I am trying to figure out how to manage users and groups as well as security settings. Specifically, how I can define my security settings, my users, my groups, my passwords, and which users belong to which groups, but to do it in an equivalently easy way as running a batch file since I have to do it on hundreds of computers without a domain controller.
1. I have identified the following interfaces that seem to deal with users and groups: User accounts (control panel), Computer Management – local users and groups (admin tools in control panel), and I have heard rumors of a cmd line interface for doing this. What is the difference between these interfaces? Which should I use? Why does group policy not have a section for user/group management? Why are there so many ineffective interfaces for dealing with the same subject?
2. Is there a way to include the computer management snap in, the group policy snapin and possibly others in a custom console such that I can edit all the settings in the console, save the console without implementing these changes on this computer, port the custom console to all the various computers and implement the settings previously defined? Ie if I make a change in the custom console, how do I ensure it is not going to go into effect on this computer? I don’t want it to. I just want to create an LGPO and my users and groups in a sort of planning LGPO, but not to implement it until it is ported to another computer.
3. Why does the “security templates” snap-in under “account policies” have a section called “Kerberos Policy” while the “local computer policy” snap in does not? Should it not be identical? The exact same situation seems to be present in the sections titled “event log”, “system services”, and more. I suppose that each of these snap-ins operates on different parts of the same data set, overlapping at times. Is this accurate? If so, the question 2 above becomes very important.