory GPOs to implement a fully featured security model.

  • Set your policies via Local Computer Policy.
    If you haven't used the MMC before, build a console first:
    • Click Start | Run, type mmc and press enter
      The Console1 window pops up
    • Click Console
    • Select Add/Remove Snap-in...
    • Click Add button
    • Scroll to Group Policy within the Add Standalone Snap-in dialog
    • Highlight Group Policy snap-in and click Add button.
    • Click Finish when prompted to finish with Local Computer as the Group Policy Object.
    • Click Close
    • Click OK
      The Console1 window is back
    • Change console mode from author to user mode
      • Click Console
      • Click Options
      • Select User mode - limited access - single window from the Console change mode dropdown
      • Click OK (take defaults)
    • Click Console
    • Click Save As...
    • Enter a name of your choice for the console (my policy, wayne's local policy, user policy, whatever)
    • Click Save
    • Exit Console1
    • Edit the local policies as you need
      Your user console is now part of your Administrative Tools:
      • Click Start
      • Select Programs
      • Select Administrative Tools
      • Select Wayne's Local Policy
        or whatever you called the MMC console
  • Set NTFS permissions to explicitly deny Read on the folder %systemroot%\system32\GroupPolicy for the group you do not want the policies to apply to.

    The %systemroot%\system32\GroupPolicy folder is hidden. You will have to change your folder options to display hidden files before you can set permissions on it in Explorer.

  • If the administrator is excluded from the policies, log off and back on.
This technique can be very useful in kiosk or shared-PC environments. This tip is Windows 2000 and Windows XP compatible.
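The same deny-read step, plus a verification listing and an undo, as an added PowerShell example (this is not from the original article and was not available on the Windows 2000 boxes the article targets). It assumes an elevated session running as a local administrator, and the group name "Kiosk Users" is a placeholder for the local group that should not receive the Local Computer Policy user settings; the script name in the usage line is also made up.

```powershell
# Added example, not from the original article: apply, verify or undo the
# deny-read ACE on the GroupPolicy folder from an elevated PowerShell session.
# "Kiosk Users" is a placeholder for the local group that should NOT receive
# the Local Computer Policy user settings; your admin account must not be in it,
# or you lock yourself out of gpedit.msc too.
param(
    [string]$Group = 'Kiosk Users',
    [ValidateSet('Apply', 'Verify', 'Remove')]
    [string]$Action = 'Verify'
)

$folder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# The ACE the article describes: Read, denied, inherited by subfolders and
# files so the policy files under GroupPolicy\User are covered as well.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Group, 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Deny'
)

switch ($Action) {
    'Apply' {
        $acl = Get-Acl -Path $folder
        $acl.AddAccessRule($rule)
        Set-Acl -Path $folder -AclObject $acl
    }
    'Remove' {
        # Recovery path if you locked yourself out: drop the matching Deny ACE.
        # RemoveAccessRule returns $true only when an ACE actually matched.
        $acl = Get-Acl -Path $folder
        if ($acl.RemoveAccessRule($rule)) {
            Set-Acl -Path $folder -AclObject $acl
        }
    }
}

# Always finish by listing the explicit (non-inherited) Deny entries, so you
# can see exactly which groups are excluded and confirm Administrators is not.
Get-Acl -Path $folder |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

Save it as, say, Set-GroupPolicyDeny.ps1 and run `.\Set-GroupPolicyDeny.ps1 -Group 'Kiosk Users' -Action Apply`, then have the affected users log off and on. The group must already exist as a local group, or the ACE cannot be resolved. Because the deny is enforced by the file system rather than by Group Policy itself, a member of the denied group also cannot open the policy in gpedit.msc, which is exactly the lockout the reader note later on this page describes; `-Action Remove` is the way back.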

David sent me the following valuable addition:

However, I ran into a problem... I made %SystemRoot%\system32\GroupPolicy\ accessible by Administrator so I could run gpedit.msc and edit the policy file, and then would make the directory inaccessible by Administrator once I was done. However, some policies take place as soon as you enable them, and I ended up locking myself out of the policy editor :)

If you go into Computer Configuration\Administrative Templates\System\Group Policy and enable "Turn off background refresh of Group Policy", then reboot, it makes using local policies a little easier. It won't enable policies until the user logs back in, so you don't screw up the Administrator account while logged on as it, mucking around with the policies.
