Split Policy

By russell.stamper ·
I need a method to set up stand alone computers so that I can restrict users from access certain desktop items, but still let the administrator have full access when the administrator logs in. When I set policies on XP it sets the policies for all users and administrators.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Which items?

by Toivo Talikka In reply to Split Policy

Instead of storing all the desktop icons in the Desktop folder of the profile 'All Users', you can tailor the desktop folder in each user's profile.

If you want to prevent ordinary users from modifying certain settings, make those users Limited Users instead of Administrators.

Collapse -

Split Policy

by russell.stamper In reply to Which items?

Basically, I have students. And they like to try what ever they can to disrupt and change settings. We are on one workgroup so I can?t use domain policies. The students need to use only one icon on there desktop and they can not go to the internet or anywhere else. The students should not be able to make any changes or go to any part of the hard drive.

When I login as administrator I go to the run command and type gpedit.msc I can make all the restrictions that I want but they apply to the administrator as well. I need policies that apply only when the student logs in and not to the administrator when the administrator logs in.

Collapse -

Use login scripts

by Toivo Talikka In reply to Split Policy

You can work around the lack of Group Policy Objects by making the changes in a login script. You can store the login script on each PC in C:\Windows\System32\Group Policy\User Scripts\ - the default location in gpedit.msc which you have to use to set it up, unless you want to manually edit the scripts.ini in the folder.

The script will need to check which user is running it, an ordinary, restricted user or the local administrator. I suggest you hard code the login name of the local administrator into the script.

As I suggested in my previous reply, the ordinary users must be 'limited' or restricted users so that they cannot change the settings or peek and poke around the system. You can use any available commands like CACLS in the script. If you think the batch command language is limited, look at KiXtart at

The other option is to make those changes manually by setting the folder access rights and so on while logged in as the local administrator.

If you have heaps of these desktops and especially if you have to wipe them every now and then, you are probably ghosting or cloning them. Still, using either the manual setup or the login script method you should be able to save the restrictions and/or the login script into the disk image and achieve what you want.

Related Discussions

Related Forums