How to Edit NT 4.0-System Policies

Create computer, user, and group policies with the System Policy Editor, and customize a policy template.

Robert Slifka

January 31, 1997



Windows NT 4.0 has borrowed more from Windows 95 than just the user interface. Win95's system policies and System Policy Editor (SPE) are also in the latest release of NT. System policies are restrictions an administrator can place on a computer, user, or global group. These restrictions control user- and machine-specific settings on NT Server and Workstation. System policies are a compilation of NT Registry keys and their values, and the system doles the policies out at logon to whomever you specify.

You modify system policies via the SPE, an NT application that lets you maintain existing policies and create new ones. The policy settings are in the Registry of the affected machine. Template files (which come into consideration when you create policies at the Server) are a plain-text list of all possible policy settings and what each one does. This article demonstrates how to use the SPE to create and edit user, computer, and group policies and discusses how to customize the NT 4.0 policy template files to give you a feel for creating your own policy templates.

Three Types of Policies
Each of the three types of system policies controls a different aspect of the computing environment. Computer policies are restrictions specific to a particular system; they control settings such as whether to create the administrative drive shares, the ability to shut down the system from the Authentication dialog box, and whether to create DOS 8.3 filenames for long filenames. User policies apply to a particular username; examples of such policies include removing common groups from the Start menu, selecting which desktop wallpaper to use, and restricting application use by filename. Group policies are simply user policies applied to a global group (i.e., a set of user policies applies to all members of a group). You can set group priority so that groups with the highest priority are processed last, their settings overwriting those of groups with a lower priority. Group policies are probably the most efficient way to administer policies on a medium-to-large-sized network: With groups, you're managing the settings in one group policy instead of hundreds or thousands of user policies (a moderately complex SPE policy can contain about 100 settings).

NT 4.0 provides Default Computer and Default User policies, which NT applies to computers or users that haven't already been assigned a policy (there is no Default Group policy). You don't have to use the Default Computer/User policies, but later, I'll give you a good reason to.

Using the System Policy Editor
You access the SPE under Windows NT Server by clicking Start, then Programs, and then Administrative Tools. (Anyone can access the SPE; no special permission is required.) After the SPE starts, a blank SPE screen appears.

To create a new policy file, at the SPE screen click File and then New Policy. As Screen 1 shows, this action creates an untitled policy file containing Default User and Default Computer policies. You define the properties of the new policy file: Double-click the Default User or Default Computer icon to see a list of policy properties, as shown in Screens 2a and 2b, respectively.

To enable a setting, click the check-box next to the setting. The lower portion of the window will probably contain either information summarizing the option or an area where you must provide more information, such as the location of the background .bmp file to use. Clicking OK saves the new policy file. (You'll name the policy file later, after you change the settings you want.) To change an existing policy's settings, select it from the SPE screen's policy list, double-click it (or select the policy and click Edit and then Properties), and modify the settings as described above.

To create a computer, user, or group policy, select the appropriate Add option from the SPE screen's Edit menu. A dialog box prompts you for the name, or you can choose to Browse through a list of names to locate it. Browsing is usually faster than entering the name and is also a way to avoid mistakes such as typos and accidentally leaving out the domain prefix and the slash character if the computer, user, or group is in a different domain. To customize a policy for a computer, user, or system, double-click the policy of your choice and fill in the appropriate check boxes and blanks.

Note that check boxes have three states. All represent different actions an NT system will take when it downloads the policies from the NT Server system at logon. Originally, the boxes are gray. A click changes a box to checked, which enables the option (i.e., copies or overwrites the appropriate Registry entry); another click changes the box to empty (i.e., removes that option from the user's system and deletes the appropriate data contained in a Registry key); and one more click returns the box to gray, signaling NT will neither enable nor delete that option. If you don't want to implement a policy, leave its box gray so NT will ignore it while processing the policy file, thus accelerating processing (don't delete the setting from the template file; you can keep it available to use in another user's or computer's policy).

The SPE lets you assign priority to group policies through the Group Priority function, which can simplify administering policies in a domain that has multiple group policies and includes some users in more than one group. For example, say your domain includes a Domain Users group policy that all users are part of and a Development group policy, which includes only a few users. The Development users all want the same background wallpaper, yet all your non-Development Domain Users require the company logo as their wallpaper. To solve this problem, at the SPE main screen, select Options and then Group Priority. Next, simply move the Development group above the Domain Users group to give Development's policies a higher priority. Click OK. When policies are downloaded at logon, the Development group's policy will be downloaded after the Domain Users policy and the Development settings will overwrite those of all lower priorities, including Domain Users.
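
The three check-box states and the group-priority ordering described above can be modeled in a few lines. This is an added example, not code from the original article or from NT: the setting names, file names, and registry contents are constructed for illustration, and it models group policies only (no individual user or Default User policy).

```python
from enum import Enum

class Box(Enum):
    CHECKED = 1  # write the value into the Registry
    EMPTY = 2    # delete the value from the Registry
    GRAY = 3     # skip: leave whatever is there

def apply_policy(registry, policy):
    """Apply one policy {setting: (Box, value)} to a registry dict in place."""
    for setting, (box, value) in policy.items():
        if box is Box.CHECKED:
            registry[setting] = value
        elif box is Box.EMPTY:
            registry.pop(setting, None)
        # Box.GRAY: neither enabled nor deleted

def effective_settings(registry, group_policies, priority, member_of):
    """priority lists groups highest first (top of the Group Priority list).
    Processing runs lowest to highest so the highest priority is applied last."""
    result = dict(registry)
    for group in reversed(priority):
        if group in member_of and group in group_policies:
            apply_policy(result, group_policies[group])
    return result

# Constructed sample data; setting names are illustrative labels.
GROUP_POLICIES = {
    "Domain Users": {
        "Wallpaper": (Box.CHECKED, "logo.bmp"),
        "HideCommonGroups": (Box.CHECKED, 1),
        "RestrictRun": (Box.GRAY, None),
    },
    "Development": {
        "Wallpaper": (Box.CHECKED, "dev.bmp"),
        "HideCommonGroups": (Box.GRAY, None),
        "RestrictRun": (Box.EMPTY, None),
    },
}
PRIORITY = ["Development", "Domain Users"]  # Development moved above Domain Users
LOCAL_REGISTRY = {"RestrictRun": 1}         # state left on the machine before logon

def demo():
    dev = effective_settings(LOCAL_REGISTRY, GROUP_POLICIES, PRIORITY,
                             {"Domain Users", "Development"})
    other = effective_settings(LOCAL_REGISTRY, GROUP_POLICIES, PRIORITY, {"Domain Users"})
    return dev, other

if __name__ == "__main__":
    for name, settings in zip(("developer", "other user"), demo()):
        print(name, settings)
```

In this model the non-Development user keeps the pre-existing RestrictRun value because Domain Users leaves that box gray: a gray box does not revert a setting that an earlier policy or manual edit left behind, only an empty box removes it.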

Once you finish configuring your policies, click File, then Save As. You must save the file as ntconfig.pol (the file that contains the policies for all computers, users, and groups you've specified in the system's SPE) or NT will not process system policies. Also, make sure to save ntconfig.pol wherever the NETLOGON share of the Primary Domain Controller points--most likely in your %windowsroot%\system32\repl\import\scripts directory (you must manually save ntconfig.pol to the correct directory; NT doesn't automatically save it for you). New policies will take effect on users' systems the next time they log on (when the policies are downloaded).

As an NT administrator, you'll probably want to define your computer and user policies rather than use the defaults. However, a user can inadvertently, or perhaps purposely, avoid machine policies by roving from one machine to another. If this situation is a problem at your site, you probably need a Default Computer policy in place to prevent users from evading policies.
