Background

The scenario I am struggling with is the following: I have a standalone Windows 10 Enterprise system (not connected to any network / AD) which I want to configure with local group policies. The group policies should be different for different user groups. (User Groups: custom_admin, custom_user1, custom_user2)

Issue

What I have done so far is to create local GPOs for the machine via gpedit and GPOs for the "Admin" users via mmc (as shown here).

Now I want to also configure different GPOs for the custom_user1 and custom_user2 user groups, so that all users that will be created and assigned to these groups are restricted by these policies.

So far I have not been able to find a solution to this, but I suppose this has to be possible somehow. Is there any way to achieve this?

Edit:

I tried using the tool LGPO to export and import the policies. This works well for "administrators", and there is also a way to import specific policies to a certain user. But I can't seem to find a way to import policies for a specific local user group.

  • @PimpJuiceIT Yes exactly. The user groups are defined by me, and later on, specific users will be created and assigned to those user groups. And on logon of these users, I want the corresponding specific GPOs (user configuration) to be applied to that user. What you said about the logon script sounds like it might actually work, but I'm not too knowledgeable in this field. Do you have a resource where I can read up on it more specifically? Unlucky that there is no easier way to do this, I didn't think that my use case is this specific and niche. Commented Oct 29, 2020 at 6:57

1 Answer

Using the PowerShell method to get local computer user and group membership from the Check if user is a member of the local~ post, here's some conditional PowerShell logic that will help.

You only need to...

  1. Set the local group names to check membership against within the $groups = variable values

    • Enclose each value in a double quote and separate each by a comma
  2. Set the Switch values to match the values set in the $groups variable keeping enclosed by double quotes

    • Each of the values expression logic should point to correlated LGPO import file

Standardizing the local group names, and the local policy import folder structure, should help keep the logic simplified and easy to scale up (or down) for your needs. This will at least take care of the trivial part of the logic you need to get going in the right direction to get a working solution.

Obviously, you should test this first and adjust the logic or use another variation of it that'll work best in your case, but this should handle the task accordingly for your local computer policy needs at a minimum.

PowerShell Script

$user = "$env:COMPUTERNAME\$env:USERNAME"
$groups = "User Policy 1","User Policy 2","User Policy 3"

$groups | % { Process {
    # Only act when the current user is a member of this local group
    If ( (Get-LocalGroupMember $_).Name -contains $user ) {
        $group = $_;

        # Map the matched group name to its LGPO import file
        switch ($group)
        {
            "User Policy 1"
            {
                ##LGPO.exe /u path\registry.pol
                Start-Process LGPO.exe "/u C:\Policies\User\UserPolicy1\registry.pol"
                break;
            }
            "User Policy 2"
            {
                Start-Process LGPO.exe "/u C:\Policies\User\UserPolicy2\registry.pol"
                break;
            }
            "User Policy 3"
            {
                Start-Process LGPO.exe "/u C:\Policies\User\UserPolicy3\registry.pol"
                break;
            }
        }
    }
}};

Running as a logon script

Since you are using Windows 10 Enterprise and you need this to run as a logon script, it's easy to set up a logon script that will run for every user that logs onto the machine using a local group policy setting.

I'll outline one way to run logon scripts via local group policy below. However, I'm not certain if the applied LGPO policy will affect it so test and see how it goes.

There could be trouble with this after rebooting and an LGPO policy is applied. If so, you could also put the logon script configurations into the LGPO policy definitions too. This will help ensure the logon script configurations are reapplied after LGPO applied policies update.

You should test both reboots, and logoffs and logons without a reboot to help see what it'll take.

  1. Run gpedit.msc and then navigate accordingly via User Configuration | Windows Settings | Scripts | and then double click Logon. Select the PowerShell Scripts tab and then press the "Add" button and then type in the full path to the logon script location in the Script Name field and plug in -ExecutionPolicy Bypass into the Script Parameters field.


An Alteration—Startup Script (Bonus OP Material)

The OP determined that LGPO.exe could not stay on the machine(s) it was run on, so adjusted the logic to:

  1. Check if the user is part of the corresponding group
  2. Under C:\Windows\System32\GroupPolicyUsers create a folder with the name matching the SID of the account
  3. Manually copy Registry.pol into the SID-named folder

It turns out, configuring a Logon Script will not run the PowerShell script with elevated privileges. However, running it as a Startup Script under Computer Configurations/Windows Settings/Script/Startup works fine.

There is a caveat for newly created user profiles per machine with an applicable policy, the policies for the user will not be effective until a reboot occurs after the account profile is created.
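The Startup-script variant described above, written out as an added example (not the answer's or the OP's own code). It runs as SYSTEM at boot, so instead of checking only the logged-on user it walks every user member of each mapped local group, resolves the member's SID and stages the matching Registry.pol under the per-user local GPO folder (Windows keeps per-user local policy at GroupPolicyUsers\<SID>\User\Registry.pol). The group names, the staging folder and the policy folder names are assumptions; adjust them to your own layout.

```powershell
# Added example: Startup-script mapping of local groups to per-user local GPO files.
# Assumed layout: C:\Policies\User\<PolicyFolder>\registry.pol staged on the machine.
$policyRoot  = 'C:\Policies\User'
$gpoUserRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
$groupPolicy = @{                     # assumed local group -> assumed policy folder
    'custom_user1' = 'UserPolicy1'
    'custom_user2' = 'UserPolicy2'
}

foreach ($groupName in $groupPolicy.Keys) {
    $source = Join-Path $policyRoot "$($groupPolicy[$groupName])\registry.pol"
    if (-not (Test-Path $source)) {
        Write-Warning "No registry.pol staged for '$groupName' at $source"
        continue
    }

    # Get-LocalGroupMember errors if the group does not exist; treat that as 'no members'.
    # Only user accounts get a GroupPolicyUsers folder, so nested groups are skipped.
    $members = Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue |
               Where-Object { $_.ObjectClass -eq 'User' }

    foreach ($member in $members) {
        $sid    = $member.SID.Value
        $target = Join-Path $gpoUserRoot "$sid\User"
        if (-not (Test-Path $target)) {
            New-Item -Path $target -ItemType Directory -Force | Out-Null
        }

        $dest = Join-Path $target 'registry.pol'
        # Copy only when the content differs, so an unchanged policy is not rewritten every boot
        if (-not (Test-Path $dest) -or
            (Get-FileHash $source).Hash -ne (Get-FileHash $dest).Hash) {
            Copy-Item -Path $source -Destination $dest -Force
            Write-Output "Staged $($groupPolicy[$groupName]) for $($member.Name) ($sid)"
        }
    }
}
```

As the answer notes, a newly created account's profile folder under GroupPolicyUsers is only picked up after a further reboot, so a user added to a group after the script has run will not see the policy until the next startup run.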
