Many Help desk calls arise from users trying to configure their systems. To help prevent these calls, you can limit your users' ability to change the configuration of their systems. In placing limitations, you also will tighten your network's security. You might even experience significant productivity gains if your users can run only certain programs. These benefits are among the reasons to take a look at Windows NT's system policies and the tool used to create them, System Policy Editor (SPE). As a bonus, you can apply similar policies to your Windows 9x clients.
What Is a System Policy?
A system policy is a restriction you place on a user or a user's computer that limits the user's ability to access resources or configure the computer. A system policy might also impose corporate standard configurations. An example of a system policy is removing the Run command from the Start menu so that a user cannot run programs by typing the command name.
By integrating the policies with the Registry at system startup, you can configure and control the user's desktop. In some cases, the control you implement might be simple. For example, you might implement a rule that removes the name of the previous user from the logon dialog box for security reasons. In other cases, you might implement controls so strict that they limit a computer's color scheme and wallpaper or let the computer run only one application.
The System Policy Process
System policies start with the administrator, who defines the policies using the SPE tool. To find this tool, go to Start, Programs, Administrative Tools on the NT server. You can define policies for users, groups, and computers. If you do not define a set of policies, NT will apply a set of default policies to each user and computer.
The administrator uses SPE to specify the various restrictions that he or she wants to put in place. Then, the administrator saves the policy file, ntconfig.pol, in the \winntroot\ system32\repl\export\scripts directory (winntroot is the NT directory) on the PDC. You must configure replication to replicate this file in all the Netlogon shares, which are in the \winntroot\system32\repl\import\scripts directories on the PDC and the BDCs. (If you are not familiar with NT replication, see Getting Started with NT: "Replication in Windows NT," February 1999.) Neither the path nor the filename is the default save location in SPE.
When users log on, NT finds this policy file on the Netlogon share, downloads the file, and integrates the settings into the local Registry. However, NT does not apply the policies at this point. Only when the user logs on again does NT apply the policies. If you are testing SPE, remember to log off and log on twice to make sure that SPE is working.
When you first open SPE, you see only a blank window. To start defining and editing policies, click File, New Policy. The Default Computer and Default User icons will appear, as Screen 1, page 156, shows.
At this point, you might be wondering what happens if the computer policy conflicts with the user policy. The fact is that these policies cannot conflict with each other. The policies are integrated with the Registry so that the computer policies modify HKEY_LOCAL_MACHINE values and the user and group policies modify HKEY_CURRENT_USER values. This situation will become apparent as you look at the policies.
Computer policies apply to all users. Administrative drive-share creation is a good example of a computer policy. User policies apply to a specific user and regulate items such as wallpaper or color schemes. These user specific policies will constrain a user regardless of which machine he or she logs on to.
Let's take a closer look at computer policies. Double-click the Default Computer icon. The dialog box that Screen 2, page 156, shows will open. (In Screen 2, I have already expanded the Windows NT System policy. Usually, nothing is expanded when you open this dialog box.)
Some of the policies let you set limits. For example, the remote access policy lets you set the maximum number of unsuccessful authentication retries. This setting is obviously a computer setting, not a user setting, because the setting is active even when a user is not logged on.
Some settings are for security, such as the Windows NT System option that turns off the display of the last logged-on username. Other settings, such as the logon banner, require input when you select an option. (By the way, the logon banner should not say "Welcome to XYZ Corporation." The courts have ruled that this kind of salutation extends a welcome to everyone, including intruders. Use something such as "Only authorized employees of XYZ Corporation are permitted to use this computer." Companies can consider nonemployees trespassers if they continue to log on after seeing such a banner.)
When you expand the settings, you will see that most of the check boxes are grayed out. If you click a check box, the box will change to contain a check mark. Click again, and the box will clear. Click once more, and the box will cycle back to gray. The check mark means the option is turned on. A clear box indicates that the option is turned off. A gray box means you have specified no policy.
Setting Specific Computer Policies
You can consider the default computer policies to be a lowest-common-denominator set of policies. But what if you have some computers, such as your servers, that need tighter policies? Or, what if you have a set of machines reserved for visitors, which needs tighter policies? In these cases, you can create policies that differ from the default policies.
To add a new policy definition for a specific computer, go to SPE's main menu and click Edit, Add Computer. Use the Browse button to find the name of the computer, or type the computer name in the dialog box that appears. The Browse button is usually the best choice because it shows you a list of computers in an NT Explorer-like interface. You can pick a computer name from the list and avoid the possibility of misspelling the name. Unfortunately, NT provides no grouping mechanism for computers. You must set up each exception to the default computer policy individually.
User and Group Policies
User policies work in a similar fashion to computer policies, with three possible states for each check box—on, off, and no policy. Screen 3 shows the Default User policy dialog box with the Control Panel option expanded. The Desktop option is also expanded, showing that the administrator can set the wallpaper and color scheme to a corporate standard. (The most common pitfall in this area is that the .bmp file you specify for wallpaper might not be available on the user's computer.) I usually let users pick their wallpaper, screen savers, and color schemes, but I restrict them on more crucial issues. Screen 4 shows how much control the administrator has over what the user can do. The administrator can limit the user to only one or two applications, if necessary—no browsing the 'hood, no drive icons. For a more restrictive interface, try setting the Windows NT Shell policy to use a Custom User Interface with a Custom shell, and specify a program. The program you specify is all the user can run.
If you want to be less restrictive, you can provide a list of the programs a user can run under Programs, System, Restrictions. You can make this list as short as necessary. You might want to restrict the Guest user account in this way. Screen 5 shows the results of severely limiting a user's options—even the File menu is gone from the NT Explorer window.
You set individual user policies the same way you set specific computer policies. Go to Edit on SPE's main menu. Select Add User for a list of users (this window looks just like the User Manager window). Again, you cannot select policies for multiple users at the same time. However, you can add a group or groups to the SPE window. Each group gets its own set of policies. You must use NT global groups to define policies.
Screen 6 shows that I have added two groups, SQLAdmins and SQLUsers, and a user—Michael—with administrator privileges. Notice the Group Priority dialog box, which you open from the Options menu in the SPE window. You must designate the order of precedence for the groups in case a user belongs to several groups that have different settings for the same policy.
The subject of group priorities brings up a very important point about policy implementation. NT applies policies in a specific order.
If a user has an individual user policy, that policy will constrain the user, and NT ignores the default user policy and applies no group policies. If the user has no individual policy, NT applies the default user policy (if one exists). Then, if the user belongs to any groups with defined policies, NT applies a combination of these groups' policies. If any of these groups' policies conflict, the highest-priority group's policy will prevail.
If one group sets an option and other applicable groups have no policy, the set option governs what a user can do. If multiple groups have policies for one option, the highest-priority group wins. Note that unlike NT security, policies apply to either a user or a group—never a combination of the two. The default user policy is effectively a group policy because it applies to everyone that individual user policies do not govern.
The same method applies to computer policies. The applied policy is either the policy for a computer or the default policy, but they are never combined.
To apply system policies to your Win9x clients, you must use Win95's SPE. Win9x saves the policy file as config.pol in the same directory as the ntconfig.pol file on the domain controllers, so the policies are established as the users log on.
A Matter of Policy
System policies can be tricky to set up, especially when applied to groups. However, system policies provide an important level of control over the changes users can make to their computers. If you use them judiciously and with moderation, you can alleviate Help desk calls without being too intrusive. For more information about SPE and system policies, see "Related Articles in Windows NT Magazine."