.adm Files and the Headaches They Can Cause
See what happens when a company uses System Policy Editor and remote administrators make changes to the Windows NT config.pol file using different .adm files than the ones set up at the home office.
October 4, 1999
[Editor's Note: Do you have something to share with other Windows NT Magazine readers? We want to know about it. Write for Reader to Reader online, and you can tell others about your NT discoveries, comments, problems, solutions, and experiences. Email your contributions (700 words or less) to [email protected] along with your name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]
Within my company, we like to restrict users' access. We rely on Windows NT's System Policy Editor to prevent employees from doing anything other than what they're supposed to be doing. You can find one of our favorite settings, Only run allowed Windows applications, under the system restrictions. Using this setting, we have created a list of 50 or so applications that users can run. This tool is great for preventing users from running games, screensavers, and other items that they're constantly smuggling in. If they try to run a program that we don’t condone, they get a message that reads "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
Problems arose, however, when administrators at our company's other centers made changes to the NT config.pol file using different .adm files than the ones we set up for our location. As soon as they’d save their changes, all the items in the allowed Windows applications list would mysteriously disappear. Not too long afterwards, we would get a call from Operations Support that everyone logging on was getting the message "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator," regardless of which icon they clicked. The message would appear even before the users had the chance to select any icons because they were no longer permitted to launch the applications in their startup folders.
Determining why the list of allowed Windows applications was disappearing took a while, and we retyped this list enough times to commit it to memory before finally sending an urgent email to all our systems administrators to use only the specified .adm files on the NT config.pol file. Now we're all on the same page, and we only run into problems when a new administrator makes some nifty little change without notifying the rest of us. Fortunately, our IT members and users have seen that error message enough times to know immediately what it means. I wish we could just cut and paste the list back in; however, that's not an option and we’ve all had to improve our typing speed so as to get the list back in as perspicaciously as possible.
—Pat Bissell