Hi Darren Remeber i told you that a custom program apply custom restrict policy to a specific local user? So...I find out that this program creates the following registry keys: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Update] "UpdateMode"=dword:00000002 "NetworkPath"="C:\\WINDOWS\\system32\\policy.POL" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update] "UpdateMode"=dword:00000002 "NetworkPath"="C:\\WINDOWS\\system32\\policy.POL" The program also puts the name o the user created inside the pol file and the pol file is copied to: C:\\WINDOWS\\system32\\policy.POL Unfortunately, this pol file is encrypted. So, my question is: Do you wonder what could associate this pol file to a specific user mentioned in the own pol file? Thanks again. ________________________________ De: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] Em nome de Darren Mar-Elia Enviada em: quinta-feira, 16 de outubro de 2008 11:43 Para: gptalk@xxxxxxxxxxxxx Assunto: [gptalk] Re: RES: Re: Help With Local GPO Well, you can certainly create a .pol file programmatically outside of GP, but you can't just put it anywhere. Windows looks specifically in the locations I mentioned below and only there. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Maurit Pereira Fagundes Sent: Thursday, October 16, 2008 6:39 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] RES: Re: Help With Local GPO Importance: High Darren Thanks for your help. Let me ask you one more thing: Can I create a custom pol file, put it in an different location (system32, for instance) and apply it to a specific local windows xp user? Is that possible? I know a program made by a developer that creates a local user and applies to the user a restricted desktop. I think it is by GPO, but no other users are affected. Unfortunately I do not have access to the source code. I will look for it, if I find any new information, I let you know. Thanks again. ________________________________ De: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] Em nome de Darren Mar-Elia Enviada em: quarta-feira, 15 de outubro de 2008 20:37 Para: gptalk@xxxxxxxxxxxxx Assunto: [gptalk] Re: Help With Local GPO You can hack this after a fashion, but it requires some real tweaking. Namely, depending upon what policy you want to control, you can use file permissions on the underlying GP settings storage in the local GPO to control who gets it. For example, if you want to control Admin Template policy on the local GPO, you can permission the registry.pol file within either C:\windows\system32\grouppolicy\machine or C:\windows\system32\grouppolicy\user so that it can only be read by the user account that you want to apply the policies to. It's a serious hack, but it has been done successfully in the past. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie Sent: Wednesday, October 15, 2008 11:00 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Help With Local GPO Well, only a local GPO would work but I don't think there is any way to use security filtering at the local level; therefore, your GPO is going to apply to all local users, and potentially some domain users as well. And because a local user account does not process domain-based GPOs, I think you're unfortunately out of luck. Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com <http://www.dvn.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Maurit Pereira Fagundes Sent: Wednesday, October 15, 2008 11:48 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Help With Local GPO Importance: High Hello everyone. I need to create a program that creates a local user in windows XP and associates it a specific GPO created by me to the user the program created only. The other local users must not be affected by the GPO. How can I do this? I am searching for a solution but nothing up to now. I´m ok with the program, my problem is how to associate a custom GPO to a specific local windows xp user without affect the others local users. Can someone help me on this? Thanks in advance. MT ________________________________ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.