The magic of Win 2003's local policy

When using a Windows Server 2003-based computer in a workgroup setting instead of a domain, you might need to implement a local policy on that computer that can be applied to all users of that computer, but not to administrators. With this exception, administrators can retain unrestricted access and control of the computer and can also restrict who can log in to the computer.

Apply local policies to all users except administrators

To implement local policies for all users except administrators, perform the following steps:

Log in to the computer as an administrator.

Open the local security policy. To do this, do the following:

Click Start, click Run, type gpedit.msc, and then press ENTER.

Or click Start, click Run, type mmc, press ENTER, add “Group Policy Object Editor”, then configure it for your local security policy.

If removing the Run command is one of the policies you need, Microsoft recommends that you edit the policy through the Microsoft Management Console (MMC) and save the result as an icon. This way, you don't need to use the Run command to reopen the policy.

Expand the User Configuration object and then expand the Administrative Templates object.

Enable any policy you need (for example, “Hide ‘My Network Places’” or “Hide the Internet Explorer icon on the desktop”).

Note: Be sure to choose the right policy, otherwise you may limit the ability of the administrator to log in to the computer (and complete the steps required to configure the computer). Microsoft recommends that you document any changes you make.

Close the Gpedit.msc “Group Policy” snap-in, or, if you use MMC, save the console as an icon so you can access it later, and then log out of the computer.

Log in to the computer as an administrator.

You can verify previous policy changes in this login session because local policies are applied to all users, including administrators, by default.

Log out of the computer and log in to the computer as each of the other users to whom you want these policies applied. The policies are implemented for all of these users and for administrators.

Note: These policies cannot be implemented for any user account that is not logged into the computer at this step.

Log in to the computer as an administrator.

Click Start, point to Control Panel, and then click Folder Options. Select the View tab, check “Show hidden files and folders”, then click OK to view the hidden “Group Policy” folder. Alternatively, open “Windows Explorer”, click Tools, then click Folder Options to view these settings.

Copy the Registry.pol file located in the %Systemroot%\System32\GroupPolicy\User folder to the backup location (for example, to another hard disk, floppy disk, or folder).

Use the Gpedit.msc “Group Policy” snap-in or your MMC icon to open the local policy again and then enable the actual features that were disabled in the original policy created for this computer.

Note: When you do this, the "policy editor" creates a new Registry.pol file.

Close the Policy Editor and copy the backup Registry.pol file back into the %Systemroot%\System32\GroupPolicy\User folder.

When prompted to replace an existing file, click Yes.

Log out of the computer and log in as an administrator.

Since you are logged in to the computer as an administrator, you can verify that the initial changes were not implemented. Log out of the computer and log in as another user.

Since you are logged in to the computer as a user (not an administrator), you can verify that the initial changes were implemented.

Log in to the computer as an administrator to confirm that the local policy does not affect your ability to log in to the computer as a local administrator.
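Before copying the backup Registry.pol back over the regenerated one, it helps to see exactly which settings the two files disagree on. The following is an added example, not part of the original article: a Python parser for the Registry.pol file format (a “PReg” header followed by UTF-16LE [key;value;type;size;data] records) that lists the differing values. The function names are hypothetical and the two sample files are constructed in the code.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)   # signature, then format version 1

def _expect(blob, pos, ch):  # check a UTF-16LE delimiter at pos, step over it
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_str(blob, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_pol(blob):
    """Return {(key, value): (type, data)} for every record in the file."""
    if blob[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, {}
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_str(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_str(blob, pos)
        pos = _expect(blob, pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        out[(key, value)] = (reg_type, blob[pos:pos + size])
        pos = _expect(blob, pos + size, "]")
    return out

def _record(key, value, dword):  # sample builder: one REG_DWORD (type 4) record
    u = lambda s: s.encode("utf-16-le")
    return (u(f"[{key}\0;{value}\0;") + struct.pack("<I", 4) + u(";")
            + struct.pack("<I", 4) + u(";") + struct.pack("<I", dword) + u("]"))

def changed_settings(backup, current):
    """Value names whose entry in the backup differs from the current file."""
    b, c = parse_pol(backup), parse_pol(current)
    return sorted(k[1] for k in b if b[k] != c.get(k))

# Constructed sample files, not taken from a real machine.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
BACKUP = HEADER + _record(EXPLORER, "NoNetHood", 1) + _record(EXPLORER, "NoRun", 1)
CURRENT = HEADER + _record(EXPLORER, "NoNetHood", 0) + _record(EXPLORER, "NoRun", 1)
```

On a real system, pass the bytes of the backup copy and of %Systemroot%\System32\GroupPolicy\User\Registry.pol to changed_settings and compare the result with the changes you documented.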

Reverting the original local policy

To undo the process described in the "Apply local policies to all users except administrators" section, follow these steps:

Log in to the computer as an administrator.

Click Start, point to Control Panel, and then click Folder Options. Click the View tab, click “Show hidden files and folders”, and click OK to view the hidden “Group Policy” folder. Alternatively, open “Windows Explorer”, click Tools, then click Folder Options.

Move, rename, or delete the Registry.pol file from the %Systemroot%\System32\GroupPolicy\User folder.

After you log out of your computer or restart your computer, “Windows File Protection” will create another default Registry.pol file.

Open the local policy. To do this, click Start, click Run, and type gpedit.msc. Alternatively, click Start, click Run, type mmc, and load the local security policy. Then, set every item that is set to Disabled or Enabled to Not Configured to undo any policy changes that the Registry.pol file made to the Windows Server 2003 registry.

Log out of the computer as an administrator and log in to the computer as an administrator again.

Log out of the computer and log in as each of the other users on the local computer, so that the changes are also undone for their accounts.
