Can gpedit.msc be used to only affect certain user accounts?

By fnanfne
Hi forum readers.

I've been doing my own research for some time and exhausted all possible avenues (even my good friend Google), but I'm still at an impasse with no straight answer. (I even asked Leo!)

My question is about restricting only certain users from performing various actions using Windows. I've been using SiteCafe (from Provisio) for a long time, but due to the recession, I've had to make some cuts. I don't charge my members to use our internet, but I do want to restrict them from doing anything other than browsing the Internet and playing the games already installed on the systems.

I've been using the Group Policy Editor (gpedit.msc) and it does work extremely well, but the settings in GPE get applied to the whole system and not just to a specific user (user config / computer config).

So I have to leave all the computers insecure just so I can administer them from time to time. In other words, I can't disable the command prompt because then I won't be able to access gpedit.msc any more.

So just to summarize:

Can gpedit.msc be used to only affect certain user accounts? and
Could this be done on a domain to ease administration?

Thanks for reading!

All Answers


by Wizard-09 In reply to Can gpedit.msc be used to ...

GPO can be used, and is best suited, for a domain. You can use GP Edit to lock down the workstation for users and groups. The below may be of some help to you; it will show you how to do it locally.

Hope it helps you out.


by fnanfne In reply to Yes

Thank you Wizard-09, now I know how to implement gpedit a lot better in a non-domain environment. I wondered why Microsoft didn't have a simpler solution, but then I found they have! It's called SteadyState, from Microsoft.

Thanks again!

Of course

by Brenton Keegan In reply to Can gpedit.msc be used to ...

You asked if it can be done on a domain, and the answer to that is yes, it's what it's designed to do.

I assume you have a Windows domain server. Part of the functionality of a domain server is really as a group policy server.

Download the Group Policy Management Console:

Open the console and connect it to your domain controllers (or one of your domain controllers). You should see an A/D OU structure.

You can create "Group Policy Objects" which change a particular setting. You should be able to right-click on Group Policy Objects and create a new GPO. Then you should be able to right-click on it and edit it. It will bring up the familiar gpedit.msc console. Keep in mind that you want to edit user settings and not computer settings if you want the settings to be specific to the user.

To specify which users it applies to, go back to the Group Policy Management Console and define the scope. I'd use a security group. Then link the GPO in the OU that has the user accounts.

This is not a step-by-step guide. Just an off the top of my head explanation of how to do it. Should point you in the right direction.

Thank you!

by fnanfne In reply to Of course

I have successfully created and used a GPO following your advice.
But I almost made a big booboo because a new GPO includes all Administrator accounts by default!

I decided to only change a few settings in order to test it out. I then restarted my server (updates were installed) and also saw the GPO working with the user accounts on the other PCs.

When I logged back on to the server, I immediately saw the GPO's effect on my Administrator account, whoops! No Start button, system tray or desktop!! Luckily I could still access the command prompt via the Windows Hot Keys, so I quickly amended the GPO.

Thanks again Brenton!


Steven Spray.


by Brenton Keegan In reply to Thank you!

Should have made mention that by default the scope is "Authenticated Users" so basically everyone. You need to remove this from the scope and add the desired security group.

It's also OU specific. So if you link a GPO to an OU it will apply only to AD objects in that OU. It will also be passed down to child OUs. You can tell it not to inherit but that gets messy real fast.
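
The scoping steps discussed in this thread, scripted with the GroupPolicy PowerShell module as an added example (not code posted by anyone in the thread). It scopes the GPO to a security group before linking it, and stops if a Domain Admins member would be caught by it, which is the mistake described above. The GPO name, group name and OU path are hypothetical placeholders, and unlike a plain removal from the scope it leaves "Authenticated Users" with Read (but not Apply) so that computers can still retrieve the policy.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. All names below are hypothetical placeholders.
$GpoName   = 'Member-User-Lockdown'             # GPO to create
$GroupName = 'Internet-Members'                 # security group of restricted users
$TargetOU  = 'OU=Members,DC=example,DC=local'   # OU holding those user accounts

# 1. Create the GPO unlinked, so nothing applies while it is being built.
$gpo = New-GPO -Name $GpoName -Comment 'User-side restrictions for member accounts'

# 2. One user-side setting (HKCU): the "Prevent access to the command prompt" policy.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 1 | Out-Null

# Only user settings are wanted, so switch the computer half off.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Scope: a new GPO applies to "Authenticated Users", i.e. everyone,
#    administrators included. Downgrade that entry from Apply to Read,
#    then grant Apply to the security group only. Read is kept because,
#    since security update MS16-072, user policy is fetched in the
#    computer's context and an unreadable GPO is silently not applied.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Safety check before linking: no Domain Admins member may be in the group.
$admins  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
           Select-Object -ExpandProperty SamAccountName
$overlap = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.SamAccountName -in $admins }
if ($overlap) {
    throw "Refusing to link: admin account(s) in ${GroupName}: $($overlap.SamAccountName -join ', ')"
}

# 5. Show the effective scope, then link the GPO to the OU with the user accounts.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
```

Running `gpresult /r` as one restricted user and as one administrator after the next logon confirms which accounts actually receive the GPO.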