IT Projects

A place for sharing, posting, documenting and implementing IT projects

Archive for the ‘Windows Group Policy’ Category

Group Policy Settings vs. Registry Entries

Posted by Thary on October 30, 2009

In Microsoft Windows, the settings you configure in the Group Policy editor (gpedit.msc) are also written as entries in the registry.

The table below shows which registry keys to check once the Group Policy settings are applied.

| Group Policy Settings | Registry Entries |
| --- | --- |
| Computer Configuration | HKLM\Software\Policies, or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies |
| User Configuration | HKCU\Software\Policies, or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies |

For example:

In the Local Group Policy Editor, when you enable the “Lock the Taskbar” setting under User Configuration\Administrative Templates\Start Menu and Taskbar, you also create a registry entry for “Lock the Taskbar” in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"LockTaskbar"=dword:00000001

A value of 1 means “LockTaskbar” is enabled, while a value of 0 means “LockTaskbar” is disabled. You can enable or disable the “Lock the Taskbar” Group Policy setting just by changing the value of the “LockTaskbar” registry entry.


How to make a local Group Policy not apply to Administrators

Posted by Thary on October 29, 2009

Local Group Policy settings apply to every user account that logs on to the computer and has READ permission on the %SystemRoot%\System32\GroupPolicy folder. Policies are not applied to users who do not have READ permission. Therefore, by denying READ permission to Administrators or other users whom you don’t want to restrict, you free those users from control by group policies.

To use this method, follow these steps:

  1. Make the Group Policy setting changes that you want.
  2. In Windows Explorer, right-click the %SystemRoot%\System32\GroupPolicy folder and choose Properties. (GroupPolicy is a hidden folder; if you can’t find it in System32, choose Tools > Folder Options > View > Show Hidden Files and Folders.)
  3. On the Security tab of the GroupPolicy Properties dialog, select the Administrators group and select the DENY check box for the READ permission.

Note: After you set DENY for Administrators, you will not be able to run MMC or the Group Policy Editor to change the policy settings while logged in as Administrator, unless you give Administrators full rights to the GroupPolicy folder again. To give Administrators FULL ACCESS, in Windows Explorer, right-click the %SystemRoot%\System32\GroupPolicy folder > choose Properties > choose the Security tab > select the FULL CONTROL check box.
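Because a DENY READ entry on this folder exempts an account from local policy, it is worth checking for when auditing a machine. The PowerShell below is an added example, not part of the original post: it lists every Deny entry on the GroupPolicy folder that blocks Read. The function name `Get-GroupPolicyDenyAce` is hypothetical, and the script assumes an elevated session.

```powershell
# Added example (not from the original post): report Deny ACEs that block
# Read on the local Group Policy folder described above.
$GpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Get-GroupPolicyDenyAce {   # hypothetical helper name
    param([string]$Path = $GpFolder)

    # File-specific Read = ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions.
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    # Raw generic bits that some tools store instead of file-specific rights:
    # GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000).
    $generic = 0x80000000 -bor 0x10000000

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path does not exist on this machine."
        return
    }

    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    }
    catch {
        # Deny Read includes ReadPermissions, so the account running this
        # check may itself be unable to read the ACL. Treat that as a finding.
        Write-Warning "Cannot read the ACL of ${Path}: $($_.Exception.Message)"
        return
    }

    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny' -and ($rights -band ($read -bor $generic))) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$found = @(Get-GroupPolicyDenyAce)
if ($found.Count -eq 0) { "No Deny-Read ACEs on $GpFolder" }
else { $found | Format-Table -AutoSize }
```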
