A how-to guide
System policies in the Windows operating system (OS) environment (Windows NT, Windows 98, and Win95) perform the same function as policies in an employee manual. System policies prevent users from performing actions that they would otherwise be free to perform.
Administrators can use system policies to prevent unauthorized users from running a Registry editor. That way, administrators don't encounter the situation in which they try to resurrect crashed machines while employees stand by, vowing that they did nothing to cause the crash. In the Registry, adding one wrong value or deleting one good value can cause hours of work for administrators. (To find out why using system policies is better than locking the Registry, see the sidebar "Why Policies?" page 198.)
Much has been written about how to create and implement system policies for users who work within the confines of a company's buildings, so I will not tread on ground already covered. (For a list of articles and books written about this subject, see "System Policies Related Reading," page 199.) But what about creating and implementing system policies for remote users, such as salespeople and executives who use laptops on the road? You cannot force these users to connect to the server and read the policy on every boot. As a result, remote users typically have full access to all network resources, can edit their Registry, delete printer settings, and perform other actions that might reduce productivity and increase support time for administrators.
Because you cannot force remote users to connect to a server each time they boot, an alternative is to place the system policies on a local drive. Whether your mobile workforce uses NT Workstation or Win95, the steps are similar. First you create the local restrictions, and then you create the policy.
Creating Local Restrictions
Configuring the system for local policy placement requires a Registry modification. You can make this modification using regedit or System Policy Editor (SPE).
Regedit. To modify the Registry using regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update. Create or modify two values: UpdateMode and NetworkPath.
The possible DWORD values for UpdateMode are 0, 1, and 2. A value of 0 means that you are not using system policies (i.e., you have not selected the Remote Update check box). A value of 1 means that you are placing the system policies on the server (i.e., automatic mode). A value of 2 means that you are placing the system policies on a location other than the server (i.e., manual mode). Set the DWORD value of UpdateMode to 00000002.
Because you specified that the system policies will be at a location other than the server, you need to specify where you are placing those policies and the name of the file containing them. The default filename is config.pol or ntconfig.pol. However, if you have remote users who like to tinker or read computer books, they might quickly figure out that config.pol or ntconfig.pol contains the system policies. They might search their system, find the file, and "accidentally" delete it so they aren't required to follow system policies. In such a case, you can give the file another name (no naming restrictions exist) such as wipedisk.abc and place it in an obscure directory. Renaming and hiding the file will not affect NT's operation; both SPE and the OS will be able to read it.
After you decide on the filename and location for the system policies, you must specify this information in NetworkPath. For example, if you decide to use the default filename of config.pol and want to place it on the C drive, you set the string value of NetworkPath to c:\config.pol.
SPE. To modify the Registry using SPE (poledit.exe), select Open Registry from the File menu. Select Local Computer, Network, and Update. Select the Remote Update check box, as Screen 1 shows. Select Manual (use specific path) from the Update Mode list, and type
c:\config.pol
as the path. Save your changes, and exit SPE.
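Whichever tool you use, the result is the same two values under the Update key. The following added example (not part of the original article) checks a regedit export of that key before a laptop leaves the building. It assumes a REGEDIT4-format export containing only dword and string entries; the sample exports and the function names are constructed for illustration.

```python
import re

# Key and value names come from the article; the sample exports are constructed.
UPDATE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update"
MODES = {0: "0 (policies off)", 1: "1 (automatic, server)", 2: "2 (manual)"}

GOOD_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="c:\\config.pol"
'''

BAD_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000001
'''

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {KEY: {value_name: value}} (dword and string only)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg files escape backslashes and quotes inside string data
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def audit_local_policy(text):
    """Return findings; an empty list means manual mode with a drive-letter path."""
    values = parse_reg_export(text).get(UPDATE_KEY.upper(), {})
    mode, path = values.get("updatemode"), values.get("networkpath", "")
    findings = []
    if mode != 2:
        findings.append("UpdateMode is %s, expected 2" % MODES.get(mode, "unset or unknown"))
    if not path:
        findings.append("NetworkPath is missing or empty")
    elif not re.match(r"^[A-Za-z]:\\", path):
        findings.append("NetworkPath %r does not start with a drive letter" % path)
    return findings
```

Calling audit_local_policy on the export of a correctly configured machine returns an empty list; any returned string names the value that still needs fixing.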