
  Windows NT Server 4.0 Notes


Module 4: Managing System Policies

System Policies control user environments and actions
  • System Policy Editor can be used to create a policy to:
    • Restrict options in Control Panel.
    • Customize parts of the desktop.
    • Control network logon and access.
  • Poledit.exe is only included in NT Server and appears on the Administrative Tools menu.

System policy is initiated through the following processes:

  • As the user logs on, the operating system loads the user's profile. Windows NT then checks the NETLOGON shared network directory on the logon server for an Ntconfig.pol file.
  • NETLOGON is the automatic share name for the \winnt_root\System32\Repl\Import\Scripts folder.

  • User: If the policy file defines settings for the user, Windows NT merges those settings into the current user portion of the registry.
  • Group: If NO system policy is defined for the user, but one is defined for a group to which the user belongs, those group settings are merged into the current user portion of the registry. (If the user is a member of two or more groups, the group with the highest priority takes precedence.)
  • Default: If no policy is defined for the user or the group, Windows NT uses the Default User policy settings and merges them into the current user portion of the registry.

Default Computer

  • If a system policy exists for the Default Computer, the settings are merged into the local computer portion of the registry.

System policy for users modifies: HKEY_CURRENT_USER.
System policy for computers modifies: HKEY_LOCAL_MACHINE.

NOTE:

If a trust exists between two domains, system policy is taken from the domain that contains the user's account, regardless of the domain in which the computer is located. This may cause confusion and affect security if a Default Computer policy from another domain is applied.

  • Watch the little System Policy movie that comes with the MOC material

Implementing a Local Policy

  • You are not restricted to a single location from which to retrieve system policies in a domain.
    • An NT computer automatically downloads Ntconfig.pol from the Domain Controller that authenticated the user's logon request.
    • However, to use a system policy from a computer that is not a Domain Controller, you need to change Remote Update from Automatic to Manual and specify the computer and the path to the system policy file.

Exact procedure:
  • Poledit.exe --> File --> New Policy --> Default Computer --> Network --> System Policies Update --> check Remote Update.
  • Click the down arrow of Update Mode --> click Manual --> type the path in Path for Manual Update --> OK.
  • File --> Save --> click Network Neighborhood in the Save In box. The name of the NTS or NTW computer appears in the list; click the computer and save the policy file in the same path you indicated in the policy file update setting.

System Policy Editor Mode

System policy editor has two modes: Registry mode and policy mode.

  • Registry mode:
    • When you select Open Registry (edit the local registry) or Connect (edit a remote registry) from the File menu, you are in registry mode. The title bar displays Local Registry.
    • Changes made in registry mode take effect immediately after you save the registry.
    • REMEMBER: YOU ARE ONLY WORKING ON THE REGISTRY OF THE MACHINE YOU ARE ON OR CONNECTED TO. ANY CHANGES AFFECT ONLY THAT PARTICULAR MACHINE.

  • Policy mode:
    • When you select New Policy or Open Policy from the File menu, you are in policy mode. The title bar displays Untitled.
    • Changes made in policy mode take effect after the policy file is saved as Ntconfig.pol in the NETLOGON share on the PDC, is replicated to the BDCs, and the users log on to the domain.

Edit System policy:

  • Check box for individual setting is either
    • dimmed (default),
    • checked (implemented) or
    • cleared (unimplemented)
  • You would leave a check box dimmed to increase logon speed because dimmed options are not saved to the policy file and are not loaded across the network.
  • When you use the Edit menu to add specific settings for a specific user, group or computer, that user, group or computer receives a separate entry in the Ntconfig.pol file.
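The selection rules from "System policy is initiated through the following processes" (user entry, else the highest-priority matching group, else Default User; named computer, else Default Computer) and the checked/cleared/dimmed distinction above, modelled as an added Python example. This is not code from these notes or from Microsoft's tools; the policy contents, user, group and computer names, and setting labels are constructed.

```python
HKCU = "HKEY_CURRENT_USER"
HKLM = "HKEY_LOCAL_MACHINE"

# Constructed stand-in for Ntconfig.pol: user entries, group entries in priority
# order (highest first, as set under Options | Group Priority), Default User and
# Default Computer. Only checked (True)/cleared (False) boxes are saved to it.
POLICY = {
    "users": {"alice": {"NoRun": True}},
    "groups": [
        ("Admins", {"NoRun": False, "NoNetHood": False}),
        ("Staff", {"NoRun": True, "NoNetHood": True, "NoDesktop": True}),
    ],
    "default_user": {"NoNetHood": True},
    "computers": {"ntws1": {"LegalNoticeText": "Authorized use only"}},
    "default_computer": {"DontDisplayLastUserName": True},
}

def select_user_settings(policy, user, groups):
    """User entry wins; else the highest-priority group the user belongs to;
    else Default User. Exactly one of the three is used, never a blend."""
    if user in policy["users"]:
        return policy["users"][user]
    for name, settings in policy["groups"]:  # already in priority order
        if name in groups:
            return settings
    return policy["default_user"]

def select_computer_settings(policy, computer):
    """Named computer entry if present, else Default Computer."""
    return policy["computers"].get(computer, policy["default_computer"])

def merge(registry, hive, settings):
    """Checked -> 1, cleared -> explicitly off (modelled as 0). Dimmed names are
    absent from the file, so whatever the registry already holds is untouched."""
    data = registry.setdefault(hive, {})
    for name, value in settings.items():
        if value is True:
            data[name] = 1
        elif value is False:
            data[name] = 0
        else:
            data[name] = value  # free-form value such as a logon banner text
    return registry

def apply_logon(policy, user, groups, computer, registry=None):
    """Simulate one logon: user policy into HKCU, computer policy into HKLM."""
    registry = {} if registry is None else registry
    merge(registry, HKCU, select_user_settings(policy, user, groups))
    merge(registry, HKLM, select_computer_settings(policy, computer))
    return registry
```

Note that alice's own entry is used even though she is in Staff, and that a dimmed setting already present in the registry (NoDesktop for dave below) survives the logon untouched.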

System Policy Templates

The policies that appear in System Policy Editor are provided by template files:

  • Winnt.adm: settings specific to the Windows NT O/S and its registry.
  • Windows.adm: settings specific to the Win95 O/S and its registry.
  • Common.adm: settings common to both the NT and Win95 O/S and registries and NOT in the other two.

These policy templates can be edited using any text editor and then loaded into System Policy Editor using Options | Policy Template.
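Because templates are plain text, their structure can be read back with a few lines of code. The reader below is an added Python example (not Microsoft's, not from these notes) over a constructed .adm fragment; it shows how CLASS decides the hive (USER -> HKEY_CURRENT_USER, MACHINE -> HKEY_LOCAL_MACHINE) and how each POLICY maps to a registry key and value name.

```python
import re
# Constructed .adm text for this example; the keywords (CLASS, CATEGORY, POLICY,
# KEYNAME, VALUENAME, END, [strings], !!name references) are the real template
# grammar, and the two registry locations are the ones these settings use.
SAMPLE_ADM = r"""
CLASS USER
CATEGORY !!Shell
  POLICY !!NoRun
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoRun"
  END POLICY
END CATEGORY
CLASS MACHINE
CATEGORY !!Logon
  POLICY !!NoLastUser
    KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    VALUENAME "DontDisplayLastUserName"
  END POLICY
END CATEGORY
[strings]
Shell="Shell"
NoRun="Remove Run command from Start menu"
Logon="Logon"
NoLastUser="Do not display last logged on user name"
"""
HIVE = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}

def parse_adm(text):
    """Return (hive, category path, caption, key, value name) per POLICY."""
    body, _, strings = text.partition("[strings]")
    names = dict(re.findall(r'^(\w+)="(.*)"$', strings, re.M))
    def show(tok):  # resolve a !!name through [strings], else strip quotes
        return names.get(tok[2:], tok) if tok.startswith("!!") else tok.strip('"')
    found, hive, path, cur = [], None, [], {}
    for line in body.splitlines():
        kw, arg = (line.strip().split(None, 1) + ["", ""])[:2]
        kw = kw.upper()
        if kw == "CLASS":
            hive = HIVE[arg.upper()]
        elif kw == "CATEGORY":
            path.append(show(arg))
        elif kw == "POLICY":
            cur = {"caption": show(arg)}
        elif kw in ("KEYNAME", "VALUENAME"):
            cur[kw] = arg.strip('"')
        elif kw == "END" and arg.upper() == "POLICY":
            found.append((hive, "\\".join(path), cur["caption"], cur["KEYNAME"], cur["VALUENAME"]))
        elif kw == "END" and arg.upper() == "CATEGORY":
            path.pop()
    return found
```

The reader handles only the keywords shown; a full template also carries VALUEON/VALUEOFF, PART blocks and inherited KEYNAMEs at category level.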
 

Additional Sundry Notes

Windows 95 Issues
 

  • If you use both the Win95 and the Windows NT Workstation platforms, run Policy Editor once from each platform. Store the Win95-created policy in Config.pol and copy it to the NETLOGON share on the PDC.
  • A user policy can be downloaded to an NT computer or a Win95 computer, but you can't use one policy file for both. You need to create the user policy in both Config.pol and Ntconfig.pol.
  • Group policies are not processed by all client computers running Win95. On Win95, Group Policy support must be installed on the computer not only to create group policies but also to process them.
  • LOAD BALANCING: Win95 computers always look in the NETLOGON share of the PDC UNLESS Load Balancing is selected as a policy.
    • If it is selected, the Win95 computer gets the policy from the PDC once more and, after that, from whichever logon server authenticates the user.
    • REMEMBER, the Directory Replication service must be running between Domain Controllers for this to happen.

MISC notes

  • You can add users, groups, or computers that need different policy settings to the Ntconfig.pol simply by clicking Edit --> Add User, Add Group, or Add Computer.
  • Policy options allow you to change the logon information box: you can display a warning against unauthorized use, and you can prevent the display of the last user name in the logon box (to do this, select the Windows NT System\Logon\Do not display last logged on user name option).
  • Some of the things that can be restricted within the user policy options:
    • Remove run command from start menu
    • Hide network neighborhood
    • Hide all items from desktop
    • Disable Shutdown command
  • There is no limit to the number of users, groups or computers that can be added to a policy file.
  • User policies restrict access to certain programs in Control Panel, but the icons still appear in Control Panel. System policy can restrict access but cannot remove the icon. To remove a program icon, you need to modify the [don't load] section of Control.ini.
  • Wallpaper assigned in policy doesn't appear on all clients' computers. Some system policy settings require components to be installed locally on the computer where the policy is applied.

 


Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Friday, March 05, 1999 Grant Wilson, Tisdale, SK. Canada