Modify "Policy" without Group Policy: Best Practice?

Question

I have a need to address some policy settings on a number of machines that are not on a domain. Specifically, we are dealing with a technology conference lab, built with loaner machines from various vendors, and I would like to lock down certain UI things like desktop background to maintain some consistency. I am creating my own user accounts, and attendees are NOT local admins (vendors ship us machines with admin accounts with no password. Yikes!) Anyway, this is usually a Group Policy thing, so as expected the Policy part of HKCU is off limits to a standard user. But since I also don't have a Group Policy infrastructure, I have a quandary. My thinking is to use PowerShell to modify the settings in question for the Default User prior to creating my users, so they inherit those settings. However, I suspect this is one of the things that doesn't work when the admin user has no password. I also thought about just changing the permissions on the default user, but that leaves parts of Policy exposed, which is not ideal. Both feel like a kludge, but I can't think of a "right" way to deal with this in a Workgroup setting. I know this is a subjective question, but hopefully it doesn't get down voted, doesn't get closed, and someone has some insight, either an actual good way to do this, or at least a suggestion that the default user approach isn't too bad an idea. ;)

Answer 1

Look into using Multiple Local Group Policy. You can configure local Group Policy for standard users that will apply to all standard users that log on. No need to muck with the Registry, Powershell or the Default User profile.

https://technet.microsoft.com/en-us/library/cc731758.aspx