Windows NT User Profiles
The Windows NT User Profiles category comes from the Winnt.adm template file. Figure 15 shows the available settings for this category.
This category contains some settings that affect the way user profiles are downloaded and cached.
Delete Cached Copies of Roaming Profiles
The first setting saves disk space by deleting the locally cached copy of the user’s profile when they log off. The locally cached copy of the profile is used if the roaming profile that is stored on the network is unavailable (because of a slow network connection or some other reason). Unless your workstations are running very low on disk space, you should not use this setting.
Automatically Detect Slow Network Connections
The second setting detects a slow network connection. Your authentication server may be on the other side of a bridge or router and there may be a delay in downloading your profile. If your profile is large, the problem will be more apparent. In this case, the NT system defines the network as being slow and asks if you would like to use the locally cached version of your profile. This setting is turned on by default, and you can use this option to turn it off if you do not require system intervention for slow networks.
Slow Network Connections Timeout
Here is how the NT system decides that you have a slow connection: A timeout limit of just 2000 milliseconds is set by default. If you are using the slow network detection setting, then this is how long the system will wait before giving you a message asking whether you want to wait or use the locally cached profile.
Timeout for Dialog Boxes
The dialog boxes that appear as part of the slow network detection process and user profile date checking process are on a timer. The default time setting is 30 seconds, after which one of the choices is implemented. You can increase this timeout value to give the user more time to consider the question, or you can decrease it if you are happy with the default answers and just want the process to finish as quickly as possible.
INDIVIDUAL COMPUTER POLICY
Policy settings can be applied to single computers instead of to all machines. Follow the steps below to configure settings for an individual computer on your domain.
Start the System Policy Editor.
Open the domain policy file that you have already created, or select File > New Policy to start a new policy file.
Select Add Computer from the Edit menu.
Enter the NetBIOS name of the computer that you want the policy to apply to. You can type the name or browse for the name. If you type the name, make sure it is spelled correctly. There is no error checking to make sure the computer exists.
Select OK. An icon is added to the policy file desktop named after the computer.
Double-click the new icon.
The registry settings exposed here are exactly the same as they are for the Default Computer policy. All settings are defined in the same way, and the only difference is that settings defined here only apply to the one named computer (regardless of user).
Repeat the steps above for each computer that needs a separate policy.
DEFAULT USER POLICY
As with Default Computer policies, when configuring user settings, you must first decide whether to make changes on one single machine, in which case you will use Registry mode, or whether to implement the changes on many machines, in which case you will use File mode to save the changes for later implementation.
Of the two available modes for implementing system policies, File mode is also the most commonly used for implementing user settings. To start configuring the user portion of the system policy, follow this procedure.
Select OK in the Default Computer Properties policy screen, as shown in Figure 6 in the Default Computer Policy section previously, and skip to step 3; or start the Policy Editor, using the shortcut created earlier in Administrative Tools, to open a blank policy sheet.
Select File > New Policy to start a new policy file, or select File > Open Policy to open a previously saved policy file.
Double-click Default User. Figure 16 shows the six standard categories available for the default user.
The categories shown in Figure 16 are described in more detail in the next section.
Control Panel
The Control Panel category comes from the Common.adm template file. Figure 17 shows the available settings for this category.
This category restricts changes to some potentially harmful display-related settings and enables you to be extremely pedantic in your control of user activities.
When you choose to implement a restriction, you should look at why it is implemented. The fact that a function "is not required for business reasons" does not mean that it should be restricted. Putting restrictions in place simply because the ability exists may make your users feel like they are being treated like children.
The five available restrictions are described below.
Deny Access to Display Icon
This restriction will still allow the display icon to be seen in Control Panel, but when users try to run the applet, a message will inform them that the Administrator has disabled this function. Unless you have a very good reason for this restriction, such as a public machine with a shared user ID, then this is not a security issue.
Hide Background Tab
Here is a prime example of being overzealous in restricting users. Short of a corporate standard requiring the organization’s logo as a background, this setting can do no harm. The users’ ability to remind themselves during those long work hours that they do have a family may be the only thing keeping them sane.
If the selection is checked, the Background tab will not appear as a selection in the display properties.
Hide Screen Saver Tab
This restriction is slightly more useful. Some screen savers can consume large amounts of CPU time, while other third-party screen savers can damage the system.
A screen saver set to Blank Screen can be password protected and set to come on after a specific time delay after inactivity. This should be enough to protect systems while allowing programs that are running on the machine to continue using the CPU without interference.
Selecting this check box removes the Screen Saver tab from the display properties screen.
Hide Appearance Tab
Again, this is a restriction that is usually set just for the sake of setting it. I have come across only one problem in the past that would justify this setting. A user once set the font color and the background color to be the same (both white instead of black on white) and could not understand why all of the writing disappeared in the windows. If you have never had to fix a problem caused by users changing color schemes, then this option is one to ignore.
Selecting this check box removes the Appearance tab from the display properties screen.
Hide Settings Tab
This setting is also useful. There should be no need for the users to change their own screen size and display settings. Programs may need a particular minimum color palette size. The display driver can also be changed from this tab. This is a system function and should be controlled.
Selecting this check box removes the Settings tab from the display properties screen.
Desktop
The Desktop category comes from the Common.adm template file. Figure 18 shows the available settings for this category.
The two items controlled by this category are Wallpaper and Color scheme. As mentioned earlier, these are not sensitive settings and can give the user some feeling of freedom. The procedure for setting both of these items is self-explanatory.
Shell
The Shell category comes from the Common.adm template file. Figure 19 shows the available settings for this category.
The Shell restrictions category contains some important settings. You can enable any of these settings by placing a check mark in the appropriate box.
Remove Run Command from Start Menu
The Run command on the Start menu can be used to start nonstandard applications, which may cause some damage or bring into question licensing issues. You can help to avoid this problem by selecting the check box for this option. Remember that as long as the users can get to an Explorer screen, they can still run the application from there.
Remove Folders from Settings on Start Menu
This setting limits the access a user has to system settings. Placing a check mark in this check box removes the Control Panel and Printers folders from the Settings menu. Users can subvert this limitation by selecting the Run option mentioned above and entering Control.exe to run the control panel that gives access to the Printers applet. If used in conjunction with the setting for the Run option, this option can place slightly more security on the use of your systems. Again, if users know where the Control.exe file resides, then they can navigate to the directory and run the program with a simple double-click.
Remove Taskbar from Settings on Start Menu
The taskbar menu can be used to set taskbar options and Start menu options as well as to browse the profile storage folders. To restrict users from accessing this system tool, simply place a check mark in the appropriate box. Again, users can still browse the profiles directory with Explorer if they can find it.
Remove Find Command from Start Menu
This setting removes the Find option from the Start menu and from Explorer, including context-sensitive menus. This makes it difficult for users to find files on the system. If you implement correct permissions on the files and directories, then you can leave this setting to be used as it was intended — as a file and directory navigational aid.
Hide Drives in My Computer
This setting removes the drives from view in Explorer and My Computer. There is not much point to either of these views if the drives are removed. This is an extreme measure that may be useful on a public system that has shortcuts to all of the allowed programs.
Programs can still be run from shortcuts or with the Run command if the user knows the exact path and file name.
Hide Network Neighborhood
As you would expect from the name, this setting removes the Network Neighborhood icon from view on the desktop. This setting could be used in a situation where you wish to restrict network browsing (for bandwidth issues or some other purpose), but unless you are sure that all connections that are necessary for the user are already mapped, it can be a pain.
No Entire Network in Network Neighborhood
This setting is a less drastic step than the previous one but still of little benefit. The restriction here stops browsing across the wide area network; only the local domain or workgroup is accessible. Remember that this is a browser setting and as such will not prevent a drive being mapped to an unseen host with the correct permissions and network connectivity.
No Workgroup Contents in Network Neighborhood
Again, a browser setting. It prevents nondomain machines from appearing in the browser list in Network Neighborhood. Members of workgroups do not appear here. This could prevent a small security loophole where workgroup members are not protected by the domain security policy and so may be slightly exposed if they can be browsed.
Hide All Items on Desktop
Well, what can I say about this one? I’ve never had use for this setting and find it difficult to envisage when I ever will. A public machine set up to demonstrate one program or feature may benefit from fewer distractions on the desktop and no ability for the public to make alterations. Apart from that, definitely one to stay away from.
Disable Shut Down Command
This setting removes the ability to shut down the machine except through the Secure Attention Sequence. As any administrator knows, the temptation for users to power down NT machines without a proper shutdown is already quite strong.
If you disable the shutdown routine for some reason, then the machine needs to be protected against power-down from the power switch or electrical outlet.
Don’t Save Settings at Exit
When you log off your machine, Explorer remembers the status and position of certain programs and windows (Explorer windows, Control Panel, etc.). This can be useful or it can be a pain. In the good old days of Windows 3.x, this feature was a menu setting. You can switch this off so that no windows are opened by default when you log on again. This can speed up the logoff and logon process and aid in the appearance of a common desktop.
System Restrictions
The System Restrictions category comes from the Common.adm template file. Figure 20 shows the available settings for this category.
Two options are available in the System Restrictions category.
Disable Registry Editing Tools
The registry editors (Regedt32.exe and Regedit.exe) are available to all users by default. The registry itself should be protected by the correct security settings, but as another precaution, this setting can be used to withdraw all access to this sensitive area. This withdrawal also prevents the user from using the tools to access a remote registry that may not be as well protected. With this setting enabled, the registry editing programs will not run. Renaming the programs will make no difference.
Tools such as Poledit.exe and Control Panel applets are types of registry editing tools in that they can make changes directly into the registry. These tools are not affected by this setting.
Run Only Allowed Windows Applications
Of all the settings available here, this one gives the tightest security. With this setting enabled, the user can only run the executables that are listed in the table accessed through the Show button. When entering programs here, you should only put in the program name and extension as shown in the example in Figure 20.
Remember that this setting works on file names; if users can rename an executable, they may be able to run it.
This setting is very restrictive and could possibly restrict business activities if used unwisely. Again, the setting is generally reserved for a situation where you must restrict access to the machine such as a public-use workstation.
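A worked check of the restrictions covered under Shell and System Restrictions: this added script (not from the chapter) parses a Registry Editor 4.0 export of the per-user Policies keys that Poledit writes and reports which of the restrictions are in force, flagging allow-list entries that contain a path since the setting matches on file name only. The value names (DisableRegistryTools, NoRun, RestrictRun) follow the Common.adm template and are assumptions not stated on this page; the export and the listed programs are constructed sample data.

```python
# Constructed sample: a REGEDIT4 export of the per-user policy keys. Value names
# are assumed from the Common.adm template; program names are made-up sample data.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"
"2"="C:\\Apps\\kiosk.exe"
"""

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: value}}; dwords become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:  # .reg strings escape backslashes as \\
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def audit(keys):
    """List the restrictions in force and the caveats the chapter attaches to them."""
    system = keys.get(POLICIES + r"\System", {})
    explorer = keys.get(POLICIES + r"\Explorer", {})
    allowed = list(keys.get(POLICIES + r"\Explorer\RestrictRun", {}).values())
    findings = []
    if system.get("DisableRegistryTools") == 1:
        findings.append("registry editors blocked (Poledit and Control Panel still write the registry)")
    if explorer.get("NoRun") == 1:
        findings.append("Run command removed (programs still runnable from Explorer)")
    if explorer.get("RestrictRun") == 1:
        findings.append("allow-list active: %d program(s)" % len(allowed))
        for prog in allowed:  # entries must be name and extension only, no path
            if "\\" in prog or "/" in prog:
                findings.append("bad entry %r: use program name and extension only" % prog)
    return findings
```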
Windows NT Shell
The Windows NT Shell category comes from the Winnt.adm template file. Figure 21 shows the available settings for this category.
There are two subcategories under this heading.
Custom Folders
The Custom Folders category contains settings that are similar in nature to those configured in the Default Computer properties for the Windows NT Shell category. The main difference is that the settings discussed below are set for a user or groups of users regardless of where in the domain they log on and the similar settings (discussed in the previous sections) are set for the machine(s) that are defined to use the policy regardless of the user.
The benefit of the settings contained in this category is the centralized management and standard desktop look that can be provided.
Custom Programs Folder
Custom programs folders give the same Programs folder look to a group of users. This setting can be implemented on a departmental basis. Follow these instructions to implement this setting.
Create a centralized folder and set the correct access permissions for your users.
Share the folder out and set the correct share permissions if necessary.
Place shortcuts to your applications in this folder.
Install the necessary applications either centrally on the server or locally. The location must be correctly defined in the shortcut.
Select the Custom Programs folder check box and enter the path to the shared folder.
When assigning a policy setting like this one, it makes sense to assign it via group membership instead of using the Default User. This subject is covered later in the chapter.