
Windows NT Policies

The four types of policies are:

  • Account
  • User Right
  • Auditing
  • System

Policies are selected using the "Policies" button in "User Manager for Domains". Policy changes modify information in the registry subtrees HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.

Account Policies

These policies are set using the "User Manager for Domains". Only a local administrator within the domain can set policies. NT Server adds one account policy to the User Manager beyond those in NT Workstation (NTWS):

  • Enforcement of logon hours - Adds a checkbox called "Forcibly disconnect remote users from server when logon hours expire".

Account policies are domain wide. Therefore, when one domain trusts another, items such as password length must work for both domains.

User Rights

These rights are set using the "User Manager". The two types of user rights are "basic" and "advanced". NT Server adds the following user rights beyond NTWS:

  • Add workstations to domain - Administrators, Account Operators
  • Force shutdown from a remote system - Administrators, Server Operators
  • Manage security log and auditing - Administrators

To see advanced user rights, check the "Show Advanced User Rights" checkbox.

Audit Policy

These policies are set using the "User Manager". Success or failure of the following events may be logged:

  • Logon and logoff
  • File and object access
  • Use of user rights
  • User and group management
  • Security policy changes
  • System shutdown and restart
  • Process Tracking

System Policies

System policies are new with NT Server version 4.0. These policies are created using the "System Policy Editor" and apply to the whole domain:

  • Banners and other logon security features
  • Programs run at startup
  • File system features
  • Local user restrictions
  • Hidden share creation
  • Print settings and priorities
  • RAS settings
  • Restricting ability to edit the registry

Policy settings may be applied to any computer, user, or global group on the domain from the System Policy Editor.

  • Computer - HKEY_LOCAL_MACHINE registry portion is modified. Policies apply to a specific computer.
  • Default computer - HKEY_LOCAL_MACHINE registry portion is modified. Settings are changed for all domain computers.
  • User - HKEY_CURRENT_USER registry portion is modified. Settings for one user are changed.
  • Group - Policies applied to groups. One group may have a higher profile priority than another, for the case when a user belongs to multiple groups. This is set using the "Options" menu with "Group Priority".
  • Default user - HKEY_CURRENT_USER registry portion is modified. Settings for any domain user that logs on from any computer are changed.

Policy settings are determined by precedence as listed above. For example, user settings override group and default user policies. Group policies override default user policies. System (computer) policies override user and group policies. A specific computer policy overrides the default system policy. Group policy priority (when a user is in multiple groups) is specified in the System Policy Editor.

Policy changes may be made to a policy file rather than the registry. The following policy files are used for the following systems:

  • NTCONFIG.POL - For Windows NT
  • CONFIG.POL - For Windows 95

The policy must be saved in the \WINNT_ROOT\NETLOGON directory of the authenticating domain controller in order to take effect. The \WINNT_ROOT\NETLOGON\ directory points to \WINNT_ROOT\SYSTEM32\REPL\IMPORT\SCRIPTS by default. These profile settings will override settings made in User Manager. The following policy template files exist:

  • COMMON.ADM - For Windows 95 and Windows NT
  • WINNT.ADM - For Windows NT
  • WINDOWS.ADM - For Windows 95

Policy Storage

Policies are stored in the registry, so deleting the system policy file does not remove the policy. Any undesired policies must be removed the same way they were set. When setting policies, the checkbox states have the following meanings:

  • Blank - Policy is set to its default value.
  • Checked - A policy is enforced.
  • Grey - Whatever is currently in the registry applies. No policy is enforced.
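
The precedence order and the registry storage behavior described above, modeled as an added example; it is not part of the original page and is not Windows NT code. The setting labels and the machine, user and group names are constructed, and ranking a default computer entry above user entries is an assumption taken from the ordering the page states.

```python
# Added illustration, not Windows NT code: a model of the precedence and
# storage rules as this page states them. All names and data are constructed.
CHECKED, BLANK, GREY = "checked", "blank", "grey"

# Constructed sample policy file; setting labels are descriptive, not registry names.
SAMPLE_POLICY = {
    "computers": {"WS01": {"logon_banner": CHECKED}},
    "default_computer": {"logon_banner": BLANK, "hidden_shares": CHECKED},
    "users": {"alice": {"restrict_registry_editing": BLANK}},
    "groups": {"Staff": {"restrict_registry_editing": CHECKED, "startup_programs": GREY},
               "Helpdesk": {"startup_programs": CHECKED}},
    "group_priority": ["Helpdesk", "Staff"],  # highest priority first
    "default_user": {"restrict_registry_editing": CHECKED, "startup_programs": BLANK},
}
DEFAULTS = dict.fromkeys(
    ["logon_banner", "hidden_shares", "restrict_registry_editing", "startup_programs"], False)

def precedence_chain(policy, computer, user, groups):
    """Entries from highest to lowest precedence, in the order the page gives:
    specific computer, default computer, user, groups by priority, default user."""
    chain = [("computer:" + computer, policy.get("computers", {}).get(computer)),
             ("default computer", policy.get("default_computer")),
             ("user:" + user, policy.get("users", {}).get(user))]
    chain += [("group:" + g, policy.get("groups", {}).get(g))
              for g in policy.get("group_priority", []) if g in groups]
    chain.append(("default user", policy.get("default_user")))
    return [(source, entry) for source, entry in chain if entry]

def resolve(policy, computer, user, groups):
    """Return {setting: (state, source)}; grey boxes never decide a setting."""
    decided = {}
    for source, entry in precedence_chain(policy, computer, user, groups):
        for setting, state in entry.items():
            if state != GREY:
                decided.setdefault(setting, (state, source))
    return decided

def apply_at_logon(registry, policy, computer, user, groups):
    """Write resolved settings into a registry model (a dict) and return it.
    policy=None models a deleted policy file: nothing is written or undone."""
    if policy is not None:
        for setting, (state, _) in resolve(policy, computer, user, groups).items():
            registry[setting] = True if state == CHECKED else DEFAULTS[setting]
    return registry
```

Calling `apply_at_logon` with `None` after a policy has been applied leaves the enforced value in place; only a later policy with the box left blank returns the setting to its default.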