April 1997

Further Explorations of the NT System Policy Editor

Installation and Configuration Tips and Some New Tricks

In his February article, "How to Edit NT 4.0 System Policies," Robert Slifka introduced the Windows NT 4.0 System Policy Editor (SPE) application and some of the ways you can use it to secure an NT network. He included information about the use and customization of policy template files (.adm files). This month, I expand on this topic, and present some other features and potential applications of this handy utility.

If you've ever administered a group of NT workstations on a network, you know the difficulty of maintaining a uniform configuration for all your computers. This problem is especially nasty in organizations that have corporate or MIS policies that mandate certain aspects of the user's environment, such as what programs users can access, what control they have over their machine, and the appearance of their desktop. Ever tried to make a custom Registry change or set the background wallpaper on 500 (or even 50) NT workstations? If so, you'll appreciate the problem and solution I describe here.

A Quick Review
NT stores all its configuration settings in the NT Registry database. You can view and modify these settings with one of the NT Registry editors (regedt32.exe or regedit.exe). When you examine the Registry, you see machine-related information in a branch of the Registry called the HKEY_LOCAL_MACHINE subtree. In addition, you see information related to the currently logged-in user. This information appears in the HKEY_CURRENT_USER subtree (for information about the NT Registry subtrees and tips on editing the Registry, see Christa Anderson, "Care and Feeding of the Registry," December 1996).

The HKEY_CURRENT_USER subtree also goes by another name: the current user's user profile. A user profile contains a variety of information about the user's desktop environment, such as Control Panel applet settings, network printer connections, Win32 application settings, and environment variables. ntuser.dat, the file that contains the user profile (the file from which the HKEY_CURRENT_USER Registry subtree is generated), is typically in the user's subdirectory under the user profiles directory on the local machine (e.g., c:\winnt\profiles\sean). The system can store the user profile on a network server if the administrator configured the user's account to use a server-based (e.g., mandatory or roaming) profile. The HKEY_LOCAL_MACHINE subtree, in contrast, contains settings related to user logon, network access, and other system-related settings.

That information is fine, but what does this review have to do with SPE? Well, imagine creating a template, or mask, that the system automatically applies to an NT workstation's Registry each time a user logs on, so that all the restrictions that apply to both the machine and that particular user automatically take effect when the user logs in. Furthermore, imagine that this template is user- and group-specific, so that the restrictions taking effect depend on the user's logon name and group memberships. Well, SPE does just that.

How SPE Works
You probably know that SPE manages two distinct types of policies: the system policy for users and the system policy for computers. Together, these two entries restrict a user's access to the computer.

When users sitting at NT 4.0 computers log on to their domain with their domain user account, NT automatically merges the system policy for users portion of ntconfig.pol (the required name for an NT system policy file) with the user's profile (ntuser.dat), replacing any settings in ntuser.dat that don't match those found in ntconfig.pol. In addition, NT adds any machine-related settings defined in the system policy for computers to the HKEY_LOCAL_MACHINE portion of the Registry. The net effect? You get customized Registry settings for every NT computer and user in the domain, with all the appropriate restrictions in place.

First Things First: Installing SPE
The February article demonstrated how to start the SPE application, but this capability assumes that SPE is already installed on your system. In case it isn't (which is likely because NT doesn't install it by default), here's how to get SPE on your system. The utility ships only with the NT Server 4.0 CD-ROM and not with the NT Workstation version (presumably because SPE is an administrative-level tool). However, from the NT Server CD-ROM, you can install SPE on either an NT Server or NT Workstation 4.0 system.

To install SPE (which is part of a group of NT Server client-based administration tools), run the setup.bat file in the NT Server CD-ROM's \clients\svrtools\winnt directory. This batch file automatically detects your computer's processor type and installs the files SPE requires and several other NT Server administration tools. After installation, you must manually create shortcuts to the application poledit.exe, now in the \winnt\system32 subdirectory on your hard disk (neither the 3.51 nor 4.0 version automatically creates a program group and icons for these utilities; is this capability really too much to ask, Microsoft?).

Tips for Creating Your Organization's System Policy
Once you have SPE running and have created a system policy file, the next question is usually which SPE settings you should be concerned with. The entries available in the system policy for computers and system policy for users include a variety of Registry entries that serve different purposes. For example, some Registry values are useful for enhancing security, and others help maintain a more consistent desktop look and feel. Still others relate to areas such as performance and task automation.

Although you can manipulate different settings with the default common.adm and winnt.adm templates, several settings are particularly worthy of mention. Tables 1 and 2 summarize some of the more useful computer and user-related system policy entries, where they're located, and what area the entry corresponds to (e.g., security, performance, uniform desktop). Table 1 lists computer-related entries, and Table 2 lists user/group-related policy entries.

To set the policy for a particular Registry entry, navigate the policy tree by double-clicking the branch you want to expand (or click the + symbol at left to expand the branch's contents one level down). Once you've expanded a branch and located a value you want to change, you'll see a check box in one of three states: grayed, white, or checked.

A grayed check box means that no change is stipulated for this entry. A grayed box tells SPE to keep the setting that is already in effect for this item from other policies or the system default. A white box tells SPE to disable the item, and a checked box tells SPE to enable the item.

When you enable certain entries, SPE sometimes requests additional information related to the item at the bottom of the dialog box. For example, if you check the box next to the NT System\Logon\Logon Banner entry to enable it, you must also enter a window caption and banner text for the custom logon banner in the boxes below. Screens 1 and 2 show samples of editing the system policy for computers and users, respectively.
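The following Python is an added illustration of the merge described above; it is not code from the article or from Microsoft. It treats the three check-box states as data: a grayed entry writes nothing, a white entry writes the item's disabled data (or deletes the value), and a checked entry writes the enabled data together with whatever extra text the dialog asked for, then applies a small policy to a snapshot standing in for the Registry at logon. The Winlogon key and the LegalNoticeCaption/LegalNoticeText value names are the ones the NT logon banner really uses; the snapshot contents, wallpaper path, banner text, and the "disable deletes the value" behaviour are assumptions made for the example, and `BoxState`, `PolicyEntry` and `policy_diff` are this example's own names. `policy_diff` is the check an administrator wants before rolling a policy out: exactly which values a logon would change.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str]
# A Registry snapshot: (key path, value name) -> data. Stands in for the
# HKEY_LOCAL_MACHINE / HKEY_CURRENT_USER (ntuser.dat) settings at logon.
Registry = Dict[Tuple[str, str], RegValue]


class BoxState(Enum):
    """The three check-box states SPE shows for a policy entry."""
    GRAYED = "grayed"    # no change stipulated: keep what is already in effect
    WHITE = "white"      # disable the item
    CHECKED = "checked"  # enable the item


@dataclass
class PolicyEntry:
    key: str                              # Registry key the entry writes under
    state: BoxState
    on: Dict[str, RegValue]               # values written when CHECKED (incl. dialog text)
    off: Dict[str, Optional[RegValue]]    # values written when WHITE; None deletes the value


def apply_policy(registry: Registry, entries: List[PolicyEntry]) -> Registry:
    """Merge policy entries into a copy of the Registry snapshot.

    A policy setting replaces any non-matching value already present; a
    grayed entry writes nothing, so the existing value or system default
    stays in effect.
    """
    merged = dict(registry)
    for e in entries:
        if e.state is BoxState.GRAYED:
            continue
        writes = e.on if e.state is BoxState.CHECKED else e.off
        for name, data in writes.items():
            if data is None:
                merged.pop((e.key, name), None)
            else:
                merged[(e.key, name)] = data
    return merged


def policy_diff(before: Registry, after: Registry):
    """List (key, value name, old, new) for every value the policy changed."""
    changes = []
    for k in sorted(set(before) | set(after)):
        if before.get(k) != after.get(k):
            changes.append((k[0], k[1], before.get(k), after.get(k)))
    return changes


# Real key and value names used by the NT logon banner policy.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DESKTOP = r"HKEY_CURRENT_USER\Control Panel\Desktop"

# Constructed snapshot of the settings in effect before the policy is applied.
BEFORE: Registry = {
    (DESKTOP, "Wallpaper"): r"C:\WINNT\personal.bmp",
    (DESKTOP, "ScreenSaveActive"): "1",
}

# Constructed policy: the banner text, the wallpaper path and the
# "disable deletes the value" behaviour are this example's assumptions.
SAMPLE_POLICY = [
    # NT System\Logon\Logon Banner checked: caption and text were entered in the dialog.
    PolicyEntry(WINLOGON, BoxState.CHECKED,
                on={"LegalNoticeCaption": "Authorized use only",
                    "LegalNoticeText": "Use of this system is monitored."},
                off={"LegalNoticeCaption": None, "LegalNoticeText": None}),
    # Corporate wallpaper checked: replaces the user's own choice.
    PolicyEntry(DESKTOP, BoxState.CHECKED,
                on={"Wallpaper": r"\\server\policies\corp.bmp"},
                off={"Wallpaper": None}),
    # Screen saver left grayed: whatever the profile already holds stays.
    PolicyEntry(DESKTOP, BoxState.GRAYED,
                on={"ScreenSaveActive": "1"}, off={"ScreenSaveActive": "0"}),
]


def demo():
    """Apply the sample policy and return the result with its change list."""
    after = apply_policy(BEFORE, SAMPLE_POLICY)
    return after, policy_diff(BEFORE, after)


if __name__ == "__main__":
    after, changes = demo()
    for key, name, old, new in changes:
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

Running the script prints three changed values (the two banner strings and the wallpaper); the grayed screen-saver entry leaves the profile's own value in place, which is the behaviour to expect from any entry you leave grayed in SPE.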

Policy Precedence
What happens when more than one policy applies to a given user? That is to say, what if a user logs on to the domain, and the system policy file contains multiple user or group entries that apply to that user (for either computer or user policies)? In this situation, NT uses a policy evaluation process to determine the correct policies for that user.

The pecking order goes as follows: When an individual policy exists for a user, this policy is always used in preference to any group policies defined for groups that the user belongs to. If the user belongs to multiple groups and two or more of these groups have policies defined, NT uses the group priority order that the administrator defines to determine which group policy takes precedence.

In much the same way individual policies beat out group policies, group policies take precedence over a default policy if one is defined. A default policy is used when no other policy definitions exist for a particular user. If you have only a default computer or user policy defined, SPE will apply this policy to everyone, including the administrator. Therefore, if you don't want to limit the administrator's access to the machine, at least be sure to define a group policy that creates no restrictions for the Domain Admins global group.
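The precedence rules above, as an added Python model (not code from the article or from Microsoft): an individual policy wins outright, otherwise the highest-priority group among the user's groups that has a policy wins, otherwise the default policy applies. `SystemPolicyFile`, the entry names, and the sample users and groups are constructed for the example, and the handling of a group that has a policy but is missing from the priority order (ranked last) is an assumption. `unrestricted_admin_group_missing` is the check for the pitfall the article closes with: a default policy in place with no separate group policy for Domain Admins.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# One policy's settings: entry name -> data. Names here are illustrative
# labels for the example, not .adm keywords.
Settings = Dict[str, object]


@dataclass
class SystemPolicyFile:
    """The user/group half of an ntconfig.pol, as the article describes it."""
    user_policies: Dict[str, Settings] = field(default_factory=dict)   # logon name -> settings
    group_policies: Dict[str, Settings] = field(default_factory=dict)  # group name -> settings
    group_priority: List[str] = field(default_factory=list)            # admin-defined, highest first
    default_user: Optional[Settings] = None                            # default user policy, if any


def resolve_user_policy(pol: SystemPolicyFile, user: str,
                        groups: Sequence[str]) -> Tuple[str, Settings]:
    """Return (source, settings) for the policy NT would use for `user`."""
    # 1. An individual policy is always preferred over any group policy.
    if user in pol.user_policies:
        return "user:" + user, dict(pol.user_policies[user])

    # 2. Among the user's groups that have a policy, the administrator's
    #    priority order decides which one takes precedence. Groups with a
    #    policy but missing from the order are assumed to rank last, by name.
    ranked = list(pol.group_priority) + sorted(
        g for g in pol.group_policies if g not in pol.group_priority)
    for g in ranked:
        if g in groups and g in pol.group_policies:
            return "group:" + g, dict(pol.group_policies[g])

    # 3. The default policy applies only when no other definition exists.
    if pol.default_user is not None:
        return "default", dict(pol.default_user)
    return "none", {}


def unrestricted_admin_group_missing(pol: SystemPolicyFile,
                                     admin_group: str = "Domain Admins") -> bool:
    """Flag the pitfall the article warns about: with a default user policy
    in place and no group policy for Domain Admins, the default restrictions
    land on administrators as well."""
    return pol.default_user is not None and admin_group not in pol.group_policies


# Constructed sample: users, groups and entries are illustrative.
SAMPLE = SystemPolicyFile(
    user_policies={"sean": {"Wallpaper": r"\\srv\pol\sean.bmp"}},
    group_policies={
        "Domain Admins": {},                       # deliberately empty: no restrictions
        "Help Desk": {"RestrictRun": 0, "Wallpaper": r"\\srv\pol\helpdesk.bmp"},
        "Domain Users": {"RestrictRun": 1, "Wallpaper": r"\\srv\pol\corp.bmp"},
    },
    group_priority=["Domain Admins", "Help Desk", "Domain Users"],
    default_user={"RestrictRun": 1},
)


def demo() -> Dict[str, Tuple[str, Settings]]:
    """Resolve a few constructed logons against the sample file."""
    logons = {
        "sean": ["Domain Users"],                     # individual policy wins
        "alice": ["Domain Users", "Domain Admins"],   # highest-priority group wins
        "bob": ["Domain Users", "Help Desk"],
        "carol": ["Domain Users"],
        "guest": ["Guests"],                          # no matching group: default
    }
    return {u: resolve_user_policy(SAMPLE, u, g) for u, g in logons.items()}


if __name__ == "__main__":
    for user, (source, settings) in demo().items():
        print(f"{user:6} <- {source:20} {settings}")
    if unrestricted_admin_group_missing(SAMPLE):
        print("warning: the default policy also restricts Domain Admins")
```

In the sample, alice belongs to both Domain Users and Domain Admins, and because Domain Admins sits first in the priority order she gets its empty, unrestricted policy; drop that group policy from the file and `unrestricted_admin_group_missing` reports the problem the article describes, with administrators falling through to the default restrictions.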
