A previous colleague who handled Windows XP/2000 security at our location has now left. He used three batch files as admin which control the permissions on registry.pol in the user and machine subdirectories of group policy, and also the gpt.ini file. These batch files altered the permissions on these files (enabling/disabling the group permissions settings, I believe); the third allowed editing of the group policy, but only while it was open. All made use of cacls to control the permissions. Has anyone heard of a scheme like this, and could either write or direct me to an explanation of how it works and how to implement it? Also, does this method provide any real security advantages over the standard Windows setup?