CHAPTER 4      

                           MANAGING SYSTEM POLICIES

 

 

Lesson 1:  The Purpose of System Policies

 

A system policy is a set of rules that controls what a user sees on their desktop and what they

can do with their computer.  When a system policy is used in a domain, it can establish a uniform

set of rules, or policy, for all users and computers running Windows NT or Windows 95. 

They give you the ability to:

 

Restrict options in Control Panel, such as hiding the Screen saver tab in the Display program,

which would prevent users from changing or configuring their screen savers.

Customize parts of the desktop, such as specifying the corporate standard wallpaper on all

computers.

Control network logon and access, such as creating a logon banner to display a message when

a user logs on.

 

NOTE:  the Poledit.exe is the system policy editor and is in Windows NT Server 4.0

 

 

Computer Policy and User Policy

 

When you create a new policy, System Policy Editor displays two icons, Default Computer

and Default User.  These icons display the individual policy options that give you the ability

to configure a computer policy for all computers in the domain that are running Windows

NT or Win95 and a user policy for all users that log on to one of these computers.

 

Default Computer.  These options apply to all computes in the domain and effect all users

that log on to those computers.

Default User.  User policy options are used to configure the user’s desktop.  You can set

these options to effect all users that log on to the domain.

 

Lesson 2:  Implementing a System Policy

 

How to implement a system policy in a domain:

 

•   Use System Policy Editor to create a new policy file.  Set the appropriate policy options in

Default Computer and Default User.

•   If you need to set specific policy options for a user, group or specific computer account, use

the Edit menu to add the account and then set the policy options.

 

 

 

 

 

=======================================================================

 

wntsup4.html                                                 PAGE 2                                                         2001/11/19

 

 

 

By default, Windows NT searches for the Ntconfig.pol policy file stored on the PDC in the

Netlogon share.  Windows 9X has the Config.pol file.   Therefore, name the policy file

Ntconfig.pol on the PDC in the following folder:

 

 

  *****  Systemroot\System32\Rep1\Import\Scripts   *********

 

 

Enable replication on all domain controllers so that the Ntconfig.pol file is

Replicated to the same folder on all backup domain controllers.

 

 

How a User Policy is Implemented when a User Logs on:

 

•   When a user logs on to the domain from a computer running Windows NT, the user’s user

profile is loaded.  Next, Windows NT searches for the Ntconfig.pol file on the domain

controller that authenticated the user logon request.

•   If a specific user policy exists for that user, those policy settings are merged into the current

user portion of the registry (HKEY_CURRENT_USER).

•   If the user cannot be found, it can find a group that the user belongs to.  The groups policy

settings are then merged into HKEY_CURRENT_USER  A group’s priority is configured

in System Policy Editor by clicking Group Priority on the Options menu. 

•   If system policy is not defined for the user or for the user’s group, the Default User policy

settings are merged into HKEY_CURRENT_USER.

 

 

NOTE:  Policies are applied only at the time a user logs on.  If a user is logged on when a

system policy change is implemented, the user must log off and log back on for the policy

change to take effect.

 

 

****  REVIEW CHART page 149 *****

 

 

Implementing a Local Policy

 

You are not restricted to using only one system policy in a domain.  However, by default a

computer running Windows NT automatically downloads the information in the Ntconfig.pol

file from the domain controller that authenticated the user logon request. 

 

 

Lesson 3:  Using System Policy Editor to Manage a System Policy

 

This System Policy Editor is available on Administrative Tools (common)/System Policy Editor.

 

• Modify default settings for the computer and user policy for the domain.

 

 

 

 

 

=====================================================================

 

wntsup2.html                                                  PAGE 3                                                    2001/11/19

 

 

 

• Create custom settings that apply to individual users, groups of users, or individual computers.
• Specify the manner and location from which to download policy for some or all users.

 

 

NOTE:  The default icons under New Policy are Default Computer and

              Default User.  Do not play with default policy users, or you will

              have to do a reinstall.

 

 

System Policy Editor Modes

 

There are two modes registry mode and policy mode.  When System Policy Editor starts, it is

not in any specific mode.

 

Registry Mode:

 

In registry Mode you can edit portions of the registry of the local computer or a remote computer. 

This is a direct edit of the local registry and changes are reflected almost immediately. 

 

 

Changing Registry Settings on a Local or Remote Computer

 

When System Policy Editor is used in registry mode, changes are made by selecting or clearing

specific registry options in Local Computer or Local User.

 

 

Policy Mode:

 

Policy mode is the mode you use to create and modify a system policy for a domain.  The policy

mode is used to create or modify system policy files (.pol).    View all the Policies

(Network/ System/Windows NT Network/ Printer/RAS Shell etc.)

 

The policy file is saved as Ntconfig.pol in the Netlogon share on the PDC.

Ntconfig.pol is replicated to the BDCs in the domain.

Users log on to the domain

 

 

·        Dimmed.  The registry key for the policy is not modifies.  This is the default setting.  Or grayed out.

·        Selected.  The policy is implemented. A Check Mark.

·        Cleared.  The policy is not implemented.  A square empty box.

 

When the policy is created, only the selected and cleared policy settings are saved to the policy file

(.pol).  You would leave a check box dimmed to increase logon speed.  This is because dimmed

options are not saved to the policy file and are not loaded across the network.

 

 

 

 

 

=====================================================================

 

wntsup2.html                                                  PAGE 4                                                    2001/11/19

 

 

 

Customize System Policy for Users, Groups and Computer:

 

 

The default settings established by system policy can affect the entire domain.  You can configure

users or groups differently by adding the groups to the domain system policy.

 

Any computers, users or groups that are different than the default system policy settings receive

separate entries in the Ntconfig.pol file.

 

 

Configure System Policy to Secure computers:

 

You know when you log on, you see the last user name appears, you can remove this from

changing the “prevent the display of the last logged on user”.

 

You can also display a warning by using the Logon Banner Option.

 

 

Supporting Windows 95 System Policy

 

For computers running Windows 95 the following rules also apply:

 

•   System policies can only be stored on the domain controllers.  Group policies, if used,

must be enabled on each computer running Windows 95.  You can enable group policies

when you install Windows 95, using a custom setup script, or use Add/Remove Programs

in the Control Panel after Windows 95 is installed.

•   Win 95 policy must be saved in a file named config.pol and stored in the Netlogon share of

the Primary domain controller, PDC.

    

 

Load Balancing:

 

Load balancing allows computers running Windows 95 to take policies from multiple domains

vs only the PDC. 

 

 

System Policy Templates:

 

The policies that appear in System Policy editor are provided by template files.  Windows NT

requires both the Winnt.adm and the Common.adm system policy templates.  Any Microsoft

program such as Office or Word has a template for the files, with .adm extension.  Try to

implement policies at the group level.  Eg. Sales, Accounting etc. 

 

 

E:\\WINNT\INF\COMMON.ADM

E:\\WINNT\INF\WINNT.ADM

 

 

=====================================================================

 

wntsup2.html                                                  PAGE 5                                                    2001/11/19

 

 

 

Directory Replication, export scripts folder, replicates to PDC and the BDC.

The Export scripts is not a live file, so you can edit it when people are working on the system,

without effecting them.

 

Try to co-ordinate editing of the Policy, the last save is the most current, obviously.

 

 

System Policy Issues:

 

Verify the following items when troubleshooting problems with system policies:

 

•   The individual policy option is set properly in the policy (.pol) file.
•   The policy file is located in the correct network location, and the network location is

accessible from the computer running Windows NT or Windows 95. 

•   The user name, group name and computer name are correct, and groups contain the

appropriate members. 

•   The hierarchy that computer looks for policies are firstly, personal, then group,

then default policy.  The level of priority, applies from the Bottom up? This does not

make sense.

 

 

 

Summary:

 

•   Only one Domain Policy file resides on the domain, and it is called Winnt.Pol. 

Within this Domain Policy file resides all the individual or personal policies and the

group policies.   ***** VERY IMPORTANT ****

•   Prior to implementing a system policy, plan the types of restrictions and customizations

that will be implemented by the policy.  Identify any specific policies for users, groups and

computers.  Notify users and groups before the policy is implemented to avoid possible

confusion once the policy is implemented. 

•   A system policy is made up of computer policy, user policy, group policy or any

combinations of these policies. 

•   By default,  to implement a domain system policy on computers running Windows NT,

the policy settings must be stored in a file named Ntconfig.pol in the Netlogon

share of the PDC. 

•   By default, to implement a domain system policy on computers running Windows 95, use the

Windows 95 System Policy Editor to create system policy on the operating system. 

•   These system policy settings must be saved to a file named Config.pol in the Netlogon share

of the PDC.

•  Both Ntconfig.pol and Config.pol must be stored on the PDC in the following folder: 

systemroot\System32\Rep1\Import\Scripts.  By default  this folder is shared as Netlogon.

 

 ***VERY IMPORTANT ******

 

•   Replication must be enabled for all domain controllers to receive copies of the Ntconfig.pol and
•   Config.pol files.  Remember, that load balancing must be enabled on computers running Windows 95

 

 

 

=====================================================================

 

wntsup2.html                                                  PAGE 6                                                   2001/11/19

 

 

 

in order for them to access Config.pol on BDCs. 

•   You can specify customized settings for individual users, groups and computers to meet the

needs of your organization.  System Policy Editor can be used to directly edit portions of the registry.

 

 

 

 

 

 

 

 

 

 

 

 

.