Locking down a standalone Windows 7 machine without affecting the Administrator account

By | March 25, 2015

Exam laptops are often required under strict rules one of the main been that you are not allowed network connections, the other only allowing to access a limited number of applications.

This causes an issue for network admins as how do you apply a local group policy using gpedit.msc without that policy affecting the administrator account.

Well you’ll be glad to hear that is is easy as using setting file permissions.

Whether your running 32 or 64bit locate the folder


if it doesn’t exit simply create a new folder.

now open gpedit.msc under the account you wish to lock down

now simply set the file permissions on the above folder to

Administrator deny read/write

Setup your policy (User only) for the logged in account and you will see the changes taking effect.  Once complete and you happy with the changes log out and in a Administrator and you will notice that the policy doesn’t apply.

The only problem is that you can not edit the policy under the Administrator and if you lock the exams account down too much you won’t be able to edit it from there either.  If you find yourself in a stuck situation simply Delete the GroupPolicy folder above, delete the user profiles (don’t forget the associated reg key in HKLM\Software\Microsoft\WindowsNT\Current Version\Profilelist) and log back in.  I found having a third account with deny read/write helped in such a scenario but you could easily use a recovery disk to manipulate the disk without booting the OS.

Another simpler way is to domain join the PC but allow the laptop to cache the logins therefore allowing the “exams” account to login without network connection.  Set all your desired policies on the domain against the user “exams” and once you’re complete login as local admin and disable all the network adapters.  If you need to make changes simply enable the adapters, make your changes on the domain, login with the domain “exams” account once while connected to update the policies and then simply disable the network adapters again.  Either option is feasible but it really depends on the rules your governed by with regards the device.