Microsoft KB Archive/293655

= How to apply local policies to all users except administrators in a workgroup setting in Windows 2000 =

Article ID: 293655

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition




This article was previously published under Q293655





IN THIS TASK

 * SUMMARY
 * Apply local policies to all users except administrators
 * Restore original local policies



SUMMARY
This step-by-step article describes how to apply local policies to all users except administrators on a Microsoft Windows 2000-based computer that is in a workgroup setting. The article also describes how to restore the original local policies.

When you use either a Windows 2000 Professional-based or a Windows 2000 Server-based computer in a workgroup setting (not in a domain), you may have to implement local policies on that computer that can apply to all users of that computer, but not to administrators. This exception allows the administrator to have unlimited access and control of the computer, and to be able to restrict the rights of users who log on to that computer.

The Windows 2000 Professional-based computer or Windows 2000-based member server must be in a workgroup setting for this procedure to work. In this situation, the domain policies cannot overwrite the local policies because the domain policies do not exist. Microsoft recommends that you make backup copies of all the files that are edited.


Apply local policies to all users except administrators
To apply local policies to all users except administrators, follow these steps.

Warning: Microsoft strongly recommends that you perform a full backup before you start this procedure.

1. Open Group Policy Object Editor. To do this, click Start, click Run, type gpedit.msc, and then click OK.

   Note: If one of the policies that you want to apply is the removal of the Run command, Microsoft recommends that you use the Microsoft Management Console (MMC) to edit the policy and that you then save the results as an icon so that you will not have to use the Run command to complete some of the other steps in this procedure. To do this, follow these steps:

   a. Click Start, click Run, type mmc, and then click OK.
   b. Click Console, and then click Add/Remove Snap-in.
   c. On the Standalone tab, click Add.
   d. In the Add Standalone Snap-in window, click Group Policy, and then click Add.
   e. In the Group Policy Object box, type Local Computer (if it is not already there), and then click Finish.
   f. In the Add Standalone Snap-in window, click Close.
   g. In the Add/Remove Snap-in dialog box, click OK.
   h. Click Console, click Save.
   i. In the Save in list, click Desktop.
   j. In the File Name box, type a name for the console, and then click Save.

2. Expand User Configuration, and then expand Administrative Templates.

3. Click the folder that contains the policy that you want to enable, double-click a policy, and then enable it. For example, if you want to hide the My Network Places icon, click Desktop, double-click Hide My Network Places icon on desktop, click Enabled, click Apply, and then click OK.

   Note: Make sure that you select the correct policies. Otherwise you may restrict the ability of the administrator to log on to the computer (and complete the necessary steps to configure the computer). Microsoft recommends that you record the changes that you have made.

4. Close the Group Policy Object Editor or MMC, and then log off.

5. Log on to the computer as an administrator. You can see in this logon session that the policy changes that you made are applied. By default, the local policies apply to all users, including administrators.

6. Log off from the computer, and then log on to the computer as one of the non-administrator users of this computer for whom you want these policies to apply. Repeat this step for each user of this computer for whom you want these policies to apply. The policies are implemented for all these users and for the administrator.

   Note: You must log on as each user of the computer. User accounts that do not log on during this step will not have the policies implemented for that account.

7. Log on to the computer as an administrator.

8. Turn on the Show hidden files and folders option. To do so, follow these steps:

   a. Click Start, point to Settings, and then click Control Panel.
   b. Double-click Folder Options, click the View tab, click Show hidden files and folders, and then click OK.

9. Copy the Registry.pol file that is located in the %Systemroot%\System32\GroupPolicy\User folder to a backup location (for example, to a different hard disk, to a floppy disk, or to a folder).

10. Open your local policy again by using either the Group Policy Object Editor or your MMC console icon, and then reverse the changes that you made in step 3. For example, to reverse the changes that you made in step 3, double-click Hide My Network Places icon on desktop, click Disabled, click Apply, and then click OK.

    Note: When you do this, Policy Editor creates a new Registry.pol file.

11. Close Group Policy Object Editor or MMC, and then copy the backup Registry.pol file that you created in step 9 back to the %Systemroot%\System32\GroupPolicy\User folder. When you are prompted to replace the existing file, click Yes.

12. Log off from the computer, and then log on to the computer as an administrator. You can see that the changes that you made in step 3 are not implemented because you have logged on to the computer as an administrator.

13. Log off from the computer, and then log on to the computer as another user (or other users). You can see that the changes that you made in step 3 are implemented because you have logged on to the computer as a user (not as an administrator).

14. Log on to the computer as an administrator to verify that the local policy does not affect you as the local administrator of that computer.
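Before the backup from step 9 is copied back in step 11, it helps to list exactly which policy values that Registry.pol carries, which also gives you the record of changes the procedure recommends keeping. The parser below is an added example, not part of the original article; it assumes the PReg file layout (a `PReg` signature, version 1, then UTF-16LE `[key;value;type;size;data]` records), which the article does not describe, and the sample bytes, including the key path and the `NoNetHood` value name, are constructed.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)          # signature + format version 1
LB, SEP, RB = (c.encode("utf-16-le") for c in "[;]")
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}

def _expect(buf, pos, delim):
    # Consume one UTF-16LE delimiter or fail loudly on a malformed file.
    if buf[pos:pos + 2] != delim:
        raise ValueError(f"malformed record at offset {pos}")
    return pos + 2

def _read_str(buf, pos):
    # Read a NUL-terminated UTF-16LE string; return (text, next offset).
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if buf[end:end + 2] != b"\x00\x00":
        raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(buf):
    """Return [(key, value, type_name, data), ...] from Registry.pol bytes."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_str(buf, _expect(buf, pos, LB))
        value, pos = _read_str(buf, _expect(buf, pos, SEP))
        (rtype,) = struct.unpack_from("<I", buf, _expect(buf, pos, SEP))
        (size,) = struct.unpack_from("<I", buf, _expect(buf, pos + 6, SEP))
        start = _expect(buf, pos + 12, SEP)
        data = buf[start:start + size]
        pos = _expect(buf, start + size, RB)
        if rtype == 4 and size == 4:
            data = struct.unpack("<I", data)[0]      # REG_DWORD as int
        elif rtype in (1, 2):
            data = data.decode("utf-16-le").rstrip("\0")
        entries.append((key, value, REG_TYPES.get(rtype, str(rtype)), data))
    return entries

# Constructed sample for the step 9 backup; key and value name are assumptions.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_BACKUP = HEADER + LB + SEP.join([
    (EXPLORER + "\0").encode("utf-16-le"), "NoNetHood\0".encode("utf-16-le"),
    struct.pack("<I", 4), struct.pack("<I", 4), struct.pack("<I", 1)]) + RB

if __name__ == "__main__":
    print(parse_registry_pol(SAMPLE_BACKUP))
```

To check a real file, read a copy of the backup in binary mode and pass the bytes to `parse_registry_pol`; a file that fails to parse should not be copied back into the GroupPolicy\User folder.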


Restore original local policies
To reverse the process that is described in the "Apply local policies to all users except administrators" section of this article, follow these steps:

1. Log on to the computer as an administrator.

2. Turn on the Show hidden files and folders option. To do so, follow these steps:

   a. Click Start, point to Settings, and then click Control Panel.
   b. Double-click Folder Options, click the View tab, click Show hidden files and folders, and then click OK.

3. Move, rename, or delete the Registry.pol file from the %Systemroot%\System32\GroupPolicy\User folder. Another default Registry.pol file is created by the Windows File Protection system after you log off from or restart the computer.

4. Open the local policy. To do this, click Start, click Run, and then type gpedit.msc or mmc, and then click OK. Load the local security policy. Then, set all the items that are set to either "Disabled" or "Enabled" to "Not defined" to reverse any policy changes that had been implemented to the Windows 2000 registry as specified by the Registry.pol file.

5. Log off from the computer, and then log on to the computer as an administrator.

6. Log off from the computer, and then log on to the computer as one of the non-administrator users so that the changes can be reversed on that user's account also. Repeat this step for each non-administrator user of this computer.



Note If the profile does not load, the subsequent logon by the administrator will be locked down to the point that the computer cannot be unlocked.

Keywords: kbhowtomaster kbenv KB293655



© Microsoft Corporation. All rights reserved.