Create computer, user, and group policies via the System Policy Editor and customize a policy template
Windows NT 4.0 has borrowed more from Windows 95 than just the user
interface. Win95's system policies and System Policy Editor (SPE) are also in
the latest release of NT. System policies are restrictions an administrator can
place on a computer, user, or global group. These restrictions control user- and
machine-specific settings on NT Server and Workstation. System policies are a
compilation of NT Registry keys and their values, and the system doles the
policies out at logon to whomever you specify.
You modify system policies via the SPE, an NT application that lets you
maintain existing policies and create new ones. The policy settings are stored in
the Registry of the affected machine. Template files (which the SPE reads when
you create policies on the server) are a plain-text list of all possible policy
settings and what each one does. This article demonstrates how to use the SPE to
create and edit user, computer, and group policies and discusses how to
customize the NT 4.0 policy template files to give you a feel for creating your
own policy templates.
Three Types of Policies
Each of the three types of system policies controls a different aspect of
the computing environment. Computer policies are restrictions specific to a
particular system; they control settings such as whether to create the
administrative drive shares, the ability to shut down the system from the
Authentication dialog box, and whether to create DOS 8.3 filenames for long
filenames. User policies apply to a particular username; examples of such
policies include removing common groups from the Start menu, selecting which
desktop wallpaper to use, and restricting application use by filename. Group
policies are simply user policies applied to a global group (i.e., a set of user
policies applies to all members of a group). You can set group priority so that
groups with the highest priority are processed last, their settings overwriting
those of groups with a lower priority. Group policies are probably the most
efficient way to administer policies on a medium-to-large-sized network: With
groups, you're managing the settings in one group policy instead of
hundreds or thousands of user policies (a moderately complex SPE policy can
contain about 100 settings).
NT 4.0 provides Default Computer and Default User policies, which NT
applies to computers or users that haven't already been assigned a policy (there
is no Default Group policy). You don't have to use the Default Computer/User policies, but later, I'll give you a good reason to.
Using the System Policy Editor
You access the SPE under Windows NT Server by clicking Start, then Programs,
and then Administrative Tools. (Anyone can access the SPE; no special permission
is required.) After the SPE starts, a blank SPE screen appears.
To create a new policy file, at the SPE screen click File and then New
Policy. As Screen 1 shows, this action creates an untitled policy file
containing Default User and Default Computer policies. You define the properties
of the new policy file: Double-click the Default User or Default Computer icon
to see a list of policy properties, as shown in Screens 2a and 2b, respectively.
To enable a setting, click the check box next to the setting. The lower
portion of the window will probably contain either information summarizing the
option or an area where you must provide more information, such as the location
of the background .bmp file to use. Clicking OK saves the new policy file.
(You'll name the policy file later, after you change the settings you want.) To
change an existing policy's settings, select it from the SPE screen's policy
list, double-click it (or select the policy and click Edit and then Properties),
and modify the settings as described above.
To create a computer, user, or group policy, select the appropriate Add
option from the SPE screen's Edit menu. A dialog box prompts you for the name,
or you can choose to Browse through a list of names to locate it. Browsing is
usually faster than entering the name and is also a way to avoid mistakes such
as typos and accidentally leaving out the domain prefix and the slash character
if the computer, user, or group is in a different domain. To customize a policy
for a computer, user, or group, double-click the policy of your choice and fill
in the appropriate check boxes and blanks.
Note that check boxes have three states. Each represents a different action an
NT system will take when it downloads the policies from the NT Server system at
logon. Initially, the boxes are gray. A click changes a box to checked, which
enables the option (i.e., copies or overwrites the appropriate Registry entry);
another click changes the box to empty (i.e., removes that option from the
user's system and deletes the appropriate data contained in a Registry key); and
one more click returns the box to gray, signaling that NT will neither enable nor
delete that option. If you don't want to implement a policy, leave its box gray
so NT will ignore it while processing the policy file, thus accelerating
processing (don't delete the setting from the template file; you can keep it
available to use in another user's or computer's policy).
The SPE lets you assign priority to group policies through the Group
Priority function, which can simplify administering policies in a domain that
has multiple group policies and includes some users in more than one group. For
example, say your domain includes a Domain Users group policy that all users are
part of and a Development group policy, which includes only a few users. The
Development users all want the same background wallpaper, yet all your
non-Development Domain Users require the company logo as their wallpaper. To
solve this problem, at the SPE main screen, select Options and then Group
Priority. Next, simply move the Development group above the Domain Users group
to give Development's policies a higher priority. Click OK. When policies are
downloaded at logon, the Development group's policy will be downloaded after the
Domain Users policy and the Development settings will overwrite those of all
lower priorities, including Domain Users.
Once you finish configuring your policies, click File, then Save As. You
must save the file as ntconfig.pol (the file that contains the policies
for all computers, users, and groups you've specified in the system's SPE)
or NT will not process system policies. Also, make sure to save ntconfig.pol
wherever the NETLOGON share of the Primary Domain Controller points--most likely
in your %windowsroot%\system32\repl\import\scripts directory (you must
manually save ntconfig.pol to the correct directory; NT doesn't automatically
save it for you). New policies will take effect on users' systems the next time
they log on (when the policies are downloaded).
As an NT administrator, you'll probably want to define your computer and
user policies rather than use the defaults. However, a user can inadvertently,
or perhaps purposely, avoid machine policies by roving from one machine to
another. If this situation is a problem at your site, you probably need a
Default Computer policy in place to prevent users from evading policies.
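The following Python model is an added example, not NT's own code or data, and the ntconfig.pol contents, computer names, user names, and wallpaper paths in it are constructed. It models the three check-box states (gray ignores, checked writes, empty deletes), the group-priority rule (lowest priority applied first, highest last), the Default Computer/Default User fallback for machines and users without an entry of their own, and the roving-user case: without a Default Computer policy, a machine that has no entry in the policy file keeps whatever Registry values it already had. Applying the user's own entry (or Default User) before the group policies is an assumption of this model; the article specifies only the order among groups.

```python
from enum import Enum


class State(Enum):
    """The three check-box states shown in the System Policy Editor."""
    GRAY = "gray"        # policy file says nothing: leave the existing value alone
    CHECKED = "checked"  # create or overwrite the Registry value
    CLEARED = "cleared"  # delete the Registry value


def apply_policy(registry, policy):
    """Apply one policy entry (value path -> (State, data)) to a Registry model (a dict)."""
    for path, (state, data) in policy.items():
        if state is State.CHECKED:
            registry[path] = data
        elif state is State.CLEARED:
            registry.pop(path, None)
        # State.GRAY: skipped entirely, so processing is faster and nothing changes
    return registry


def resolve_computer(pol, computer, registry=None):
    """Machine settings: the computer's own entry if present, else Default Computer (if any)."""
    registry = dict(registry or {})
    entry = pol["computers"].get(computer, pol.get("default_computer"))
    if entry is not None:
        apply_policy(registry, entry)
    return registry


def resolve_user(pol, username, member_of, registry=None):
    """User settings: the user's own entry (else Default User), then group policies.

    Groups are applied from lowest to highest priority so the highest-priority
    group's settings land last and overwrite the rest. Applying the user entry
    before the groups is an assumption of this model (see the lead-in)."""
    registry = dict(registry or {})
    entry = pol["users"].get(username, pol.get("default_user"))
    if entry is not None:
        apply_policy(registry, entry)
    # group_priority lists groups as the SPE Group Priority dialog shows them: highest first
    for group in reversed(pol["group_priority"]):
        if group in member_of and group in pol["groups"]:
            apply_policy(registry, pol["groups"][group])
    return registry


def logon(pol, computer, username, member_of, existing=None):
    """Simulate one logon: machine policy, then user policy, on top of the existing Registry state."""
    registry = resolve_computer(pol, computer, existing)
    return resolve_user(pol, username, member_of, registry)


# Registry value paths (real NT 4.0 locations, used here only as illustrative keys).
WALLPAPER = r"HKCU\Control Panel\Desktop\Wallpaper"
NO_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
AUTOSHARE = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer"
SHUTDOWN = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon"

# Constructed stand-in for an ntconfig.pol file (names and paths are made up).
NTCONFIG_POL = {
    "computers": {
        "WS-DEV01": {AUTOSHARE: (State.CHECKED, 0), SHUTDOWN: (State.CLEARED, None)},
    },
    "default_computer": {AUTOSHARE: (State.CHECKED, 0), SHUTDOWN: (State.CHECKED, 0)},
    "users": {},
    "default_user": {NO_RUN: (State.CHECKED, 1), WALLPAPER: (State.GRAY, None)},
    "groups": {
        "Domain Users": {WALLPAPER: (State.CHECKED, r"C:\WINNT\logo.bmp")},
        "Development": {WALLPAPER: (State.CHECKED, r"C:\WINNT\dev.bmp"),
                        NO_RUN: (State.CLEARED, None)},
    },
    # Development was moved above Domain Users in the Group Priority dialog.
    "group_priority": ["Development", "Domain Users"],
}


if __name__ == "__main__":
    # A developer on an explicitly listed machine: Development wallpaper wins over the logo.
    print(logon(NTCONFIG_POL, "WS-DEV01", "alice", {"Domain Users", "Development"}))
    # A user roving to an unlisted machine without a Default Computer policy keeps the
    # machine's old ShutdownWithoutLogon value, because nothing in the file touches it.
    no_default = dict(NTCONFIG_POL, default_computer=None)
    print(logon(no_default, "WS-SALES07", "bob", {"Domain Users"}, existing={SHUTDOWN: 1}))
```

Run it directly to see the two scenarios; the second one is the reason the article recommends keeping a Default Computer policy in place.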