Policing NT System Policies

Perhaps the best thing about a graphical user interface is ease of use. Unfortunately, this ease of use can lead people to explore areas of the computer they shouldn't, or change desktop settings they are supposed to leave alone. When the command prompt was the only way to enter commands, it was much more difficult for inexperienced users to change things. Now clicking everything in sight can lead to a lot of mischief.

One way to prevent this is to use System Policies. A System Policy is a collection of registry settings that define what resources are available to which users. Using System Policies, you can restrict changes to the desktop, control what applications can be run or even change the appearance of the Start menu. The restrictions can be applied to specific computers, individual users or user groups.


Here's how it works. When a user logs onto NT, the user's profile is loaded. The profile contains information about the user's environment, such as the arrangement of icons on the desktop, printer connections, window sizes, etc. These are the user's preferences. At this point, the System Policy is applied. Any changes or restrictions in the policy are then applied to the registry before the user gets control of the desktop. Thus, the system administrator gets to enforce what users see, access and change, regardless of the user's preferences.

Digging into the details of the registry to make these kinds of changes would be an arduous task. Fortunately, NT provides a System Policy Editor to ease the work. The Editor combines the ease of use of the Control Panel with the functionality of the Registry Editor. While the Editor doesn't offer complete access to the Registry, it is much simpler to use. The Editor works in two modes. Registry mode allows the user to make changes to a local or remote registry. These changes are made directly to the registry. Policy file mode is used to create System Policies which will be applied to users or machines. Because a policy file can contain settings for multiple users, only one policy file needs to be created for the domain. By default, the logon process will look for the System Policy in a file named NTCONFIG.POL in the NETLOGON share of the validating domain controller. You can store policy files on individual machines, but network-wide changes would then have to be applied at each individual machine.

The System Policy Editor is found on the Administrative Tools (Common) menu. Launching the Editor brings up an empty window. From the File menu you can select Open Registry to go into registry mode. To go into policy file mode, you can create a new policy file or open an existing file. Policy settings for a default computer and default user are immediately available and appear as icons in the window. Any changes to these policies will be applied to everyone. Policies for individual users, groups or machines can be added with the Edit option on the menu bar. To edit a policy, double click on the appropriate icon.

The policy settings are displayed in a tree structure grouped by category. The individual settings may be viewed by expanding the category with the plus sign next to the category label. When setting policy options, you have three choices. Checking an individual box means the setting is implemented. An unchecked box means the setting is not implemented. A grayed box means that the setting will not be changed, and whatever option was set at logon will be preserved. The wording of each setting is very important and can lead to mistakes in the policy. Some settings require checking to enable the setting and others require checking to disable the setting. Remember, policy settings are applied at the time of login. For a policy change to be applied to active users, they must log out and log back in.

Place Settings

While the best way to learn about the individual settings is to simply explore the various options, here are a few that are worth investigating.

Disable registry editing tools:

Run only allowed Windows applications: Users with this policy will only be allowed to run applications you specify. This setting only limits access to the applications from the Windows interface. Users with access to CMD.EXE can still launch the applications there.

Disable Shutdown command: This user setting removes the Shut Down command from the Start menu. Even with this policy in place, users can still shut down the system using the Ctrl Alt Del keys. To disable the Ctrl Alt Del option, you must remove the user's "Shut down the system" right in User Manager.

Allow extended characters in 8.3 file names: Computers without the same code page may not be able to view extended characters in file names. This setting ensures that the file name will be viewable everywhere.

Logon banner: You can specify a dialog box that appears before the user logs on. Most administrators will want to display some kind of "Unauthorized use is prohibited" message to users.

Do not update last access time: This machine setting can improve the performance of your system if you have a large number of files being regularly updated.

Create hidden drive shares (server): If enabled, each drive will have an administrative share created automatically (such as C$). This was automatic under NT 3.51, but can now be controlled with a policy.
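To make the logon sequence described earlier concrete (profile loaded first, then the policy applied over it, with checked, unchecked and grayed boxes) and to show how an administrator can verify that the settings listed above actually took effect, here is an added Python example. It is not code from the article or from NT's System Policy Editor. The registry paths and value names it uses are the well-known locations for these settings and are my assumption rather than something the article states; the sample registry contents are constructed for the demonstration.

```python
"""Model of NT System Policy application and a compliance check of the result.

Added example, not code from the article or from NT's System Policy Editor.
Registry paths and value names are the well-known locations for these
settings (assumed here, not stated in the article); the sample registry
contents further down are constructed for the demonstration.
"""
from enum import Enum


class Box(Enum):
    CHECKED = "checked"      # setting is implemented
    UNCHECKED = "unchecked"  # setting is explicitly not implemented
    GRAYED = "grayed"        # leave whatever the registry already holds


# Policy name -> (registry value, value written when CHECKED,
#                 value written when UNCHECKED, effective value if absent).
# Most of these are checked-to-restrict; "Create hidden drive shares" is
# checked-to-enable and the shares are created by default when the value is
# absent, which is exactly the wording trap the article warns about.
# (The allowed-application list for RestrictRun lives in a subkey and is
# not modelled here.)
SETTINGS = {
    "Disable registry editing tools": (
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 1, 0, 0),
    "Run only allowed Windows applications": (
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun", 1, 0, 0),
    "Disable Shutdown command": (
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose", 1, 0, 0),
    "Do not update last access time": (
        r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate", 1, 0, 0),
    "Allow extended characters in 8.3 file names": (
        r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsAllowExtendedCharacterIn8dot3Name", 1, 0, 0),
    "Create hidden drive shares (server)": (
        r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer", 1, 0, 1),
}


def apply_policy(registry, policy):
    """Return the registry as it looks once logon completes: the profile's
    values are the starting point and each policy entry overrides them.
    GRAYED entries touch nothing, so the profile's preference survives."""
    result = dict(registry)
    for name, box in policy.items():
        path, on_value, off_value, _absent = SETTINGS[name]
        if box is Box.CHECKED:
            result[path] = on_value
        elif box is Box.UNCHECKED:
            result[path] = off_value
    return result


def audit(registry, policy):
    """List (policy name, expected, actual) for every policy entry whose
    registry value does not match the intended state. A GRAYED entry states
    no intent and therefore can never be non-compliant. An absent value is
    compared using the setting's default behaviour, not as 0."""
    findings = []
    for name, box in policy.items():
        if box is Box.GRAYED:
            continue
        path, on_value, off_value, absent = SETTINGS[name]
        expected = on_value if box is Box.CHECKED else off_value
        actual = registry.get(path, absent)
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


def sample_profile():
    """Constructed snapshot of a user's profile and machine registry before
    the domain policy runs: shutdown allowed, last-access updates already
    disabled by a local admin, administrative shares switched off."""
    return {
        SETTINGS["Disable Shutdown command"][0]: 0,
        SETTINGS["Do not update last access time"][0]: 1,
        SETTINGS["Create hidden drive shares (server)"][0]: 0,
    }


# Constructed domain policy, as an administrator might set it in policy file mode.
DOMAIN_POLICY = {
    "Disable registry editing tools": Box.CHECKED,
    "Disable Shutdown command": Box.CHECKED,
    "Do not update last access time": Box.GRAYED,
    "Create hidden drive shares (server)": Box.CHECKED,
    "Allow extended characters in 8.3 file names": Box.UNCHECKED,
}


def demo():
    """Audit the same policy before and after logon. The 'before' findings are
    what a still-logged-on user looks like until they log out and back in."""
    before = sample_profile()
    after = apply_policy(before, DOMAIN_POLICY)
    return audit(before, DOMAIN_POLICY), audit(after, DOMAIN_POLICY)


if __name__ == "__main__":
    drift_before, drift_after = demo()
    for name, expected, actual in drift_before:
        print(f"before logon: {name}: expected {expected}, found {actual}")
    print("after logon:", drift_after or "compliant")
```

On a real machine the `registry` dictionary would be filled by reading the listed values from the live registry, and the audit would be run after users have logged off and on again, since the policy is only merged at logon. The per-setting "absent" default matters for the audit: a missing `AutoShareServer` value means the shares are created, so the check must not treat absence as 0.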

As you can see, there are lots of possibilities. System Policies offer administrators a lot of control over their systems. If you are looking for ways to tighten up security and prevent errors throughout your network, spend some time investigating this built-in feature of NT. You'll find System Policies can make your job easier.