Distributing Policies

Once you’ve created policy files that contain the access controls you want to enforce, you still have to get those policies to each machine you want to be under policy control. This process, called policy distribution, is probably the most complex part of the policy development process, since how you do it depends on whether you want to use policies on one machine, a few machines, or many machines.

Applying Policies to One Machine at a Time

The simplest way to apply policies is to put them on individual machines. For example, you might want to apply policies to keep transient users from making changes to the configuration of public workstations in a library, factory floor, or conference room. For this type of requirement, you don’t need to blast policies to every machine on a network; a more surgical approach lets you put policies only where you really need them.

Setting policies on the local machine

POLEDIT allows you to edit the local computer’s Registry using the same interface you’d use to edit policies. When you use the File → Open Registry command, POLEDIT acts as if you’d opened a new policy file, but it actually loads data from the local Registry and displays it as two user policies: “Local User” and “Local Computer” instead of “Default User” and “Default Computer.”

You can edit the contents of these policies as though you were editing any other policy. However, you can’t create new user, group, or computer policies while the local Registry is open. ...
