
How to Apply Local Group Policies to Specific Users in Windows 11 and Windows 10

by Lauren Ballejos, IT Editorial Expert

Key Points

  • Local Group Policy enables administrators to control specific user or group settings on Windows 10 and 11 devices, providing enhanced security and customization options.
  • Group Policy Objects (GPOs) define configurations that apply either to the entire computer or to individual user accounts.
  • You can target specific users or groups by creating a custom Microsoft Management Console (MMC) that links to their unique policy settings.
  • Troubleshoot policy issues using tools like gpresult /r and reset policies to default with administrative commands if needed.
  • For larger environments, centralize Group Policy management through Active Directory or endpoint management platforms, such as NinjaOne, for scalable and consistent control.

This guide provides detailed instructions on how to apply Local Group Policy settings to specific users or groups in Windows 11 and Windows 10. It includes tips on managing Local Group Policy in Windows, as well as troubleshooting and best practices for managing user-specific group policies at scale.

Applying Local Group Policies to specific users lets you retain granular control over what those users can and can’t do on a Windows PC, including which apps and functionality they can use.

💡If you want a visual walkthrough, you can watch our video guide: How to Apply Local Group Policy to Non-Administrators in Windows 11 & 10


Understanding Local Group Policy in Windows

Group Policy is a Windows feature that enables the centralized administration of Windows devices, including system and user settings, as well as application configuration. This includes managing security policies, user permissions, network configuration, and user profile management. Group Policy is only available in Pro and Enterprise versions of Windows — if you’re using Windows 11 Home or Windows 10 Home, you won’t be able to access this functionality.

Group Policies contain Group Policy Objects (GPOs), which are sets of configuration options that affect how the associated Windows feature or application behaves. GPOs are set up as either Computer Configuration (which applies to a specific Windows device and any user logged in to that device) or User Configuration (which applies to only a single specific user account for the duration of their login to a Windows device).

You can use Local Group Policy and Group Policy Objects to configure settings for an individual user, for example to:

  • Automatically connect to network shares and online printers.
  • Run scripts when the user logs on or off.
  • Configure web browser security settings.
  • Make sure that the firewall and antivirus are enabled (and that they can’t be turned off).
  • Block access to specific applications or Windows features (for example, to disable access to the Command Prompt for certain users).

Windows Group Policy can be set up on the local machine, or as part of a Windows domain for enterprise usage:

  • Local Group Policy: Local group policies are applied only to the specific machine on which they are set up. In the case of a conflict, Local Group Policy Objects are overruled by Domain Group Policy Objects from Group Policy in Active Directory.
  • Group Policy in Active Directory: Group Policy Objects can also be defined in a Windows Active Directory domain (for example in a small business, education, or enterprise scenario). This grants you centralized control of users and computers connected to a network. Group policies in Active Directory are scoped based on the user’s or device’s Organizational Unit.

Why apply Group Policy to specific users?

Group Policy is typically configured in enterprise environments as part of an Active Directory domain to control Windows devices within a larger corporate IT infrastructure. However, it is also useful in small-scale Windows deployments, as it allows small businesses and those who support home users to do things like:

  • Configuring Windows Updates and making sure they are installed in a timely manner.
  • Setting default applications such as a secure web browser or mail client.
  • Enforcing system settings to prevent users from disabling important security features such as anti-malware and Windows Firewall.
  • Stopping unauthorized users from installing apps and running scripts (especially if certain users frequently open malicious email attachments or download software from suspicious websites).
  • Ensuring that specific users can only access certain applications, for example by setting up a user that can only access a specific app or website for use as a web kiosk or for product demonstrations.

Prerequisites to set Local Group Policies for certain users

Windows Group Policy is not available on Home editions of the Windows operating system. To leverage both Local Group Policy and Group Policy in Active Directory you will need one of the following operating system versions:

  • Windows 10 Pro, Enterprise, or Education.
  • Windows 11 Pro, Enterprise, or Education.
  • Windows 7/8 Pro, Enterprise, or Ultimate (if you are still using these Windows operating systems, you should upgrade ASAP, as they are no longer supported).

You will also need to be logged in with a user account with administrative privileges.

Creating users and groups in Windows 11

To add, remove, or edit local users and groups on a Windows PC, follow these steps:

  • Right-click on the Start button and click Run.
  • Enter lusrmgr.msc and click OK to open the Local User Manager.

  • To add a new user, click “Users” in the sidebar, then select “Action” from the menu bar, and finally, click “New User”.
  • To add a new group, click Groups in the sidebar, then click Action > New Group.
  • Under Members, click the Add… button to select the users you want to add to a new group.


  • Enter the usernames of the users you want to add to the group, and press OK.

Once you have added users and groups, you can target them specifically with Local Group Policies. Generally, it’s best to add users to a group so that you can then adjust settings for all users in that group, and later add new users to that group rather than having to apply the same settings to each user individually.
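The same steps can be scripted from an elevated PowerShell session. This is an added example, not part of the original guide; the group name KioskUsers and the accounts kiosk1 and kiosk2 are hypothetical.

```powershell
# Added example: scripted equivalent of the lusrmgr.msc steps above (run elevated).
# 'KioskUsers', 'kiosk1' and 'kiosk2' are hypothetical names.
function Add-StandardUsersToGroup {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$User
    )
    # Create the group only if it does not exist yet, so the script can be re-run.
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Targets for user-specific policy' | Out-Null
    }
    foreach ($u in $User) {
        if (-not (Get-LocalUser -Name $u -ErrorAction SilentlyContinue)) {
            # Prompt for the password so it never lands in script text or history.
            $pw = Read-Host -Prompt "Password for $u" -AsSecureString
            New-LocalUser -Name $u -Password $pw | Out-Null
            # Accounts made with New-LocalUser belong to no group; add them to the
            # built-in Users group (S-1-5-32-545) so they sign in as standard users.
            Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $u
        }
        $already = Get-LocalGroupMember -Group $Group |
            Where-Object { $_.Name -eq "$env:COMPUTERNAME\$u" }
        if (-not $already) { Add-LocalGroupMember -Group $Group -Member $u }
    }
    # Return the resulting membership so it can be reviewed.
    Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource
}

Add-StandardUsersToGroup -Group 'KioskUsers' -User 'kiosk1', 'kiosk2'
```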

If you want to delete a user, watch our video guide on How to delete user profiles in Windows 10 and Windows 11.

Step-by-step guide: applying Local Group Policy to specific users

To apply Local Group Policies to individual users in Windows, you need to create a custom Microsoft Management Console (MMC) window that edits group policies only for those users or a specified group:

  • Right-click on the Start button, then select Run.
  • Enter mmc, click OK, and click Yes on the User Account Control Prompt to open the MMC.
  • Click File in the menu bar, then select Add/Remove Snap-In…
  • Select Group Policy Object Editor from the list of Available snap-ins.
  • Click the Add > button to add it to the list of Selected snap-ins.


  • Click on the Browse button in the Select Group Policy Object window.
  • Select the Users tab and then select the specific users or user group and then press OK.
  • Click Finish in the Select Group Policy window and then press OK in the Add or Remove Snap-ins window.
  • The MMC window will now show your Local Group Policy Editor for specific users in the navigation pane.
  • Click File then Save As, and save this custom MMC view to the desktop as Group Policy Editor for specific users (for convenience, include the group name in the MMC name).
  • Now, you can skip all of the above steps whenever you want to manage user policies for that user or group, and use the MMC file saved to your desktop.

Any group policy changes you make in this MMC window will apply only to the specified users or group. For example, you could configure a group policy preventing members of a certain group from accessing the control panel:

  • Open the MMC using the file you created above.
  • Navigate to Local Computer/specific users Policy/User Configuration/Administrative Templates/Control Panel.
  • Double-click the Prohibit access to Control Panel and PC settings setting.
  • Select Enabled in the setting window and then click OK.
  • To apply the changes, reboot or run the command gpupdate /force from PowerShell or the command prompt.

This can be reversed by navigating back to the Prohibit access to Control Panel and PC settings setting, and then selecting Disabled or Not Configured.

It is important to test any Group Policy Objects you create to make sure they have the desired effect.

Troubleshooting common Local Group Policy issues

To troubleshoot setting up Local Group Policy per-user, you can check the following:

  • Make sure that the policies are assigned to the intended user or group.
  • Confirm that the users you are trying to create policies for are members of the group the policy is assigned to.

To troubleshoot further, run gpresult /r to list all currently active group policies. Note that in case of a conflict, the most restrictive of the conflicting policies takes effect.
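The checks above can be scripted. The following is an added example, not from the original guide: it lists which accounts have a user-specific policy object, tests group membership, and confirms the Control Panel restriction from the earlier walkthrough reached the user's registry hive. It assumes user-specific policy objects are stored under %windir%\System32\GroupPolicyUsers\<SID> and that the Control Panel setting writes the NoControlPanel value; the account name kiosk1 is hypothetical.

```powershell
# Added example. Run elevated on the machine being checked.
# Assumption: user-specific LGPOs are stored as %windir%\System32\GroupPolicyUsers\<SID>.
function Get-UserSpecificLgpo {
    $root = Join-Path $env:windir 'System32\GroupPolicyUsers'
    if (-not (Test-Path -LiteralPath $root)) { return }    # none created yet
    # -Force: the folder and its children are hidden.
    Get-ChildItem -LiteralPath $root -Directory -Force | ForEach-Object {
        $sid = $_.Name
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved SID, account may have been deleted)'
        }
        $pol = Join-Path $_.FullName 'User\Registry.pol'
        $hasPol = Test-Path -LiteralPath $pol
        [pscustomobject]@{
            Sid          = $sid
            Account      = $account
            HasSettings  = $hasPol
            LastModified = if ($hasPol) { (Get-Item -LiteralPath $pol -Force).LastWriteTime }
        }
    }
}

# Is the user actually a member of the group the policy targets?
function Test-UserInLocalGroup {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$User)
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$User" })
}

# Run in the targeted user's own session: this reads that user's HKCU hive.
function Test-ControlPanelProhibited {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $p = Get-ItemProperty -Path $key -Name NoControlPanel -ErrorAction SilentlyContinue
    ($null -ne $p) -and ($p.NoControlPanel -eq 1)
}

Get-UserSpecificLgpo | Format-Table -AutoSize
Test-UserInLocalGroup -Group 'Users' -User 'kiosk1'    # hypothetical account name
Test-ControlPanelProhibited
```

An entry whose SID no longer resolves to an account points to a policy object left behind by a deleted user.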

If you make a mistake when creating Local Group Policies or can’t narrow down the source of a problem, you can revert all group policies by running the following commands as an administrator:

gpupdate /force

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

After running the commands above and restarting your Windows PC, the computer configuration and user configuration policies will have been reset to their default.


How to efficiently manage Windows Group Policy at enterprise scale

Using Local Group Policy to restrict access for individual users across multiple Windows devices while maintaining a secure and consistent configuration can be time-consuming. In addition, there is the risk of making mistakes that go unnoticed. For configuring more than a few Windows machines within an organization, it is best practice to set up an Active Directory domain, allowing Group Policy and other Windows configurations to be managed centrally. This offers more control and visibility over your IT assets.

To further ensure the consistency, reliability, and security of your vital IT infrastructure, consider deploying an endpoint management solution for Windows domains. Endpoint and remote monitoring and management from NinjaOne provides you with a centralized management interface that spans your entire Windows fleet, as well as Apple, Linux, and mobile devices, wherever they are located.

FAQs

Yes. You can target specific standard accounts (non-administrators) by creating a user-specific Local Group Policy snap-in in the Microsoft Management Console (MMC) and selecting the particular user or group.

When you’re in a domain environment, a domain-based GPO (via Group Policy Management Console) has precedence over local policy. Therefore, if a Local Group Policy object for a specific user conflicts with a domain GPO, the more restrictive policy generally prevails.

No. The Local Group Policy Editor is only available on Windows Pro, Enterprise, and Education editions of Windows 10 and Windows 11. Home editions lack full access to these features.

For larger environments, instead of configuring Local Group Policy individually on each PC, it’s best to use a centralized management method, such as linking GPOs to users/groups in an Active Directory domain or using an endpoint management platform. This approach scales better and reduces the risk of inconsistent policies.

Yes. You can use commands like gpupdate /force and the built-in security editor (secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb) to revert policies to default settings on the device.
