Group Policy - Apply to a Specific User or Group

How to Apply Local Group Policies to Specific User or Group in Windows

   Information
Windows has three layers of local GPOs:

  • Local Group Policy Local Group Policy is the only local GPO that allows both computer configuration and user configuration settings to be applied to all users of the computer.
  • Administrators and Non-Administrators local Group Policy Administrators and Non-Administrators local Group Policy contains only user configuration settings. This policy is applied based on whether the user account being used is a member of the local Administrators group.
  • User-specific local Group Policy User-specific local Group Policy contains only user configuration settings. This policy is applied to individual users and groups.
These layers of local GPOs are processed in the following order: local Group Policy, Administrators and Non-Administrators local Group Policy, user-specific local Group Policy.


This tutorial will show you how to apply local group policies to only a specific user or group instead of all users in Vista, Windows 7, Windows 8, and Windows 10.

You must be logged in as an administrator to be able to do this tutorial.

   Note
A computer running Windows can have one or more local policy objects associated with it. Local Group Policy is managed through the local Group Policy object (GPO).

The local GPO is stored on individual computers in the hidden C:\Windows\System32\GroupPolicy system folder.

User-specific and group-specific local GPOs are stored in the hidden C:\Windows\System32\GroupPolicyUsers system folder.

   Warning
The Local Group Policy Editor will only be available in:

  • Vista Business, Ultimate, and Enterprise editions.
  • Windows 7 Professional, Ultimate, and Enterprise editions
  • Windows 8/8.1 Pro and Enterprise editions.
  • Windows 10 Pro and Enterprise editions.




Here's How:1. Open the Start Menu, then type mmc.exe in the search box and press Enter.
NOTE: In Windows 8, you could press Windows+R keys to open the Run dialog, then type mmc.exe, and click/tap on OK instead.

2. If prompted by UAC, then click on Yes (Windows 7/8) or Continue (Vista).

3. In the MMC Console window, click on File (Menu bar) and Add/Remove Snap-in. (see screenshot below)Step1.jpg

4. In the left pane, select Group Policy Object Editor, and click on the Add button. (see screenshot below)Step2.jpg

5. Click on the Browse button. (see screenshot below)Step3.jpg

6. Click on the Users tab, select an available user account (ex: Test) or a group from the list that you want to only have group policy applied to, and click on OK. (see screenshot and table below)
   Note
The other names (Test and User-name) listed are user accounts on my computer. You will have your own user account names listed instead.


Group NameDescription
AdministratorName of Built-in Administrator account user
HomeGroupUser$All HomeGroup Users group
AdministratorsAll Users in the administrators group
Non-AdministratorsAll users except administrators group



Step4.jpg

7. Click on the Finish button. (see screenshot below)Step5.jpg

8. Click on OK. (see screenshot below)Step6.jpg

9. In the MMC Console window, click on File (Menu bar) and Save As. (see screenshot below)Step7.jpg

10. Select to save to your Desktop, type in a name (ex: Test_Group_Policy) that you would like to have for this "specific" group policy MSC file, then click on the Save button. (see screenshot below)
NOTE: You can use any name you like, but it would make it easier for you to know what user (ex: Test) or group this "specific" group policy MMC console was for later if you included the user or group name.Step8.jpg

11. Move the MSC file (ex: Test_Group_Policy.msc) for the specific user or group to where you would to keep it saved at. (see screenshot below)
NOTE: You can also Pin to Taskbar or Pin to Start Menu this MSC file.Step10.jpg

12. Whenever you open this MSC file (ex: Test_Group_Policy.msc), you will be able to apply group policies to only this specific user (ex: Test) or group. (see screenshot below)Step9.jpg

13. Repeat the above steps if you wish to create a new MSC group policy file for a different specific user or group.




That's it,
Shawn Brink


Related Tutorials

 
Last edited:
Click to expand...
Yes you can!

So this forum was a great help to me and I figured it was time to return the favor.

Login as local administrator and follow the original post to set the policies for the specific user on the local PC. This will create the necessary files. When you create a policy for a specific user on the local PC it creates a directory ("user") and a file (gpt.ini) in:

--C:\Windows\system32\GroupPolicyUsers--

Inside, there is a folder named with a SID. To copy the original settings to another computer (in my case the local account was named the same and had the same password) you'll have to go through the same procedure as stated by the original post on the other computer to create a new policy on the target PC. You don't need to save the MMC. You only do this to create the new SID directory. So, you'll see two entries in the path stated above. Go by the date modified to see the one you should modify. You can then copy the "User" directory and "gpt.ini" that you got from the original computer and override them on the target computer.

Log off and then login as the specific user and verify that settings have applied. Hope this helps.
 

My Computer My Computer

At a glance

Windows 7 Pro 32 & Windows 8 Pro x64
Computer type
PC/Desktop
OS
Windows 7 Pro 32 & Windows 8 Pro x64
Configured,

You are a life saver! I am now able to create user specific profiles without having to manually recreate the GPOs across each machine. I wish I could deploy a domain, but it is not in the client's interest.
 

My Computer My Computer

At a glance

Windows 7 ProfessionalAMD E350 APU4 GBE350 APU
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Windows 7 Professional
CPU
AMD E350 APU
Motherboard
Gigabyte mini-ITX
Memory
4 GB
Graphics Card(s)
E350 APU
Antivirus
Spybot and Malwarebytes
Browser
Chrome
How to Apply Local Group Policies to Specific User or Group in Windows,.

This also not works. Suppose there are 2 type of groups Administrator and Administrators then if i follow your above steps then as the topic title says that only 1 particular group will be affected ! But if i change any settings in Administrators group then it also affects Administrator group :(

Is there any working thing which will affect only 1 group out of 2 :\
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel i7 4790k8
Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Ultimate x64
CPU
Intel i7 4790k
Memory
8
Hello Adonix, :)

"Administrator" is for the built-in elevated Administrator account.

"Administrators" is for the group that all administrator accounts are added to by default.
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
so friend could you give me some tut so that i can create some new group like Administrators but with some disabled/less permissions ?
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel i7 4790k8
Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Ultimate x64
CPU
Intel i7 4790k
Memory
8

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
Brink said:
You could create a new group, then add users to the group. Afterwards, set policies for this group.

http://www.sevenforums.com/tutorials/202251-user-group-create-new-delete.html

http://www.sevenforums.com/tutorials/103570-user-accounts-add-remove-groups.html

However, as administrators, they have the rights to undo any set policy though.
Click to expand...

Ok friend,..last thing any trick that if we add some extra user with administrators power, then is it possible to disable some settings for administrators group ? like disable access to many pc internal settings,..so that settings could not apply to administrator group :\
Or is it possible to create some special type of group which have features like "remote desktop users" group just the gifference will be that they can able to install softwares or able to use cmd ??

Kindly help.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel i7 4790k8
Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Ultimate x64
CPU
Intel i7 4790k
Memory
8

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
Last edited:

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel i7 4790k8
Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Ultimate x64
CPU
Intel i7 4790k
Memory
8
I'm not sure that installing software can be performed by any other group than administrators. :(
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
Brink said:
I'm not sure that installing software can be performed by any other group than administrators. :(
Click to expand...

:'( then what's the benefit of making new group ourselves :'(
If you know any way then must share friend.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel i7 4790k8
Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Ultimate x64
CPU
Intel i7 4790k
Memory
8
Hi,


I am trying to manage some users via a group. I made a group and added some users to it. Thus far no problem.
After that in MMC I wanted to add a module to the editor as discribed above. After clicking on the Brows button I did not see my new Group! Only all users and the Group Administrators and the group all nonadministrators.
What do I have to do to see my own new Group? Or is this not possible this way?

windows server 2012

I referred this answer:

It appears that new custom groups are not available to be selected for this.

You could create one per specific user of the group, or use Local Security Policy in Local Policies -> User Rights Assignment to add and set for a custom new group.

but,

in local security policy -> user rights assignments ->? here which policy i need to change to view my custom groups in group policy object? or is there any other way to add newly created group in gpo?
 

My Computer My Computer

At a glance

Maharashtra
Computer type
PC/Desktop
OS
Maharashtra

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
Thank you for prompt response:)

what i want to do is, i want to restrict my custom group of user to use specific program, which we easily able to do for single user by using GPO,

so after clicking on the Browse button in step 5, 6, 7 ( like you have added groups say "Test" & "HomeGroupUser$") I did not see my created local Group of users! Only all users and the Group Administrators and the group all non-administrators I can see,

so i wanted to know in user rights assignments is there any policy to modify to allow my local user groups to be set restrictions to? (or say how did you added these "Test" & "HomeGroupUser$" two custom groups in there?)
 

My Computer My Computer

At a glance

Maharashtra
Computer type
PC/Desktop
OS
Maharashtra
There's nothing in Security Policy for restricting programs for users.

I'm not sure you can apply a policy to custom groups, and can only do so per user since you don't want to do all.
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
How to Push MMC files to more than one device

Hi Brink,

I knew how to configure the policy, and it worked perfectly, I am just wondering how can I push this policy to 5K+ users? Through MDM or whatever?
 

My Computer My Computer

At a glance

Windows 10
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Lenovo
OS
Windows 10
Ruba Abudia said:
Hi Brink,

I knew how to configure the policy, and it worked perfectly, I am just wondering how can I push this policy to 5K+ users? Through MDM or whatever?
Click to expand...


Hello Ruba, and welcome to Seven Forums. :-)

I'm afraid that I do not know how to either.
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
You must log in or register to reply here.

Similar threads

copy a local group policy from one computer into another computer
Replies
4
Views
3K
red99
R
Did anyone try to apply Group Policy Objects to Edge on Win7?
Replies
1
Views
1K
iko22
I
Windows 7 Local Group Policy: How to Remove Orphan\Broken IEM Folders
Replies
0
Views
1K
B0bbyP
B0bbyP
Solved Local Group Policy Editor - Way To Save Changes
Replies
4
Views
9K
J.R.
J
How to delete Group Policy and stop server search
Replies
4
Views
2K
rjdriver
R
Back
Top