July 01, 1999 12:00 AM

Setting NT System Policies

Windows IT Pro
InstantDoc ID #5621
Use SPE to help your Help desk

Many Help desk calls arise from users trying to configure their systems. To help prevent these calls, you can limit your users' ability to change the configuration of their systems. In placing those limitations, you will also tighten your network's security, and you might see significant productivity gains if your users can run only certain programs. These benefits are among the reasons to take a look at Windows NT's system policies and the tool used to create them, System Policy Editor (SPE). As a bonus, you can apply similar policies to your Windows 9x clients.

What Is a System Policy?
A system policy is a restriction you place on a user or a user's computer that limits the user's ability to access resources or configure the computer. A system policy might also impose corporate standard configurations. An example of a system policy is removing the Run command from the Start menu so that a user cannot run programs by typing the command name.

Because NT merges the policies into the Registry when the user logs on, you can configure and control the user's desktop. In some cases, the control you implement might be simple. For example, you might implement a rule that removes the name of the previous user from the logon dialog box so that an intruder cannot harvest valid account names. In other cases, you might implement controls so strict that they fix a computer's color scheme and wallpaper or let the computer run only one application.

The System Policy Process
System policies start with the administrator, who defines the policies using the SPE tool. To find this tool, go to Start, Programs, Administrative Tools on the NT server. You can define policies for users, groups, and computers. Any user or computer that has no specific entry in the policy file receives the settings of the Default User and Default Computer entries, so those two entries are the place to put restrictions you want to apply to everyone.

The administrator uses SPE to specify the various restrictions that he or she wants to put in place. Then, the administrator saves the policy file, ntconfig.pol, in the \winntroot\system32\repl\export\scripts directory (winntroot is the NT directory) on the PDC. You must configure replication to copy this file to all the Netlogon shares, which are the \winntroot\system32\repl\import\scripts directories on the PDC and the BDCs. (If you are not familiar with NT replication, see Getting Started with NT: "Replication in Windows NT," February 1999.) Neither the path nor the filename is the default save location in SPE, so type both explicitly; a policy file saved elsewhere, or under another name, is silently ignored by clients.

When users log on, NT finds this policy file on the Netlogon share, downloads the file, and integrates the settings into the local Registry. However, NT does not apply the policies at this point. Only when the user logs on again does NT apply the policies. If you are testing SPE, remember to log off and log on twice to make sure that SPE is working.

Using SPE
When you first open SPE, you see only a blank window. To start defining and editing policies, click File, New Policy. The Default Computer and Default User icons will appear, as Screen 1, page 156, shows.

At this point, you might be wondering what happens if the computer policy conflicts with the user policy. The fact is that these policies cannot conflict with each other. The policies are merged into the Registry so that the computer policies modify HKEY_LOCAL_MACHINE values and the user and group policies modify HKEY_CURRENT_USER values. This split becomes apparent as you look at the individual policies. (Two group policies that apply to the same user can conflict, because both write to HKEY_CURRENT_USER; SPE resolves that case with the group priority order you set under Options, Group Priority.)

Computer policies apply to every user of that computer. Administrative drive-share creation is a good example of a computer policy. User policies apply to a specific user and regulate items such as wallpaper or color schemes. These user-specific policies constrain a user regardless of which machine he or she logs on to.

Let's take a closer look at computer policies. Double-click the Default Computer icon. The dialog box that Screen 2, page 156, shows will open. (In Screen 2, I have already expanded the Windows NT System policy. Usually, nothing is expanded when you open this dialog box.)

Some of the policies let you set limits. For example, the remote access policy lets you set the maximum number of unsuccessful authentication retries. This setting is obviously a computer setting, not a user setting, because the setting is active even when a user is not logged on.

Some settings are for security, such as the Windows NT System option that turns off the display of the last logged-on username. Other settings, such as the logon banner, require input when you select an option. (By the way, the logon banner should not say "Welcome to XYZ Corporation." Courts have treated this kind of salutation as extending a welcome to everyone, including intruders. Use something such as "Only authorized employees of XYZ Corporation are permitted to use this computer." Companies can treat nonemployees as trespassers if they continue to log on after seeing such a banner.)
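The policies discussed above end up as ordinary Registry values on each client, so the most useful check after setting up replication is to confirm that those values actually arrived. The following PowerShell script is an added example, not part of the original article or of SPE itself. It assumes a host with PowerShell (NT 4 predates it; the Registry locations are the ones the NT policy templates write and later Windows versions still honor), that the policy file is served from a domain controller whose hypothetical name is $NetlogonServer, and that it is run after the logoff-and-logon cycle described earlier.

```powershell
param([string]$NetlogonServer = 'PDC01')   # hypothetical DC name; adjust for your domain

# Each entry names the Registry location that SPE writes for one of the
# policies discussed in the article and the value that shows it is in force.
$checks = @(
    @{ Name     = 'Remove Run command from Start menu (user policy)'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoRun'
       Expected = 1 },
    @{ Name     = 'Do not display last logged-on user name (computer policy)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'DontDisplayLastUserName'
       Expected = 1 },
    @{ Name     = 'Logon banner text (computer policy)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'LegalNoticeText'
       Expected = $null }   # $null here means "any non-empty string is acceptable"
)

function Test-PolicyValue {
    param($Check)
    # -ErrorAction SilentlyContinue: a missing key or value simply reports as not set
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }
    if ($null -eq $Check.Expected) {
        $ok = -not [string]::IsNullOrWhiteSpace($actual)
    } else {
        $ok = ($actual -eq $Check.Expected)
    }
    [pscustomobject]@{
        Policy   = $Check.Name
        Location = "$($Check.Path)\$($Check.Value)"
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        InForce  = $ok
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue $_ }
$results | Format-Table -AutoSize

# A banner that opens with "Welcome" defeats the purpose the article describes.
$banner = ($results | Where-Object Policy -like 'Logon banner*').Actual
if ($banner -is [string] -and $banner -match '^\s*welcome') {
    Write-Warning 'Logon banner begins with "Welcome"; reword it as a restriction notice.'
}

# Replication check: clients read ntconfig.pol from the Netlogon share,
# not from the repl\export\scripts directory where SPE saved it.
$pol = "\\$NetlogonServer\Netlogon\ntconfig.pol"
if (Test-Path -LiteralPath $pol) {
    $f = Get-Item -LiteralPath $pol
    "ntconfig.pol found on $NetlogonServer ($($f.Length) bytes, written $($f.LastWriteTime))"
} else {
    Write-Warning "ntconfig.pol not found at $pol; check replication from repl\export\scripts."
}
```

Run it once as the restricted user (the NoRun check reads HKEY_CURRENT_USER, so it must be that user's hive) and once as an administrator for the HKEY_LOCAL_MACHINE values. A row showing <not set> after two logons usually means the file never reached the Netlogon share, which the last check confirms directly.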

Comments
  • Ashok (Feb 13, 2007): VERY GOOD
