Create computer, user, and group policies via the System Policy Editor and customize a policy template

Windows NT 4.0 has borrowed more from Windows 95 than just the user interface. Win95's system policies and System Policy Editor (SPE) are also in the latest release of NT. System policies are restrictions an administrator can place on a computer, user, or global group. These restrictions control user- and machine-specific settings on NT Server and Workstation. System policies are a compilation of NT Registry keys and their values, and the system doles the policies out at logon to whomever you specify.

You modify system policies via the SPE, an NT application that lets you maintain existing policies and create new ones. The policy settings are in the Registry of the affected machine. Template files (which the SPE consults when you create policies at the server) are a plain-text list of every possible policy setting and what each one does. This article demonstrates how to use the SPE to create and edit user, computer, and group policies and discusses how to customize the NT 4.0 policy template files to give you a feel for creating your own policy templates.

Three Types of Policies
Each of the three types of system policies controls a different aspect of the computing environment. Computer policies are restrictions specific to a particular system; they control settings such as whether to create the administrative drive shares, the ability to shut down the system from the Authentication dialog box, and whether to create DOS 8.3 filenames for long filenames. User policies apply to a particular username; examples of such policies include removing common groups from the Start menu, selecting which desktop wallpaper to use, and restricting application use by filename. Group policies are simply user policies applied to a global group (i.e., a set of user policies applies to all members of a group). You can set group priority so that groups with the highest priority are processed last, their settings overwriting those of groups with a lower priority. Group policies are probably the most efficient way to administer policies on a medium-to-large-sized network: With groups, you're managing the settings in one group policy instead of hundreds or thousands of user policies (a moderately complex SPE policy can contain about 100 settings).

NT 4.0 provides Default Computer and Default User policies, which NT applies to computers or users that haven't already been assigned a policy (there is no Default Group policy). You don't have to use the Default Computer/User policies, but later, I'll give you a good reason to.

Using the System Policy Editor
You access the SPE under Windows NT Server by clicking Start, then Programs, and then Administrative Tools. (Anyone can access the SPE; no special permission is required.) After the SPE starts, a blank SPE screen appears.

To create a new policy file, at the SPE screen click File and then New Policy. As Screen 1 shows, this action creates an untitled policy file containing Default User and Default Computer policies. You define the properties of the new policy file: Double-click the Default User or Default Computer icon to see a list of policy properties, as shown in Screens 2a and 2b, respectively.

To enable a setting, click the check box next to the setting. The lower portion of the window will usually contain either information summarizing the option or an area where you must provide more information, such as the location of the background .bmp file to use. Clicking OK saves the new policy file. (You'll name the policy file later, after you change the settings you want.) To change an existing policy's settings, select it from the SPE screen's policy list, double-click it (or select the policy and click Edit and then Properties), and modify the settings as described above.

To create a computer, user, or group policy, select the appropriate Add option from the SPE screen's Edit menu. A dialog box prompts you for the name, or you can choose Browse to locate it in a list of names. Browsing is usually faster than entering the name and also avoids mistakes such as typos and accidentally leaving out the domain prefix and the slash character when the computer, user, or group is in a different domain. To customize a policy for a computer, user, or group, double-click the policy of your choice and fill in the appropriate check boxes and blanks.

Note that check boxes have three states. Each represents a different action an NT system will take when it downloads the policies from the NT Server system at logon. Initially, the boxes are gray. A click changes a box to checked, which enables the option (i.e., copies or overwrites the appropriate Registry entry); another click changes the box to empty (i.e., removes that option from the user's system and deletes the appropriate data contained in a Registry key); and one more click returns the box to gray, signaling that NT will neither enable nor delete that option. If you don't want to implement a policy, leave its box gray so NT will ignore it while processing the policy file, thus accelerating processing (don't delete the setting from the template file; you can keep it available to use in another user's or computer's policy).

The SPE lets you assign priority to group policies through the Group Priority function, which can simplify administering policies in a domain that has multiple group policies and includes some users in more than one group. For example, say your domain includes a Domain Users group policy that all users are part of and a Development group policy, which includes only a few users. The Development users all want the same background wallpaper, yet all your non-Development Domain Users require the company logo as their wallpaper. To solve this problem, at the SPE main screen, select Options and then Group Priority. Next, simply move the Development group above the Domain Users group to give Development's policies a higher priority. Click OK. When policies are downloaded at logon, the Development group's policy will be downloaded after the Domain Users policy and the Development settings will overwrite those of all lower priorities, including Domain Users.
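The three check-box states and the group-priority ordering above determine what a user actually ends up with, and modelling them lets you audit the result before rolling a policy file out. The following Python example is added here and is not part of the original article or of NT itself; the policy and value names are constructed (modelled on the settings the article mentions), and the order in which a user's own or Default User policy is combined with group policies is a simplifying assumption, not something the article specifies.

```python
from dataclasses import dataclass, field

# The three check-box states in the SPE, as the article describes them.
CHECKED = "checked"  # write or overwrite the Registry value
CLEARED = "cleared"  # delete the Registry value
GRAY = "gray"        # leave the machine's existing value untouched


@dataclass
class Policy:
    """One SPE policy: Registry value name -> (check-box state, data)."""
    name: str
    settings: dict = field(default_factory=dict)


def apply_policy(registry: dict, policy: Policy) -> list:
    """Apply one policy to a simulated Registry (a dict); return an audit trail."""
    trail = []
    for value_name, (state, data) in policy.settings.items():
        if state == CHECKED:
            registry[value_name] = data
            trail.append(f"{policy.name}: set {value_name}={data!r}")
        elif state == CLEARED:
            if registry.pop(value_name, None) is not None:
                trail.append(f"{policy.name}: deleted {value_name}")
        elif state != GRAY:
            raise ValueError(f"unknown check-box state {state!r}")
    return trail


def resolve(registry, default_user, user_policies, group_policies, priority, user, member_of):
    """Return (final registry, trail) for `user`, a member of the groups in `member_of`.

    Assumed order: the user's own policy (or Default User when none exists), then
    group policies from lowest to highest priority so the highest-priority group wins.
    `priority` lists group names highest first, as in the SPE Group Priority dialog.
    """
    trail = apply_policy(registry, user_policies.get(user, default_user))
    for group in reversed(priority):            # lowest priority first
        if group in member_of and group in group_policies:
            trail += apply_policy(registry, group_policies[group])
    return registry, trail


# Constructed sample mirroring the article's wallpaper scenario (hypothetical values).
DEFAULT_USER = Policy("Default User", {"NoCommonGroups": (CLEARED, None),
                                       "NoRun": (GRAY, None)})
GROUPS = {
    "Domain Users": Policy("Domain Users", {"Wallpaper": (CHECKED, "logo.bmp")}),
    "Development": Policy("Development", {"Wallpaper": (CHECKED, "dev.bmp")}),
}
PRIORITY = ["Development", "Domain Users"]   # Development moved above Domain Users


def effective(user, member_of, existing=None):
    """Settings a user ends up with, starting from a constructed existing Registry."""
    registry = dict(existing or {"NoCommonGroups": 1, "NoRun": 1})
    return resolve(registry, DEFAULT_USER, {}, GROUPS, PRIORITY, user, set(member_of))
```

Reviewing the returned trail for each user is a quick way to confirm that a gray box really left a setting alone and that the intended group won the overwrite.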

Once you finish configuring your policies, click File, then Save As. You must save the file as ntconfig.pol (the file that contains the policies for all computers, users, and groups you've specified in the system's SPE) or NT will not process system policies. Also, make sure to save ntconfig.pol wherever the NETLOGON share of the Primary Domain Controller points--most likely in your %windowsroot%\system32\repl\import\scripts directory (you must manually save ntconfig.pol to the correct directory; NT doesn't automatically save it for you). New policies will take effect on users' systems the next time they log on (when the policies are downloaded).

As an NT administrator, you'll probably want to define your computer and user policies rather than use the defaults. However, a user can inadvertently, or perhaps purposely, avoid machine policies by roving from one machine to another. If this situation is a problem at your site, you probably need a Default Computer policy in place to prevent users from evading policies.