How to Apply Local Group Policy to Non-Administrators in Windows 11 & 10

This guide provides step-by-step instructions explaining how to apply Local Group Policy to non-administrators in Windows 11 and Windows 10, and how this can be useful for Windows system administration. It also includes information about Local Group Policy in Windows, troubleshooting tips, and best practices for managing Windows Group Policy at scale.

Being able to apply Local Group Policy settings only to non-administrators lets you control what other users can and can’t do on a Windows system while making sure your own administrator account is not affected.

Understanding Local Group Policy in Windows

Group Policy is a feature of the Windows operating system that allows for the central administration of Windows devices, including system and user settings as well as application configuration. This includes managing security policies, user permissions, network configuration, and how user profiles are managed.

Group Policies consist of Group Policy objects (GPOs). Each GPO contains a set of configuration options that modify how the associated Windows feature or application behaves. GPOs can either be applied as a Computer Configuration (applying to a specific Windows device and any user who is logged in to it) or User Configuration (applying only to a single user account while they are logged in, regardless of which device they are logged in to).

Common configuration tasks performed using Windows Group Policies and Group Policy Objects include:

  • Automatically configuring network drives or shared printers.
  • Setting login scripts.
  • Automatically configuring web browser settings like search engines and home pages.
  • Enabling firewall and antivirus.
  • Blocking access to applications or Windows features (for example, disabling access to the Registry Editor for non-administrative users).

Windows Group Policy falls into two categories:

  • Local Group Policy: Local policies apply only to the individual machine they are configured on. Note that local Group Policy Objects are overruled by domain Group Policy Objects from Group Policy in Active Directory.
  • Group Policy in Active Directory: Group Policy Objects can be defined in an Active Directory domain, for control of users or computers in an enterprise environment. These policies are scoped based on the user or device’s Organizational Unit within Active Directory.

Why apply Group Policy to non-administrators?

Usually, Group Policy is used in enterprise environments as part of an Active Directory domain for centralized control of Windows devices. However, administrators of small-scale Windows deployments for businesses and home users can benefit from adding restrictions to non-administrative users, as it allows them to:

  • Prevent users from changing system settings and breaking their machines or disabling critical features such as firewalls or antivirus.
  • Prevent users from installing software and running scripts if they are prone to installing malware or opening suspicious email attachments.
  • Make sure Windows updates are regularly installed.
  • Enforce default applications such as a specific web browser or mail client.
  • Enhance the overall security and reliability of the Windows devices they oversee by making sure only they can make configuration changes that are tested and documented.

Prerequisites for applying Group Policy to non-administrators

Windows Group Policy is not available on Home editions of the Windows operating system. To leverage both Local Group Policy and Group Policy in Active Directory, you will need one of the following operating system versions:

  • Windows 10 Pro, Enterprise, or Education.
  • Windows 11 Pro, Enterprise, or Education.
  • Windows 7/8 Pro, Enterprise, or Ultimate (though, you should definitely not be running these versions of Windows as they are no longer supported).

You will also need a user account with administrative permissions and non-administrative users that you wish to manage using Local Group Policy.

Step-by-step guide: applying Local Group Policy to non-administrators

The most efficient way to manage Group Policy for non-administrators is to create a custom Microsoft Management Console (MMC) window that edits group policies only for non-administrative users. To do so, follow these steps:

  • Right-click on the Start button, then select Run.
  • Enter mmc, click OK, and click Yes on the User Account Control Prompt to open the Microsoft Management Console.
  • Next, click File in the menu bar, then select Add/Remove Snap-In…
  • Select Group Policy Object Editor from the list of Available snap-ins.
  • Click the Add > button to add it to the list of Selected snap-ins.

  • Click on the Browse button in the Select Group Policy Object window.
  • Select the Users tab and then select the Non-Administrators user group (or alternatively, any other user group you want to specifically apply a policy to) and then press OK.

  • Click Finish in the Select Group Policy window and then press OK in the Add or Remove Snap-ins window.
  • The MMC window will now show your Local Group Policy Editor for non-administrative users in the navigation pane.
  • Click File then Save As, and save this custom Microsoft Management Console view to the desktop as Group Policy Editor for non-administrative users.
  • Now, you can skip all of the above steps whenever you want to manage user policies and use the MMC file saved to your desktop.

Any group policy changes you make in this MMC window will apply only to non-administrative users. For example, you could configure a group policy preventing non-administrative users from opening the control panel:

  • Open the Microsoft Management Console using the file you created above.
  • Navigate to Local Computer/Non-Administrators Policy/User Configuration/Administrative Templates/Control Panel.
  • Double-click the Prohibit access to Control Panel and PC settings setting.

  • Select Enabled in the settings window and then click OK.

  • To apply the changes, reboot or run the command gpupdate /force from PowerShell or the command prompt.

To reverse this, repeat the process, but instead of selecting Enabled for the Prohibit access to Control Panel and PC settings setting, select Disabled or Not Configured.

Make sure you test any settings you alter using Local Group Policy after deploying them to ensure that they are having the intended effect.

Troubleshooting common Local Group Policy issues

If your changes to Local Group Policy are not being reflected for your non-administrative users, check the following:

  • Check the policies are assigned to the correct user group.
  • Ensure that the users you are trying to manage are members of the group the policy is assigned to.

If your changes are being applied to administrative users when they should not be, check that:

  • You have not assigned the policy to the machine instead of the intended user group.
  • Your policy targets the correct user group.

You can run gpresult /r to list all active group policies. The most restrictive of conflicting policies is always applied.
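
The checks above can be scripted. The following PowerShell is an added example, not part of the original guide: it lists each enabled local account, shows which policy layer (Administrators or Non-Administrators) covers it, and reports whether the Control Panel restriction from the walkthrough has reached that account. Assumptions not stated in the guide: the policy is stored as the NoControlPanel registry value under the user's Policies\Explorer key, the Non-Administrators policy file lives under System32\GroupPolicyUsers\S-1-5-32-545, and only direct members of the local Administrators group are treated as administrators.

```powershell
# Added example; run from an elevated PowerShell session on the managed PC.
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Assumption: on-disk location of the Non-Administrators local GPO.
$polFile   = Join-Path $env:windir 'System32\GroupPolicyUsers\S-1-5-32-545\User\Registry.pol'

"Non-Administrators policy file present: $(Test-Path -LiteralPath $polFile)"

# SIDs of the direct members of the local Administrators group.
$adminSids = @(Get-LocalGroupMember -SID $adminsSid | ForEach-Object { $_.SID.Value })

Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $sid     = $_.SID.Value
    $isAdmin = $adminSids -contains $sid
    $hive    = "Registry::HKEY_USERS\$sid"

    # A user's hive is mounted under HKEY_USERS only while that user is signed in.
    $state = 'unknown (not signed in)'
    if (Test-Path -LiteralPath $hive) {
        $item  = Get-ItemProperty -LiteralPath "$hive\$policyKey" -Name NoControlPanel -ErrorAction SilentlyContinue
        $state = if ($item -and $item.NoControlPanel -eq 1) { 'restricted' } else { 'not restricted' }
    }

    $finding = 'ok'
    if ($isAdmin -and $state -eq 'restricted')          { $finding = 'restriction reached an administrator' }
    if (-not $isAdmin -and $state -eq 'not restricted') { $finding = 'restriction not applied' }
    if ($state -like 'unknown*')                        { $finding = 'sign the user in, then re-run' }

    [pscustomobject]@{
        User         = $_.Name
        PolicyLayer  = if ($isAdmin) { 'Administrators' } else { 'Non-Administrators' }
        ControlPanel = $state
        Finding      = $finding
    }
} | Format-Table -AutoSize
```

User Configuration policy is written into an account's registry hive when that account signs in or refreshes policy, so sign the standard user in (or switch users) before reading the result.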

If you make a mistake when setting group policies and cannot work out which individual change to revert, you can revert all group policies by running the following commands as an administrator in Command Prompt (PowerShell does not expand %windir%):

gpupdate /force

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Reboot your device to complete the process – this will reset both the computer configuration and user configuration policies.

How to efficiently manage Windows Group Policy at enterprise scale

Managing Local Group Policy to restrict non-administrators from performing certain tasks for more than a handful of Windows devices can become time-consuming and error-prone. Windows Group Policy in Active Directory allows you to centrally manage thousands (or tens of thousands) of Windows machines and users, applying policies at a granular level depending on location, user role, or device type.

Being able to manage Windows and application configuration at scale isn’t enough, however. You must be able to deploy, verify, and test the impact of changes to ensure that they are effective, and keep them updated based on user behavior. This is especially important in a security context: you do not want gaps in your Windows configuration that allow users to perform potentially harmful acts (intentionally or unintentionally) such as installing malware.

NinjaOne provides a complete end-to-end endpoint management solution for Windows domains, with a centralized management interface and integration with endpoint protection to ensure that devices are properly configured, up-to-date, and secure.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service delivery tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about Ninja Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.
