Article ID: 274478 - View products that this article applies to.
This article was previously published under Q274478
This article explains how to apply group policies to Microsoft Windows 2000 Professional-based computers which are installed in a Microsoft Windows NT 4.0 domain or in a workgroup.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Normally, administrators use a Windows 2000 Active Directory to distribute Group Policy settings. In this situation, the administrator creates Group Policy objects which contain policy settings, and then uses Active Directory to target the delivery and application of these settings. When you use Windows 2000 clients in an environment where there is no Active Directory, you can distribute policy settings using Windows NT 4.0-style system policies or Local Group Policy.
Security permissions on this folder can be changed to deny access to administrators to ensure that the policy does not apply to the local administrators.
If you use the preceding method, you must exercise much care because anything that is set on the original system that is specific to that particular computer is unsuccessful on the new target computer. In particular, many of the security settings for the computer should be avoided. If you are only interested in the administrative templates settings, copy the Registry.pol file to the target computer.
The method of setting the access control lists (ACLs) on the folder to prevent the local administrators from being affected can work with any local built-in group as well. When a change to the policy settings is required, the local administrator must take ownership, change the ACLs, make the change to the LGPO, and then change the ACLs back to deny for the local administrator. A failure to do this when combined with a certain set of policies could make it impossible to make any further changes.
Consider, for example, if the "Disable registry editing tools" or "Take ownership of files or other objects" policy is set and the "Deny access to this computer from the network" policy is set. This can lead to a situation where administrators can find themselves locked out of a system.
In general, to avoid problems, be aware of the following suggestions: