Gpedit.msc Workaround?

[Dan Kauffman]

I'm setting up an XP image for a high school computer
lab. I've been using gpedit.msc for locking everything
down, and it's been working great. However, it locks me
out too! This is the side effect of not being part of a
windows 2000 domain (using linux).

Is there any sort of workaround so I don't have to go
through every single aspect of gpedit when I need to
troubleshoot a machine? Thanks.

I'm open to any suggestions.

p.s. If anyone could further this idea....

two registries. One that's locked down, and one that's
not. If I could somehow find out the differences between
them, could I create reg file that takes security on and
off? hmmmm

 

[Doug Knox MS-MVP]

http://support.microsoft.com/?id=293655
HOW TO: Apply Local Policies to all Users Except Administrators on Windows
2000 in a Workgroup Setting

Also see www.dougknox.com, Win XP Utilities, Windows XP Security Console.

 

[Roger Abell]

Alternatively, if you just want to exempt the admins,
you can place a Deny on system32\GroupPolicy for
Administrators when you want to log in without the
policies impacting the admin account.
While this is in place you cannot edit policies, so the
scenario runs: log in and set deny, log off and back in,
remove the deny and edit. If you do not then reset the
deny, all accounts are subjected to policy, which may
be an added advantage for classroom machines, you
only need to set the deny, log off and in when you need
to be free of the policies.