I want to know where to set such things as "hide control panel" to a certain user. I tried it myslef, but it affected all users, and I didn't want that. Can someone tell me how to prohibit a single user on my 2k box from accessing control panel? (a quick walk-through (even just a basic few-liner) would make a world of difference if you have a few minutes) Thanks, Mike

Open the MMC by typing MMC in the Run command line. Go to the File menu and select Add/Remove Snapin and add a snapin for Group Policy and select local machine. Look in there and you will find what you are looking for. Be careful and the best advice is to experiment on a test machine first. Good luck

if you are not on an active directory network, you can't do this via user using a local group policy. (local group policies are all or nothing). However, you have got two choices 1) use group membership to conlrol the user (there is really not much you can do in the control panel as a simple user) 2) if you are familiar with the old nt 4.0 policy editor (poledit.exe) it is alive and well in windows 2000. you can try it that way. just be sure to document what you do for troubleshooting purposes. good luck

You most certainly can do this without Active Directory. You can do as I described on a single computer. Try it. What do you mean, "Group policies are all or nothing"?

Didn't mean to mislead. You are right in that group policies most certainly can be applied to a local pc without using active directory by using the method you described. The manner in which i interpreted the question was that the desire was to apply the group policy to a single user on a machine. Using the mmc group policy snap-in will apply the group policy to the Local machine, and not to a user or group in the machine. With active directory you gain the flexibility to apply a group policy to an ou, a security group, etc and therefore can gain some user level control over the policy rather than machine level control. That's what i meant by all or nothing, just that a local group policy would be applied to the machine, not the user. If you applied a local policy on the machine using the mmc snap-in (which is the way to go for non active directory machine lockdown) then it would be applied to all users which Mike S said was undesirable.

How do I access poledit.exe, I searched and found it nowhere on my 2k machine, it's 2k pro? Thanks, Mike

Poledit is not installed by default in 2k pro, only server. You have to install it (you will need a server disk to do this however). Article Q269799 will give details on how to set it up and articles Q318753 and Q185589 give good implementation tips. However let me take a moment to just make sure that you're going about this the right way. I've noticed on earlier posts you (or someone with the same post name) have mentioned the use of active directory on your network. If that is so, i would not recommend using poledit to solve your problem, rather use group policy. Your solution options vary, depending on your setup. 1) IF you are using ACTIVE DIRECTORY and the pc you wish to limit is WINDOWS 2k/XP use group policy. If you want GP only to apply to specific users/machines, isolate them by either placing them in a seperate ou, or through the use of the "Apply group policy" permission (click the properties button of the GP and click the securities tab-- create a security group and put whoever you want the gp to apply to in there, and give ONLY that group read and apply group policy permissions. NOTE native mode is a big plus here) 2) If you are NOT using active directory and you want to control a specific machine then use the LOCAL GROUP POLICY procedure that Glen spoke of earlier in this post. NOTE this will lock down the machine reguardless of the user that logs into it-- useful if the same person always logs into the same machine, or if the machine is being placed somewhere where it will recieve uncontrolled general use-- like the lookup machines at the library, however this is not useful if multiple users log into the machine throughout the day and you want to control only one of them. 3) if none of these options work for you then turn to using POLEDIT. this option is useful to work around the problem described in option 2, or if you've got a winnt 4.0 domain with 2k/nt4.0 clients and wish to control your domain in the same manner. however, you either have to contact microsoft to get a copy, or get it from your server cd (i want to say that nt 4.0 was the same way... may be mistaken though). I hope this helps