Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97

7.6.1. The System Policy Editor

You can use the System Policy Editor to manage the local registry of a computer or to create a file of registry settings that will be implemented across the domain. The most common methodology is to create files that will be read by the Windows NT and Windows 95 clients at start time in order to ensure that the proper settings have been merged into the local registries of the systems.

Creating a Domain Policy

Using the System Policy Editor, it is possible to create a single file (NTCONFIG.POL) of settings that will be read by all NT clients in the domain. Windows 95 clients support policies also, but they require a file named CONFIG.POL that is created via the Windows 95 policy editor.

When an NT client is logging on to the network, it will request a copy of NTCONFIG.POL from the NETLOGON share of the validating controller. The settings in the file will be applied to the local registry based upon what the computer name is and which user is logging on. If the network has multiple controllers, it is important to configure the directory replicator service to ensure that the policy files are available throughout the domain.

If the administrator wants to implement the same policies for all NT computers and users in the domain, she can create a single NTCONFIG.POL file that contains settings for the default computer and default user, as shown in Figure 7.17.

By modifying the settings for the default computer, the administrator can control the HKEY_LOCAL_MACHINE settings for all NT computers collectively. Modifying the default user will affect the HKEY_CURRENT_USER setting on all NT computers.

Selectively Overriding the Domain Policy

It would be a utopian network wherein the same policies should be implemented for all users and computers identically. However, certain settings will need to be modified on an individual basis. The System Policy Editor accounts for this need by allowing overrides based upon username, group membership, and computer name.

Figure 7.17.  The default user and default computer settings can be applied to all NT computers in the domain.

Overriding Default Computer Settings

An administrator can override the default settings on a particular computer to make them more or less restrictive than the default settings. For example, Figure 7.18 shows how the logon banner could be modified for the computer UpFront.

Figure 7.18.  The settings for UpFront in the NTCONFIG.POL file will override the default computer settings on that computer.

The individual settings will only affect the computer named UpFront.

Overriding Default User Settings on an Individual Basis

A different set of policies might need to be implemented when a certain user logs on the network. An administrator might want to restrict a user named Consultant from seeing the entire network. This could be accomplished by adding an entry in the NTCONFIG.POL file for the user as shown in Figure 7.19.

Figure 7.19.  The user Consultant is restricted from seeing the Entire Network in Network Neighborhood.

Regardless of which NT machine the user logs on to, the policies can be applied.

Overriding Default User Settings on the Basis of Group Membership

Another situation might be in a bank. Here the administrator might want to restrict a group of individuals, such as the tellers, to only certain applications. The ability to perform this function also exists in the System Policy Editor, as shown in Figure 7.20.

Figure 7.20.  Members of the Tellers group are restricted to only necessary applications.

Because it is possible for a user to be a member of many groups, there is a chance that conflicting settings may be assigned in the policy file. In order to accommodate this situation, a group priority can be established as shown in figure 7.21.

Figure 7.21.  A group priority can be established to resolve conflicting policy settings.

In the example shown in figure 7.21, the settings in the Bankers group receive precedence over those in the Tellers group. The administrator will have to determine the proper group order in order to ensure that the policies are neither too lenient nor restrictive when a user is a member of multiple groups.

7.7. Implementing Profiles

NT 4.0 supports profiles in order to ensure that the proper user environment exists based upon user name. As changes are made to the user’s preferences, such as colors, wallpaper, and so on, the changes are stored in the profile and will be available the next time the user logs on.

7.7.1. Implementing Local Profiles

A local profile is created automatically when a user logs on for the first time at an NT computer and is subsequently updated as changes to user preferences are made. By default the local profiles are stored in the \%systemroot%\profiles\%username% directory. Local profiles provide the most benefit when multiple users share a single computer.