| There's nothing "clandestine" or "semi-secret" about it.
It's clandestine insofar as people generally don't see
admin effects in their own settings. It's secret insofar as
many common settings are not well documented. In
some cases, with recent versions of Internet Explorer,
there may be a message shown saying something like
"This setting has been adjusted by your administrator".
But in general, the group policy settings, and others like
them, have been designed to override user choice
throughout the Windows OS without letting the user
of the computer know about it. For example, user-level
IE security settings show in the security tab of Internet
Options. But there's a particular Registry setting, not
commonly known, that will override those with machine-level
settings controlled by admin. (Or malware.) The person
adjusting their own settings is deliberately misled.
| Anybody with a
| copy of the Administrator's Pocket Companion has a lot of information
| about it,
Obviously, anyone who learns all about the ins and outs
of the Windows Registry will be able to find out what their
administrator is doing.... assuming admin hasn't disabled
Registry tools in the Group Policy Editor, in which case
one will be unable to run Regedit; and no explanation will
be provided. But the settings work *because* they're secret
for all practical purposes. Many admins don't even understand
much of it. They're trained to run various scripts that adjust
settings on company workstations. Often the people running
the scripts have little understanding of what the scripts do.
IE security settings alone can be controlled from 8 different
locations, only 4 of which are available at user-level;
only one of which is commonly known....
On Windows 7 a special command-line operation is required
to enable oneself to log on as a real administrator, with actual
admin rights....
It's all designed to prevent people from understanding it,
because Windows is designed to be a corporate workstation
OS used by employees who have no business doing anything
but their assigned work on their PC.
| Administrators generally don't give employees a list of group policies
| that have been set mostly because it wouldn't make much sense to them if
| they weren't IT people.
|
The whole point of admins is to control use of company
computers to prevent damage, security problems, etc.
The whole point of group policy settings is to control
the computer at a level *not accessible to employees*.
Secrecy, obscurity and manufactured abstruseness are
the main means of making it all work as intended, while
minimizing confrontation between admin and employees.
That's what group policy is all about. That's what circuitous,
obscure Registry settings are all about. That's why the
Internet has thousands of Windows tweak sites... Because
Microsoft systematically designs the system so that most
people will never understand it. (Of course, it also doesn't
hurt Microsoft's bottom line that they've created a trumped
up system of paid-for courses and certifications through their
Rube Goldberg system of manufacturing abstruseness. And it
helps the IT "ecosystem": Just like other professional certifications
and licenses, the system inflates the income levels of people
who do Windows IT work.)