Monday, August 15, 2016

Policy Plus - Open dialog

Today I again intended to implement a save feature for Policy Plus, but this time I got distracted thinking of all the places it should be able to get policy from. The result was this Open dialog:


This is what all the choices refer to:

  • Local GPO: the GPO you see when you use the real Local Group Policy Editor
  • Local Registry/Current Registry: the real live Registry of the current system or user (no POL file)
  • POL file: edit an arbitrary POL file on disk
  • User GPO: a per-user GPO; the browse button shows a username-to-SID translation tool
  • User hive: an ntuser.dat file; the browse button shows a list of user profiles
  • Scratch space (null): absolutely nothing - appears totally blank and saving it goes nowhere
The User GPO option deserves a little more explanation. The GroupPolicyUsers folder under System32 can contain folders named for the SID of the corresponding user. If such a folder has an appropriate gpt.ini and User\Registry.pol, it will be automatically processed as an extra GPO for the user. As far as I can tell, the normal Group Policy Editor can't view or edit these. They also don't appear to be documented anywhere. Somehow my user account on my machine has one, and has had it for quite a while. Sneaky!
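To make the per-user GPO mechanism concrete, here is an added PowerShell example (written for this post, not part of Policy Plus) that walks the GroupPolicyUsers folder, resolves each SID-named subfolder back to an account name the same way a SID-to-username translation tool would, and reports whether the gpt.ini and User\Registry.pol that make the folder a processable GPO are present. The path layout and the `Version=` line in gpt.ini are the standard ones; the `Resolve-GpoUserSid` helper name is my own.

```powershell
# Added example, not Policy Plus code. Run in an elevated PowerShell if
# GroupPolicyUsers is not readable by standard users on your machine.
$base = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

function Resolve-GpoUserSid {
    # Translate an SID string (folder name) into DOMAIN\user, or flag it
    # if it is not a valid SID or cannot be resolved on this machine.
    param([Parameter(Mandatory)][string]$SidString)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '<unresolvable SID>'
    }
}

if (-not (Test-Path -LiteralPath $base)) {
    Write-Host "No GroupPolicyUsers folder at $base"
    return
}

Get-ChildItem -LiteralPath $base -Directory | ForEach-Object {
    $gptIni = Join-Path $_.FullName 'gpt.ini'
    $pol    = Join-Path $_.FullName 'User\Registry.pol'

    # gpt.ini is a plain INI file; the Version line is what the policy engine
    # compares to decide whether the GPO changed since the last refresh.
    $version = $null
    if (Test-Path -LiteralPath $gptIni) {
        $m = Select-String -LiteralPath $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($m) { $version = [int]$m.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        SID        = $_.Name
        Account    = Resolve-GpoUserSid -SidString $_.Name
        HasGptIni  = Test-Path -LiteralPath $gptIni
        HasUserPol = Test-Path -LiteralPath $pol
        Version    = $version
        Folder     = $_.FullName
    }
} | Format-Table -AutoSize
```

A folder that shows `HasGptIni` and `HasUserPol` both true is one the engine will apply to that SID at next logon or refresh, which is exactly why an unexpected entry here is worth a second look: it is a policy source the Local Group Policy Editor never displays.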


The "User hive" option's browser just enumerates the subfolders of Users (excluding junctions and symbolic links) and checks whether write access can be gained to ntuser.dat. It uses that information to show whether the user hive is currently accessible.
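As an added example of the same profile enumeration (my code, not the Policy Plus implementation), the PowerShell below lists the subfolders of the Users directory, skips anything with the reparse-point attribute (which covers both junctions and symbolic links, such as the legacy "All Users" junction), and checks whether ntuser.dat can currently be opened for writing. Opening the file with exclusive read/write access is my stand-in for "write access can be gained": a hive that is loaded for a logged-on user is held open by the kernel and fails with a sharing violation, while a hive you lack rights to fails with an access-denied error. The `Test-NtUserWritable` helper name is an assumption of this example.

```powershell
# Added example, not Policy Plus code.
$profilesRoot = Join-Path $env:SystemDrive 'Users'

function Test-NtUserWritable {
    # Returns $true only if ntuser.dat exists and can be opened exclusively
    # for read/write right now, i.e. it is not loaded and we have rights.
    param([Parameter(Mandatory)][string]$HivePath)
    if (-not [System.IO.File]::Exists($HivePath)) { return $false }   # works on hidden files
    try {
        $fs = [System.IO.File]::Open($HivePath,
              [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::ReadWrite,
              [System.IO.FileShare]::None)
        $fs.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false   # no permission on the hive file
    } catch [System.IO.IOException] {
        return $false   # sharing violation: the hive is loaded for a logged-on user
    }
}

Get-ChildItem -LiteralPath $profilesRoot -Directory -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) } |
    ForEach-Object {
        $hive = Join-Path $_.FullName 'ntuser.dat'
        [pscustomobject]@{
            Profile  = $_.Name
            HasHive  = [System.IO.File]::Exists($hive)
            Writable = Test-NtUserWritable -HivePath $hive
        }
    } | Format-Table -AutoSize
```

Run without elevation, other users' profiles will typically show `Writable = False` because of permissions rather than because the hive is loaded; the two cases are distinguished in the helper's catch blocks if you want to surface the reason instead of a single boolean.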

Not running as admin
In other news, I found out from a Blog On The Internet that the "Group Policy Objects" key I was concerned about yesterday is actually just a temporary artifact of the normal Group Policy modification API. In most cases, it only exists while the real Group Policy Editor is open. Therefore, I can completely ignore it.

Tomorrow, I'll hopefully be able to actually open and save all these things.
