Group Policy per user

[Nick]

I have seen various pieces of information regarding Group
Policy when searching on the Internet. Many say there are
work arounds to setting individual policies on each user,
but nobody seems to know or be willing to tell how to
accomplish that. I am using XP Pro on my own pc, although
on a network, the policies would be in effect only on my
machine. An article on Microsoft's site explains how to
set group policy for non-administrative users, but when I
have gone through that process, it applies only to the one
user that I administrative account that I have applied the
changes in. All other admin accounts are blocked from
access to the disabled features. The article number is:
293655. I understand that the article is for Win 2000
Pro, but I figure enough of the basics should stay the
same for this to work. Also, I have seen that Doug Knox
has some software that can help with this. Not that I
don't want or need the software, but I would like to know
how to do this manually as well if it is possible. Can
anyone provide assistance with this matter? I would
greatly appreciate it.

 

[Doug Knox MS-MVP]

The User level group policies are Per-User. So when you log into the machine as the Administrator, copy the Registry.pol file, make your GPEDIT changes, then copy the Registry.pol file back, you've only affected the Administrator. You need to repeat these steps for all Administrator level users.

9) Copy the Registry.pol file that is located in the %Systemroot%\System32\GroupPolicy\User folder to a backup location (for example, to a different hard disk, to a floppy disk, or to a folder).

10) Open your local policy again by using either the Group Policy Object Editor or your MMC console icon, and then reverse the changes that you made in step 3. For example, to reverse the changes that you made in step 3, double-click Hide My Network Places icon on desktop, click Disabled, click Apply, and then click OK.

Note When you do this, Policy Editor creates a new Registry.pol file.

11) Close Group Policy Object Editor or MMC, and then copy the backup Registry.pol file that you created in step 9 back to the %Systemroot%\System32\GroupPolicy\User folder.

When you are prompted to replace the existing file, click Yes.

12) Log off from the computer, and then log on to the computer as an administrator. You can see that the changes that you made in step 3 are not implemented because you have logged on to the computer as an administrator.

Otherwise, you have to manipulate each User's Registry (NTUSER.DAT file) manually, via Regedit, or some 3rd party application, like mine.

You might want to try this as an alternate method. Say you have 6 accounts on the computer. 2 Administrator and 3 Users, plus the built in Administrator account.

User1 = Admin
User2 = Admin
User3 thru 5 = Users

1) Log in to the computer with the built in Administrator account.
2) Copy the NTUSER.DAT files for User1 and User2 to a different folder. Do not delete them, just copy them.
3) Log off the Administrator and log in to User1's account.
4) Copy the Administrators NTUSER.DAT file to a different folder.
5) Still logged into User1's account, open GPEDIT.MSC and apply all the changes that you want, then close GPEDIT.
6) Log off User1, and log into each user account on the system, including the built in Administrator.
7) Log off the last account you used and log back in as User1.
6) Replace the Administrator and User2's NTUSER.DAT files with the backed up copies.
7) Log off User1 and log into the Administrator account.
8) Replace User1's NTUSER.DAT file with the backed up copy.