How can I use and apply Group Policy to limited accounts on a single Windows computer?

Izieh November 18, 2010
Ads by Google

So I know how to access Group Policy in Windows. When I change things in there, like removing display settings from the control panel, they are only applied to the account that I accessed the gpedit.msc from, i.e. the admin account. They don’t rollover to the limited account, where I want them to be applied.

Also, is there a Group Policy that allows the limited account to repair a network connection, or is there a way to enable that setting from the limited account? I tried a batch file but the limited account doesn’t have the rights to do it.

  1. Izieh
    December 17, 2010 at 11:45 am

    I don't have an Active Directory, would you mind explaining how to apply group policy to a non-admin user only [in windows XP Pro], Using anything but the Active Directory (alternatively you can show me how to set up an AD without a server).

  2. Anonymous
    November 19, 2010 at 9:20 am

    First you have to give windows version.A user can be an administrator on a local machine without being a domain administrator.However, by default domain administrators are added to the local administrators group of the computers that belong to the domain. Domain controllers (Windows 2000 servers or Windows Server 2003 computers) don’t have functional local administrator accounts; a local administrator account is created when you set up the server, but is disabled when it is promoted to DC. Domain controllers are administered by members of the domain administrators group.

    Some applications require that you be logged on as a local administrator to run them. When giving users administrative rights for this purpose, be sure you give them only local administrative rights; do not make them domain admins. You can add users’ Active Directory accounts to the local administrators group via a logon script or by using Restricted Groups for instructions on how to do this.

    Start Active Directory Users and Computers, right-click the organizational
    unit, and then click Properties.
    Click the Group Policy tab, click NEW, and then name the policy.
    Click the policy, and then click Edit.
    Right-click Restricted Groups (under Computer ConfigurationWindows
    SettingsSecurity SettingsRestricted Groups), and then click Add Group.
    Click Browse. Focused on the local computer, click the group to which you
    want your global group to be a member (in this case, the "Administrators"
    group), click ADD, and then click OK. You are returned to the group policy
    and you see the administrators group listed in the Restricted Groups window.
    Right-click the group, and then click Security.
    To the right side of the Members of this Group box, click ADD, and then
    click Browse.
    Locate the group in the organizational unit that you want to place in the
    administrators group, and then add it the group. After you do so, close the
    group policy.
    At a command prompt, type gpupdate /force, and then press ENTER.

    In Windows Vista and later you can apply policies only to a specific account, but you have to load the group policy object editor from the Microsoft Management Console, not by opening the snapin directly.

    1.Open mmc.exe
    2.When the MMC console opens, click "File" -> "Add/remove snapin"
    3.Select "Group Policy Object Editor" and click the "Add >" button
    4.In the dialog which appears, click "Browse".
    5.Click the "users" tab and select a user.

    6.Click "OK", then "Finish", then "OK" again
    You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer

    You would have to makes these group policy changes from an administrator account, not from the limited account.

    There are two different policy types...those that apply to only users accounts and those that apply to computers.
    When you create your policy you will select...Computer Configuration or User Configuration

    If you want to apply the same settings to all users on specific computer, use loopback procesing.
    "Loopback processing of Group Policy"

    To do this you can create whats called machine policy. First create an AD Group put the computer accounts into that you want to apply the policy. Then just apply that policy to that user group. Then change the policy order to apply before any user policies. Here is great resource if your new to Group Policies If you want the policy you have for your users you can just apply to that active directory group with the computers into it and it will apply, as a computer policy. Please note that you need to figure out how fast the connection speed from the Domain controller to the remote PC, because there are serval constriants when dealing with computer policies. One tool that will make your life easier is group policy manager.

    • Izieh
      November 19, 2010 at 11:31 am

      Okay sorry, I have Windows XP Pro. I'm not using a server or network, I have one computer and I'd like to allow the limited user to have some added permissions.