
Creation of Windows System Policies
Using the System Policy Editor

To implement system policies, Microsoft developed the System Policy Editor (SPE). In this tutorial, we'll show you how to create system policies for Windows 9x and Windows NT Workstation clients using the SPE.

You must have different system policies for your Windows 9x and Windows NT workstations. System policies consist of registry changes that control what your users can do on their workstations. When Microsoft designed Windows NT, it created a different registry database for NT than Windows 95—this incompatibility keeps you from using system policies you design for Windows NT workstations on your Windows 9x workstations.

Instead, you must create policies specifically for each operating system. Complicating matters further, you can only create system policies for an operating system using a workstation that runs that operating system. In other words, you must create system policies for Windows 9x workstations using a Windows 9x workstation and for NT workstations using an NT workstation. (Fortunately, policies that you create for and on Windows 95 workstations work on Windows 98 workstations.)

Microsoft includes a SPE with both operating systems. You can also use the SPE that comes with NT Server to create policies for Windows 9x workstations; to do so, you must run it from a Windows 9x workstation.

When you create policies, you can use some of the templates that come with the SPE as a start. However, things once again differ from operating system to operating system. Both OSs share information from the COMMON.ADM template. You'll find Windows 9x-specific options in the WINDOWS.ADM file and Windows NT-specific options in the WINNT.ADM file.

Finally, after you create your policies, there's one last difference: Windows 9x system policies are stored in the CONFIG.POL file, whereas Windows NT policies are stored in the NTCONFIG.POL file. You place both these files in the NETLOGON share of your server.

Creating Windows 9x policies
The Windows 9x Setup program doesn't automatically install or configure the SPE. You must manually install it on your workstation before you can create system policies for the Windows 9x workstations on your network.

To install the SPE on your workstation, you'll need your Windows 9x CD-ROM. Click Start and choose Control Panel from the Settings menu. In Control Panel, double-click Add/Remove Programs. Place the CD-ROM in your workstation and click the Windows Setup tab. Next, click Have Disk. When the Install From Disk dialog box appears, type your CD-ROM's drive letter followed by
:\ADMIN\APPTOOLS\POLEDIT\

and press [Enter]. When you do, you'll see the dialog box shown in Figure A.
Figure A
Select Group Policies and System Policy Editor to install the SPE on your Windows 9x workstation.

Select both Group Policies and System Policy Editor and click Install. The Add/Remove Programs utility will then copy the group policy and SPE files to your workstation and create the appropriate shortcuts in your Start menu.

To start the SPE, click Start and select Accessories from the Programs menu. Next, select System Tools and choose the System Policy Editor icon. When you do, the SPE will appear.

To begin creating a new system policy, choose New File from the File menu. Default User and Default Computer icons will appear, as shown in Figure B.
Figure B
The SPE automatically creates the Default User and Default Computer policies.

These icons represent basic default user and default computer policies. You can use these policies as the basis for your own policies or modify them as you wish. To view the current settings, select the policy and choose Properties from the Edit menu.

Viewing the properties for the default user policy shows you the parameters you can modify for user and group policies. When you choose Properties from the Edit menu for the Default User item, the Default User Properties dialog box will open, as shown in Figure C.
Figure C
You can view the settings of the default user policy.

The SPE places all your options in an easy-to-navigate tree. The major areas you can change appear in groups. For user and group policies, you can select from Control Panel, Desktop, Network, Shell, and System groups. You can then perform such tasks as:
When you make changes within one of the option groups, you set policies. If you check a box, it enables the policy. If you clear a box, it disables the policy, and if the policy was previously set on the workstation, the corresponding registry settings are removed. If you leave a box unavailable (grayed), the policy isn't implemented and has no effect on the workstation: no registry changes are made for unavailable options.

Be careful when you implement policy settings. Read each option carefully before enabling or disabling the commands. The options aren't worded clearly, and sometimes you may do something you don't intend. For example, if you want to block the Entire Network option from the Network Neighborhood, you must enable an option that says "No."

Also, don't enable settings unless doing so is absolutely necessary. Leaving the options disabled speeds processing time when the workstation logs on and processes the policy.

If you click the Default Computer policy icon and choose Properties from the Edit menu, you'll see the computer-specific policies you can set, as shown in Figure D. Like the user and group policies, the SPE groups the categories into an easy-to-navigate tree.
Figure D
You can also view computer-specific policies.

For computer policies, you only have Network and System groups. However, there are more subcategories than are available for user policies. Computer policies you can implement include:
As you scroll through the options, you'll notice that the settings available for the selected option appear in the box at the bottom of the window. Not only can you enable or disable certain properties, you can also force values for some of them. For example, if you enable the Log On To Windows NT policy in the Microsoft Client For Windows Networks group, you can force the logon domain by setting a value in the Domain Name field. For this property, you can also set several items at the same time, such as disabling password caching.

To add customized policies for individual users, groups, or computers, select Add User, Add Group, or Add Computer from the Edit menu. SPE will then prompt you for a policy name. You can't select names at random: names you use in SPE must correspond with actual users and groups you've set up in your domain. If a user is configured in your domain with the logon ID JOHNS and you want to create a user-specific policy for that user, the user policy must also have the name JOHNS. Computer names correspond to the NetBIOS names that you define on the workstation.

When you define group policies, you must take one additional step: assigning priorities. If a user belongs to multiple groups, the workstation must know what order to use for the group policies in case some policies conflict. When registry changes made by policies conflict, group policies with higher priorities take precedence.

To set group policy priorities, choose Group Priority from the Options menu to open the Group Priority dialog box shown in Figure E. To change the priority of a group, select the group and click either Move Up or Move Down. Clicking Move Up increases the group policy's priority; clicking Move Down decreases the policy's priority.
Figure E
You must assign priorities to your group policies.

When the workstation loads multiple group policies, it begins with the lowest-priority group and overlays higher group policies on it. Any conflicting registry changes are overwritten by the latest—higher priority—changes.

Unfortunately, you can't create different group priorities for different users. You set the priorities once, and they apply to all users.

Also, don't worry about assigning group policies to users with the SPE. Because group policy names match actual group names that users belong to in your domain, the workstation finds the appropriate groups at logon time.

You should create a Domain Admins group policy that undoes all the changes you make with the other group policies. Be sure you set the Domain Admins group policy to the highest priority. If you don't create a Domain Admins group policy with the highest priority, you may find yourself locked out of important areas of a workstation. This policy restores all of the settings that you don't want your users to have and allows you to perform necessary tasks on the workstation.

After you've created all your Windows 9x policies, save the file as CONFIG.POL. Keep a record of the policy settings before you change them; doing so will help you track down any problems that occur. You're now ready to copy CONFIG.POL to your server.

Making system policies work on Windows 9x workstations
Before system policies will work properly on Windows 9x workstations, you must make a few changes on your workstations. You'll need to add support for group policies and double-check some registry settings.

You might have noticed that when we installed the SPE on the Windows 95 workstation we used to create policies, we also installed support for group policies. You must install support for group policies on all your Windows 9x workstations to ensure that they can locate and use group policies.

To begin, place the CD-ROM in your workstation and click the Windows Setup tab. Next, click Have Disk. When the Install From Disk dialog box appears, type your CD-ROM's drive letter followed by
:\ADMIN\APPTOOLS\POLEDIT\

and press [Enter]. On workstations that are only going to use policies (not create them), select Group Policies and click Install. The Add/Remove Programs utility will then copy the group-policy support files to your workstation.

Next, you must make manual changes to your workstation's registry to force the workstation to look for system policies on your server. To do so, first open the workstation's Control Panel. Double-click Passwords and click the User Profiles tab. Click Users Can Customize and click OK.

Next, launch REGEDIT from the Start menu's Run dialog box. Work your way through the registry keys until you get to the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update

key. Double-check to be sure the value for the Update key is set to 01.

A value of 01 tells the workstation to check the server for a system policy when the workstation logs on to the network. The workstation automatically looks in the NETLOGON share of the validating server for the CONFIG.POL file. If the Update value is set to 0, the workstation can't use policies. If the value is 02, then the workstation can use policies, but you can set a path other than the NETLOGON share for the workstation to find the CONFIG.POL file.

Creating policies for Windows NT workstations
Creating system policies for clients running Windows NT Workstation 4.0 is very similar to creating them for Windows 9x workstations. You create the same types of policies using the same basic procedures and commands. However, you should be aware of a few differences.

First, you can't create Windows NT system policies using the SPE that comes with Windows 9x. Nor does Microsoft ship a SPE with Windows NT Workstation. Instead, you must use the one that comes with Windows NT Server.

To install the SPE on your NT workstation, insert the Windows NT Server CD-ROM and run SETUP.BAT from the \CLIENTS\SVRTOOLS\WINNT folder on the CD-ROM. Setup will automatically copy POLEDIT.EXE and the ADM files to your workstation.

Unlike the installation program for the Windows 9x version of SPE, the NT version doesn't create the icons or program groups you need to access SPE from the Start menu. You must create the icons and shortcuts manually.

The NT SPE works the same way as the Windows 9x SPE; you create policies the same way, as well. You'll notice that the options for users, groups, and computer policies differ from those in Windows 9x.

You'll also notice that you can load more templates with the NT SPE than you can with the Windows 9x version, which lets you load only one ADM template file at a time. To load multiple templates simultaneously in the Windows NT version, choose Policy Template from the Options menu. Template files you can use include:
You can also create and load your own template files. You can create template files using any text editor; however, you probably won't need to do so, because most of the registry values you're interested in are covered by the default templates.
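As an added illustration of what a hand-written template looks like (this is a constructed example, not from the original article and not Microsoft's shipped COMMON.ADM or WINDOWS.ADM), here is a small ADM file that defines one computer policy, exposing the Update registry key discussed earlier, and one check-box user policy for the Entire Network option mentioned above. The registry value names UpdateMode, NetworkPath and NoEntireNetwork are assumptions; check them against the templates that ship with your SPE before you rely on them.

```adm
; Constructed example template (not Microsoft's COMMON.ADM or WINDOWS.ADM).
; Load it with the Policy Template command on the Options menu.
; Value names UpdateMode, NetworkPath and NoEntireNetwork are assumed
; to match the shipped templates; verify against your own ADM files.

CLASS MACHINE
CATEGORY "Network"
  CATEGORY "Update"
    ; Every VALUENAME in this policy is written under this key,
    ; relative to HKEY_LOCAL_MACHINE because of CLASS MACHINE.
    KEYNAME System\CurrentControlSet\Control\Update
    POLICY "Remote Update"
      ; Clearing the check box writes UpdateMode=0, which stops the
      ; workstation from using policies at all.
      ACTIONLISTOFF
        VALUENAME "UpdateMode" VALUE NUMERIC 0
      END ACTIONLISTOFF
      ; Drop-down list shown in the box at the bottom of the SPE window.
      PART "Update mode" DROPDOWNLIST REQUIRED
        VALUENAME "UpdateMode"
        ITEMLIST
          NAME "Automatic (NETLOGON share of validating server)" VALUE NUMERIC 1
          NAME "Manual (use the path below)" VALUE NUMERIC 2
        END ITEMLIST
      END PART
      ; Free-text field; only meaningful when UpdateMode is 2.
      PART "Path for manual update" EDITTEXT
        VALUENAME "NetworkPath"
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

CLASS USER
CATEGORY "Network"
  CATEGORY "Network Neighborhood"
    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Network
    ; Plain check-box policy. Checked writes NoEntireNetwork=1. Because no
    ; VALUEOFF is given, clearing the box deletes the value rather than
    ; writing 0, and a grayed box leaves the registry untouched.
    POLICY "Hide Entire Network in Network Neighborhood"
      VALUENAME "NoEntireNetwork"
      VALUEON NUMERIC 1
    END POLICY
  END CATEGORY
END CATEGORY
```

Wording the policy name as a positive action ("Hide ...") rather than as the registry value's negation ("No ...") avoids the confusing double negatives noted earlier when you read options before enabling them.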

Conclusion
System policies consist of many different registry settings on your workstations. If you had to make all these registry-setting changes manually, you'd quickly become confused and cause yourself more headaches than you'd solve. Fortunately, you can use the SPE to create system policies for your Windows 9x and Windows NT Workstation clients. In this article, we showed you how to use the SPE.

Source: www.techrepublic.com

Last Update: February 28, 2005
Yannis Grammatis