Windows Tip Sheet
Policies, No Domain
If you need to implement system policies in a non-Active Directory environment, there's hope.
"Don, is there a way to have Group Policy without a domain?" I
was actually asked this twice last week, so it must be something in the air,
but it deserves a response. The short answer is, "No, not anymore than
you can play Doom without electricity." Fortunately, there's a long
answer.
Although Group Policy is inextricably linked to Active Directory, System Policies
-- the forerunner of Group Policy -- ain't. And WinXP, Win2003 and Win2000
will cheerfully use System Policies, which can be deployed without Active Directory,
if you tell them enough lies. Specifically, the lies listed in Knowledge Base
article 910203, a hefty pages-long treatise on the subject.
It's not so far-fetched. System Policies and Group Policy evolved from the
same, automated-registry-editing technique, and the ADM template files used
to extend Group Policy are typically usable by System Policies, too. The real
difference in them is how they're delivered, and in the fact that Group Policies
is a bit more flexible when it comes to undoing a policy application.
You can even -- and I shudder to think that this might happen somewhere --
deploy System Policies to a WinXP computer that belongs to an NT domain. Seriously.
Who knew? I think the most use for this technique, however, is in getting some
standardized configuration settings out to machines in a lab environment or
who, for various other reasons, don't have the pleasure of belonging to
a domain.
Additional Resources:
- Find the KB article here.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.