Windows IT Pro
Windows IT Library
System Policies
View the book table of contents
Author: Michael McInerney
Published: September 1999
Copyright: 2000
Publisher: Prentice Hall PTR
 


Abstract
This chapter introduces the concept of system policies, which are used with the Policy Editor to control the look and feel of a desktop and also to control system settings on a per-machine basis. The chapter discusses the default values available with the Policy Editor and takes you through each setting in detail. All of the behind-the-scenes portions of the Policy Editor such as template files are discussed, and the links between these and the various registry values covered by the Policy Editor are exposed.




INTRODUCTION
System policies are made up from a set of registry entries that control the computer resources available to a user or group of users. These registry entries can be applied to individual users, groups of users, or to anybody logging on to a particular machine.

The system policies can be used to control access to many different resources on the local machine. Desktop settings and user access to resources can be controlled easily. Settings such as the contents of the Start menu and the application icons that are to appear on the desktop are examples of the controls that can be applied.

System policies are defined with the System Policy Editor tool, POLEDIT.EXE. This program is not installed on an NT system by default and needs to be loaded (see the instructions in the next section). Poledit is a graphical user tool that presents you with an easy-to-use browser list of available settings.

You may be forgiven for wondering about the differences between user profiles and system policies. In reality, many of the settings that can be controlled by user profiles can also be set in system policies. The main difference between the two methods of system control is the way in which they are applied.

User profiles are applied when the user logs on, at which point the settings are read in from the profile directory. User profiles are applied before the user portion of the system policy. System policies are applied either at system startup (for machine settings) or as the user logs on. These settings are copied from the policy file and permanently change settings in the local registry. The user portion of the system policy is applied after the user profile and overwrites any settings that may already have been applied. In this way an administrator can allow user profiles to be amended by the user but, by means of the system policy, can apply settings that should not be changed (system policy settings cannot be changed by the user).

When a user profile is applied, registry settings are changed in the HKEY_USERS registry hive for any portions relevant to the user. User-specific system policy settings are made to the same registry hive, and computer-specific settings are made in the HKEY_LOCAL_MACHINE registry hive. When you apply a system policy that contains settings which conflict with profile settings, the policy settings overwrite the profile settings in the registry. This gives the ultimate control of the available settings back to the Administrator.

System policies can be applied to all users, individual users, groups of users, all computers, and individual computers.


POLICY EDITOR INSTALLATION

The System Policy Editor is made available on all Windows NT 4.0 Server CDs, although it can be installed on Windows NT 4.0 Workstation as well. A Windows 95 version of the System Policy Editor is provided on the Windows 95 CD. The following sections describe the installation procedures for each type of machine.

Windows NT Server
Follow the procedures below to install the System Policy Editor on a Windows NT server machine.

  1. Log on locally as Administrator or attach to a network share connected to the %SystemRoot% drive of the server.

  2. Load the NT Server CD into an available drive.

  3. Copy the files Common.adm, Windows.adm, and Winnt.adm to the server’s %SystemRoot%\inf directory (which is hidden by default). Set your view option to Show all files to see this directory.

  4. Copy the Poledit.exe file to the %SystemRoot% directory.

  5. Copy the Poledit.cnt and Poledit.hlp files to the %SystemRoot%\Help directory.

  6. Create a shortcut to the Poledit.exe program in the Administrative Tools folder.
The System Policy Editor is now ready for use on the NT server machine.

Windows NT Workstation
  1. Log on locally as Administrator or attach to a network share connected to the %SystemRoot% drive of the workstation.

  2. Load the NT Server CD into an available drive.

  3. Copy the files Common.adm, Windows.adm, and Winnt.adm to the workstation's %SystemRoot%\inf directory (which is hidden by default). Set your view option to Show all files to see this directory. Copy the Poledit.exe file to the %SystemRoot% directory. Copy the Poledit.cnt and Poledit.hlp files to the %SystemRoot%\Help directory.

    Or

    Run the \Clients\Srvtools\Winnt\Setup.bat file. This will install the client-based server administration toolkit, which includes the System Policy Editor.

  4. Create a shortcut to the Poledit.exe program in the Administrative Tools folder.
The System Policy Editor can now be used from the Windows NT workstation.

WINDOWS 95
The Windows 95 Policy Editor installation is slightly more involved than the previous two. Follow exactly the procedure outlined below to make sure the programs are installed correctly. Do not simply copy the files as in the procedures above; otherwise, you risk damage to your system when trying to use the Policy Editor.

  1. Make sure the machine has a CD-ROM drive available (or you can attach to a network shared CD-ROM drive).

  2. Run the Add/Remove Programs applet in Control Panel.

  3. Select the Windows Setup tab.

  4. Select Have Disk.

  5. Enter Z:\Admin\Apptools\Poledit, where Z: is the drive letter mapped to your CD-ROM drive.

  6. Select OK. Figure 1 shows the resulting dialog box with the two possible program choices.

  7. Select both Group Policies and System Policy Editor. Both of these choices are required for full operational benefit of system policies on a Windows 95 machine.

  8. Select Install. The required system files are copied.

SYSTEM POLICY EDITOR MODES

The System Policy Editor works in two modes. These are Registry mode and File mode. The settings exposed in both modes are the same. These settings are controlled by administrative template files (.adm) loaded at program initialization time. These files are used to expose only those parts of the registry required for this operation.

Registry Mode
Registry mode allows you to open the local registry and make changes to the settings presented to you through the System Policy Editor. In this mode, the System Policy Editor acts as a user-friendly registry editing tool. Only the settings made available by the templates are exposed, making this tool a safe way to implement registry changes.

File Mode
File mode allows you to change registry settings in the same manner as above but does not implement the changes in real time. Instead, the changes are saved to a policy file that can be applied to any number of machines at a later date. A default policy file can be saved on a domain controller (and replicated to all other validating servers) so that it is loaded as users log on to the domain. Windows 95 machines have a different registry format, which is not compatible with Windows NT machines. The Windows 95 policy file is saved in ASCII format, and the Windows NT 4.0 policy is saved in Unicode format. Therefore, any policy file created on a Windows 95 machine cannot be applied to a Windows NT machine (and vice versa) and you must use the Policy Editor natively to manipulate policy files on each of the two systems.

Registry Mode vs. File Mode
The interface options available to you with the two different modes are exactly the same. The main difference between the two modes is that one of them (Registry) is used to make changes directly to the registry either on the local machine or directly to the registry on a machine to which you can make a remote connection. In either case, the change is made to the registry on that specific machine. The other mode (File) is used on any machine to make registry changes that are then saved to a file. It doesn’t matter which machine you use to create the file (other than remembering that Windows NT 4.0 and Windows 95 machines are not interchangeable) because the settings are not implemented locally as they are in Registry mode. The changes are saved and implemented when a user logs on to the domain from a networked PC.

In summary, Registry mode is used for instant changes to the registry on a single local or remote machine; File mode saves the changes for later implementation, possibly on all machines within the domain.


AVAILABLE SETTINGS GROUP

As well as there being two modes for setting registry entries, there are two available groups of entries that can be set. These groups are defined as computer and user.

Computer Settings
Computer settings manipulate registry entries that control such things as the creation of default drive shares, SNMP settings, remote access settings, and logon banner settings. These entries are all made on a computer-by-computer basis and are not affected by the user logging on to the machine. These registry settings are applied before the user gains control of the system and so cannot be affected by the user.

User Settings
User settings manipulate registry entries that control such things as system display settings, control panel availability, wallpaper settings, and the ability to use the registry editor. These settings can be applied for all users, for a single user, or for groups of users. The settings are applied after the computer-specific settings.


WINDOWS NT 4.0 POLICY EDITOR INTERFACE

The System Policy Editor in Windows NT 4.0 is a simple graphical tool that simplifies the difficult task of changing registry settings. To use the Policy Editor, ensure that you have installed the necessary files according to the instructions above. The remainder of this chapter presumes that a shortcut to the Policy Editor has been added to the Administrative Tools folder on the NT workstation or server.

To start the Policy Editor, simply double-click on the shortcut created earlier. The Policy Editor starts up but no policy is loaded. Figure 2 shows the System Policy Editor at startup and the available File menu options. Figure 3 and Figure 4 show the available options in the Edit and Options menus, respectively.

Categories
When you configure a policy (either directly in the registry or in file mode) a list of available settings is offered. These groups of settings are known as Categories. Each main category contains one or more subcategories or a set of policies. Figure 5 shows the default user policy with the System category expanded to show one subcategory (Restrictions) and two policy settings.

Policy Settings
The policy settings contained within the categories described above actually map to a registry key where the setting of registry values takes place.

You enable the policy value by selecting the square check box preceding the policy description. The three available settings are:

  • Checked box. This activates the setting in the policy that you are configuring. The registry key is activated (or added if it does not already exist).
  • Blank box. This deactivates the setting from the policy that you are configuring. The registry key is added if it is needed and set to off.
  • Grayed box. This excludes the setting from the configuration. The current setting in the registry (at the time that the policy is implemented on a machine) remains the same. If the key does not exist, it is not created. If the key exists, the setting is not changed.
It is important to understand the difference between deactivated and excluded. When policies are applied, a user may take settings from many different sources. If a user belongs to two groups that each have a defined policy, then settings may conflict. If this happens, the policies are applied in a specific order, as described later in the chapter. If a key in the first applied policy is set as activated and the second applied policy has the key set to deactivated, then the key will be deactivated, overriding the first setting. If, however, the second policy has the key set as excluded, the setting is left as activated because the excluded setting leaves the key untouched. Remember this distinction and think about what you are trying to achieve. Do you care what a key value is set to? If not, leave it as excluded. If you do, set it to activated or deactivated as necessary.
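The following is an added example, not code from the book, that models the three check-box states and the layered application described above so that the activated/deactivated/excluded distinction can be checked rather than reasoned about. The value names (DisableRegistryTools, NoRun, Wallpaper), the starting registry snapshot and the two group policies are constructed for illustration; the order in which group policies are applied is assumed to be the list order passed in.

```python
from enum import Enum


class State(Enum):
    """The three states of a Policy Editor check box."""
    ACTIVATED = "checked"     # write the key and turn the setting on
    DEACTIVATED = "blank"     # write the key and turn the setting off
    EXCLUDED = "grayed"       # leave the key exactly as it is


def apply_policy(registry: dict, policy: dict) -> dict:
    """Apply one policy layer to a registry snapshot and return the result.

    ACTIVATED and DEACTIVATED both write the value (creating it if it is
    missing); EXCLUDED never writes, so whatever an earlier layer or the
    user profile left in place survives.
    """
    result = dict(registry)
    for value_name, state in policy.items():
        if state is State.ACTIVATED:
            result[value_name] = 1
        elif state is State.DEACTIVATED:
            result[value_name] = 0
        # State.EXCLUDED: deliberately no write
    return result


def resolve(registry: dict, layers: list) -> dict:
    """Apply policy layers in order; a later layer overrides an earlier one
    only where it actually writes a value."""
    for policy in layers:
        registry = apply_policy(registry, policy)
    return registry


# Constructed data: value names are illustrative, not taken from the chapter.
PROFILE_REGISTRY = {"NoRun": 0, "Wallpaper": 1}   # what the user profile left behind
GROUP_A = {"DisableRegistryTools": State.ACTIVATED,
           "NoRun": State.ACTIVATED,
           "Wallpaper": State.EXCLUDED}
GROUP_B = {"DisableRegistryTools": State.DEACTIVATED,
           "NoRun": State.EXCLUDED,
           "Wallpaper": State.EXCLUDED}


def demo() -> dict:
    """Group A's policy is applied first, then Group B's (assumed order)."""
    return resolve(PROFILE_REGISTRY, [GROUP_A, GROUP_B])


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print(f"{name} = {value}")
```

Running `demo()` shows the two outcomes the text describes: DisableRegistryTools ends up deactivated because Group B writes 0 over Group A's 1, while NoRun stays activated because Group B excluded it and so never touched the value Group A wrote. A value that is excluded in every layer keeps whatever the profile set, which is why an excluded setting is the right choice only when you genuinely do not care what the key contains.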

Template Files
The categories, subcategories, and policy keys discussed above appear in the Policy Editor because they are included in a template file automatically loaded at program startup. These template files have a .adm extension and usually exist in the %SystemRoot%\inf directory (which is hidden by default). The template file should have been copied into this directory by you at installation. The three standard template files are Common.adm, Winnt.adm, and Windows.adm.

Winnt.adm
The Winnt template file contains computer and user categories and keys that can be set only for a Windows NT 4.0 system. This file is loaded by default when you first start up the Windows NT version of the Policy Editor. This template file and the ability to create custom template files are discussed later in this chapter.

Windows.adm
The Windows template file contains computer and user categories and keys that can only be set for a Windows 95 system. This file is not loaded by default in the Windows NT version of the Policy Editor and is not covered in any more detail in this chapter.

Common.adm
The Common template file contains computer and user categories and keys that are common to both of the operating systems mentioned above. To be included in this template file, a registry key must have exactly the same name in both systems and have the same supported values.

It may seem strange that there is a common template file when the system policy file cannot be shared between the two operating systems because of the difference in registry structure. It is strange. There seems to have been a plan at some point in the design of the two operating systems to bring the registry structures in line with each other. This never happened.

This Common template file is loaded by default the first time you start up the Windows NT version of the Policy Editor. This template file and the ability to create custom template files are discussed later in this chapter.
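As an added illustration of how a template file ties a category, subcategory and policy to a registry key and value (this is not the book's code, and the chapter defers the template syntax to a later section), the script below parses a small constructed template. The template syntax used (CLASS, CATEGORY, POLICY, KEYNAME, VALUENAME, END and a `[strings]` table referenced by `!!name`) is assumed from the standard .adm format; the single policy, its key path and the value name DisableRegistryTools are constructed sample data rather than taken from Winnt.adm or Common.adm.

```python
# Minimal parser for a constructed .adm template (sample data, not a real template file).
SAMPLE_ADM = r"""CLASS USER
CATEGORY !!System
  CATEGORY !!Restrictions
    POLICY !!DisableRegTools
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
      VALUENAME "DisableRegistryTools"
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
System="System"
Restrictions="Restrictions"
DisableRegTools="Disable Registry editing tools"
"""

# Per the chapter: user policies land in HKEY_USERS, computer policies in HKEY_LOCAL_MACHINE.
HIVES = {"USER": "HKEY_USERS", "MACHINE": "HKEY_LOCAL_MACHINE"}


def parse_adm(text: str) -> list:
    """Return one dict per POLICY: class, category path, display name, key and value name."""
    strings, body, in_strings = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and comments
            continue
        if line.lower() == "[strings]":
            in_strings = True
            continue
        if in_strings:                                # name="Display text"
            name, _, value = line.partition("=")
            strings[name.strip()] = value.strip().strip('"')
        else:
            body.append(line)

    def resolve(token: str) -> str:
        """Turn !!name into its [strings] text; otherwise strip quotes."""
        if token.startswith("!!"):
            return strings.get(token[2:], token[2:])
        return token.strip('"')

    policies, categories, current, cls = [], [], None, None
    for line in body:
        keyword, _, rest = line.partition(" ")
        kw, rest = keyword.upper(), rest.strip()
        if kw == "CLASS":
            cls = rest.upper()
        elif kw == "CATEGORY":
            categories.append(resolve(rest))
        elif kw == "POLICY":
            current = {"class": cls, "category": "/".join(categories),
                       "policy": resolve(rest), "key": None, "value": None}
        elif kw == "KEYNAME" and current is not None:
            current["key"] = rest.strip('"')
        elif kw == "VALUENAME" and current is not None:
            current["value"] = rest.strip('"')
        elif kw == "END":
            if rest.upper() == "POLICY":
                policies.append(current)
                current = None
            elif rest.upper() == "CATEGORY":
                categories.pop()
    return policies


def full_path(policy: dict) -> str:
    """Hive + key + value name: the registry location the Policy Editor will write."""
    return f"{HIVES[policy['class']]}\\{policy['key']}\\{policy['value']}"


if __name__ == "__main__":
    for p in parse_adm(SAMPLE_ADM):
        print(f"{p['category']} > {p['policy']}  ->  {full_path(p)}")
```

The parser exposes only what the template declares, which is the point made above about Registry mode being a safer editing tool than a raw registry editor: a policy can only reach keys that a loaded template names.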

Policy File
When you choose to use the program in file mode, you must eventually save the settings to a file. Windows NT 4.0 systems and Windows 95 systems both receive policy updates by default in what is known as Automatic mode. This means that the systems automatically look for a policy file on the Netlogon share of the validating server with a file name of NTCONFIG.POL for NT systems and CONFIG.POL for Windows 95 systems. If you are using any of the standard domain structures, this setting will work well. All Windows NT or 95 workstations that belong to a domain will go to this network share by default to look for a policy file. It is only under certain circumstances, such as when the machines are part of a workgroup and so cannot see a Netlogon share, that you may need to set the update mode to Manual. Setting the mode to Manual and amending the location and file name are discussed later in the chapter.

Replication
If you choose to leave the policy update mode as Automatic, then you must ensure that the policy file is replicated either automatically, using the Replication service, or manually to all validating servers. If the policy file is not available for some reason, you may find that a user profile overrides a previously set policy definition and the resulting user access could cause problems.
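Because a missing or out-of-date NTCONFIG.POL on any one validating server silently lets the user profile win, it is worth checking replication rather than trusting it. The check below is an added example, not part of the book: it hashes the policy file on every server's Netlogon share and reports servers where the file is absent or differs from the reference copy. The server names (PDC, BDC1 to BDC3) and file contents are constructed; the shares are simulated as directories under a temporary folder, whereas in practice the mapping would hold UNC paths to each server's Netlogon share.

```python
import hashlib
import os
import tempfile

POLICY_FILE = "NTCONFIG.POL"   # CONFIG.POL for a Windows 95 domain


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_replication(netlogon_shares: dict, reference_server: str,
                      filename: str = POLICY_FILE) -> dict:
    """Compare the policy file on every share with the reference server's copy.

    netlogon_shares maps server name -> path of that server's Netlogon share.
    Returns which servers are missing the file, hold a stale copy, or match.
    """
    reference = file_digest(os.path.join(netlogon_shares[reference_server], filename))
    report = {"reference": reference, "missing": [], "stale": [], "ok": []}
    for server, share in netlogon_shares.items():
        path = os.path.join(share, filename)
        if not os.path.isfile(path):
            report["missing"].append(server)
        elif file_digest(path) != reference:
            report["stale"].append(server)
        else:
            report["ok"].append(server)
    return report


def build_demo_shares(root: str) -> dict:
    """Constructed lab: fake Netlogon shares for a PDC and three BDCs."""
    shares = {}
    for server, content in [("PDC", b"policy v2"), ("BDC1", b"policy v2"),
                            ("BDC2", b"policy v1")]:   # BDC2 never got the update
        share = os.path.join(root, server, "Netlogon")
        os.makedirs(share)
        with open(os.path.join(share, POLICY_FILE), "wb") as f:
            f.write(content)
        shares[server] = share
    bdc3 = os.path.join(root, "BDC3", "Netlogon")
    os.makedirs(bdc3)                                   # share exists, file was never replicated
    shares["BDC3"] = bdc3
    return shares


def run_demo() -> dict:
    """Build the constructed shares and check them against the PDC's copy."""
    with tempfile.TemporaryDirectory() as root:
        return check_replication(build_demo_shares(root), "PDC")


if __name__ == "__main__":
    result = run_demo()
    for status in ("ok", "stale", "missing"):
        print(f"{status:8}: {', '.join(result[status]) or '-'}")
```

Any server listed under `missing` or `stale` is one where users validating against it will receive no policy, or an old one, and the profile settings the policy was meant to override will stand.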





 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing