[Samba] gpedit.msc as centralized policy for 2k/xp clients

[richard]

aahhhh.........

Local Group Policy does not allow you to apply security filters or to
have multiple sets of Group Policy objects, unlike Active
Directory?based Group Policy objects. You can, however, set
Discretionary Access Control Lists (DACLs) on the
%systemroot%\System32\GroupPolicy folder so that specified groups are
either affected or are not affected by the settings contained within the
local Group Policy object. This option is useful if you have to control
and administer computers that are used in situations such as kiosk
environments, where the computer is not connected to a local area
network (LAN). Unlike Group Policy administered from Active Directory,
the local Group Policy object uses only the Read attribute, which makes
it possible for the local Group Policy object to affect ordinary users
but not local administrators. The local administrator can first set the
policy settings he or she wants and then set the DACLs to the local
Group Policy object directory so that administrators as a group no
longer have Read access. For the administrator to make subsequent
changes to the local Group Policy object, he or she must first take
ownership of the directory to give him or herself Read access, make the
changes, and then remove Read access.