Hi everyone,

I'm the system administrator for the computer science
department at a university. Our labs run Windows XP, and
are not part of any domain.

I'm trying to "lock down" the lab computers using Group
Policy, using the "two profiles" technique listed at
www.is-it-true.org. In a nutshell, I make a restrictive
policy set, then deny Administrators read access to the
GroupPolicy folder. Thus, when a normal user logs on,
they are restricted from installing software, etcetera,
but an Administrator has no policy applied since it can't
read the GroupPolicy folder.

Anyways, back to the problem at hand. After installing
SP1, it seems to have problems logging on the "locked
out" Administrator account. An error message is given,
with the title "Windows Product Activation" and I'm
returned to the log in screen.

I know that SP1 has increased "security" to reduce
piracy, but that shouldn't involve the GroupPolicy
folder, should it? Is there a better way to apply Group
Policy outside of an Active Directory context? Any help
is greatly appreciated!