Did you find this useful?
Socialize it today.

Filtering Administrators From Local Computer Policy

Friday, October 28, 2011

In some cases, you may find yourself with the need to use Local Computer Policies. This may be because you do not have an Active Directory domain, or you simply have to apply a set of policies to only one computer or a small subset of computers and you prefer to use local policy rather than group policy. In a domain environment, you should always try to shy away from using local computer policies for the simple fact that a group policy linked to the site, domain, or organizational unit (OU) level has the potential for overwriting your local settings.

Assuming that you do continue down the path of using local computer policies, you will quickly figure out that the local policy will apply to all users that log onto the computer, even Administrators. Applying local policy to all users may not be exactly what you intended for. Fortunately, there is a work-around that is easy to implement and maintain.

A hard drive formatted using the NTFS file system provides the ability to secure resources using a discretionary access control list (DACL). In essence, you could allow or deny access to certain users or groups. We can take advantage of this powerful feature. Fortunately, the local computer policy files are stored in a folder within the %systemroot% directory, specifically at this location: %systemroot%\system32\GroupPolicy. The way to filter out the users that you do not want the local policy to apply to is to simply assign the DENY READ permission to any user or group of your choice. You may note that GroupPolicy folder is hidden by default. You will need to configure your system to show hidden folders before you can change the NTFS permissions on the folder. Restart the computer the settings in your policy will take effect.

local GPO filtering

Please help us spread the word by socializing it today!

email contact us

Did you find something wrong with the information on this page? Please take a moment to report it to us so that we can continue to improve the quality of the information on this site. Click here to report an issue with this page.

Recommended Books & Training Resources

MCITP Windows Server 2008 Enterprise Administrator: Training Kit 4-Pack: Exams 70-640 70-642 70-643 70-647 Windows Server 2008 R2 Unleashed