Module 4: Managing System Policies
System Policies control user environments and actions.
- System Policy Editor can be used to create a policy to:
- Restrict options in Control Panel.
- Customize parts of the desktop.
- Control network logon and access.
- Poledit.exe is only included in NT Server and appears on the Administrative Tools menu.
System policy is initiated through the following processes:
- As a user logs on, the operating system loads the user's profile. Windows NT then checks the NETLOGON shared network directory on the logon server for an NTconfig.pol file.
- The NETLOGON share is the default share name for the
\winnt_root\System32\Repl\Import\Scripts
folder.
User
- If the policy file defines settings for the user, Windows NT merges those settings into the current user portion of the registry.
Group
- If NO system policy is defined for the user, but one is defined for a group to which the user belongs, the group settings are merged into the current user portion of the registry. (If the user is a member of two or more groups, the group with the highest priority takes precedence.)
Default
- If no policy is defined for either the user or a group, Windows NT uses the Default User policy settings and merges them into the current user portion of the registry.
Default Computer
- If a system policy exists for the Default Computer, the settings are merged into the local computer portion of the registry.
System policy for users modifies: HKEY_CURRENT_USER
System policy for computers modifies: HKEY_LOCAL_MACHINE
NOTE:
If a trust exists between two domains, system policy is taken from the domain that contains the user's account, regardless of the domain in which the computer is located. This may cause confusion and affect security if a Default Computer policy from another domain is applied.
- Watch the little System Policy movie that comes with the MOC material
Implementing a Local Policy
- You are not restricted to a single location from which system policies are retrieved in a domain.
- An NT computer automatically downloads NTconfig.pol from the Domain Controller that authenticated the user's logon request.
- However, to use a system policy from a computer that is not a Domain Controller, you need to change Remote Update from automatic to manual and specify the computer and the path to the system policy file.
Exact procedure:
Poledit.exe-->File-->New Policy-->Default Computer-->Network-->System Policies Update-->Check Remote Update-->Click the down arrow of Update Mode-->Click Manual-->Type the path in "Path for manual update"-->OK-->File-->Save-->Click Network Neighborhood in the "Save in" box-->The name of the NTS or NTW computer (NT Server or NT Workstation) will appear in the list; click the computer and save the policy file in the same path you indicated in the policy file update setting.
System Policy Editor Mode
System Policy Editor has two modes: Registry mode and Policy mode.
- Registry mode:
- When you select Open Registry (edit the local registry) or Connect (edit a remote registry) from the File menu, you are in registry mode. The title bar will display Local Registry.
- Changes made in registry mode take effect immediately after you save the registry.
- REMEMBER, YOU ARE ONLY WORKING ON THE LOCAL REGISTRY OF THE MACHINE YOU ARE ON OR CONNECTED TO. ANY CHANGES WILL ONLY AFFECT THAT PARTICULAR MACHINE.
- Policy mode:
- When you select New Policy or Open Policy from the File menu, you are in policy mode. The title bar displays Untitled.
- Changes made in policy mode take effect after the policy file is saved as NTconfig.pol in the NETLOGON share on the PDC, is replicated to the BDCs, and the users log on to the domain.
Edit System policy:
- The check box for an individual setting is in one of three states:
- dimmed (default),
- checked (implemented), or
- cleared (unimplemented).
- Leave a check box dimmed where you can, to increase logon speed: dimmed options are not saved to the policy file and are not loaded across the network.
- When you use the Edit menu to add a specific setting for a specific user, group or computer, that user, group or computer receives a separate entry in the NTconfig.pol file.
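As an added example that is not part of these notes, the following Python models the precedence rules from the logon process above (user entry, else the highest-priority group, else Default User, with Default Computer always merged into HKEY_LOCAL_MACHINE) together with the three check-box states just described. The policy layout and value names are constructed for illustration and are not the real binary .pol format.

```python
# Added example (not from the original notes): a small model of how NT 4 resolves
# NTconfig.pol entries into the registry at logon, covering the precedence rules
# (user > highest-priority group > Default User; Default Computer -> HKLM) and the
# three check-box states (checked / cleared / dimmed). Layout and names are constructed.
DIMMED, CHECKED, CLEARED = "dimmed", "checked", "cleared"

def merge(hive, settings):
    """Merge one policy section into a copy of a registry hive (a dict).
    checked -> value written as 1, cleared -> value written as 0,
    dimmed  -> never saved to the .pol file, so the registry is left untouched."""
    out = dict(hive)
    for value_name, state in settings.items():
        if state == CHECKED:
            out[value_name] = 1
        elif state == CLEARED:
            out[value_name] = 0
    return out

def select_user_section(pol, user, groups):
    """Pick the section merged into HKEY_CURRENT_USER, in the notes' order:
    user entry, else the highest-priority group the user belongs to, else Default User."""
    if user in pol["users"]:
        return "user:" + user, pol["users"][user]
    for group in pol["group_priority"]:          # ordered highest priority first
        if group in groups and group in pol["groups"]:
            return "group:" + group, pol["groups"][group]
    return "Default User", pol["default_user"]

def apply_policy(pol, user, groups, hkcu=None, hklm=None):
    """Return (source, new HKCU, new HKLM) for a logon by `user` who is in `groups`."""
    source, settings = select_user_section(pol, user, groups)
    new_hkcu = merge(hkcu or {}, settings)
    new_hklm = merge(hklm or {}, pol["default_computer"])   # always applied
    return source, new_hkcu, new_hklm

# Constructed sample policy file (value names are illustrative, not a real .pol layout).
SAMPLE_POL = {
    "users": {"alice": {"NoRun": CHECKED}},
    "groups": {
        "Admins": {"NoRun": CLEARED, "NoNetHood": CLEARED},
        "Staff": {"NoRun": CHECKED, "NoNetHood": CHECKED},
    },
    "group_priority": ["Admins", "Staff"],      # Admins has the higher priority
    "default_user": {"NoNetHood": CHECKED, "NoDesktop": DIMMED},
    "default_computer": {"DontDisplayLastUserName": CHECKED},
}

if __name__ == "__main__":
    for user, groups in (("alice", ["Staff"]), ("bob", ["Staff", "Admins"]), ("carol", [])):
        print(user, apply_policy(SAMPLE_POL, user, groups))
```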
System Policy Templates
The policies that appear in System Policy Editor are provided by template files:
Winnt.adm: settings specific to the Windows NT OS and its registry.
Windows.adm: settings specific to the Windows 95 OS and its registry.
Common.adm: settings common to both NT and Windows 95 and their registries, and NOT in the other two.
These policy templates can be edited using any text editor and then loaded into System Policy Editor using Options | Policy Template.
Additional Sundry Notes
Windows 95 Issues
- If you use both the Win95 and the Windows NT Workstation platforms, run the policy editor once from each platform. Store the Win95-created policy in Config.pol and copy it to the NETLOGON share on the PDC.
- A user policy can be downloaded to an NT computer or a Win95 computer, but you can't use one policy file for both. You need to create the user policy in both Config.pol and NTconfig.pol.
- Group policies are not processed by all client computers running Win95. For Win95, Group Policy support must be installed on the Win95 computer not only to create group policies, but also to process them.
- LOAD BALANCING: Win95 computers always look at the NETLOGON share of the PDC UNLESS Load Balancing is selected as a policy.
- If it is selected, the Win95 computer will get the policy from the PDC once more and after that from whatever logon server authenticates the user.
- REMEMBER, the Directory Replication service must be running between Domain Controllers for this to happen.
MISC notes
- You can add users, groups, or computers
that need different policy settings to the NTconfig.pol simply by clicking
Edit --> Add User, Add Group, or Add Computer.
- Policy options allow you to change the logon information box: you can display a warning against unauthorized use, and you can prevent the display of the last user in the logon box (to do this, select the Windows NT System\Logon\Do not display last logged on user name option).
- Some of the things that can be restricted
within the user policy options:
- Remove run command from start menu
- Hide network neighborhood
- Hide all items from desktop
- Disable Shutdown command
- There is no limit to the number of users, groups or computers that can be added to a policy file.
- User policies restrict access to certain programs in Control Panel, but the icons still appear in Control Panel. System policy can restrict access but cannot remove the icon. To remove a program icon, you need to modify the [don't load] section of Control.ini.
- Wallpaper assigned in policy doesn't appear on all clients' computers.
Some system policy settings require components to be installed locally on
the computer where the policy is applied.
Comments and suggestions? E-mail me at grantwilson21@yahoo.com
I'm sorry, but I can't answer specific network-related or exam-related questions.
Last Updated: August 6, 2001
Grant Wilson, Edmonton, AB, Canada