Filtering Administrators From Local Computer Policy

Friday, October 28, 2011

In some cases, you may find yourself needing to use Local Computer Policy. This may be because you do not have an Active Directory domain, or because you have to apply a set of policies to only one computer or a small subset of computers and prefer local policy over Group Policy. In a domain environment, you should shy away from local computer policy for a simple reason: a Group Policy Object linked at the site, domain, or organizational unit (OU) level has the potential to override your local settings.

Assuming that you do continue down the path of using local computer policy, you will quickly discover that the local policy applies to every user who logs on to the computer, including Administrators. Applying local policy to all users may not be what you intended. Fortunately, there is a workaround that is easy to implement and maintain.

A hard drive formatted with the NTFS file system lets you secure resources with a discretionary access control list (DACL); in essence, you can allow or deny access to specific users or groups. We can take advantage of this feature because the local computer policy files are stored in a folder under the %systemroot% directory, specifically %systemroot%\system32\GroupPolicy. To filter out the users that you do not want the local policy to apply to, simply assign the DENY READ permission on that folder to any user or group of your choice. Note that the GroupPolicy folder is hidden by default, so you will need to configure Explorer to show hidden folders before you can change the NTFS permissions on it. After you restart the computer, the settings in your policy will take effect for everyone except the principals you denied.
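The same filter, applied from an elevated PowerShell prompt instead of the Explorer security tab, as an added example that is not part of the original post. It assumes the principal name you pass (the example names `BUILTIN\Administrators` and `CONTOSO\helpdesk` are placeholders) resolves on the machine, and it uses only the standard `Get-Acl`/`Set-Acl` cmdlets and the .NET `FileSystemAccessRule` class; the hidden attribute on the folder does not matter to these cmdlets, so no Explorer setting is required.

```powershell
# Added example (not from the original post): add or remove a Deny-Read ACE on the
# local GPO folder so that Local Computer Policy stops applying to one principal.
# Assumes an elevated session and a valid local or domain principal name.
param(
    [Parameter(Mandatory)][string]$Identity,   # e.g. 'BUILTIN\Administrators' or 'CONTOSO\helpdesk' (example names)
    [switch]$Remove                            # pass -Remove to undo the filter
)

$gpoPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'
if (-not (Test-Path -LiteralPath $gpoPath)) {
    throw "Local GPO folder not found: $gpoPath (no local policy has been created yet)"
}

# Deny the Read right; ContainerInherit + ObjectInherit pushes the ACE down to
# the Machine/User subfolders and the Registry.pol files inside them.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $gpoPath
if ($Remove) {
    $acl.RemoveAccessRule($rule) | Out-Null
} else {
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $gpoPath -AclObject $acl

# Verify: show the explicit (non-inherited) ACEs now present on the folder.
(Get-Acl -LiteralPath $gpoPath).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

Two practical points when using this. Deny the group you actually want to exempt and nothing broader: the Group Policy client runs as SYSTEM and reads the same folder, so a Deny on Everyone, SYSTEM, or Authenticated Users breaks policy processing for all users rather than filtering it. And because a Deny ACE on an Administrators-class group is only a speed bump (an administrator can take ownership and remove it), treat this as a convenience filter, not a security boundary; a Group Policy Object applied from the domain remains the way to enforce settings that administrators must not be able to opt out of.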

[Screenshot: local GPO filtering]

