Microsoft Windows NT 4.0 manual System Policy AN Introduction, System Policy Files

SYSTEM POLICY – AN INTRODUCTION

A System Policy is a set of registry settings that defines the computer re- sources available to an individual or to a group of users. Policies define the various facets of the desktop environment that a system administrator needs to control, such as which applications are available, which applications appear on the user’s desktop, which applications and options appear in the Start menu, who can change their desktops and who cannot, and so forth. System policies can be implemented for specific users, groups, computers, or for all users. You create system policies with the System Policy Editor.

The System Policy Editor is a graphical tool provided with Windows NT Server 4.0 that allows you to easily update the registry settings to generate the correct environment for a particular user or group of users. The System Policy Editor creates a file that contains registry settings which are then written to the user or local machine portion of the registry database. User Profile settings that are specific to a user who logs on to a given workstation or server, are written to the registry under HKEY_CURRENT_USER. Likewise, machine- specific settings are written under HKEY_LOCAL_MACHINE.

When you apply a System Policy, the new policy overwrites the existing registry settings, thus giving you, as system administrator, the ability to set restrictions for the client machine and user. When a user logs on to a Windows NT 4.0 computer, the user’s profile is loaded first and then the Sys- tem Policy is downloaded. Any registry settings that you have reconfigured, whether these are machine-specific changes or are specific to the user logging on, are changed before the user receives control of the desktop. Note that System Policy changes are not dynamic; if you make a change to the policy, affected users must log off and log back on so that the new policy can be downloaded and applied.

With a properly implemented policy, you can customize the user’s environ- ment to your specifications, despite the user’s preferences and regardless of where he or she logs on. The settings available in the System Policy Editor provide a variety of options for managing the user environment. For a detailed list of these options, see the section “Registry Keys Modified by the System Policy Editor Default Templates.”

System Policy Files

Policies can define a specific user’s settings or the settings for a group of us- ers. The resulting policy file contains the registry settings for all users, groups, and computers that will be using the policy file. Separate policy files for each user, group, or computer are not necessary.

If you create a policy that will be automatically downloaded from validating domain controllers, you should name the file NTconfig.pol. As system admin- istrator, you have the option of renaming the policy file and, by modifying the Windows NT-based workstation, directing the computer to update the policy from a manual path. You can do this by either manually changing the registry or by using System Policy. This path can even be a local path such that each machine has its own policy file, but if a change is necessary to all machines,