|
Radimus,
I'm sorry but I would have to disagree. GPO is much more powerful then just scripting entries into the Registry. Many of which are outlined above. As an Administrator, I can apply policies to your system that you CAN NOT prevent me from doing. If you place a DENY ACCESS on a key, I can over ride it and place a DENY ACCESS to you. You would have to take ownership back before you could undo my changes. Try running some tight policies and then trying to "UNDO" them with just the Registry. Many changes require a reboot, which won't work, because policy will be reapplied during logon again. Via a logon script it would be VERY difficult to even attempt to check every key and see if it has the rights to write there, if it was applied, etc... Just being a local administrator does not necessarily give you the right to write to every key in the registry. If the user placed a DENY ACCESS to EVERYONE on the key, your logon script would never be able to modify that key, using GPO I could force the modification anyway.
Don't get me wrong, I LOVE KiXtart, but in order of preference and power. GPO is much more powerful then doing it via script. There are also hidden registry entries that only being logged onto the system as SYSTEM will allow you to view. You can not (even as local adminstrator) view these entries.
As for Win9x, yes you can apply many policies, but since they don't actually "belong" to the Domain the security is no where near what NT/2000/XP are like. The registry has no security to stop anyone from modifying it like the others do.
Then again, how many users (outside of IS) know enough about this kind of stuff to alter or stop it much??? In a company of over 3,000 desktops... we rarely see anyone alter or attempt to alter these policies or registry changes.
| 
