HOW TO: Apply Local Policies to All Users Except Administrators on Windows XP in a Workgroup Setting
You use the Group Policy console to apply restrictions. Before you go rushing off to lock down your users, however, keep this in mind: The changes you're going to make will initially affect the local administrator account on each computer. Don't apply any restrictions that will prevent you from later removing the restrictions from the administrator account. You might want to temporarily create an account with membership in the Administrators group to use in case you have problems and need to undo the restrictions.
1. Log on as Administrator.
2. Go to Start | Run and enter Gpedit.msc in the Open dialog box to start the Group Policy console.
3. Open the User Configuration/Administrative Templates branch and change settings as desired to enable restrictions as needed. The settings for each restriction vary.
4. Close the Group Policy console and log off; then log on again as Administrator to apply the change.
5. Log off and log on as another user to verify that the restrictions are applied. Log off and then log on as each of the other users, in turn, to whom you want to apply the restrictions.
6. Log on as Administrator and copy the file %systemroot%\System32\GroupPolicy\User\registry.pol to a backup location and name it UserReg.pol. Copy the file %systemroot%\System32\GroupPolicy\Machine\registry.pol to the same backup location and name it MachineReg.pol.
7. Open the Group Policy console and remove the restrictions applied in step four. In some cases, you might need to use the opposite setting from the one applied in step three. For example, if you selected Enable to apply a given restriction, choose Disable to remove the restriction, rather than Not Configured (which applies no change to the registry).
8. Close the Group Policy console and then copy the backup UserReg.pol file created in step six back to %systemroot%\System32\GroupPolicy\User\registry.pol, making sure to rename the file Registry.pol. Copy the backup MachineReg.pol created in step six back to %systemroot%\System32\GroupPolicy\Machine\registry.pol, making sure to rename the file Registry.pol.
9. Log off as administrator and log on as one of the restricted users to verify that the restrictions are in place. Log off and then log back on as administrator to verify that the restrictions are not applied to the administrator account. As long as you didn't use your own nonadministrator account to log on in step five, that account will not have the restrictions applied.
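Before copying UserReg.pol back over Registry.pol, it helps to confirm that the backup really contains the restrictions you configured. The Python parser below is an added example, not part of the original article: it reads the Registry.pol (PReg) record layout and returns each key, value name, type and data. The function names and the NoRun sample record are constructed for illustration.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("truncated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter ('[', ';' or ']') or fail loudly."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def _dword(buf, pos):
    """Read a little-endian DWORD and the ';' delimiter that follows it."""
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD at offset %d" % pos)
    return struct.unpack_from("<I", buf, pos)[0], _expect(buf, pos + 4, ";")

def parse_pol(buf):
    """Return (key, value_name, type_name, data) per [key;value;type;size;data] record."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("missing PReg header: not a Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        rtype, pos = _dword(buf, _expect(buf, pos, ";"))
        size, pos = _dword(buf, pos)
        if pos + size > len(buf):
            raise ValueError("data of %s\\%s runs past end of file" % (key, name))
        entries.append((key, name, REG_TYPES.get(rtype, str(rtype)), buf[pos:pos + size]))
        pos = _expect(buf, pos + size, "]")
    return entries

def build_sample():
    """Constructed sample: one enabled restriction (NoRun = 1) in the PReg layout."""
    w = lambda s: s.encode("utf-16-le")
    key = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    body = (w("[" + key + "\0;NoRun\0;") + struct.pack("<I", 4) + w(";")
            + struct.pack("<I", 4) + w(";") + struct.pack("<I", 1) + w("]"))
    return PREG_HEADER + body
```

On a real backup, pass the file's bytes, for example `parse_pol(open("UserReg.pol", "rb").read())`, and check that every restriction you set is listed before you copy the file back.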
Source: How do I Apply local Windows XP restrictions with the Group Policy Console