Re: Group Policy in a NON Active Directory environment

From: karl [x y] (
Date: 07/23/02

From: "karl [x y]" <>
Date: Tue, 23 Jul 2002 12:55:28 -0400

No, I'm not sure about whether or not .POL files will work in Windows 2000
[I'm guessing they don't, but I would have to look up the correct answer].
What I'm describing is more or less the normal process for managing group
policy on a standalone windows computer. You can do Start, Run, MMC, add
the Security Configuration and Security Templates snap-ins. Use the
Security Configuration snapin to create a new database, import [if you wish]
the contents of a pre-existing template, modify the settings in your
security database, save and close the database/MMC [noting the location of
the policy database]. Then, do Start, Run, SECEDIT to access the help
documentation for Secedit, which is the command-line version of the Security
Configuration snapin. It can be used in a batch file or login script to
silently apply or re-apply one part or all parts of a group policy security

"Carl Hilton" <> wrote in message
> Our users are NOT local admins. Could you please explain further.... your
> script to roll out group policy? Do you mean to copy the *.POL files to
> users machines?
> "karl [x y]" <> wrote in message
> news:OebnIklMCHA.2340@tkmsftngp08...
> > You could use a batch file or other script to roll out group policy
> > databases that you have created and then execute the SECEDIT command to
> > apply them to the workstation. If the user is a local administrator on
> the
> > workstation, the changes can be undone.
> >
> >
> > "Carl Hilton" <> wrote in message
> > news:#5seoxkMCHA.2548@tkmsftngp08...
> > > Is it possible to implement a policy that is active across a site
> without
> > > Active Directory? I have a bunch of Win2K Pro machines... can I copy
> > the
> > > Registry.POL from a machine that I have modified and push it to other
> > > machines?
> > >
> > > 2) If I have screen saver stuff set in the .POL file, can the user
> > > change those settings following logon? I know I can use the registry
> > > permissions to prevent a user from changing any desktop setting, but I
> > would
> > > prefer to just prevent them from changing the screen saver settings.
> > >
> > >
> > >
> > >
> >
> >