Lately we have been given the task of locking down stand-alone W2K pro boxes. The catch is that the admin account must retain full access while the user account have the defined restrictions imposed.

In the past, I have used POLEDIT to achieve this but I can see by the design of the MS Group Policy Editor that this will not be so easy.

So far, I went to Microsoft who gave me a technet article which describes how to shift the Registry.pol file around to achieve what I need. This has failed. I found several edited versions of this doc all which have also failed.

After screaming about this for a while, I decided to manually edit the user's hive and found that this does work. I had to make the user an admin so that I could add keys and then I went on my merry way locking down the user. At the end of this exercise, I removed admin rights on the user account and everything was set.

Now, does anyone know of a utility that will do this for me? Somethingg that has the power of Group Policy Editor yet will work on local users (Local Policy Editor if you will). I know that Microsoft does not have one and I haven't seen one on the web. If no one has a lead on this, I think I will write my own and post a link to it as this has burnt about 6 hours of my time. Oh yes, I did export this registry so that I can use it to build an app that will allow me to do this with a nice HTML front end with checkboxes and such. I will be using Perl to build the backend.

Any thoughts would be most welcome.