Export (0) Print
Expand All

Windows NT Profiles

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
By Sandra Osborne

Chapter 13 from Windows NT Registry: A Settings Reference, published by New Riders Publishing

  • The Hardware Profiles tab of the System applet

    This part of the System applet is used to set boot options for Windows NT. Using this applet, you can create boot options that enable the use of hardware such as the notebook docking state, the monitor used, and other hardware.

  • The User Profiles tab of the System applet

    This tab is used to set a user profile to either local or roaming mode. You can also use this tab to copy and export user profiles so that they can be used on other computers.

  • System policies and the System Policy Editor, POLEDIT.EXE

    System policies are used by network administrators to configure and control individual users and their computers. Administrators use POLEDIT.EXE to set Windows NT profiles that are either network- or user-based. Using this application, you can create policies, which are either local or network-driven, that can affect Registry settings for both hardware and users.

On This Page

The Hardware Profiles Tab of the System Applet
The User Profiles Tab of the System Applet
System Policies and the System Policy Editor

The Hardware Profiles Tab of the System Applet

If you open the Control Panel and launch the System applet, you see several tabs. Select the Hardware Profiles tab and you see the screen shown in Figure 13.1.

On this tab, you see options, listed just under Available Hardware Profiles, for all profiles that are available for this computer. Each of these profiles is listed as a boot choice under the Hardware Configuration Boot menu that is displayed after NTDETECT for all computers that have more than one possible hardware profile.

The Registry entries made by this tab can be found under the Registry key [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Hardware Profiles\####], where #### is the number that Windows NT assigns to the profiles, based upon the order listed in the previous tab. The hardware profile that is in use is listed under the key where #### is equal to Current. I will use 0001 for #### when discussing the following keys, but these settings also apply to the other numbered keys.

Cc750985.prof01(en-us,TechNet.10).gif

Figure 13.1: The Hardware Profiles tab of the System applet.

The Hardware Profiles Key

This key has several subkeys under it, which contain the hardware profile information for each of the profiles listed in the Hardware Profiles tab. These keys and their values are discussed in the following sections.

The Font Key

The values and settings under the [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \_HardwareProfiles \0001 \Software \Fonts] key govern the way each profile desktop is displayed. These values are copied to the [HKEY_CURRENT_CONFIG \Software \Fonts] key when Windows NT boots. This is how the hardware profile governs the desktop display. (These values are discussed in the Fonts section of Chapter 2.)

The following four values are used by some applications to set menu and toolbar fonts:

FIXEDFON.FON

Font Filename String

REG_SZ

vgafix.fon

FONTS.FON

Font Filename String

REG_SZ

vgasys.fon

LogPixels

Hexadecimal Number – 0x78 or 0x60

REG_DWORD

 

OEMFONT.FON

Font Filename String

REG_SZ

vgaoem.fon

Enabling Network Cards for Profiles

The use of network cards with hardware profiles can be enabled or disabled from the Hardware Profiles tab of the System applet by selecting a profile and clicking the Properties button. When you do this, you see the Docked Properties dialog box shown in Figure 13.2.

The network tab of this dialog box has one check box on it, labeled Network-disabled hardware profile. This check box is set through the following value under the [HKEY_LOCALMACHINE \SYSTEM \CurrentControlSet \HardwareProfiles \Current \System \CurrentControlSet \Enum \ROOT \LEGACY_ELNK3 \0000] key:

CSConfigFlags 0 or 1

REG_DWORD

Setting this value to 1 enables network cards for the Current profile.

The VGA Save key

The values under the [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \_Hardware Profiles\0001\System\CurrentControlSet\Services\VgaSave\Device0] key are used to set video options such as resolution, panning, refresh, and so on. These values, which are discussed in Chapter 2, "Configuring Display Settings," are copied to the [HKEY_CURRENT_CONFIG \System \CurrentControlSet \Services \VgaSave \Device0] key, where they are used to set the desktop display. The values found here are:

DefaultSettings.BitsPerPel

REG_DWORD

DefaultSettings.Flags

REG_DWORD

DefaultSettings.Vrefresh

REG_DWORD

Cc750985.prof02(en-us,TechNet.10).gif

Figure 13.2: Enabling network cards from the Docked Properties dialog box.

Cc750985.prof03(en-us,TechNet.10).gif

Figure 13.3: The \ROOT\ subkeys.
DefaultSettings.Xpanning
REG_DWORD
DefaultSettings.XResolution
REG_DWORD
DefaultSettings.Ypanning
REG_DWORD
DefaultSettings.Yresolution
REG_DWORD

Each hardware profile has these values.

The User Profiles Tab of the System Applet

Before we can talk about this tab we must first discuss the way that Windows NT 4.0 uses profile folders to create and store information for user profiles. These folders are the Default User folder and the ALLUSERS folder.

The Default User Folder

All user profiles are generated from the default user folder located at %SYSTEMROOT%\Profiles. This folder contains a separate folder for each profile available to the Windows NT computer. Not all computers have the same user profiles.

Tip The CSConfigFlags value is found under each hardware profile key, where Current is replaced with 0001, 0002, and so on. The value is also found under each network card that is found for the system. Each network card installed has a subkey under the [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \HardwareProfiles \Current \System \CurrentControlSet \Enum \ROOT] key. Figure 13.3 shows two installed cards.

Furthermore, all folders under the Profiles folder that have users created for them using the User Manager contain a separate NTUSER.DAT file, discussed later in this chapter. These folders contain a link-list directory—a directory with pointers to other directories—that points to the profiled user's desktop components. Table 13.1 shows the folders and contents of the link-list directory, seen in Figure 13.4.

Table 13.1 User Profile Folders

User Profile Folder

Contents

Application Data

Application data. Items that this directory may contain are a customer dictionary and application configuration files. Items in this directory are usually placed there by application rules written into the application by the vendor.

Desktop

Shortcut and other items that appear on the desktop when Windows NT boots, except for the Network Neighborhood folder.

NetHood

Shortcuts that appear in the Network Neighborhood folder found on the desktop.

Personal

Shortcuts to program items.

PrintHood

Shortcuts to printer folder items.

Recent

Shortcuts to the most recently used items.

SendTo

Shortcuts to document items.

Start menu

Shortcuts to program items.

Templates

Shortcuts to template items.

Troubleshooting If you have installed Windows NT 4.0 by upgrading a previous Windows NT 3.51 installation and you are using an old Matrox video card, the VgaSave part of the key may be labeled mga instead: [HKEY_CURRENT_CONFIG \System \CurrentControlSet \Services \mga \Device0] key.

Warning: If you are using the NTFS file system, be sure that the user's profile directory has the correct read/write permissions for the specified user or you will see the Can't open user profile error message when the user tries to log in. This message can occur if you restrict the %SystemRoot% rights by using NTFS, but then do not exempt the user's profile directory because subdirectories inherit rights from the parent directory unless specified differently.

Cc750985.prof04(en-us,TechNet.10).gif

Figure 13.4: Default User profile folders, as seen with Explorer.

The ALLUSERS Folder

The ALLUSERS folder, shown in Figure 13.4, contains settings that are used when creating new user profiles. Stored under this folder are the Common Program Groups. These folders are available to all users that log onto the computer; and can only be created, modified, or deleted by users who are members of the Administrators group.

The NTUSER.DAT File

Windows NT 4.0 also uses the NTUSER.DAT file to manage user profiles. This file, which can be seen in Figure 13.4, is found under the root of each profile folder. This file contains the Registry keys, values, and settings that make up the Registry part of a user profile. This file is actually a copy of the HKEY_CURRENT_USER subkey that is cached on the computer's local hard drive. This subkey contains the settings used to control the logged-in user's Windows NT environment, including the items shown in Table 13.2.

Author Note The SendTo folder can be used to extend the Send To menu that pops up when using the right mouse button. Items that you may want to add here are SendTo CommandLine and SendTo Microsoft Word, Excel, and so on.

Table 13.2 NTUSER.DAT Registry Components

Registry Component

Contains

Windows NT Explorer settings

All of the Windows NT Explorer settings that are user-definable. This component also includes all of the persistent network connections that are set by the user within Explorer.

Taskbar

Personal program groups, including group properties; program items, including item properties; plus all user settings for the Taskbar.

Printer settings

Network printer settings, but not local printer settings.

Control Panel

All Control Panel settings that are allowed to be set by the user.

Accessories

Settings that affect the user in terms of the Windows NT _environment, including applications such as Calculator, Clock, Notepad, Paint, and HyperTerminal.

Help bookmarks

Bookmarks that the user placed in the Windows help files.

Registry Values Set from the User Profiles Tab

Certain values are set from the User Profiles tab of the System applet, as seen in Figure 13.5.

Open this applet and select the User Profiles tab. First, you see a dialog box that lists all of the users that are allowed to log on to this computer. Each of these users has a Registry key created under the [HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \_WindowsNT \CurrentVersion \ProfileList] key. This subkey has the following form, which is the SID (security ID) for the user:

S-1-5-21-877493074-1263893664-382417117-1000

The values under this key, their settings, and where they are set from are:

UserPreference 0,1 or 3

REG_DWORD

This value is set from the Change Type dialog box, which you can reach by clicking the Change Type button shown in Figure 13.5. This dialog box has one set of radial buttons on it. If you select the Local Profile button, this value will either not exist or be set to 0. If the second button, Roaming Profile, is selected, this value is set to 1. When the Roaming Profile button is selected, the check box for slow connections is enabled. If you check this box, this value is set to 3.

Author Note You may not see the NetHood, PrintHood, Recent, or Templates folders on your computer. To see them, click the Explorer's Options menu, select View, and click the Show All Files radial button. You may also want to deselect the Hide File Extensions check box so that all extensions are displayed. Repeat this process if the folders are hidden again.

Cc750985.prof05(en-us,TechNet.10).gif

Figure 13.5: The User Profiles tab of the System applet
ProfileImagePath        Profile Path String
REG_EXPAND_SZ

This value holds a string that shows the path and filename of the profile. If the profile is a local profile, this path is of the form %SYSTEMROOT\PROFILES\USER, where USER is the name of the user. If the profile is a roaming profile on a Windows NT network, the path points to the WINLOGON directory; and if you use a Novell network, the path points to the PUBLIC directory.

Sid

REG_BINARY

This is the SID that is assigned to each user by Windows NT 4.0.

CentralProfile Template Path and Filename

REG_SZ "c:\\poledit\\example.adm"

This value shows the name of the template that is used by the System Policy Editor to create user profiles. The System Policy Editor, POLEDIT.EXE, is discussed in the next section.

System Policies and the System Policy Editor

Administrators can use the System Policy Editor to create system policies, including both network and local policies. This application is found on the Windows NT 4.0 Server CD, in the CLIENTS\SRVTOOLS\WINNT\I386 directory for Intel machines. Copy the executable to your computer, find the COMMON.ADM and WINNT.ADM files from the CLIENTS\ directory, and copy them to your %SYSTEMROOT%\INF directory.

Now, launch POLEDIT.EXE and choose New Policy from the File menu. You should now see the screen in Figure 13.6.

Two icons of particular interest are the Default User and Default Computer parts of the policy file; they are discussed later in this section.

Double-click the Default Computer icon and click the + sign next to Windows

NT Printers, and you will see the screen in Figure 13.7 (note that all three boxes will be gray when you open the icon).

In Figure 13.7, there are three boxes, each with a different setting:

  • The first box with a check means that this feature is enabled.

  • The second box, grayed out, means that this feature may be enabled, depending on other constraints that are discussed in the following sections.

  • The third box is cleared, which means that this feature is not enabled.

Each policy feature can be set to any three of these values.

Before we can discuss the Registry values and settings that are set by this application, we must first have a brief discussion of policies and how they are implemented.

Policy Files

Windows NT 4.0 uses policies to define the Windows NT environment used by a user or a group of users. If POLEDIT.EXE is used to create the policy, it contains a collection of users and computers that is controlled by the policy. This control can be either from the network or the local PC. Group policies always take precedence over user profiles.

Warning: If you are using Novell 4.1 and your users are authenticated by the tree, you should replicate the policy file to the PUBLIC directory of all servers that can be used as an entry authentication point for the NDS tree.

Author Note You can find out which SID is associated with which user by using the SID value to see the user name, which can then be associated with the SID subkey.

Author Note The COMMON.ADM file contains the Registry settings that apply to both Windows NT 4.0 and Windows 95. The WINNT.ADM file contains the Registry settings that apply only to Windows NT 4.0. The Windows 95 file is WINDOWS.ADM and applies only to Windows 95.

Cc750985.prof06(en-us,TechNet.10).gif

Figure 13.6: POLEDIT.EXE, the System Policy Editor.

If you want the policy to be automatically downloaded from a Windows NT domain, you must name the file NTCONFIG.POL. If you want to change the path and/or name for this file, either use POLEDIT.EXE, discussed later, or change the following values under the [HKEY_LOCAL_MACHINE \System \CurrentControlSet \_Control \Update] key:

UpdateMode 0, 1, or 2

REG_DWORD

If this value is set to 0, then no policies are applied; if set to 1, policies are automatically downloaded from the validating domain controller's NETLOGON share if an NTCONFIG.POL file exists there. If this value is set to 2, manual policies are in effect, and the computer checks the setting of the following value to determine whether a policy is in effect:

NetworkPath Manual Policy Filename and Path

REG_SZ C:\POLICY\MyPolicy.pol

This value sets the path for manual updates.

Verbose 0 or 1

REG_DWORD

Cc750985.prof07(en-us,TechNet.10).gif

Figure 13.7: Settings for Default Computer.

When this value is set to 1, error messages associated with the location and loading of the policy file are displayed. A setting of 0 suppresses error messages from being displayed.

LoadBalance 0 or 1

REG_DWORD

When this value is set to 1 on Windows NT Server, the policy download uses network load balancing to help prevent network bottlenecks.

If you are using a Windows NT domain, and you want to use the automatic download feature of policy files, place this NTCONFIG.POL file in the NETLOGON share of the validating domain controller (DC). If you are using a Novell network, you have to place the NTCONFIG.POL file in the PUBLIC directory of every server that authenticates the user's login. After a Windows NT 4.0 workstation locates a policy, it is applied, as discussed in the following sections.

User Preference

If the policy file contains settings that affect the logged-in user (for example, _the Sandra icon shown in Figure 13.6), these settings are written to the

Author Note If the Network Path value is set to a local path such as C:\Policy\MyPolicy.pol, it affects only the local computer. Any change to the policy needs to be made on all computers that have this local policy.

Warning: When you create shortcuts on a Windows NT computer, a UNC (Universal Naming Convention) path is embedded in the .lnk file (for example, \\SandraPC\Admin$). These embedded UNC paths are a problem if the link files are copied to the server and then used as part of the server-based policy. If this shortcut file is downloaded to a different computer than the one that it is created for, the path will be resolved to the local PC and the user will be asked for the original computer's administrator password. This problem can be fixed by applying the Microsoft Windows NT 4.0 Service Pack 3 and then following these steps:

  1. Open REGEDIT.EXE and find the [HKEY_Current_User \Software \Microsoft \Windows \CurrentVersion \Policies \Explorer] Key.

  2. Add the following value and set it to 1:

LinkResolveIgnoreLinkInfo 1

REG_DWORD

Also, the Windows NT Server Resource Kit, Supplement 2 contains the executable SHORTCUT.EXE, which can also be used to correct this problem.

Applying the Default User

If Windows NT Workstation finds a policy file, but it does not contain settings for the logged-in user, then the Default User settings are applied to the HKEY_CURRENT_USER key, even if the user has logged on as administrator. However, if the user is a member of a group that has a policy defined for it, the group settings are applied to the HKEY_CURRENT_USER key instead of the default user settings.

If any policy setting has been grayed out for a group but enabled for the default user, the Default user settings are used. Default user settings take precedence over group settings only when the Group setting is not enabled.

User Group Membership

If Windows NT Workstation finds the policy file, but it does not have specific settings for the logged-in user and the user is a member of one or more groups with settings defined for it (for example, the NTGroup in Figure 13.6), the group settings are applied to the HKEY_CURRENT_USER key, beginning with the lowest priority group and ending with the highest priority group.

The Default Computer

All policy files contain computer information in addition to user information. And if the policy contains settings for a specific computer—for example, the SandraPC icon shown in Figure 13.6—these settings are applied to the HKEY_LOCAL_MACHINE key. If no settings are found for the specific computer, any settings enabled for the default computer are applied to the HKEY_LOCAL_MACHINE key.

Using POLEDIT.EXE to Control the Registry

You can use the System Policy Editor to control and modify the Registry. There are two ways to do this:

  • Open the application and use the Registry mode.

  • Create a new policy that will be downloaded when the user logs in.

Author Note The default user for policy files should not be confused with the Default User folder mentioned in the last section. This default user is located within the policy file.

Author Note Policy files do not use Novell groups. Only Windows NT groups can have policy settings enabled for them.

Using Registry Mode

You can use the System Policy Editor to modify the Registry. First, open POLEDIT.EXE; and then select File, Open Registry.

When you do this, you see the dialog box shown in Figure 13.8. This dialog box shows two icons: one for the local user and one for the local computer.

System Policy Templates

System Policy templates are the .ADM files that POLEDIT.EXE uses to determine which Registry entries can be changed. Two standard templates, COMMON.ADM and WINNT.ADM, are supplied with Windows NT Server. These are the files that you copied to the %SYSTEMROOT%\INF directory at the start of this chapter. This file can contain Registry locations, values, and default settings. You can select a template file by choosing Options, Policy Templates from the toolbar. This brings up the Policy Template Options dialog box shown in Figure 13.9.

Notice that there are no icons present in the dialog box. This is because all policies must be closed before new template files can be loaded. If the policies are not closed, the Add and Remove buttons are disabled.

Default User Settings

The following values are set by the options found when the System Policy Editor's Default User icon is launched using the default template.

Cc750985.prof08(en-us,TechNet.10).gif

Figure 13.8: Opening the Registry with POLEDIT.EXE.

Author Note System Policy Editor can only modify Registry settings that are available from the loaded template. This template can contain only User and Hardware information.

The Control Panel—Restrict Display Option

This setting, shown in Figure 13.10, removes or enables tabs in the Control Panel Display applet by setting the following values under the [HKEY_CURRENT_USER \_Software \Microsoft \Windows \CurrentVersion \Policies \System] key.

NoDispCPL 0 or 1

REG_DWORD

When this value is set to 1 or the Deny access to display icon box is checked (see Figure 13.10), the Display applet of the Control Panel does not display. If set to 0 or the box is cleared, the applet is displayed.

NoDispBackgroundPage 0 or 1

REG_DWORD

When this value is set to 1 or the Hide Background tab box is checked (see Figure 13.10), the Background tab on the Display applet does not display. If set to 0 or the box is cleared, the tab is displayed.

NoDispScrSavPage 0 or 1

REG_DWORD

When this value is set to 1 or the Hide Screen Saver tab box is checked (see Figure 13.10), the Screen Saver tab on the Display applet does not display. If set to 0 or the box is cleared, the tab is displayed.

NoDispAppearancePage 0 or 1

REG_DWORD

When this value is set to 1 or the Hide Appearance tab box is checked (see Figure 13.10), the Screen Saver tab on the Display applet does not display. If set to 0 or the box is cleared, the tab is displayed.

NoDispSettingsPage 0 or 1

REG_DWORD

When this value is set or the Hide Settings tab box is checked (see Figure 13.10), the Screen Saver tab on the Display applet does not display. If set to 0 or the box is cleared, the tab is displayed.

The Desktop Options

The Desktop option has two boxes under it: Wallpaper and Color scheme, as seen in Figure 13.11.

Figure 13.9: Loading a policy template.

Figure 13.9: Loading a policy template.

Cc750985.prof10(en-us,TechNet.10).gif

Figure 13.10: The Restrict Display option.

The Wallpaper box sets the following values under the [HKEY_CURRENT__USER\Control Panel\Desktop] key, which sets the wallpaper file path and denotes whether it should be tiled.

Wallpaper Wallpaper Filename and path

REG_SZ

If the Wallpaper check box is checked, this value exists and will be set to the path and filename shown in the Wallpaper text box in Figure 13.11. If the box is not checked, there is no wallpaper value under this key.

TileWallpaper 0 or 1

REG_SZ

If this value is set to 1 or the Tile Wallpaper box is checked, the wallpaper given by the value is tiled.

The Color scheme box sets the following values under the [HKEY_CURRENT_USER \Control Panel\Appearance] key.

Current Color Scheme Name

REG_SZ

If the Color scheme box is checked, this value exists and is set to the Color scheme name. If the box is cleared, this value does not exist.

The Shell Restrictions Options

These options, shown in Figure 13.12, restrict certain properties of the Windows NT desktop.

Cc750985.prof11(en-us,TechNet.10).gif

Figure 13.11: The Desktop options.

These options set values under more than one Registry key. The values set under the [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Policies \Explorer] key are:

NoRun 0 or 1

REG_DWORD

When this value is set to 1 or the Remove Run Command from Start menu box is checked, the Run command shown on the Start menu is removed.

NoSetFolders 0 or 1

REG_DWORD Off

Cc750985.prof12(en-us,TechNet.10).gif

Figure 13.12: The Shell Restrictions options.

When this value is set to 1 or the Remove folders from Settings on Start menu box is checked, the Control Panel and Printers folders, found under the Start menu's Settings option, are removed.

NoSetTaskbar 0 or 1

REG_DWORD

When this value is set to 1 or the Remove Taskbar from Settings on Start menu box is checked, the Taskbar folder, found under the Start menu's Settings option, is removed.

NoFind 0 or 1

REG_DWORD

When this value is set to 1 or the Remove Find command from Start menu box is checked, the Find command, found on the Start menu, is removed.

NoDrives 3fffffff

REG_DWORD

If this value exists or if the Hide drives in My Computer box is checked, no drives are displayed in the My Computer folder.

NoNetHood 0 or 1

REG_DWORD

When this value is set to 1 or the Hide Network Neighborhood box is checked, the Network Neighborhood icon is removed from the Windows NT desktop.

NoDesktop 0 or 1

REG_DWORD

When this value is set to 1 or the Hide all items on desktop box is checked, all icons are removed from the Windows NT desktop.

NoClose 0 or 1

REG_DWORD

When this value is set to 1 or the Disable Shut Down command box is checked, the Shut Down command is removed from the Start menu.

NoSaveSettings 0 or 1

REG_DWORD

Author Note Although removing the Run command does not allow the running of applications using this command prompt, users can still launch applications from Explorer, the DOS command, Internet browser, and so on. To lock down the running of applications further, see the Run only allowed Windows applications setting, discussed in a later section.

Author Note If both the NoSetFolders and NoSetTaskbar values are set to 1, the Settings option on the Start menu is removed entirely.

If this value is set to 1 or if the Don't save settings at exit box is checked, the user cannot save any changes made to the Windows NT system.

The following values are found under the [HKEY_CURRENT_USER \Software \_Microsoft \Windows \CurrentVersion \Policies \Network] key:

NoEntireNetwork 0 or 1

REG_DWORD

When this value is set to 1 or the No Entire Network in Network Neighborhood box is checked, the Network Neighborhood icon exists, but the Entire Network option is not displayed in the Network Neighborhood folder.

NoWorkgroupContents 0 or 1

REG_DWORD

When this value is set to 1 or the No workgroup contents in Network Neighborhood box is checked, the Network Neighborhood icon exists, but the Workgroup option is not displayed in the Network Neighborhood folder.

The System Restrictions Options

These options, shown in Figure 13.13, restrict access to the Windows NT Registry.

The values that are set by these options can be found under several different Registry keys. These keys and their values are:

  • [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion Policies\System]

    DisableRegistryTools 0 or 1

    REG_DWORD

    When this value is set to 1 or the Disable Registry editing tools box is checked, the user cannot run either REGEDIT.EXE or REGEDT32.EXE because each of these programs check this value when they launch.

Tip You do not have to remove all of the drives in the My Computer folder. The NoDrives value can be used to selectively hide drives because the rightmost bit of this hexadecimal value represents the A: drive, and the leftmost bit represents the Z: drive. To hide a specific drive, turn on its bit. Use the following decimal numbers to hide the given drive:

A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, ALL: 67108863.

Author Note Removing the Shut Down command does not prevent the user from pressing Ctrl+Alt+Delete to restart the computer via the Task Manager. If you want to prevent this, remove the user's Shut Down the System right by using the User Manager.

  • [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Policies \_Explorer \RestrictRun]

    1 Application Name

    REG_SZ

    This value determines what applications can run if the Run only allowed Windows applications box is checked.

If more than one application was added to the dialog box produced when you click the Show button, there will be a numerical value listed under the previous key for each application. These values always start at 1.

The Windows NT Shell—Custom Folders Options

These options, shown in Figure 13.14, are used to customize the programs setting on the Start menu.

The values that are set by these options can be found under several different Registry keys. These keys and their values are:

Key: [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \_Explorer \User Shell Folders]

Programs UNC Path to the New Programs Folder

REG_SZ

Cc750985.prof13(en-us,TechNet.10).gif

Figure 13.13: Restricting Registry access.

Tip If you restrict applications by using the RestrictRun values, be sure to add the SYSTRAY.EXE and SETUP.EXE programs found in the %SystemRoot%\System32 directory, or else the Start button will not appear and no programs will run.

When this value is set to a pathname, or the Custom Programs folder box is checked and a path is entered into the text box, the programs shown under the Programs setting of the Start menu are read from this new location. The default for this setting is %USERPROFILE%\Start Menu\Programs.

Desktop UNC path for the new Desktop folder

REG_SZ

When this value is set to 1 or the Custom desktop icons box is checked, the Desktop icons are read from this new location. The default for this setting is %USERPROFILE%\Desktop.

Startup UNC path to the new Start folder

REG_SZ

When this value is set to 1 or the Custom Startup folder box is checked, the Start folder, found under the Programs setting on the Start menu, is read from this new location. The default for this setting is %USERPROFILE%\Start Menu\Programs\Startup.

NetHood UNC Path to the new folder

REG_SZ

When this value is set to 1 or the Custom Network Neighborhood box is checked, the Network Neighborhood folder found is read from this new location. The default for this setting is %USERPROFILE%\NetHood

Start Menu UNC Path to the new folder

REG_SZ

When this value is set to 1 or the Custom Start menu box is checked, the Start menu folders are read from this new location. The default for this setting is _%USERPROFILE%\Start Menu.

Key: [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \_Policies \Explorer]

NoStartMenuSubFolders 0 or 1

REG_DWORD

Cc750985.prof14(en-us,TechNet.10).gif

Figure 13.14: Restricting custom folders.

If this value is set to 1, or the Hide Start menu subfolders box is checked, and the Programs value is set to a path, the normal Start menu folders are hidden.

The Windows NT Shell—Restrictions Options

These options, shown in Figure 13.15, restrict program settings on the Start menu.

The values that are set by these options can be found under several different Registry keys. These keys and their values are:

Key: [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \_Policies \Explorer]

EnforceShellExtensionSecurity 0 or 1

REG_DWORD

When this value is set to 1 or if the Only use approved shell extensions box is checked, only the extensions listed under the [HKEY_ROOT] key can be created.

NoFileMenu 0 or 1

REG_DWORD

When this value is set to 1 or if the Remove File menu from Explorer box is checked, the File menu option is removed from Microsoft Explorer. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.15.)

NoCommonGroups 0 or 1

REG_DWORD

Cc750985.prof15(en-us,TechNet.10).gif

Figure 13.15: Restricting program settings.

Troubleshooting Always set the NoStartMenuSubFolders value to 1 when the Program value is in use.

When this value is set to 1 or if the Remove common program groups from Start menu box is checked, common groups found under the Programs setting on the Start menu do not display.

NoTrayContextMenu 0 or 1

REG_DWORD

When this value is set to 1 or if the Disable Context Menus for the Taskbar box is checked, then the content menus on the Taskbar will be removed. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.15.)

NoViewContextMenu 0 or 1

REG_DWORD

When this value is set to 1 or if the Disable Explorer's default Context menu box is checked, the content menus that appear when the right mouse button is clicked are removed. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.15.)

NoNetConnectDisconnect 0 or 1

REG_DWORD

When this value is set to 1 or if the Remove the Map Network Drive and Disconnect Network Drive options box is checked, the Map Network Drive and Disconnect Network Drive buttons, along with the Tools menu, are removed from Microsoft Explorer. The context menu for My Computer is also removed, which prevents the user from creating new network drive mappings. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.15.)

LinkResolvedIgnoreLinkInfo

REG_DWORD

When this value is set to 1 or if the Disable Link File Tracking box is checked, link file tracking is disabled. This value is also set to 1 if sharing is not used. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.15.)

The Windows NT System Options

These options, shown in Figure 13.16, are used to set Windows NT system options.

The values that are set by these options can be found under several different Registry keys. The following two values are found under the [HKEY_CURRENT_USER \Software \Microsoft \Windows NT\CurrentVersion\Winlogon] key.

ParseAutoexec 0 or 1

REG_SZ

Author Note When you right-click a shortcut and choose Properties, you see the path that the shortcut points to—the absolute path. When the LinkResolvedIgnoreLinkInfo value is set to 1, the absolute path is used. Use this setting when copying links to different computers.

When this value is set to 1 or if the Parse Autoexec.bat box is checked, environment variables that are declared in the computer's AUTOEXEC.BAT file are included in the user's Windows NT environment.

RunLogonScriptSync 0 or 1

REG_DWORD

When this value is set to 1 or if the Run Logon Scripts Synchronously box is checked, the logon script finishes processing before the items in the startup group can execute.

Key: [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Policies \System]

DisableTaskMgr 0 or 1

REG_DWORD

When this value is set to 1 or if the Disable Task Manager box is checked, the Task Manager execution is disabled. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.16.)

Key: [HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Explorer \Tips]

Show 0 or 1

REG_DWORD

When this value is set to 1 or if the Show Welcome Tips at Logon box is checked, the welcome screen appears when the user logs in. (This option was added with Windows NT Service Pack 2 and is not shown in Figure 13.16.)

Default User Settings

The following values are set by the options found when the System Policy Editor's Default Computer icon is launched. The options that are available for the default computer are shown in Figure 13.17.

Cc750985.prof16(en-us,TechNet.10).gif

Figure 13.16: Windows NT System options.

Network—System Policies Update

The first of the Default Computer options, System Policies Update, was discussed at the start of this chapter. Listed here are the values discussed earlier, with the Default Computer options that set them.

UpdateMode 0, 1, or 2

REG_DWORD

Checking the Remote Update box shown in Figure 13.17, along with setting the Update Mode text box sets this value as follows:

  • 0 if the Remote Update box is cleared.

  • 1 if the Remote Update box is checked and the Update Mode text box is set to automatic.

  • 2 if the Remote Update box is checked and the Update Mode text box is set to manual.

NetworkPath Manual Policy Filename and Path

REG_SZ C:\\POLICY\\MyPolicy.pol

The setting for this value, which is read from the text shown in the Path for Manual Update text box, is only used when the UpdateMode value is set to 2.

Verbose 0 or 1

REG_DWORD

If the Display Error Messages check box is checked, this value is set to 1.

LoadBalance 0 or 1

REG_DWORD

If the Load Balancing check box is checked, this value is set to 1.

Cc750985.prof17(en-us,TechNet.10).gif

Figure 13.17: The Default Computer options.

System—SNMP Options

The next group of options, shown in Figure 13.18, set options for Windows NT Simple Network Mail Protocol (SNMP).

These options set values found under subkeys of the [HKEY_LOCAL_MACHINE \System \_CurrentControlSet \Services \SNMP \Parameters] key. These subkeys and their values are:

  • \ValidCommunities

    1 Text of Valid Community

    REG_SZ

    The values found under this key start with 1 and are incremented by 1; they are set by checking the Communities check box, clicking the Show button, and using the Show dialog box to add SNMP communities. There is one value here for each community listed in the Show dialog box. This value is similar to the value set by the Run Only Allowed Windows Applications check box in the Default User options.

  • \PermittedManagers

    1 Text of Permitted Manager

    REG_SZ

    The values under this key are created in the same manner as the previous value: by checking the Permitted Managers check box, clicking the Show button, and using the Show dialog box to add SNMP permitted managers. There is one value for each permitted manager listed in the Show dialog box.

  • \TrapConfiguration\Public

    1 Text for Public Communities Traps

    REG_SZ

    Cc750985.prof18(en-us,TechNet.10).gif

    Figure 13.18: Default Computer System options.

    The values under this key are created in the same manner as the previous values: by checking the Traps for Public community check box, clicking the Show button, and using the Show dialog box to add SNMP public communities traps. There is one value for each public community trap listed in the Show dialog box.

System—Run Options

The next option, also shown in Figure 13.18, sets options for SNMP. This option sets one value found under the [HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \_CurrentVersion \Run] key. This value is:

Application Text Name

REG_SZ

Checking the Run check box, clicking the Show button, and adding programs with the Show Contents dialog box sets this value. There is one value listed under this key for each application added. The value is set to the text entered into the Value text box of the Add dialog box. If the Run check box is cleared, then this value is removed from the Registry.

Windows NT Network—Sharing Options

The next group of options, shown in Figure 13.19, sets Sharing options for Windows NT shared drives.

These options set values under the [HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanManServer \Parameters] key. These values are:

AutoShareWks 0 or 1

REG_DWORD

This value is Windows NT Workstation-specific and, if set to 1 or the Create Hidden Drive Shares (Workstation) check box is checked, <Drive>$ and <Admin>$ shares are created automatically when Windows NT Workstation starts.

AutoShareServer 0 or 1

REG_DWORD

This value is Windows NT Workstation-specific and, if set to 1 or the Create Hidden Drive Shares (Server) check box is checked, <Drive>$ and <Admin>$ shares are created automatically when Windows NT Server starts.

Windows NT Printing Options

The next group of options, shown in Figure 13.20, sets Windows NT Printing options for Windows NT.

These options set values under the [HKEY_LOCAL_MACHINE \System \_CurrentControlSet \Control \Print] key. These values are:

DisableServerThread 0 or 1

REG_DWORD

Cc750985.prof19(en-us,TechNet.10).gif

Figure 13.19: Drive Sharing options.

If this value is set to 1 or the Disable browse thread on this computer check box is checked, the print spooler does not send print jobs to other print servers.

SchedulerThreadPriority 0, 1 or ffffffff

REG_DWORD

This value can be set by checking the Settings for Scheduler priority check box and then setting the Priority text box to either Above Normal or Below normal. This value is set as follows:

  • 0. The Settings for Scheduler Priority check box is cleared.

  • 1. The Settings for Scheduler Priority check box is checked and the Priority text box is set to Below Normal.

  • ffffffff. The Settings for Scheduler Priority check box is checked and the Priority text box is set to Above Normal.

Cc750985.prof20(en-us,TechNet.10).gif

Figure 13.20: Windows NT printing options.

BeepEnabled 0 or 1

REG_DWORD

If this value is set to 1 or the Beep for error enabled check box is checked, beeping will occur every 10 seconds when a remote print job error is produced on a print server.

Windows NT Remote Access

The next group of options, shown in Figure 13.21, sets Windows NT Remote Access.

These options set values under the [HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \RemoteAccess \Parameters] key. These values are:

AuthenticateRetries Hexadecimal Number (1 – 10)

REG_DWORD

Checking the Max number of unsuccessful authentication retries check box, and setting the Number of Retries text box to a number between 1 and 10 sets this value. This value sets the number of retries that are attempted to authenticate a user onto the Windows NT network. If the Max number of unsuccessful authentication retries check box is cleared, this value does not exist. The default value is 2.

AuthenticateTime Hexadecimal Number (20 – 600)

REG_DWORD

Checking the Max time limit for authentication check box and setting the Length in Seconds text box to a number between 20 and 600 sets this value. This value sets the maximum time, in seconds, to wait for Windows NT to authenticate the user on the network. If the Max time limit for authentication check box is cleared this value does not exist. The default value is 120.

CallbackTime Hexadecimal Number (2 – 12)

REG_DWORD

Cc750985.prof21(en-us,TechNet.10).gif

Figure 13.21: Windows NT Remote Access.

Checking the Wait interval for callback check box and setting the Length in Seconds text box to a number between 2 and 12 sets this value. This value sets the time, in seconds, that Windows NT waits before performing a callback from a RAS dial-in user. The default is 2.

AutoDisconnect Hexadecimal Number (0 – 20)

REG_DWORD

Checking the Auto Disconnect and setting the Disconnect After (Minutes) text box to a number between 0 and 20 sets this value. This value sets the time, in minutes, that Windows NT waits before disconnecting a RAS client. The default is 20.

Windows NT Shell—Custom Shared Folders Options

The group of options, shown in Figure 13.22, sets options for Windows NT Custom Shared Folders.

These options set values under the [HKEY_LOCAL_MACHINE \Software \Microsoft \_Windows \CurrentVersion \Explorer \User Shell Folders] key. These values are:

Common Programs Path to location of shared programs items

REG_EXPAND_SZ

Checking the Custom shared Programs folder check box and then setting the Path to Location of Shared Programs Items text box sets this value. The default is %SystemRoot%\Profiles\All Users\Start Menu\Programs.

Common Desktop UNC Folder Path

REG_EXPAND_SZ

Checking the Custom shared desktop icons check box and then setting the Path to Location of Shared Desktop Icons text box sets this value. The default is %SystemRoot%\Profiles\All Users\Desktop.

Common Start Menu UNC Folder Path

REG_EXPAND_SZ

Cc750985.prof22(en-us,TechNet.10).gif

Figure 13.22: Windows NT Custom Shared Folders options.

Checking the Custom shared Start menu check box and then setting the Path to Location of Shared Start Menu Items text box sets this value. The default is %SystemRoot%\Profiles\All Users\Start Menu.

Common Startup UNC Folder Path

REG_EXPAND_SZ

Checking the Custom shared Startup folder check box and then setting the Path to Location of Shared Startup Items text box sets this value. The default is %SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup.

Windows NT System—Logon Options

The next group of options, shown in Figure 13.23, sets Windows NT Logon options.

These options set values under the [HKEY_LOCAL_MACHINE \Software \Microsoft \_Windows NT\CurrentVersion\Winlogon] key. These values are:

LegalNoticeCaption Caption Text

REG_SZ

Checking the Logon banner check box and then entering text into the Caption text box sets this value to the entered text. If the Logon Banner check box is cleared, this value is removed.

LegalNoticeText Notice Text

REG_SZ

Checking the Logon banner check box and then entering text into the Text text box sets this value to the entered text. You can control the display of the Notice by adding a LF/CR (line feed/carriage return) character to your text. If the Logon Banner check box is cleared, this value is removed.

ShutdownWithoutLogon 0 or 1

REG_SZ

Cc750985.prof23(en-us,TechNet.10).gif

Figure 13.23: Windows NT Custom Logon options.

When this value is set to 1 or the Enable shutdown from Authentication dialog box check box is checked, the Shutdown button found on the Windows NT login screen is removed.

DontDisplayLastUserName 0 or 1

REG_SZ

When this value is set to 1 or the Do not display last logged on user name check box is checked, the name of the last user to be authenticated to the network does not display in the logon box when Ctrl+Alt+Delete is pressed.

RunLogonScriptSync 0 or 1

REG_SZ

When this value is set to 1 or the Run logon scripts synchronously check box is checked, the Windows NT shell, including the programs in the startup group, delays initializing until the login script finishes processing. This value takes precedence over the setting for this value in the Default User options.

Windows NT System—File System Options

The next group of options, shown in Figure 13.23, sets Windows NT File System Options. These options set values under the [HKEY_LOCAL_MACHINE \System \_CurrentControlSet \Control \FileSystem] key. These values are:

NtfsDisable8dot3NameCreation 0 or 1

REG_DWORD

When this value is set to 1 or the Do not create 8.3 filenames for long filenames check box is checked, the 8.3 filename is not created for long filenames.

NtfsAllowExtendedCharacterIn8dot3Name 0 or 1

REG_DWORD

When this value is set to 1 or the Allow extended characters in 8.3 filenames check box is checked, extended characters are allowed when creating 8.3 filenames.

NtfsDisableLastAccessUpdate 0 or 1

REG_DWORD

When this value is set to 1 or the Do not update last access time check box is checked, a user can read a file without updating the last access time property of the file. This increases the performance of file open utilities.

Windows NT User Profiles Options

The next group of options, shown in Figure 13.23, sets Windows User Profiles options.

These options set values under the [HKEY_LOCAL_MACHINE \Software \Microsoft \_Windows NT\CurrentVersion\Winlogon] key. These values are:

DeleteRoamingCache 0 or 1

REG_DWORD

When this value is set to 1 or the Delete cached copies of roaming profiles check box is checked, if a user logs onto an interactive session and uses a roaming profile, the roaming user profile (which is cached locally) is deleted when the user logs off.

SlowLinkDetectEnabled 0 or 1

REG_DWORD

When this value is set to 1 or the Automatically detect slow network connections check box is checked, then Windows NT detects the existence of slow networks. This value should be set to 1 when connecting with RAS.

SlowLinkTimeOut Hexadecimal Number (1 – 20000)

REG_DWORD

When this value is set to 1, or the Automatically detect slow network connections check box is checked and the Time in Milliseconds text box is set from 1–20000; Windows NT waits the given number of milliseconds when determining if a slow network exists. The default is 2000.

Show Hexadecimal Number (0 – 600)

REG_DWORD

Cc750985.prof24(en-us,TechNet.10).gif

Figure 13.24: Windows NT User Profiles options.

Warning: Setting the NtfsDisable8dot3NameCreation value to 1 can cause DOS programs and some Windows programs to not be able to find files with long filenames.

Warning: When the NtfsAllowExtendedCharacterIn8dot3Name value is set to 1, computers that do not have the same character code page installed may not be able to read 8.3 filenames that were created with extended characters from a different character code page.

When this value is set to 1, or the Timeout for dialog boxes check box is checked and the Time (Seconds) text box is set from 1–600, Windows NT waits the given number of seconds before closing the User Profile Request dialog box. After the dialog box is automatically closed, Windows NT uses the default user profile values. If this value is set to 0, the user profile defaults are accepted. The default is 30.

About The Author

Sandra Osborne is a senior technical developer for a large international organization in Washington, D.C., where she leads a team that uses Registry manipulation and answer files to create automated installations.

Copyright © 1998 by New Riders Publishing, Pearson PTR

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice. International rights = English only.

International rights = English only.

Link
Click to order


Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft