Windows: System Policy Editor Notes
System Policy Editor
1. Machine policies can overwrite the User and Group settings
2. User policies completely bypass Group policies (no precedence, just replacement)
3. Group policies (Order specified from top to bottom. Replaces the Default User Policy).
4. User Profiles - All of the above can override Profile settings
What is the purpose of System Policies?
Purpose: establish a uniform set of rules to maintain computer and user environments across a domain.
What are the three different types of system policies and what is the pecking order?
1. Machine. Machine policies can overwrite the User/Group settings.
2. User. User policies completely bypass Group policies (no precedence, just replacement).
3. Group.
*All of these can override Profile settings.
What abilities does a System Policy give you:
-Restrict Control Panel Options
-Customize part of the desktop such as corporate wallpaper
-Control network logon and access.
What are the two major functions of System Policy Editor?
1. Modify Default settings for a computer and user policy for the domain
2. Create custom settings that apply to users, groups, and computers
What are the commands in System Policy Editor and what are the command functions?
1. When you select "File" > "create new policy", Default Computer and Default User appear.
a. Default Computer: configures logon and network settings. Applies to all users that log on to the domain and affects all users that log on to that computer.
b. Default User: configures the user's desktop. Can be set for all users that log on to the domain.
2. When you select "Edit" >
a. Add User: Browse will list the names/"people" found in User Manager
b. Add Computer: Brings up the computers shown in Network Neighborhood (Example: Workstation1)
c. Add Group: Brings up the Groups that names/"people" in User Manager belong to.
3. Once a User or Computer is opened:
Enabled - when control is checked
Disabled - when control is not checked
Neutral - when control is grayed, availability of function is not determined by this policy. This setting exists so different policies can be merged.
How do I implement a System Policy in a domain?
1. Open System Policy Editor and create a new policy file. Set appropriate policies for defaults.
2. To set a specific policy, choose Edit and choose User, Group, or Machine.
(Where are System Policies stored by default?)
3. By default, Windows NT searches for the NtConfig.pol policy file stored on the PDC in the Netlogon share: systemroot\System32\Repl\Import\Scripts. NT installation automatically shares this folder with the name "Netlogon."
4. Enable Replication on all domain controllers so that the NTCONFIG.POL file is replicated to the same folder on all backup domain controllers.
(Can I create the same policy for a Windows 95 machine as for an NT machine?)
No. NT policies are incompatible with 95. So if you are using both types of workstations, you will have to create two sets of policies. The Windows 95 policy is called "Config.pol" and must be created on a Windows 95 machine.
(How do I enable load balancing to prevent network slowdown?)
Use the 95 System Policy Editor to open Config.pol, then drill down on the Default Computer icon. Open Network \ Update \ Remote Update Policy and check "Load-balanced" to prevent network slowdown.
Are Group Policies installed by default on Windows NT and 95?
Group policies are installed by default in NT -- not in 95.
How do I change the default policy location on a 95 or NT machine?
Note: change the "Remote update" setting from automatic to manual in the computer policy portion to implement a different policy file location.
How is a User Policy implemented when a User logs on?
1. The user logs on and NT searches for NTCONFIG.POL from the PDC
2. If a User policy exists, it is merged with the Registry
3. Next, Group Policy (the group with the highest priority takes precedence if the user is a member of two groups)
4. If no user or group policy is defined, the default user policy is merged in.
How is a computer policy implemented when a User logs on?
1. Specific computer policy? Great, it is merged.
2. No? Default computer policy is merged.
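The logon-time selection described in the two answers above, combined with the Enabled/Disabled/Neutral states, as an added example (not part of the original notes and not Microsoft's code). The setting names, the sample accounts and the dictionary layout are constructed for illustration and do not reflect the binary .POL format; the point to notice is that a per-user entry leaves that user outside every group restriction.

```python
# Model of the policy selection these notes describe. All names are constructed.
ENABLED, DISABLED, NEUTRAL = True, False, None

POLICY = {  # constructed sample standing in for the contents of NTCONFIG.POL
    "users": {
        "Default User": {"HideControlPanel": ENABLED, "Wallpaper": ENABLED},
        "alice": {"HideControlPanel": DISABLED, "Wallpaper": NEUTRAL},
    },
    # Groups listed from highest to lowest priority.
    "groups": [
        ("Domain Admins", {"HideControlPanel": DISABLED, "Wallpaper": NEUTRAL}),
        ("Sales", {"HideControlPanel": ENABLED, "Wallpaper": ENABLED}),
    ],
    "computers": {
        "Default Computer": {"LogonBanner": ENABLED},
        "Workstation1": {"LogonBanner": DISABLED},
    },
}


def select_user_policy(policy, username, member_of):
    """Return (source, settings) for the user half of the policy."""
    if username != "Default User" and username in policy["users"]:
        return "user", dict(policy["users"][username])  # groups are bypassed
    matched = [s for g, s in policy["groups"] if g in member_of]
    if matched:
        merged = {}
        for settings in reversed(matched):  # lowest priority first
            for name, state in settings.items():
                if state is not NEUTRAL:  # neutral never overrides
                    merged[name] = state
        return "group", merged  # highest-priority group wrote last
    return "default", dict(policy["users"]["Default User"])


def select_computer_policy(policy, computer):
    """Specific computer entry if present, otherwise Default Computer."""
    computers = policy["computers"]
    return dict(computers.get(computer, computers["Default Computer"]))


def apply_to_registry(registry, settings):
    """Enabled/disabled overwrite the value; neutral leaves it untouched."""
    result = dict(registry)
    result.update({k: v for k, v in settings.items() if v is not NEUTRAL})
    return result
```

When auditing a policy file, every named user entry is therefore an exception to group restrictions and is worth reviewing individually.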
How can System Policy Editor be used to make changes to the Registry?
1. Registry Mode = File > Open Registry or "Connect > Computer Name". This is a direct registry change.
2. Policy Mode = as discussed above
What are System Policy Templates?
Winnt.adm and Common.adm create the policy in System Policy Editor on Windows NT. Template (*.ADM) files -- ASCII files that are filled in and modified; looked at like source code which can be changed and added to. Can be edited with Notepad. Together, *.adm and *.pol can be looked at as compiled code (which is loaded and executed on the computer). When policies are read and applied, they edit the registry to enforce one or more restrictions.
What happens to a system policy if a computer name changes in 95?
Entries for the computer are based on the computer name, and thus will not work if the computer name changes.
Windows 95 Policy Notes
Two types of files used in creating system policies:
1. Template (*.ADM) files -- ASCII files that are filled in and modified; looked at like source code which can be changed and added to. Can be edited with Notepad.
2. Policy (.POL) files -- files that template files are saved as, which are read by Windows 95.
Together they can be looked at as compiled code (which is loaded and executed on the computer). When policies are read and applied by 95, they edit the registry to enforce one or more restrictions. Cannot be edited with Notepad.
Note: Default User and Default Computer are part of a default template called ADMIN.ADM.
How do I create policies for a Windows 95 machine?
*Enable User profiles (must be enabled before system policies can be used)
Note: Enabling OS/2 Namespace (LFN Error Message): To store full user profile files, Windows 95 uses Long File Names. If it tries to copy Long File Name files to the SYS: volume and the SYS: volume has not been enabled with the OS/2 namespace, it returns an error message. To prevent this, enable the OS/2 namespace on the SYS volume before enabling user profiles.
*Install System Policy Editor (and install support for group policies)
\Windows95 CD\Admin\Apptools\POLEDIT.EXE
ADD/REMOVE > Windows Setup > Have disk > grouppol.inf
-System Policy Editor (poledit.exe)
-Group Policy Editor (Grouppol.dll)
To run System Policy Editor = poledit
Note: GROUPPOL.DLL (required to enable group profiles) must be installed on each computer in the workgroup; Windows 95 Setup places GROUPPOL.DLL in the Windows SYSTEM directory on the client computer and makes the required Registry changes.
*Load or create the appropriate template
Windows\Inf\ADMIN.ADM
*Create policies for groups (if you decided to take this approach)
Enabled - when control is checked
Disabled - when control is not checked
Neutral - when control is grayed, availability of function is not determined by this policy. This setting exists so different policies can be merged.
*Configure the order in which groups will take effect
*Create default settings for users via Default User
*Create default settings for computers via Default Computer
*Create exceptions for users via unique user settings
*Create exceptions for users via unique computer settings
*Save the policy as CONFIG.POL where 95 will find it
1. Share level Security or a Computer not on a Network: \Windows folder.
2. \\PDC\NETLOGON share
3. NetWare Server: Sys\Public Directory
\\preferred server\sys\public\ (where policies are stored on a NetWare Server)
Note: NT uses by default: NTCONFIG.POL; NT policies are incompatible with 95. So if you are using both types of workstations, you will have to create two sets of policies.
Note: If Microsoft Remote Registry Service is installed -- System Policy Editor can also make changes to remote registries.
95 Q&A
Q: Users didn't receive changes to their new system policy, what is a common cause of this?
A: \Netlogon directory was not replicated to the BDC
A: Users have individual system policies that have conflicting options
Q: What is required to install group policies?
A: System Policy Editor
A: GROUPPOL.DLL (required to enable group profiles) must be installed on each computer in the workgroup; Windows 95 Setup places GROUPPOL.DLL in the Windows SYSTEM directory on the client computer and makes the required Registry changes.
Q: When must you use manual downloading of user policies?
A: When using real mode network clients such as Novell NETX or VLMs.
---
Q: Where is profile information stored in the registry? (what key)
A: Hkey_Current_User.
---
Q: Your network consists of 15 Windows 95 computers that are part of a Windows NT Server domain. You want to ensure that users of the Windows 95 computers will not have dial-up access when they are logged on to the NT Server Domain. How can you do this? Choose 3.
A: Create a policy file with the appropriate settings and save it as Config.pol in the NETLOGON directory on the Windows NT Server computer
A: Modify the user profile stored in each user's home directory (sure)
A: Use the Registry Editor to modify the registries of all 95 computers remotely
---
Q: As a network administrator, you want to exclude certain screen savers from the default user profile created in each new policy file. Which course of action must you take?
A: Modify the current template file to specify the screen savers you want, and then use this template file to create the policy files
---
Q: Set up computer policies. By establishing system policies, Windows 95 administrators can set, change, and maintain Registry entries on a per _____ basis
A: machine
A: user
A: group