How can I implement locally based system policies?

John Savill

March 4, 1999


A. Normally system policies are implemented on domain controllers to be used on an entire domain; however, Microsoft does provide support for local system-based policies.

There are two approaches possible:

Automatic Update Method

  1. Share the %systemroot%\System32\Repl\Import\Scripts folder (e.g. d:\winnt\system32\repl\import\scripts) as Netlogon.

  2. Grant the group Everyone "Read" permissions and the group Administrators "Full Control" to this share.

  3. Start System Policy Editor (Poledit.exe).

  4. On the File menu, click New Policy and make the changes for your policy.

  5. On the File menu, click Save As, and then save the policy file in the Netlogon shared folder as Ntconfig.pol.

  6. On the File menu, click Open Registry.

  7. Double-click Local Computer, double-click Network, double-click System Policies Update, and then click the Remote Update check box to select it.

  8. In the Update Mode box, click Automatic (Use Default Path), and then click OK. This has the effect of looking for policy updates from the Netlogon share of the authenticating controller/machine automatically.

  9. Save your policy to the location listed above as Ntconfig.pol, and then quit Policy Editor.

  10. Restart Windows NT for the changes in the policy to take effect.

This configuration allows you to use both a local and a domain-wide system policy, depending on which user account database the user logs on to. This is the normal method domains use: when you log on to a domain, the computer looks for policies in the Netlogon share of the domain controller validating the logon.

Remote Update Method

  1. Start System Policy Editor (Poledit.exe) and make the changes for your policy.

  2. On the File menu, click Save As, and then save the policy file on your hard disk. For example, save the file as: c:\ntconfig.pol

  3. On the File menu, click Open Registry.

  4. Double-click Local Computer, double-click Network, double-click System Policies Update, and then click the Remote Update check box to select it.

  5. In the Update Mode box, click Manual (Use Specific Path), type a path name in the Path for Manual Update dialog box (for example, d:\winnt\system32\repl\import\scripts\Ntconfig.pol), and then click OK. Note that to display error messages if the policy file is not found when Windows NT starts, you can click the Display Error Message check box to select it.

  6. Save your policy to the location listed above as Ntconfig.pol, and then quit Policy Editor. Note that while using the Manual Update, you may name the policy file anything you would like; just be sure to enter it into the path in step 5 above.

  7. Restart Windows NT for the changes in the policy to take effect.

With this method the location of the policy file is given, so the Netlogon share is not required. I would recommend the first method 9 times out of 10.
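
To confirm which of the two methods a machine actually ended up with, the following added example (not part of the original article) parses a REGEDIT4 export and reports the update mode and policy file location. It assumes the Remote Update settings are stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update as UpdateMode, NetworkPath and Verbose; the function names are hypothetical and the export text is constructed sample data.

```python
import re

# Assumption: System Policy Editor's Remote Update settings are stored under this key
# as UpdateMode (0 = off, 1 = automatic, 2 = manual), NetworkPath and Verbose.
UPDATE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update"
MODES = {0: "off", 1: "automatic", 2: "manual"}

# Constructed sample: export of a machine configured with the Remote Update Method.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="d:\\winnt\\system32\\repl\\import\\scripts\\Ntconfig.pol"
"Verbose"=dword:00000001
'''

def parse_update_key(export_text):
    """Return the values found under the Update key of a REGEDIT4 export."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == UPDATE_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if in_key and m:
            name, _, dword, text = m.groups()
            # DWORDs become ints; strings have their doubled backslashes undone.
            values[name] = int(dword, 16) if dword is not None else text.replace("\\\\", "\\")
    return values

def policy_source(values):
    """Return (mode, policy file source, findings) for the parsed Update key."""
    mode = MODES.get(values.get("UpdateMode"), "unknown")
    findings = []
    if mode == "automatic":
        source = "Ntconfig.pol in the Netlogon share of the validating machine"
    elif mode == "manual":
        source = values.get("NetworkPath", "")
        if not source:
            findings.append("manual mode with no path set: no policy file can be found")
        if not values.get("Verbose"):
            findings.append("Display Error Message is off: a missing file goes unreported")
    else:
        source = None
        findings.append("remote update is %s: no policy file location is configured" % mode)
    return mode, source, findings
```

Running `policy_source(parse_update_key(SAMPLE_EXPORT))` on exports collected from several machines shows at a glance which ones read policy from a fixed local path rather than from the Netlogon share.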
