Module 4: Managing System Policies
System policies control user environments and actions.
- System Policy Editor can be used to create a policy to:
- Restrict options in Control Panel.
- Customize parts of the desktop.
- Control network logon and access.
- Poledit.exe is included only with NT Server, where it appears on the Administrative
Tools menu.
System policy is applied through the following process:
- As the user logs on, the operating system loads the user's profile. Windows NT then
checks the NETLOGON share of the domain controller that validated the logon for a file
named Ntconfig.pol.
- NETLOGON is the share name automatically given to the
\winnt_root\System32\Repl\Import\Scripts folder on a domain controller.
- User: if the file defines settings for that specific user, they are merged into the
current user portion of the registry.
- Group: if NO system policy is defined for the user, but one is defined for a group the
user belongs to, the group settings are merged into the current user portion of the
registry. If the user is a member of two or more groups that have entries, the group with
the highest priority (set under Options | Group Priority) takes precedence.
- Default User: if no policy is defined for the user or for any of the user's groups,
Windows NT merges the Default User settings into the current user portion of the
registry.
- Default Computer: if a system policy exists for the Default Computer, its settings are
merged into the local computer portion of the registry. (An entry added for a specific
computer is used instead of Default Computer on that machine.)
System policy for Users modifies:
HKEY_CURRENT_USER
System policy for computers modifies:
HKEY_LOCAL_MACHINE.
NOTE: If a trust exists between two domains, system policy is taken from the domain that
contains the user's account, regardless of the domain the computer belongs to. This can
cause confusion and affect security, because the Default Computer policy from another
domain (the account domain) is then applied to the computer.
- Watch the little System Policy movie that comes with the MOC material
Implementing a Local Policy
- You are not restricted to use only one place from which to retrieve system policies
in a domain.
- An NT computer automatically downloads Ntconfig.pol from Domain Controller that
authenticated the user logon request.
- However, to use a system policy from a computer that is not a Domain Controller, you
need to change Remote Update from automatic to manual and specify
the computer and the path to the system policy file.
Exact procedure:
- Poledit.exe --> File --> New Policy --> Default Computer --> Network --> System Policies
update --> check Remote Update --> click the down arrow of Update Mode --> click Manual
--> type the UNC path in Path for manual update --> OK.
- File --> Save --> click Network Neighborhood in the Save in box --> the NT Server or NT
Workstation computer appears in the list; click it and save the policy file at the same
path you entered in the Remote Update setting.
- Check: the Remote Update setting lands in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update (UpdateMode = 2 for manual,
NetworkPath = the path you typed), so you can confirm in the registry editor on a client
that the setting arrived.
- Caveat: a client still in Automatic mode only reads Ntconfig.pol from the authenticating
domain controller's NETLOGON share, so the Default Computer setting that switches it to
Manual must reach it first: either also save the file to NETLOGON, or set the values on
the client directly in registry mode.
- Caveat: the share named in the manual path must be writable only by administrators.
Anyone who can write to it can replace the file and control what is merged into every
client's registry at logon.
System Policy Editor Modes
System Policy Editor has two modes: registry mode and policy mode.
- Registry mode:
- When you select Open Registry (edit the local registry) or Connect (edit a remote
registry) from the File menu, you are in registry mode. The title bar displays Local
Registry.
- Changes to the registry take effect as soon as you save; no policy file is involved.
- REMEMBER: YOU ARE WORKING ONLY ON THE REGISTRY OF THE MACHINE YOU ARE ON OR CONNECTED
TO. THE CHANGES AFFECT THAT MACHINE ONLY.
- Policy mode:
- When you select New Policy or Open Policy from the File menu, you are in policy mode.
The title bar displays Untitled.
- Changes made in policy mode take effect only after the policy file is saved as
Ntconfig.pol in the NETLOGON share on the PDC, replicated to the BDCs, and the users next
log on to the domain.
Edit System policy:
- The check box for an individual setting is in one of three states:
- dimmed (default): the setting is not written to the policy file and the client's
registry is left as it is.
- checked (implemented): the setting is written and applied on the client.
- cleared (unimplemented): the setting is written and explicitly removed on the client.
- Leave a check box dimmed unless you need the setting; dimmed options are not saved to
the policy file and are not loaded across the network, which keeps logon fast. Because
dimmed means "no change", a restriction applied earlier stays in the user's profile until
some policy entry clears it: to undo a setting, clear it rather than dimming it.
- When you use the Edit menu to add specific settings for a specific user, group or
computer, that user, group or computer gets its own entry in the Ntconfig.pol file.
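The merge order from the process list above (a user-specific entry, otherwise the user's groups by priority, otherwise Default User; a computer-specific entry or Default Computer for the machine) together with the three check-box states just described, as an added Python model that is not part of the course material. The policy contents, account names and setting names are constructed for the example. Two assumptions are made explicit in the code: matching group entries are applied lowest priority first so that the highest-priority group wins on conflicting settings, and a checked setting writes the value 1 while a cleared one deletes the value. The profile passed in already holds a NoDesktop restriction that no entry mentions, which shows why a dimmed setting never undoes anything.

```python
"""Model of how Ntconfig.pol entries are merged into the registry at logon.
Added illustration of the precedence rules in these notes, not course code."""

# Constructed sample policy file. Each entry maps a setting to a check-box state:
#   True   = checked (write the setting)
#   False  = cleared (remove the setting)
#   absent = dimmed  (not stored in the .pol file; the registry is left alone)
# Setting and account names are assumptions made for the example.
SAMPLE_POL = {
    "users": {
        "Default User": {"NoRun": True, "NoNetHood": False},
        "alice": {"NoRun": False},
    },
    "groups": {
        "Domain Admins": {"NoRun": False},
        "Domain Users": {"NoRun": True, "NoClose": True},
    },
    # Order set under Options | Group Priority, highest priority first.
    "group_priority": ["Domain Admins", "Domain Users"],
    "computers": {
        "Default Computer": {"DontDisplayLastUserName": True},
        "KIOSK1": {"DontDisplayLastUserName": False},
    },
}


def apply_entry(reg, entry):
    """Merge one .pol entry into a registry-like dict, in place."""
    for setting, state in entry.items():
        if state is True:
            reg[setting] = 1        # checked: value written (modelled as DWORD 1)
        elif state is False:
            reg.pop(setting, None)  # cleared: value deleted
        # anything else counts as dimmed: leave whatever is already there


def resolve_user_policy(pol, user, groups, registry=None):
    """Return (entries applied in order, resulting HKEY_CURRENT_USER state).

    A user-specific entry wins outright. Otherwise every matching group entry
    is applied, lowest priority first, so the highest-priority group overrides
    on conflicting settings. With no user or group entry, Default User applies.
    """
    reg = dict(registry or {})      # start from what the profile already holds
    if user in pol["users"]:
        entries = [(user, pol["users"][user])]
    else:
        matched = [g for g in pol["group_priority"]
                   if g in groups and g in pol["groups"]]
        if matched:
            entries = [(g, pol["groups"][g]) for g in reversed(matched)]
        else:
            entries = [("Default User", pol["users"]["Default User"])]
    for _, entry in entries:
        apply_entry(reg, entry)
    return [name for name, _ in entries], reg


def resolve_computer_policy(pol, computer, registry=None):
    """Return (entry applied, resulting HKEY_LOCAL_MACHINE state): a
    computer-specific entry if one exists, otherwise Default Computer."""
    reg = dict(registry or {})
    name = computer if computer in pol["computers"] else "Default Computer"
    apply_entry(reg, pol["computers"][name])
    return name, reg


if __name__ == "__main__":
    # NoDesktop was set by an earlier policy and is never cleared: it persists.
    profile = {"NoRun": 1, "NoDesktop": 1}
    for user, groups in [("alice", ["Domain Users"]),
                         ("bob", ["Domain Users", "Domain Admins"]),
                         ("carol", ["Domain Users"]),
                         ("dave", ["Guests"])]:
        print(user, *resolve_user_policy(SAMPLE_POL, user, groups, profile))
    for computer in ("KIOSK1", "WS42"):
        print(computer, *resolve_computer_policy(SAMPLE_POL, computer))
```

Running it shows bob, a member of both groups, ending up without NoRun because Domain Admins (higher priority) clears what Domain Users set, while everyone keeps the NoDesktop value nobody cleared.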
System Policy Templates
The policies that appear in System Policy Editor are provided by template files:
- Winnt.adm: settings specific to the Windows NT operating system and its registry.
- Windows.adm: settings specific to the Windows 95 operating system and its registry.
- Common.adm: settings common to both NT and Windows 95 (and their registries) that are
NOT in the other two.
These policy templates are plain text and can be edited with any text editor, then loaded
into System Policy Editor using Options | Policy Template.
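The template format, as an added Python reader that is not code from the course or from Microsoft: it parses the CLASS / CATEGORY / POLICY / PART / KEYNAME / VALUENAME structure and the [strings] section, then lists every registry value a template can write, which is the check to run on a hand-edited template before loading it. The template text is constructed for the example, modelled on the Remote Update and Remove Run policies in common.adm; VALUEON/VALUEOFF, ACTIONLIST and category-level KEYNAME directives are not handled.

```python
# Reader for the ADM template syntax that System Policy Editor loads (added example,
# not course or Microsoft code). The sample template is constructed for it, modelled
# on the Remote Update and Remove Run policies that NT 4's common.adm defines.
import re
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Update
    POLICY !!RemoteUpdate
    KEYNAME System\CurrentControlSet\Control\Update
        PART !!UpdateMode DROPDOWNLIST REQUIRED
        VALUENAME "UpdateMode"
        ITEMLIST
            NAME !!UM_Automatic VALUE NUMERIC 1
            NAME !!UM_Manual VALUE NUMERIC 2
        END ITEMLIST
        END PART
        PART !!UM_Manual_Path EDITTEXT
        VALUENAME "NetworkPath"
        END PART
    END POLICY
END CATEGORY
CLASS USER
CATEGORY !!Shell
    POLICY !!RemoveRun
    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    VALUENAME "NoRun"
    END POLICY
END CATEGORY
[strings]
Update="System policies update"
RemoteUpdate="Remote update"
UM_Manual_Path="Path for manual update"
RemoveRun="Remove Run command from Start menu"
'''
TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted names stay one token

def load_strings(lines):
    """Collect the [strings] section that !!name tokens refer to."""
    strings, active = {}, False
    for s in map(str.strip, lines):
        if s.lower() == "[strings]":
            active = True
        elif active and "=" in s:
            key, _, val = s.partition("=")
            strings[key.strip()] = val.strip().strip('"')
    return strings

def parse_adm(text):
    """Return the policies a template defines: class, category path, key, values."""
    lines = text.splitlines()
    strings = load_strings(lines)
    def resolve(tok):   # !!name -> display string, or the bare name if undefined
        return strings.get(tok[2:], tok[2:]) if tok.startswith("!!") else tok
    policies, cats, cls, policy, part = [], [], None, None, None
    for s in map(str.strip, lines):
        if not s or s[0] == ";": continue          # blank or comment line
        if s.lower() == "[strings]": break         # end of the policy definitions
        toks = [t.strip('"') for t in TOKEN.findall(s)]
        kw = toks[0].upper()
        if kw == "CLASS":
            cls = toks[1].upper()       # MACHINE -> HKLM, USER -> HKCU
        elif kw == "CATEGORY":
            cats.append(resolve(toks[1]))
        elif kw == "POLICY":
            policy = {"class": cls, "category": "/".join(cats), "name": resolve(toks[1]),
                      "keyname": None, "valuename": None, "parts": []}
        elif kw == "PART":
            part = {"name": resolve(toks[1]), "type": toks[2].upper(),
                    "keyname": None, "valuename": None, "items": []}
        elif kw in ("KEYNAME", "VALUENAME"):
            (part if part is not None else policy)[kw.lower()] = toks[1]
        elif kw == "NAME" and part is not None:   # ITEMLIST row: NAME !!x VALUE NUMERIC n
            part["items"].append((resolve(toks[1]), toks[-1]))
        elif kw == "END":
            what = toks[1].upper()
            if what == "CATEGORY":
                cats.pop()
            elif what == "PART":
                policy["parts"].append(part)
                part = None
            elif what == "POLICY":
                policies.append(policy)
                policy = None
    return policies

def registry_targets(policies):
    """(class, key, value, policy) for each registry value the template can write."""
    out = []
    for p in policies:
        if p["valuename"]:
            out.append((p["class"], p["keyname"], p["valuename"], p["name"]))
        for part in p["parts"]:
            if part["valuename"]:
                out.append((p["class"], part["keyname"] or p["keyname"], part["valuename"], p["name"]))
    return out

if __name__ == "__main__":
    for cls, key, value, name in registry_targets(parse_adm(SAMPLE_ADM)):
        print(f"{cls:7} {key}\\{value}  <- {name}")
```

Run against a real Winnt.adm or Common.adm the output is the list of HKLM and HKCU values the editor can touch; diffing that list before and after a hand edit is the quickest way to see whether someone added a policy that writes somewhere unexpected.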
Additional Sundry Notes
Windows 95 Issues
- If you support both Windows 95 and Windows NT (Server and Workstation) clients, run
System Policy Editor once on each platform. Store the policy created on Windows 95 as
Config.pol and copy it to the NETLOGON share on the PDC.
- A user policy can be downloaded to an NT computer or a Windows 95 computer, but one
policy file cannot serve both. You need to create the user policy in both Config.pol
(Windows 95) and Ntconfig.pol (Windows NT).
- Group policies are not processed by every client computer running Windows 95. On
Windows 95, group policy support (Grouppol.dll) must be installed on a computer not only
to create group policies but also to process them.
- LOAD BALANCING: Windows 95 computers always look in the NETLOGON share of the PDC UNLESS
Load Balancing is enabled in the policy.
- If it is enabled, the Windows 95 computer reads the policy from the PDC once more and
from then on from whichever logon server authenticates the user.
- REMEMBER: the directory replication service (Directory Replicator) must be running
between the domain controllers for this to work; otherwise the BDCs will not hold a
current copy of the policy file.
MISC notes
- You can add users, groups, or computers that need different policy settings to
Ntconfig.pol simply by clicking Edit --> Add User, Add Group, or Add Computer.
- Policy options let you change the logon information box: you can display a warning
against unauthorized use, and you can prevent the display of the last logged-on user
name (to do this, select the Windows NT System\Logon\Do not display last logged on user
name option).
- Some of the things that can be restricted within the
user policy options:
- Remove run command from start menu
- Hide network neighborhood
- Hide all items from desktop
- Disable Shutdown command
- There is no limit to the number of users, groups or
computers that can be added to a policy file.
- User policies can restrict access to certain programs in Control Panel, but the icons
still appear in Control Panel: system policy can restrict access, but cannot remove an
icon. To remove a program icon, modify the [don't load] section of Control.ini.
- Wallpaper assigned in a policy does not appear on all client computers. Some system
policy settings require components to be installed locally on the computer where the
policy is applied.