use group policy editor non-stupidly


ms gpedit.msc is computer-wide, which is dumb.

fix: use permissions on regkeys for policies (see that kb article) to lock them. then use gpedit, and the admin user's locked key remains untouched.