Computer policies consist of settings that affect the machine regardless of who logs on to that machine. They include network share settings, remote access settings, the placement of customized shared folders such as the Start menu, and how user profiles are downloaded.
Computer settings are configured with the Policy Editor in either Registry or File mode. Your first decision is whether you need to make changes on one single machine, in which case Registry mode is available, or whether the changes will have to be implemented on many machines, in which case File mode will be used to save the changes for later implementation.
Of the two available modes for implementing system policies, File mode is the more commonly used. The ability to make the settings changes and store them for later use, coupled with the ability to implement the settings uniformly throughout the domain, makes this the sensible choice for managing access to resources on the machine and administering security there. The procedure below uses the System Policy Editor in File mode to amend registry settings for the computer. Almost all policy work carried out in a domain is done in this mode.
Start the Policy Editor (use the shortcut created earlier in Administrative Tools) to open a blank policy sheet.
Select File > New Policy to open a new policy file containing the Default Computer and Default User icons.
Double-click Default Computer. Figure 6 shows the eight standard categories available for the default computer.
The eight categories shown in Figure 6 above are defined in the two template files that are loaded by default at Policy Editor startup. These are Common.adm and Winnt.adm. Each of the categories is described in more detail in this next section.
Network
The Network category comes from the Common.adm template file. Figure 7 shows the available settings for this category. Only one key value is set here, although up to four registry keys are affected.
You can use the setting for Remote Update to change the update type from Automatic to Manual and back again. You can also set the path to the remote location from which the system policy file should be downloaded.
This is a valuable setting if you do not intend to use the default policy file name or location. By default, the workstations are set to use Automatic mode and only look in the Netlogon share for the default policy file name. If you are set up in a workgroup instead of a domain, the Netlogon share will not necessarily exist. To overcome this problem, you can set the update mode to Manual and set a different path and file name to be downloaded. Follow the procedure below to do this.
Ensure there is a check mark in the Remote update check box. The Settings for Remote update dialog box is now available for use.
Set the Update mode to Manual.
Enter a UNC path for the new policy file. Remember to include both the path and file name.
Select Display error messages and Load balancing if necessary (see below).
Move on to the next category, or select OK to finish editing the computer settings.
The Load balancing check box allows the policy download to come from the same path on another domain controller. This feature is used in Automatic mode where the downloading workstation is a domain member. If the validating server that is being used is busy then the workstation looks for another domain controller from which to receive the policy.
To cause the Manual update setting to take effect you must do one of two things:
Set the policy locally on the machine through Registry mode. The next time the machine reboots, the new setting is read from the registry and the new location and file name are downloaded.
Or
Set the Manual update in the NTCONFIG.POL file and place the updated file on the Netlogon share. All of the workstations will be set to Automatic mode by default and so will look at this policy file the first time they are started. They will then have the registry setting changed and will look at the manual update path and file from then on. Even if the manual update policy file is deleted, the workstations will simply fail to load the profile. They will not change back to Automatic update mode until another policy change is made and implemented.
System
The System category comes from the Common.adm template file. Figure 8 shows the available settings for this category.
SNMP manipulates information about a TCP/IP host on a network. It is generally used for status and error message logging but can also be used to set parameters on the host.
The Run key is a useful setting; it can be used as a replacement for the Startup folder on the system so that any program listed is definitely run. The problem with the Startup folder is that users could interfere with the running of a program. This registry key is inaccessible to the users (with the correct registry security) and so cannot be altered. Programs such as anti-virus suites or system audit suites that look for unauthorized software are likely candidates for this setting. You can look at the list of programs or add or remove programs from the list by selecting the Show button. Figure 9 shows the Show Contents dialog box for this option.
The Run key setting is split into two sections. The Value is the path and program name that you wish to run at startup. The Value Name is used as a label for the program if it is still in memory after the Explorer shell starts.
Note: Any programs placed here run before the Explorer shell.
Select the Add button to place more programs in the list, or highlight an entry and select the Remove button to delete an existing entry. An entry in the list should contain the full path and file name for the program as well as any parameters needed to run the program successfully.
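As an added example (not part of the chapter), the PowerShell below lists what the machine-wide Run key currently launches, checks that each target program still exists, and reports whether standard users could alter the key, which is the "correct registry security" the text relies on. The key path is the standard HKLM Run location, assumed here because the dialog does not name it; run it from an elevated session.

```powershell
# Added example: audit the machine-wide Run key that the System policy "Run"
# setting populates. Path assumed to be the standard HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntryStatus {
    param([string]$Path = $runKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    # Skip the PS* bookkeeping properties that Get-ItemProperty adds
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' }
    foreach ($name in $names) {
        $cmd = $props.$name
        # Take the quoted program path, or the first token of an unquoted command
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            ValueName = $name      # label shown while the program is in memory
            Command   = $cmd       # full path plus any parameters
            Exists    = Test-Path -LiteralPath $exe
        }
    }
}

function Test-RunKeyWritableByUsers {
    param([string]$Path = $runKey)
    $acl = Get-Acl -Path $Path
    # Any write-type right granted to ordinary users would let them add or
    # change a startup program, defeating the point of using this key.
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|INTERACTIVE' -and
        ($_.RegistryRights -band $writeRights)
    }
}

Get-RunEntryStatus | Format-Table -AutoSize
$weak = Test-RunKeyWritableByUsers
if ($weak) { $weak | Format-Table IdentityReference, RegistryRights -AutoSize }
else { 'Run key is not writable by standard users.' }
```

An entry whose Exists column is False, or any ACE listed by the second function, is worth following up before relying on the key for anti-virus or audit tools.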
Windows NT Network
The Network category comes from the Winnt.adm template file. Figure 10 shows the available settings for this category.
This category controls the creation of some of the administrative shares on an NT workstation and NT server. Some administrators consider the <drive_letter>$ administrative shares to be a security risk. I personally use them for administrative ease on workstations and do not create them on servers. Use your own judgement, bearing in mind that the share permissions cannot be changed on these administrative shares and are secured as described in Chapter Three, File and Directory Security.
Windows NT Printers
The Printers category comes from the Winnt.adm template file. Figure 11 shows the available settings for this category.
Use the first setting to remove from the browser list the printer share that exists on the target machine. The share will not appear in the browser lists from then on, but the share can still be connected to if a user knows the exact name. Use the second setting to change the priority of print jobs in relation to other tasks running on the machine. The choices here are Above Normal, Normal, and Below Normal. Setting this key to Above Normal can increase printing speed but usually to the detriment of other running threads. The third and final setting in this category enables a beeping sound every 10 seconds when a remote job error occurs on a print server. Use your own judgement as to whether this is a bonus or a real pain.
Windows NT Remote Access
The Remote Access category comes from the Winnt.adm template file. Figure 12 shows the available settings for this category.
This category can help secure your RAS access and should be set on the RAS server only.
Use the first setting to set a maximum number of logon attempts before the service is disconnected. Use the next setting to set the maximum time that the RAS service will wait between a dial-in connection being made and the authentication details being passed through. The default setting is 20 seconds; you can lower it to approximately 10 seconds before real users start having problems entering their credentials. The rationale for this setting is that somebody trying to break in will hesitate when trying to decide which password to use.
Use the third setting to set the time interval between disconnecting the incoming call and starting the dial-back procedure. Use the last setting as a time-out interval for auto-disconnect on an unused line. This feature is useful if your modems are highly utilized or to ensure that unattended client machines are not left connected for too long.
Windows NT Shell
The Shell category comes from the Winnt.adm template file. Figure 13 shows the available settings for this category.
This category centralizes the look and feel of the Start menu and Startup folder. The registry settings changed under this category point by default to the local All Users profile directory. If you want to provide the same icons and shortcuts for many users on just one machine, then it is simpler to just place the appropriate icons and shortcuts in their relevant place in the All Users folder structure. The procedure below shows you how to change the settings so that the folders can be centrally stored and used on many machines.
Customized Shared Programs Folder
The first setting controls the items that appear in the Programs folder. To control the items that appear here, follow these steps.
Create a centralized folder and set the correct access permissions for your users (Read should be enough).
Share the folder out and set the correct share permissions if necessary.
Place shortcuts to your applications in this folder.
Install the necessary applications either centrally on the server or locally. The location must be correctly defined in the shortcut.
Select the Custom shared Programs folder check box and enter the path to the shared folder.
This procedure can be useful if you have a strict set of available programs that should appear in the Programs folder. By combining policies for different groups and this setting, you can give each group a different Programs folder. Even if users have access to the registry to undo this setting, it will be redone the next time the system is started.
Customized Shared Desktop Icons
The second setting controls the icons that appear on the desktop. To make the same icons appear on many desktops, follow this procedure.
Create a centralized folder and set the correct access permissions for your users.
Share the folder out and set the correct share permissions if necessary.
Place in this folder the icons that you want to appear on the desktop.
Install the necessary applications either centrally on the server or locally. Remember that these icons are usually just shortcuts to programs in another location.
Select the Custom shared desktop icons check box and enter the path to the shared folder.
Customized Shared Start Menu
The third setting controls the items that appear on the Start menu. To make the same icons appear on everyone’s Start menu, follow this procedure.
Create a centralized folder and set the correct access permissions for your users.
Share the folder out and set the correct share permissions if necessary.
Place in this folder the icons that you want to appear on the Start menu.
Select the Custom shared Start menu check box and enter the path to the shared folder.
Customized Shared Startup Folder
The fourth setting controls the programs that start automatically at logon time. To add a program to the Startup folder, follow this procedure.
Create a centralized folder and set the correct access permissions for your users.
Share the folder out and set the correct share permissions if necessary.
Place in this folder the icons that you want to appear in the Startup folder.
Install the necessary applications either centrally on the server or locally.
Select the Custom shared Startup folder check box and enter the path to the shared folder.
Those who think that this setting is similar to the earlier Run setting in the System category are right. The only differences between the two are that this setting causes the program to run after Explorer starts up and the setting is visible to the user (a shortcut exists in the Start menu). The visibility may be important if the program is closed during the user session and the user wants to run it again.
Windows NT System
The Windows NT System category comes from the Winnt.adm template file. Figure 14 shows the available settings for this category.
There are two subcategories in this section: Logon and File System.
Logon
The Logon category allows you to change registry settings that affect the choices available to users when they attempt to log on to a machine.
Logon banner • The Logon banner displays a message after the Secure Attention Sequence (<Ctrl> <Alt> <Del>) is used. To create a banner, follow this procedure.
Place a check mark in the Logon Banner check box. The Settings dialog box is now available.
Enter the Caption header. This header will appear above the main text of the message.
Enter the text of the message in the Text box.
This setting can be used as an informational message for all users or as a legal notice before logon.
Enable shutdown from Authentication dialog box • This setting allows you to set a registry key that either enables or disables the shutdown option that appears as you press <Ctrl> <Alt> <Del> on a machine. By default, this setting is enabled on a Windows NT Workstation and disabled on an NT server.
If you disable this selection, then a user must log on to the machine successfully before being able to shut it down. This option is of little use if a user can access the power switch or electrical outlet for the machine. In these cases, a genuine user may well be tempted to power off the machine if he has difficulty logging on, and a malicious individual who wants to deny access to a service on the machine will welcome the chance to power off and possibly cause more damage than denial of service.
The option is of more use on systems that are locked away or have the power button and electrical feed protected in some way. If you have a showroom with machines open to the public, you could consider this option.
This setting also gives some protection against an individual booting into another operating system and possibly using that OS to circumvent the NT file and directory security. Again, the setting is of little use on its own, and you should consider physical protection in the form of a lockable cabinet for the machine base.
Do not display last logged-on user name • By default, a Windows NT system displays the user name of the last user to log on. If a hacker decides to break into your system and is able to gain access to the screen, then he has part of the information required to break in, namely, a valid username. This can also be a problem if you use an administrative equivalent user name for troubleshooting a user machine. Your user name is left behind when you leave.
If you enable this setting, the username field in the logon dialog box is left blank after every logout or reboot. This option is useful if machines are constantly used by different individuals.
Run logon scripts synchronously • This setting defines the order of logon script processing and shell activation. When enabled, user logon scripts must complete before the shell starts to run applications in the Startup folder. Use this option to ensure that all required drive mappings are available to run the applications.
File System
The File System category only affects the Windows NT file system. These are the available settings in brief.
Do not create 8.3 file names for long file names • This setting disables the creation of an old-style DOS 8.3 file name for every long file name created on the system. The old file names are only used by programs that require a DOS-format name. The Win16 subsystem does not use these file names but rather has equivalent file names created as they are needed. Unless you have an application that requires these file names to already exist, turning off this option saves system effort at file creation time.
Allow extended characters in 8.3 file names • Whenever an 8.3 file name is created on a Windows NT system, an extended character set is available. Enabling the use of the extended character set may make a file name unreadable on a system that does not have a character code page available containing the item used. If the setting is disabled and the 8.3 file names are created, you are limited in the extended character range that you can use.
Do not update last access time • This setting only affects files when they are read. Every time a file is accessed for read or write, the Last Accessed flag is set by default. Changing this setting disables the update of that flag whenever a file is accessed for read-only. If the file is accessed in any other way, the flag is still set. Setting this option speeds up disk access time on read-only jobs because the overhead of writing to the disk is minimized.
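As an added example (not part of the chapter), the PowerShell below reads back the current values of the security-relevant computer settings discussed above, from the Network, Windows NT Network, Remote Access and Windows NT System categories, and flags those that differ from the hardened value the text recommends. The registry paths and value names are the ones the Common.adm and Winnt.adm templates write to, taken from general knowledge rather than from the page, so treat them as assumptions; the script only reads.

```powershell
# Added example: report the registry values behind the computer policy settings
# this chapter covers. Paths/value names assumed from the NT policy templates.
$checks = @(
    # Path, value name, recommended value ($null = informational only), meaning
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Update',                  'UpdateMode',                 $null, 'Remote update mode (1=Automatic, 2=Manual)'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Update',                  'NetworkPath',                $null, 'Manual update policy file path'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'AutoShareServer',            0,     'Do not create <drive>$ shares on servers'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',    'LegalNoticeCaption',         $null, 'Logon banner caption'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',    'LegalNoticeText',            $null, 'Logon banner text'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',    'ShutdownWithoutLogon',       0,     'Shutdown button disabled before logon'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',    'DontDisplayLastUserName',    1,     'Last logged-on user name hidden'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',    'RunLogonScriptSync',         $null, 'Logon scripts finish before the shell'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters', 'AuthenticateRetries',        $null, 'RAS logon attempts before disconnect'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters', 'AuthenticateTime',           $null, 'RAS seconds allowed to authenticate'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem',              'NtfsDisableLastAccessUpdate',$null, 'Last-access time update disabled')
)

function Get-PolicySettingReport {
    foreach ($c in $checks) {
        $path, $name, $expected, $meaning = $c
        # Missing key or value simply shows as <not set>; nothing is created
        $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$name } else { '<not set>' }
        $status = if ($null -eq $expected) { 'info' }
                  elseif ($item -and $value -eq $expected) { 'OK' }
                  else { 'REVIEW' }
        [pscustomobject]@{ Setting = $meaning; Value = $value; Recommended = $expected; Status = $status }
    }
}

Get-PolicySettingReport | Format-Table -AutoSize -Wrap
```

A REVIEW status is a prompt to compare the machine against the policy you intended, not necessarily a fault: the text itself notes that disabling shutdown before logon only helps where the machine is physically protected.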