yeah.

the active directory api is pretty important, it turns out. i need it for:

1) the security tab in windows explorer.

2) to even open regedit.

3) to let the mmc load the gpedit.msc module

so, the whole "you don't need the gui. just do it in the registry." argument is actually unsustainable, in the face of regedit's need for the api.

now, if i was designing this, i'd undo that. there's some logic in using the active directory api to call the group policy editor, and it's at least efficient to use it for the security tab. but, if i really, really want to disable this, i shouldn't lose access to the registry as a result of it. you essentially can't use windows without access to the registry. that makes the core functionality impossible to rip out of the os.

but, i'm not designing this, and i'm kind of stuck.

hopefully, i can still disable the drivers. and, maybe i can alter the security descriptor on the api, so only the precise users that need to use it can use it.

it's enough to make you want to move to linux, it really is.