To set the local policy application for Windows 2003

This article describes how to apply a local policy to all users except administrators on a Windows Server 2003-based computer in your workgroup settings.

When you use a Windows Server 2003-based computer in a workgroup setting (rather than a domain), you may need to enforce local policies on that computer that apply to all users of that computer, but not to administrators. With this exception, administrators can retain unrestricted access and control over the computer, and can also limit the users who can log on to the computer.

Apply a local policy to all users except administrators

To implement a local policy for all users except administrators, perform the following steps:

Log on to the computer as an administrator.

Open the local security policy. To accomplish this, do the following:

Click Start \ Run, type gpedit.msc, and then press ENTER.

or click Start \ Run, type mmc, press ENTER, add Group Policy Object Editor, and then configure it for your local security policy.

If removing the Run command is one of the policies that you need, Microsoft recommends that you edit the policy through Microsoft Management Console (MMC) and then save the results as an icon. This way, you do not need to use the Run command to reopen the policy.

Expand the User Configuration object, and then expand the Administrative Template object.

Enable any policies that you want (for example, "Hide My Network Places on the desktop" or "Hide Internet Explorer icons on the desktop").

Note: Be sure to select the correct policy, otherwise you may limit the ability of an administrator to log on to the computer (and to complete the steps required to configure the computer). Microsoft recommends that you record any changes you have made.

Close the Gpedit.msc Group Policy snap-in, or, if you are using MMC, save the console as an icon so that you can access it later, and then log off from your computer.

Log on to the computer as an administrator.

You can verify previously made policy changes in this logon session because, by default, the local policy applies to all users, including administrators.

Log off from your computer, and then logon to the computer as all other users of this computer (you want them to apply these policies). These policies are implemented for all of these users and administrators.

Note: You cannot implement these policies for any user accounts that are not logged on to the computer in this step.

Log on to the computer as an administrator.

Click Start, point to Control Panel, and then click Folder Options. Select the View tab, select Show hidden files or folders, and then click OK so that you can view the Group Policy hidden folder. Alternatively, open Windows Explorer, click the Tools, and then click Folder Options to view these settings.

Copy the Registry.pol file located in the%Systemroot%\System32\GroupPolicy\User folder to the backup location (for example, copy to another hard disk, floppy disk, or folder).

Use the Gpedit.msc Group Policy snap-in or your MMC icon to open the local policy again, and then enable the actual functionality that is disabled in the original policy that was created for the computer.

Note: When you do this, the policy Editor creates a new Registry.pol file.

Close the policy Editor, and then copy the created backup Registry.pol file back to the%Systemroot%\System32\GroupPolicy\User folder.

When you are prompted to replace the existing file, click Yes.

Log off from your computer, and then log on as an administrator.

Because you are logged on to the computer as an administrator, you can verify that the original changes were not implemented. Log off from your computer, and then login as a different user.

Because you are logged on to the computer as a user (not an administrator), you can verify that the changes you made initially were implemented.

Log on to the computer as an administrator to confirm that the local policy does not affect you logging on to the computer as a local administrator.

Restore original Local Policy

To undo the procedure described in the "apply local policies to all users except Administrators" section of this article, perform the following steps:

Log on to the computer as an administrator.

Click Start, point to Control Panel, and then click Folder Options. Click the View tab, click Show hidden files and folders, and then click OK so that you can view the Group Policy hidden folder. Alternatively, open Windows Explorer, click the tool, and then click Folder Options.

Move, rename, or delete registry.pol files from the%Systemroot%\System32\GroupPolicy\User folder.

After you log off or restart your computer from your computer, the Windows File Protection system creates another default Registry.pol file.

Open the local policy. To do this, click Start \ Run, and then type gpedit.msc. Alternatively, click Start \ Run, type MMC, and load the local security policy. Then, set all items that are set to Disabled or enabled to be not configured to undo any policy changes that are enforced on the Windows Server2003 registry specified by the Registry.pol file.

Log off the computer as an administrator, and then log on to the computer again as an administrator.

Log off from the computer, and then logon to the computer as all users of the local computer, so that you can also undo the changes for their account.