Windows NT System Policies
System policies are new with NT Server version 4.0. These policies can be made using the "System Policy Editor" and they apply to the whole domain:
- Banners and other logon security features
- Programs run at startup
- File system features
- Local user restrictions
- Hidden share creation
- Print settings and priorities
- RAS settings
- Restricting ability to edit the registry
Policy settings may be applied to any computer or user on the domain from the System Policy Editor.
- Computer - HKEY_LOCAL_MACHINE registry portion is modified. Policies apply to a specific computer.
- Default computer - HKEY_LOCAL_MACHINE registry portion is modified. Settings are changed for all domain computers.
- User - HKEY_CURRENT_USER registry portion is modified. Settings for one user are changed.
- Group - Policies applied to groups. One group may have a higher profile priority than another, for the case when a user belongs to multiple groups. This is set using the "Options" menu with "Group Priority".
- Default user - HKEY_CURRENT_USER registry portion is modified. Settings for any domain user that logs on from any computer are changed.
Policy settings are determined by precedence as listed above. For example, user settings override all group and Default user policies. Group policies override Default user policies. System (computer) policies override user and group policies. A specific computer policy overrides the default system policy. Group policy priority may be specified from the System Policy Editor when a user is a member of multiple groups. User and group policy options:
- Control Panel - Display settings are specified.
- Desktop - Wallpaper and color schemes.
- Shell - Configures restrictions including hiding items and "Don't Save Settings on Exit".
- System - Can disable applications and registry editing tools.
- Windows NT Shell - Specify a custom folder and shell restrictions.
- Windows NT System - How to run login scripts and whether to parse AUTOEXEC.BAT.
System policy options:
- Network - Whether remote updates can be received manually or automatically.
- System - Sets up SNMP configuration and specifies startup programs to run.
- Windows NT Network - Whether hidden drive shares may be made on NT workstation or server.
- Windows NT Printer - Scheduler priorities, disable print browsing, or beep for errors.
- Windows NT Remote Access - RAS option configuration.
- Windows NT Shell - Configuration of custom shared program folders, startup folder, start menu, and desktop icons.
- Windows NT System - Sets filesystem policies, logon banners and whether last user is displayed at the logon screen.
- Windows NT User Profiles - Specify automatic detection of slow connections and set up dialog box timeouts.
Policy changes may be made to a policy file rather than the registry. The following policy files are used for the following systems:
- NTCONFIG.POL - For NT
- CONFIG.POL - Windows 95
The policy must be saved in the \WINNT_ROOT\NETLOGON directory of the authenticating domain controller in order to take effect. The \WINNT_ROOT\NETLOGON\ directory points to \WINNT_ROOT\SYSTEM32\REPL\IMPORT\SCRIPTS by default. These profile settings will override settings made in User Manager. The following policy template files exist:
- COMMON.ADM - For Windows 95 and Windows NT
- WINNT.ADM - For Windows NT.
- WINDOWS.ADM - For Windows 95.
Policies are stored in the registry, so deleting the system policy file does not remove the policy. Any undesired policy must be removed the same way it was set. When setting policies, the following check box states apply:
- Blank - Policy is set to its default value.
- Checked - A policy is enforced.
- Grey - Whatever is currently in the registry applies. No policy is enforced.
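The three box states and the user and group precedence described earlier can be modelled in a few lines. This is an added example, not part of the original page: the setting names, default values and sample policy are constructed, and it assumes a user entry replaces group and Default user entries rather than merging with them.

```python
# Added model of the rules above; setting names, defaults and data are constructed.
CHECKED, BLANK, GREY = "checked", "blank", "grey"
DEFAULTS = {"registry_tools_disabled": 0, "save_settings_disabled": 0}

def apply_entry(registry, entry):
    """Apply one policy entry (setting -> box state) to a registry dict."""
    for setting, state in entry.items():
        if state == CHECKED:
            registry[setting] = 1                  # policy enforced
        elif state == BLANK:
            registry[setting] = DEFAULTS[setting]  # written back to its default
        # GREY writes nothing, so the value already in the registry stays
    return registry

def logon(registry, policy_file, user, groups):
    """Apply the user side of a policy file; None means the file was deleted."""
    if policy_file is None:
        return registry              # nothing is written and nothing is undone
    if user in policy_file["users"]:
        # Assumption: a user entry replaces group and Default user entries
        return apply_entry(registry, policy_file["users"][user])
    apply_entry(registry, policy_file["default_user"])
    # group_priority lists the highest priority first; apply it last so it wins
    for group in reversed(policy_file["group_priority"]):
        if group in groups:
            apply_entry(registry, policy_file["groups"][group])
    return registry

POLICY = {  # constructed sample standing in for NTCONFIG.POL
    "default_user": {"registry_tools_disabled": CHECKED, "save_settings_disabled": GREY},
    "groups": {
        "Staff": {"registry_tools_disabled": GREY, "save_settings_disabled": CHECKED},
        "Helpdesk": {"registry_tools_disabled": BLANK, "save_settings_disabled": GREY},
    },
    "group_priority": ["Helpdesk", "Staff"],
    "users": {},
}
# The same policy with every box cleared, which is how the settings are removed
CLEARED = dict(POLICY, groups={}, group_priority=[],
               default_user={name: BLANK for name in DEFAULTS})

def demo():
    both = logon({}, POLICY, "alice", {"Staff", "Helpdesk"})
    staff = logon({}, POLICY, "bob", {"Staff"})
    after_delete = logon(dict(staff), None, "bob", {"Staff"})
    after_clear = logon(dict(staff), CLEARED, "bob", {"Staff"})
    return both, staff, after_delete, after_clear

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result shows the restriction surviving deletion of the policy file; only the fourth, where the boxes are cleared and the policy applied again, returns the values to their defaults.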