Print
The group policy editor, as you’ve used it so far, is excellent for making changes to an entire system. But what should you do if you want to have several accounts on a single machine with different policies for each? For instance, what if you want to have an account for your friends to use, but you don’t want them installing stuff on your computer, or you’d like an account for your kids, which can’t change settings or delete files? Windows has made this possible in Windows Vista and later, with Multiple Local Group Policy Objects.
You are able to manage multiple policy objects by creating a custom control console, using the Microsoft Management Console. This console will contain 4 group policy editor "snap-ins," each with a different domain. One will effect the entire system, one will effect all administrator accounts, one will effect all non-administrator accounts, and one will effect a specific user account that you have created. When there are contradictions in group policy, the most narrowly-defined group takes precedence. That is to say, if you define one policy for the entire computer, and a conflicting policy for a single account,the policy specified for the single account will be the one applied.
Here’s how to set up a custom control panel with the ability to assign group policy to individual accounts:
1. If you don’t already have a secondary account on your computer, create a new one. This can be done by right clicking on My Computer and selecting Manage, then navigating to the Local Users and Groups > Users tab, and right-clicking. Make sure that the new account you create is not an administrator.
2. From your computer’s administrator account, open the Run dialogue, and type mmc.exe.
3. In the window labeled Console1, click on File > Add/Remove Snap-in.
4. From the Available Snap-ins list in the dialogue box that opens up, select Group Policy Object Editor, then click Add.
5. Another dialogue box, labeled Select Group Policy Object will open up. Under “Group Policy Object,” the Local Computer option should be selected. Click Finish.
6. Repeat steps 4-5, but when you get to the Select Group Policy Object dialogue box, click Browse and select the group called Administrators. Repeat this process two more times, once selecting the group called Non-Administrators and once selecting the individual account you want to be able to create policies for.
7. Finally, in the Console1 window, click File > Save, and choose a name and a location to save your custom console to. You’ll run this console whenever you want to edit group policy settings.
Now, you've got a single control console with policy editors that will allow you to specify exactly which policies apply to which users. Stricly speaking, you don't need the consoles for Administrator and non-Administrator Users if you just want to make one account with different policies, but it doesn't hurt to include them in the console, and including them illustrates how you can apply group policy to user groups, as well as individual users.
Comments are closed on this article
sleeperdoodledoo
October 14, 2009 at 1:56am
When I got to open gpedit.msc it opens with the wrong path and gives me this big ole error box! In the path it uses the old command (starts with an S) and I realized after 2 years I had been ignoring it and therefore eventually crashing! Can you tell me how to change the path?
(%windir%\security\database\secedit.sdb) I don't know how to change this and if I do does gpedit.msc have a database?
This is very tricky.
Thank you!-Sleeper
Blessed Are The Merciful For They Shall Obtain Mercy
JCBarry
October 07, 2009 at 11:55am
One of the most useful things I use gpedit for is logon and logoff scripts.
Quick and easy way to do it:
- Start.
- Run.
- gpedit.msc
- User Configuration > Windows Settings > Scripts (logon/logoff)
It's pretty self explanatory after that. I run some scripted backups using this method.
Jay Barry
MaxPC Profile | Jason Barry
COMMANDER_COOK
October 07, 2009 at 6:40am
Un-doing group policy settings is easy, here's how:
Just delete all files in C:\windows\system32\GroupPolicy
savage4naves
October 07, 2009 at 6:25am
There are multiple free programs online that allow you to customize your Windows 7 logon screen wallpaper
Sovereign
October 07, 2009 at 11:04am
http://tweaks.com/software/tweakslogon/
That is the fastest free way to do it. It even makes the image compliant with the 245kB size requirement without requiring anything more from the user than a simple button click.
