SUMMARYThis article discusses how to implement system policies for Microsoft Windows XP-based, Microsoft Windows 2000-based, and Microsoft Windows Server 2003-based client computers in non-Active Directory directory service environments.
INTRODUCTIONBefore the implementation of Group Policy settings and Active Directory in Windows 2000, computer and user policy settings were implemented as Microsoft Windows NT "System Policies."
Windows NT System Policies had the following limitations that Active Directory Group Policy settings do not have:
|•||The policies persist in a user's profile until the specified policy is reversed or until you change the applicable registry setting. This behavior is frequently referred to as "tattooing" the registry.|
|•||The policies are not secure.|
|•||The policies cannot be refreshed without a restart.|
Group Policy includes the functionality of Windows NT 4.0 System Policies. Group Policy also provides additional policy settings for scripts, software installation and maintenance, security settings, Microsoft Internet Explorer maintenance, and folder redirection. The following table compares Group Policy and Windows NT 4.0 System Policy.
|Comparison||Group Policy||Windows NT 4.0 System Policy|
|Tool used||Microsoft Management Console (MMC) Group Policy snap-in||System Policy Editor (Poledit.exe) |
|Number of settings||More than 150 security-related settings and more than 620 registry-based settings||72 settings |
|Applied to||Users or computers in a specified Active Directory container (site, domain, or OU) or local computers and users||Domains or local computers and users |
|Security||Secure||Not secure |
|Extensible by||MMC or .adm files||.adm files |
|Persistence||Does not leave settings in the user profiles when the effective policy is changed||Persistent in user profiles until the specified policy is reversed or until you change the registry |
|Defined by||User or computer membership in security groups||User membership in security groups |
|Primary uses||Implement registry-based settings to control the desktop and user. Configure many types of security settings. Apply logon, logoff, startup, and shutdown scripts. Implement IntelliMirror software installation and maintenance. Implement IntelliMirror data and settings management. Optimize and maintain Internet Explorer.||Implement registry-based settings that govern the behavior of applications and operating system components, such as the Start menu.|