Q: How can I apply different software restriction policy (SRP) rules to different user accounts on my home computer, which stands alone and isn’t part of a domain? For example, I want to restrict my kids’ Windows accounts from using certain programs.

A: You can configure SRP rules from the Group Policy Object (GPO) settings. SRP rules are in the User Configuration\Windows Settings\Security Settings\Software Restriction Policies container. In your case, I advise you to configure an SRP hash or path rule for restricting user access to certain programs. Because your home computer isn’t joined to a Windows domain, you must use Local GPO (LGPO) settings to set up the restrictions.

The main disadvantage of using LGPO settings is that OSs released before Windows Server 2008 and Windows Vista let you configure only a single LGPO, and that LGPO applies to all users on a machine. This means you can’t create different settings for different users or groups. In your case, you can’t configure different SRP rules for your personal user account and your kids’ accounts in Windows XP and earlier OSs.

Server 2008 and Vista support multiple LGPOs—an administrator can configure one global LGPO for the computer and add multiple LGPOs for local user accounts, the local Administrators group, and the non-Administrators group if needed.

To create a user-specific LGPO, load the Microsoft Management Console GPO Editor snap-in. In the Select Group Policy Object dialog box, click the Browse button, then select the Users tab, as shown in Figure 1. Select the user for which you want to create the LGPO and click OK. If you want, for example, to create different LPGOs for the local accounts Jan and Joe, GPO Editor will look similar to Figure 2.


Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.