Setting Group Policy on a local Computer

By SuperG - Last updated: Saturday, June 23, 2012 - Save & Share - Leave a Comment

The majority of this information can also be found here, but I include pictures to make it easier to understand.
This post is for farzinkanzi, and was originally posted here:
This describes one setting and how to make that setting apply to everyone on the computer except one user.

In this case: “Removable disks: Deny read access” needs to apply to everyone except farzinkanzi.

And while I am at it I’ll also answer his question posted here: (since they are almost the same)
Ok on a Windows 7 Professional computer I have 3 Accounts:

ABC – Administrator

ADM – Administrator

XYZ – User

We want to set a policy to prevent everyone from reading USB drives.

So start an MMC by typing MMC at the run.

Once the MMC starts click: File -> Add/Remove Snap-in…

Select “Group Policy Object Editor” and click add

On the welcome screen leave “Local Computer” click finish

Back on the “Add or Remove Snap-ins” screen select “Group Policy Object Editor” and click add, yes again

This time on the welcome screen click ‘Browse…”

On the “Browse for group Policy Object” Screen, make sure ABC is highlighted then click OK.

Then click finish on the welcome screen

Click ok on the “Add or Remove Snap-ins” screen

You now have two Policies listed in the MMC

Local Computer Policy – Which applies to everyone who uses the computer

Local Computer\ABC Policy – Which only applies to ABC
First we will set the policy for all users of the computer.

Navigate to “User Configuration\Administrative Templates\System\Removable Storage Access” Make sure you use USER and not Computer.

Here you will find the setting for “Removable disks: Deny read access” set this to enabled.

Next we do not want this to apply to ABC so we need to navigate to “User Configuration\Administrative Templates\System\Removable Storage Access” under the Local Computer\ABC Policy, and set this to Disabled

Local policies are written in this order: Local Computer, Group, User
The last written setting wins

This means that for users ADM and XYZ that they would be denied read access to Removable Drives

And user ABC would have access to read to Removable Drives, because the deny would be disabled.
This is also how you would set a policy to only one user.

The version of Windows required is Professional or better, this will not work with any version of Home or Starter. You can still make these types of changes on Home and Starter but its much harder as you would have to edit the registry directly.


I got an e-mail yesterday from a Microsoft employee, thanks Tim.  The e-mail was about KB2532445-v2, having to do with Office macros and AppLocker.  Not really sure how this applies to what I reported here, but the hotfix he gave me worked.

After Applying the hotfix the rules no longer gave the error and office worked as expected.

Again thank you Tim.


Posted in Security • Tags: , Top Of Page

Write a comment

You need to login to post comments!