Subscribe to Windows IT Pro
April 01, 1997 12:00 AM

Further Explorations of the NT System Policy Editor

Sean Daily
Windows IT Pro
InstantDoc ID #90
Rating: (0)
Installation and Configuration Tips and Some New Tricks

In his February article, "How to Edit NT 4.0 System Policies," Robert Slifka introduced the Windows NT 4.0 System Policy Editor (SPE) application and some of the ways you can use it to secure an NT network. He included information about the use and customization of policy template files (.adm files). This month, I expand on this topic, and present some other features and potential applications of this handy utility.

If you've ever administered a group of NT workstations on a network, you know the difficulty of maintaining a uniform configuration for all your computers. This problem is especially nasty in organizations that have corporate or MIS policies that mandate certain aspects of the user's environment, such as what programs users can access, what control they have over their machine, and the appearance of their desktop. Ever tried to make a custom Registry change or set the background wallpaper on 500 (or even 50) NT workstations? If so, you'll appreciate the problem and solution I describe here.

A Quick Review
NT stores all its configuration settings in the NT Registry database. You can view and modify these settings with one of the NT Registry editors (regedt32.exe or regedit.exe). When you examine the Registry, you see machine-related information in a branch of the Registry called the HKEY_LOCAL_MACHINE subtree. In addition, you see information related to the currently logged-in user. This information appears in the HKEY_CURRENT_USER subtree (for information about the NT Registry subtrees and tips on editing the Registry, see Christa Anderson, "Care and Feeding of the Registry," December 1996).

The HKEY_CURRENT_USER subtree also goes by another name: the current user's user profile. A user profile contains a variety of information about the user's desktop environment, such as Control Panel applet settings, network printer connections, Win32 application settings, and environment variables. ntuser.dat, the file that contains the user profile (the file from which the HKEY_CURRENT_USER Registry subtree is generated), is typically in the user's subdirectory under the user profiles directory on the local machine (e.g., c:\winnt\profiles\sean). The system can store the user profile on a network server if the administrator configured the user's account to use a server-based (e.g., mandatory, or roaming) profile. The HKEY_LOCAL_MACHINE subtree, in contrast, contains settings related to user logon, network access, and other system-related settings.

That information is fine, but what does this review have to do with SPE? Well, imagine creating a template, or mask, that the system automatically applies to an NT workstation's Registry each time a user logs on, so that all the restrictions that apply to both the machine and that particular user automatically take effect when the user logs in. Furthermore, imagine that this template is user- and group-specific, so that the restrictions taking effect depend on the user's logon name and group memberships. Well, SPE does just that.

How SPE Works
You probably know that SPE manages two distinct types of policies: the system policy for users and the system policy for computers. Together, these two entries restrict a user's access to the computer.

When users sitting at NT 4.0 computers log on to their domain with their domain user account, NT automatically merges the system policy for users portion of the file (the required name for an NT system policy file) with the user's profile (ntuser.dat), replacing any settings in ntuser.dat that don't match those found in ntconfig.pol. In addition, NT adds any machine-related settings defined in the system policy for computers to the HKEY_LOCAL_MACHINE portion of the Registry. The net effect? You get customized Registry settings for every NT computer and user in the domain, with all the appropriate restrictions in place.

First Things First: Installing SPE
The February article demonstrated how to start the SPE application, but this capability assumes that SPE is already installed on your system. In case it isn't (which is likely because NT doesn't install it by default), here's how to get SPE on your system. The utility ships only with the NT Server 4.0 CD-ROM and not with the NT Workstation version (presumably because SPE is an administrative-level tool). However, from the NT Server CD-ROM, you can install SPE on either an NT Server or NT Workstation 4.0 system.

To install SPE (which is part of a group of NT Server client-based administration tools), run the setup.bat file in the NT Server CD-ROM's \clients\svrtools\winnt directory. This batch file automatically detects your computer's processor type and installs the files SPE requires and several other NT Server administration tools. After installation, you must manually create shortcuts to the application poledit.exe, now in the \winnt\system32 subdirectory on your hard disk (neither the 3.51 nor 4.0 version automatically creates a program group and icons for these utilities; is this capability really too much to ask, Microsoft?).

Tips for Creating Your Organization's System Policy
Once you have SPE running and have created a system policy file, the next question is usually what SPE settings to be concerned with. The entries available in the system policy for computers and system policy for users include a variety of Registry entries that serve different purposes. For example, some Registry values are useful for enhancing security, and others help maintain a more consistent desktop look and feel. Still others relate to areas such as performance and task automation.

Although you can manipulate different settings with the default common.adm and winnt.adm templates, several settings are particularly worthy of mention. Tables 1 and 2 summarize some of the more useful computer and user-related system policy entries, where they're located, and what area the entry corresponds to (e.g., security, performance, uniform desktop). Table 1 lists computer-related entries, and Table 2 lists user/group-related policy entries.

To change a policy for a particular Registry change, navigate the policy tree by double-clicking the branch you want to expand (or click the + symbol at left to expand the branch's contents one level down). Once you've expanded a branch and located a value you want to change, you'll see a check box that will be in one of three states: grayed, white, or checked.

A grayed checkbox means that no change is stipulated for this entry. A grayed box tells SPE to keep the setting that is already in effect for this item from other policies or the system default. A white box tells SPE to disable the item, and a checked box tells SPE to enable the item.

When you enable certain entries, SPE sometimes requests additional information related to the item at the bottom of the dialog box. For example, if you check the box next to the NT System\Logon\Logon Banner entry to enable it, you must also enter a window caption and banner text for the custom logon banner in the boxes below. Screens 1 and 2 show samples of editing the system policy for computers and users, respectively.

Policy Precedence
What happens when more than one policy applies to a given user? That is to say, what if a user logs on to the domain, and the system policy file contains multiple user or group entries that apply to that user (for either computer or user policies)? In this situation, NT uses a policy evaluation process to determine the correct policies for that user.

The pecking order goes as follows: When an individual policy exists for a user, this policy is always used in preference to any group policies defined for groups that the user belongs to. If the user belongs to multiple groups and two or more of these groups have policies defined, to determine which group policy takes precedence, NT uses the group priority order that the administrator defines.

In much the same way individual policies beat out group policies, group policies take precedence over a default policy if one is defined. A default policy is used when no other policy definitions exist for a particular user. If you have only a default computer or user policy defined, SPE will apply this policy to everyone, including the administrator. Therefore, if you don't want to limit the administrator's access to the machine, at least be sure to define a group policy that creates no restrictions for the Domain Admins global group.

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • Brent K. Ouellette
    13 years ago
    Aug 12, 1999

    Thanks for Sean Daily’s April article, “Further Explorations of the NT System Policy Editor.” I need clarification on one point: I have all Windows NT workstations and one Windows 95 workstation, but from your article, I’m not clear about how to create a policy for the Win95 machine. I understand using the NT 4.0 System Policy Editor (SPE) from the Win95 machine to create the policy, but what do I name that policy and do I keep it in the NETLOGON share of my Primary Domain Controller (PDC) with my NT config.pol for the NT machines? How can I get both to work?

    --Brent K. Ouellette



    You must name your Win95 system policy file config.pol (in contrast to the NT system policy file) and put it in the NETLOGON folder (i.e., %SYSTEMROOT%\\SYSTEM32REPL\\IMPORT\\SCRIPTS, etc.). You can use either the NT or 95 policy editor to create the file. For further information about Win95 system policy files, I highly recommend the Microsoft Windows 95 Resource Kit’s comprehensive section on the topic.

    --Sean Daily

  • William Randlett
    13 years ago
    Aug 12, 1999

    Sean Daily’s April article, “Further Explorations of the NT System Policy Editor,” gave great detailed information on this important administration tool. Microsoft slid in new system policy features in SP2. You can now do things such as prevent the user from getting to the Task Manager or from running Explorer, with a right-click on the Start button. It’s handy for setting up a kiosk system. The new features for user policies are:



    Shell\\Restrictions\\Remove File menu from Explorer

    Shell\\Restrictions\\Remove common program groups from Start menu

    Shell\\Restrictions\\Disable context menus for the taskbar

    Shell\\Restrictions\\Disable Explorer’s default context menu

    Shell\\Restrictions\\Remove the “Map Network Drive” and “Disconnect Network

    Drive” options

    Shell\\Restrictions\\Disable link file tracking

    System\\Disable Task Manager

    System\\Show welcome tips at logon



    You must have the SP2 version of Explorer for these settings to take effect. The service pack updated the winnt.adm file, so you must use the new template to get to the new settings.

    --William Randlett

  • Larry
    13 years ago
    Aug 06, 1999

    I found Sean Daily’s “Further Explorations of the NT System Policy Editor” (April 1997) in the Windows NT Magazine archives during my search for a way to use the System Policy Editor (SPE) to install and manage a custom logon banner consisting of 250 characters. I know I can enter the banner text manually into the Registry, but because of my large number of users and multiple-server environment, I need a way to automate this task.
    The SPE would be ideal; however,
    it can’t recognize such a large number of characters, even when I use a modified .adm file. Do you have any suggestions about how I can make this solution work?
    --Larry Smith



    The most likely cause of your problem is the version of poledit.exe that you’re using. Versions of poledit.exe before 12/22/97 contain a little-known bug that limits the number of characters in a logon banner to 255 characters. See the Microsoft articles “Access Violation in PolEdit When Defining Allowed WindowsApps”(http://support.microsoft.com/support/kb/articles/q179/5/53.asp) and “System Policy Editor Will Not Allow More Than 255 Characters” (http://support .microsoft.com/support/kb/articles/q173/3/85.asp) for more information about this problem. Although you stated that your banner was only 250 characters, obtaining the latest version of poledit.exe from Microsoft Product Support is probably still worth your time.
    Another factor to keep in mind is that although the default maximum value for this Registry entry is 255 (defined as MAXLEN 255 inside the .adm file), you can expand this maximum with a MAXLEN value that specifies a different length (such as 1024). Be sure to set the value to at least the size of your current logon banner. (You might as well set it to 1024 to accommodate potential growth.)
    Your question also provides a good opportunity to remind readers about another little-known bug that relates to poledit.exe and Service Pack 3 (SP3). Early versions of SP3 didn’t properly update the poledit.exe file because of a bug in the SP3 installation script file. As a result, you may need to manually copy the updated SP3 version of poledit
    .exe from the SP3 distribution directory after installing the update.
    However, be aware that the SP3 version of poledit.exe doesn’t circumvent the greater-than-255-characters problem I described previously (SP3 file dates are 5/1/97). Knowing about the SP3 problem with poledit.exe is useful because most SP3 NT installations are still using the original NT 4.0 poledit.exe file.

    --Sean Daily

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.