I need to prevent group policy from being applied to the Administrator group on my local machines. I know that I can add permissions to the Group Policy Object's (GPO's) ACL to deny Apply Group Policy access to the Administrator account. Must I have a Windows 2000 Active Directory (AD) server? (I won't have a Win2K server in my Windows NT domain when I roll out the desktops.)

To take full advantage of Win2K's new security and management features, you need to implement AD. Win2K Professional computers by themselves offer few advances beyond easier installation and better device recognition. In your situation, without AD installed, the only GPO applied to each computer is its own local GPO, which is applied whenever the computer boots or someone logs on. Unfortunately, you can't shield administrators from the policies defined in local GPOs.