Windows NT Policies
Four types of policies are:
- User Right
Policies are selected using the "Policies" button in "User Manager for Domains". Policy changes modify information in the registry subtrees HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.
These policies are set using the "User Manager for Domains". Only a local administrator within the domain can set policies. NT Server adds one type of account policy to the User Manager beyond NTWS which is:
- Enforcement of Logon hours - Allows a checkbox called "Forcibly disconnect remote users from server when logon hours expire".
Account policies are domain wide. Therefore, when one domain trusts another, items such as password length must work for both domains.
These rights are set using the "User Manager". Two types of user rights are "basic" and "advanced". Additional NT server user rights beyond NTWS:
- Add workstations to domain - Administrators, Account Operators
- Force shutdown from a remote system - Administrators, Server Operators
- Manage security log and auditing - Administrators
To see advanced user rights, check the "Show Advanced User Rights" checkbox.
These policies are set using the "User Manager". Success or failure of the following events may be logged:
- Logon and logoff
- File and object access
- Use of user rights
- User and group management
- Security policy changes
- System shutdown and restart
- Process Tracking
System policies are new with NT Server version 4.0. These policies can be made using the "System Policy Editor" and they apply to the whole domain:
- Banners and other logon security features
- Programs run at startup
- File system features
- Local user restrictions
- Hidden share creation
- Print settings and priorities
- RAS settings
- Restricting ability to edit the registry
Policy settings may be applied to any computer, user, or global group on the domain from the System Policy Editor.
- Computer - HKEY_LOCAL_MACHINE registry portion is modified. Policies apply to a specific computer.
- Default computer - HKEY_LOCAL_MACHINE registry portion is modified. Settings for all domain computers are changed.
- User - HKEY_CURRENT_USER registry portion is modified. Settings for one user are changed.
- Group - Policies applied to groups. One group may have a higher profile priority than another, for the case when a user belongs to multiple groups. This is set using the "Options" menu with "Group Priority".
- Default user - HKEY_CURRENT_USER registry portion is modified. Settings for any domain user that logs on from any computer are changed.
Policy settings are determined by precedence as listed above. For example, user settings override all group and default user policies. Group policies override default user policies. System (computer) policies override user and group policies. A specific computer policy overrides the default system policy. Group policy priority (when a user is in multiple groups) is specified in the System Policy Editor.
Policy changes may be made to a policy file rather than the registry. The following policy files are used for the following systems:
- NTCONFIG.POL - For NT
- CONFIG.POL - Windows 95
The policy must be saved in the \WINNT_ROOT\NETLOGON directory of the authenticating domain controller in order to take effect. The \WINNT_ROOT\NETLOGON\ directory points to \WINNT_ROOT\SYSTEM32\REPL\IMPORT\SCRIPTS by default. These profile settings will override settings made in user manager. The following policy template files exist:
- COMMON.ADM - For Windows 95 and Windows NT
- WINNT.ADM - For Windows NT.
- WINDOWS.ADM - For Windows 95.
Policies are stored in the registry, so deleting the system policy file does not remove the policy. Any undesired policies must be removed the same way they were set. When setting policies, the following checkbox states apply:
- Blank - Policy is set to its default value.
- Checked - A policy is enforced.
- Grey - Whatever is currently in the registry applies. No policy is enforced.
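
The precedence order and the three checkbox states described above can be checked against a small model. The Python below is an added example, not code from Windows or from this page; the setting, group, user and computer names are constructed, and it resolves the user-side (HKEY_CURRENT_USER) and computer-side (HKEY_LOCAL_MACHINE) settings separately.

```python
# Added illustration of the precedence and checkbox rules described on this page.
# It is a model, not Windows code, and does not parse a real NTCONFIG.POL file.
CHECKED, BLANK, GREY = "checked", "blank", "grey"

def apply_layer(registry, defaults, layer):
    """Apply one policy layer {setting: (state, value)} to a registry dict."""
    for name, (state, value) in layer.items():
        if state == CHECKED:      # policy is enforced
            registry[name] = value
        elif state == BLANK:      # policy is set to its default value
            registry[name] = defaults[name]
        # GREY: whatever is currently in the registry applies
    return registry

def effective_user_policy(registry, defaults, policy, user, groups):
    """HKEY_CURRENT_USER side: default user, then groups, then the specific user."""
    result = dict(registry)
    apply_layer(result, defaults, policy.get("default_user", {}))
    # "group_priority" lists the highest-priority group first; apply it last so it wins.
    member = [g for g in policy.get("group_priority", []) if g in groups]
    for group in reversed(member):
        apply_layer(result, defaults, policy.get("groups", {}).get(group, {}))
    apply_layer(result, defaults, policy.get("users", {}).get(user, {}))
    return result

def effective_computer_policy(registry, defaults, policy, computer):
    """HKEY_LOCAL_MACHINE side: default computer, then the specific computer."""
    result = dict(registry)
    apply_layer(result, defaults, policy.get("default_computer", {}))
    apply_layer(result, defaults, policy.get("computers", {}).get(computer, {}))
    return result

# Constructed sample data; setting, group, user and computer names are hypothetical.
DEFAULTS = {"restrict_registry_editing": False, "hide_run_command": False,
            "logon_banner": ""}
POLICY = {
    "default_user": {"restrict_registry_editing": (CHECKED, True),
                     "hide_run_command": (CHECKED, True)},
    "group_priority": ["Helpdesk", "Staff"],
    "groups": {"Staff": {"restrict_registry_editing": (CHECKED, True)},
               "Helpdesk": {"restrict_registry_editing": (BLANK, None)}},
    "users": {"alice": {"hide_run_command": (BLANK, None),
                        "restrict_registry_editing": (GREY, None)}},
    "default_computer": {"logon_banner": (CHECKED, "Authorized use only")},
    "computers": {"KIOSK1": {"logon_banner": (GREY, None)}},
}

if __name__ == "__main__":
    print(effective_user_policy(dict(DEFAULTS), DEFAULTS, POLICY, "alice", {"Staff", "Helpdesk"}))
    print(effective_computer_policy(dict(DEFAULTS), DEFAULTS, POLICY, "KIOSK1"))
```

Reviewing a policy this way shows where a grey entry silently inherits a lower-precedence value and where a blank entry in a high-priority group lifts a restriction that the default user policy enforces.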