User Profiles and System Policies: The Basics

This chapter describes how user profiles can help users maintain their own preferences, network settings, and application settings when logging on to a workstation. This chapter also describes how you can use system policies to control what users can and cannot do on the desktop and on the network. These features can help decrease the cost of managing numerous computers by allowing you to manage configurations remotely.

A user profile consists of user-specific information contained in the file USER.DAT, which is one of the two files in the Windows 95 Registry. Optionally, a user profile can also contain special Windows 95 directories. The benefits of using user profiles are summarized in this section.

  • Multiple users on a computer can retain their personal settings. "Roving" users can log on to the network from any computer and work with the same desktop settings as long as the computer is running a Windows 95 32-bit, protected-mode network client.

  • Windows 95 automatically maintains each user's profile. Whether profiles are stored locally or on the network, you need to enable user profiles only for the computers where they will be used.

  • Mandatory profiles can be used to enforce consistent desktops. This is useful for novice users who cannot manage their own desktop settings. Mandatory profiles increase user productivity and ease the burden of training and support for system managers.

System policies allow you to override local Registry values for user or computer settings. Policies are defined in a policy (.POL) file, usually called CONFIG.POL. When a user logs on, system policy settings overwrite default settings in the Registry. You can also set system policies to contain additional custom settings specific to the network.

Unlike SYSTEM.DAT and USER.DAT (the two files that make up the Registry), CONFIG.POL is not a required component of Windows 95 Setup and, when implemented, is stored on the logon server, not the local computer. The following list summarizes the benefits of system policies.

  • System policies can be used to enforce system configuration. You can restrict what users are allowed to do from the desktop and what they are allowed to configure using Control Panel. Also, you can use system policies to centrally configure network settings, such as the network client configuration options and the ability to install or configure File and Printer Sharing services. Finally, policies can be used to customize certain parts of the desktop, such as Network Neighborhood or the Programs folder.

  • Registry settings can be changed by using System Policy Editor. You can use System Policy Editor to change many common Registry settings for an individual local or remote computer. You can use these settings in a system policy file to change Registry values on multiple computers.

  • System policies can be applied individually or per group. You can use group policies to define a set of policies to be applied on the basis of membership in the groups already defined on a NetWare or Windows NT network. Group policies make computer management on the corporate network easier by leveraging the current administrative organization of users.

Windows 95 provides a set of policies that you can use to specify settings for users. You can also add new Registry settings to this set of policies or you can modify policy templates to create new custom policies for any applications that use the Windows 95 Registry.

User Profiles and System Policies: The Issues

You can use system policies or mandatory user profiles to enforce user settings. You should choose to use one method or the other, but not both. The two features differ in the following ways:

  • System policies let you mandate user-specific and computer-specific settings. Mandatory user profiles let you mandate only user-specific settings.

  • System policies let you selectively determine a subset of user settings to control, and each user controls the remaining settings. Mandatory user profiles always control every user-specific setting.

Before implementing user profiles, you should consider the following issues:

  • Do you want to use system policies for user settings? If so, you must enable user profiles on the computer.

  • What do you want to include in user profiles? For example, you might choose to include the desktop, Start menu, or Network Neighborhood in the user profile.

  • Do you want user profiles to work across the network so that they are available to roving users? If so, the computers must be running a 32-bit, protected-mode network client. Also, you must make sure that each user has a home directory on the network.

  • Should mandatory user profiles be used? If so, you must copy the necessary files to each user's home directory.

If you want to make user profiles available on the network (rather than on individual computers), you must perform the following preliminary steps:

  • Install and run a 32-bit, protected mode networking client (such as Client for NetWare Networks or Client for Microsoft Networks) on the computers.

  • Ensure that the server supports long filenames for full user profile functionality. If the server doesn't support long filenames, only USER.DAT will follow a user around the network. Users will not be able to download other folders (such as those that support the Start menu and Network Neighborhood configuration).

  • For Microsoft networks, ensure that a network home directory exists for each user because this is where user profiles are placed. (On Novell® NetWare® networks, profiles are placed in the MAIL/user_ID directory, which always exists.)

  • For each computer, use the same names for the directory and the hard disk drive in which Windows 95 is installed. If Windows 95 is installed in C:\WINDOWS on one computer and in C:\WIN95 on another computer, some components of the user profile will not be transferred between the two computers. This is also true if Windows 95 is installed on different hard disks on different computers (for example, C:\WINDOWS on one computer, and D:\WINDOWS on another).

Before implementing system policies, you should consider the following issues:

  • What types of restrictions and settings would you like to define and manage centrally? For example, do you want to limit access to the MS-DOS prompt and other applications or to Control Panel options, or do you want to implement a standard desktop for all users?

  • Do you want to use one set of standard settings for all users and computers, or do you want to customize settings by groups of users? Also, do you want to maintain individual settings for users and computers? Typically, you customize settings by groups, where the majority of users are in groups such as Accounting, Marketing, and so on, and a small group of individuals (such as administrators) have special privileges. If so, you must install special files to support group policies.

  • Will you be using user system policies (as opposed to defining only computer policies)? If so, user profiles must be enabled on the computers running Windows 95, which in turn requires that the computers use 32-bit, protected-mode network clients.

  • Do system policies in Windows 95 meet your system administration needs, or do you need a more sophisticated system? If you need a high level of administrative control, you might want to consider using a more sophisticated management software tool, such as Microsoft Systems Management Server, rather than System Policy Editor. For information, see Appendix E, "Microsoft Systems Management Server."

If you want to use system policies, you must perform the following preliminary steps:

  • On the administrator's computer, install System Policy Editor from the ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 compact disc. Decide which users can install and have access to this tool for modifying policies. For most client computers, you probably will not install System Policy Editor.

  • On the client computers, enable user profiles to ensure full support for system policies. If user profiles are not enabled, only the computer settings in any system policy will be written to the Registry.

  • Install support for group policies on the client computers if your site will use these. For information, see "System Policy Editor" later in this chapter.

Tip: You can enable user profiles and related settings automatically when installing Windows 95 by using custom setup scripts. For information, see Appendix D, "MSBATCH.INF Parameters."

User Profiles Overview

In Windows 95, user profiles contain configuration preferences and options for each user. They are particularly useful when users are encouraged to customize their computing environment, yet are forced to share computers with others who are also customizing their environments. User profiles are also beneficial to network administrators or help desk personnel who typically roam around, accessing the network from a variety of locations. Such users can work anywhere as if they were sitting at their own desks.

User profile settings include everything in the Hkey_Current_User section of the Windows 95 Registry, such as the following:

  • Control Panel settings and preferences for the Windows 95 user interface, including settings for desktop layout, background, font selection, colors, shortcuts on the desktop, the Start menu, and so on.

  • Settings for persistent network connections, plus information for recently used resources, including documents, Find Computer results, installation locations for setup, and printer ports.

  • Application settings (for applications that can write directly to the Windows 95 Registry), including settings for the accessories and applications installed with Windows 95, menu and toolbar configurations, fonts, and so on.

Each user profile includes several parts: a USER.DAT file, a backup USER.DA0 file, a Desktop folder, a Recent folder, and a Start Menu folder, plus the Programs folder under Start Menu. These folders are in the directories for each user, which are in the Windows Profiles directory, as shown in the following illustration.

When user profiles are enabled, users get their own configuration when they log on to a computer. Users can define their own preferences by customizing their desktops. Alternatively, you can define a standard user profile for use across the network or for a set of specific users.

Each user's preferences are saved to a user profile that Windows 95 uses to configure the desktop each time that user logs on. When a second user logs on to the same computer with a different user name, Windows 95 creates a separate user profile for that user. A roving user's profile is stored on a network server and downloaded to any computer on the network to which the user logs on. This occurs automatically on a NetWare and a Windows NT network. However, although Windows 95 offers the ability for roving users to move from one computer running Windows 95 to another, it does not offer the ability to move between a computer running Windows NT and one running Windows 95.

Important: Although a user profile is based on the USER.DAT file that makes up part of the Windows 95 Registry, this file cannot be edited with a text editor. To define and manage user profiles, you must use the Windows 95 tools such as Control Panel for setting configuration options, and perform the procedures described in the following sections.

In the PROFILES subdirectory of the Windows directory, a folder is created for each user who has a profile on that computer. Each of these folders contains the following:

  • A USER.DAT file that contains the user portion of the Registry

  • A USER.DA0 file that contains the backup for USER.DAT

  • A Desktop folder that contains the contents of Desktop

  • A Recent folder that contains the contents of the Documents option on the Start menu

  • A Start Menu folder that contains the contents of the Start menu, and includes the Programs folder

How Do User Profiles Work?

Each time the user logs on to a computer, Windows 95 searches the Registry under the following key to determine whether the user has a local profile:

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\ProfileList

Windows 95 also checks for the user profile in the user's home directory on the server. If the user profile on the server is the most current, Windows 95 copies it to the local computer for use during the current session, and then it loads the settings in this local copy into the Registry. If no local user profile exists, Windows 95 copies the server version to the local computer. If no profile is found, Windows 95 creates a new user profile on the local computer using default settings. If the user doesn't log on, then Windows 95 automatically uses the default user profile.

Both the local and network copies of the user profile are automatically updated with current settings when the user logs off.

If the user is logged on at more than one computer at the same time, any changes made to the profile on the computer where the user first logs off will be overwritten when the user logs off the other computer. In other words, the last logoff is saved, and no merging of changes occurs.

Enabling User Profiles

You can enable user profiles after Windows 95 is installed, either locally on a single computer or for multiple computers. You can avoid having to go to each computer to enable user profiles by creating a system policy that can be downloaded automatically when the initial Windows 95 installation is complete. For information about enabling user profiles centrally on multiple computers, see "System Policies Overview" later in this chapter.

To enable user profiles on a local computer after setup

  1. In the Passwords option in Control Panel, click the User Profiles tab.

  2. Click to select the option named Users Can Customize Their Preferences And Desktop Settings.

  3. Click the options you want under User Profile Settings. These options describe what should be included as part of the user profile.

  4. Shut down and restart the computer.

Tip: If you include desktop icons in your user profile, only the shortcuts (icons that represent links) will be available when you log on to the network from another computer. Actual files on your desktop are part of your local user profile only.

To disable user profiles on a local computer

  • In the Passwords option in Control Panel, click the User Profiles tab. Make sure the option All Users Of This PC Use The Same Preferences And Desktop Settings is selected.

Note: If an application is installed after user profiles are enabled with the option to include the Start menu and Programs in the profile, only the user who was logged on when the application was installed will have an entry for that application on the Programs menu. Other users will have to create shortcuts to the application on their Programs menus.

Setting Up User Profiles on a Windows NT Network

You can use user profiles with Windows 95 on a Windows NT network if the computer is configured to use Client for Microsoft Networks.

Note: Windows 95 does not use the PROFILES directory on a Windows NT server; that directory is used only for Windows NT profiles.

To set up user profiles on a Windows NT network

  1. For each computer, make sure that user profiles are enabled, as described in "Enabling User Profiles" earlier in this chapter.

  2. In the Network option in Control Panel, make sure Client for Microsoft Networks is selected as the Primary Network Logon client.

  3. On the Windows NT server, ensure each user is properly set up and has an assigned home directory on a Windows NT network server. (You can use the Windows NT User Manager tool to create this directory.)

When the user logs off, Windows 95 automatically places an updated copy of the user profile in the user's assigned home directory on the Windows NT network, in the following path.

\\logon_server\user's home directory

For information about User Manager and home directories, see Microsoft Windows NT Server 3.5 User Guide.

Setting Up User Profiles on a NetWare Network

You can use user profiles with Windows 95 on a NetWare network if the computer is configured to use Microsoft Client for NetWare Networks.

When a user account is created on a NetWare server, a subdirectory of the MAIL directory is automatically created for that user. Windows 95 uses this directory to store user profiles.

To set up user profiles for a Novell NetWare network

  1. For each computer, make sure that user profiles are enabled, as described in "Enabling User Profiles" earlier in this chapter.

  2. In the Network option in Control Panel, make sure Client for NetWare Networks is selected as the Primary Network Logon client.

  3. Make sure each user has an established MAIL directory.

When the user logs off, Windows 95 automatically places an updated copy of the user profile in the user's assigned MAIL directory on the NetWare network, as indicated in the following. (The user's 8-digit ID can be determined by using the NetWare SYSCON utility.)

\\preferred_server\sys\mail\user_id

Disabling Standard Roving Profiles

You might want to have user profiles enabled on a computer, but not allow the profiles to move between that computer and others. For example, if a user simultaneously uses a main computer running File and Printer Sharing services and other auxiliary computers, the roving profile for the auxiliary computers might include persistent connections to shared directories on the user's main computer. This profile would not work well on the main computer itself, since a computer cannot connect to itself.

To disable roving profiles on a particular computer

  1. In Registry Editor, expand the Hkey_Local_Machine\Network key, and select the Logon subkey.

  2. On the Edit menu, point to New, and then click DWORD Value.

  3. Type UseHomeDirectory, and then press ENTER.

Maintaining Roving User Profiles on Other Networks

Windows 95 has limited support for user profiles if the network does not have support for a 32-bit, protected-mode client or centralized network logon. This includes networks that provide only 16-bit network clients and peer networks such as Windows for Workgroups or Windows 95 without a Windows NT domain.

To enable roving user profiles on such a network, you must first establish a network directory that can be accessed by all users. For security reasons, you should ensure that this directory has read-only permissions so that users cannot modify it. You must create a text file in that directory that lists the home directories for all users who can use roving user profiles. For example, such a file might be named PROFILES.INI on \\BIGSERVER\PROFILES, and have the following contents:

[Profiles]
Mary=\\bigserver\homedirs\mary
John=\\bigserver\homedirs\john
Pat=\\bigserver\homedirs\pat

After you have created this file, you must configure each computer running Windows 95 to use it. First, disable roving profiles. For more information about disabling roving profiles, see "Enabling User Profiles" earlier in this chapter. Then do the following:

To configure a computer for roving user profiles on other networks

  1. In Registry Editor, select the Hkey_Local_Machine\Network\Logon subkey.

  2. On the Edit menu, point to New, and then click String Value.

  3. Type SharedProfileList, and then press ENTER. Then press ENTER again.

  4. In the Edit String dialog box, type the UNC path and filename for the home directory list (for example, \\BIGSERVER\PROFILES\PROFILES.INI). Click OK.

Thereafter, when a user logs on at this computer, Windows 95 will look in the specified text file to determine the user's home directory. The user's profile will be loaded from that home directory as it is from other networks. If the user is not listed in the text file, the user profile will be local only.
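The following check of a home directory list is an added example, not part of the original chapter or of Windows 95. It parses the [Profiles] section shown above and flags entries that would undermine the setup: a path that is not a UNC path, a home directory placed inside the read-only list directory, and two users mapped to the same home directory. The three checks and the extra sample entries (Lee, Kim, Ann) are assumptions chosen for illustration.

```python
from collections import defaultdict

# The first three entries are the chapter's own example. Lee, Kim and Ann
# are constructed here so that each check has something to report.
SAMPLE_LIST = r"""
[Profiles]
Mary=\\bigserver\homedirs\mary
John=\\bigserver\homedirs\john
Pat=\\bigserver\homedirs\pat
Lee=\\BIGSERVER\HOMEDIRS\PAT
Kim=H:\kim
Ann=\\bigserver\profiles\ann
"""


def parse_profile_list(text):
    """Return [(user, path)] from the [Profiles] section, in file order."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "profiles"
            continue
        if in_section and "=" in line:
            user, path = line.split("=", 1)
            entries.append((user.strip(), path.strip()))
    return entries


def normalize(path):
    """Compare paths the way Windows does: case-insensitive, no trailing slash."""
    return path.strip().replace("/", "\\").rstrip("\\").lower()


def is_unc(path):
    """True for \\\\server\\share[\\...] with a non-empty server and share."""
    if not path.startswith("\\\\"):
        return False
    parts = path[2:].split("\\")
    return len(parts) >= 2 and all(parts[:2])


def home_directory_for(entries, user):
    """Home directory for a user, or None: the profile is then local only."""
    for name, path in entries:
        if name.lower() == user.lower():
            return path
    return None


def audit(entries, list_path):
    """Return [(finding, users)] for entries that need an administrator's eye."""
    list_dir = normalize(list_path).rsplit("\\", 1)[0]
    findings, seen, by_home = [], set(), defaultdict(list)
    for user, path in entries:
        home = normalize(path)
        if user.lower() in seen:
            findings.append(("duplicate_user", (user,)))
        seen.add(user.lower())
        if not is_unc(home):
            findings.append(("not_unc", (user,)))
            continue
        # The list directory is meant to be read-only, so a profile stored
        # under it either cannot be updated or forces the share to be writable.
        if home == list_dir or home.startswith(list_dir + "\\"):
            findings.append(("inside_list_dir", (user,)))
        by_home[home].append(user)
    for users in by_home.values():
        if len(users) > 1:  # both users would write their profile to one place
            findings.append(("shared_home", tuple(users)))
    return findings


if __name__ == "__main__":
    listed = parse_profile_list(SAMPLE_LIST)
    for finding, users in audit(listed, r"\\BIGSERVER\PROFILES\PROFILES.INI"):
        print(finding, ", ".join(users))
```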

Defining Mandatory User Profiles

In Windows 95, you can create mandatory user profiles for use on Windows NT or NetWare networks. You can use this feature to create a standard user profile for each computer and ensure it is implemented at every logon. To do this, create a USER.DAT file with the settings you want, save it as USER.MAN, and place it in the network directory for each user you want to use that profile. The network directory is either the user's home directory (on a Windows NT network) or MAIL directory (on a NetWare network).

If USER.MAN is present when the user logs on, Windows 95 uses this mandatory copy to load settings into the Registry rather than any previous local user profile. If the user manually makes changes to the desktop configuration during the work session, these changes are not saved to the master copy in the user's network directory when the user logs off.

To create a mandatory user profile

  1. Enable user profiles. For information about enabling user profiles, see "Enabling User Profiles" earlier in this chapter.

  2. On any computer running Windows 95, customize the desktop as you want it to be for the mandatory user profile.

  3. Copy the required files for the user profile to the home directory for Windows NT networks or to the MAIL directory for NetWare networks, as described in "Setting Up User Profiles on a NetWare Network" earlier in this chapter.

    Note: Windows 95 copies these files automatically for normal user profiles, but not for mandatory user profiles.

  4. Rename USER.DAT to USER.MAN in the user's home directory.

System Policies Overview

System policies offer you a powerful mechanism for increasing control and manageability of computers across the network. You do not need to use a 32-bit, protected-mode client to use system policies. (If you want to define user settings, however, you must enable user profiles.) With system policies, you can do the following:

  • Restrict access to Control Panel options

  • Restrict what users can do from the desktop

  • Customize parts of the desktop

  • Configure network settings

For example, you can preset a user's environment so that the MS-DOS prompt or unapproved applications are not available. You can choose from the set of system policies offered by Windows 95 or create custom system policies.

Note: You should make some decisions about the default set of system policies before installing Windows 95. For information, see Part 1, "Deployment Planning Guide."

The system policy entries you set through System Policy Editor are reflected in the policy file (CONFIG.POL), which overwrites default USER.DAT and SYSTEM.DAT settings in the Registry when the user logs on. Policy entries change Registry settings in the following way:

  • Desktop settings modify the Hkey_Current_User key in the Registry, which defines the contents of USER.DAT. All policy settings affecting USER.DAT are defined for a specific user or for the default user.

  • Logon and network access settings modify the Hkey_Local_Machine key in the Registry, which defines the contents of SYSTEM.DAT. All policy settings affecting SYSTEM.DAT are defined for a specific computer or for the default computer.

The following figure shows how these settings are interrelated.

To use System Policy Editor, you must install the following files from ADMIN\APPTOOLS\POLEDIT: ADMIN.ADM, POLEDIT.EXE, and POLEDIT.INF. ADMIN.ADM is placed in the INF subdirectory of the Windows directory, and it provides the template to use with System Policy Editor for creating a CONFIG.POL file. CONFIG.POL must be placed in a secure network location. Any custom templates that you create will use the .ADM filename extension.

If you want to use group policies, GROUPPOL.DLL must be placed in the SYSTEM subdirectory of the Windows directory on each client computer. In addition, you must make some changes to the Registry on each computer to use GROUPPOL.DLL. For more information, see "System Policy Editor" later in this chapter.

Important: System policies are based on the content of the Registry and cannot be edited with a text editor. To define and manage system policies, you must use System Policy Editor and other supporting tools.

You can, however, use a text editor to edit the template files used by System Policy Editor, as described in "System Policy Templates" later in this chapter.

How Do System Policies Work?

When the user logs on, Windows 95 checks the user's configuration information for the location of the policy file. Windows 95 then downloads the policies and copies the information into the Registry by using the following process:

  1. If user profiles are enabled, Windows 95 checks for a user policy file that matches the user name. If it finds one, Windows 95 applies the user-specific policy. If Windows 95 does not find a user policy file, it applies the Default User policy file.

    If support for group policies is installed on the computer, then Windows 95 checks whether the user is registered as a member of any groups. If so, group policies are downloaded starting with the lowest priority group and ending with the highest priority group. Group policies are processed for all groups the user belongs to. The group with the highest priority is processed last so that the settings in that group's policy file supersede those in lower priority groups. Group policies are not applied if there is a policy file for a specific user. Then, all settings are copied into the USER.DAT portion of the Registry.

  2. Windows 95 checks for a computer policy file to match the computer name. If one exists, Windows 95 applies the computer-specific policies to the user's desktop environment. If a policy file for that computer name doesn't exist, Windows 95 applies the default computer policies. This data is then copied into the SYSTEM.DAT portion of the Registry.

By default, Windows 95 automatically attempts to download computer and user policies from the NETLOGON directory on a Windows NT server or the PUBLIC directory on a NetWare server. This default location can be overridden in a policy file setting. If no server is present, Windows 95 uses the settings currently on the computer.

Overview of System Policies for Users

You can manage user settings in system policies only if user profiles are enabled on the target computer. System Policy Editor uses the properties for Default User to define the default policies in the following areas:

  • Control Panel. Set policies to prevent the user from accessing Control Panel features, such as network, password, or system settings.

  • Desktop. Set policies to use standard wallpaper and color schemes.

  • Network. Set policies to restrict file and printer sharing or to specify networking components and settings.

  • Shell. Set policies to customize folders on the desktop and to restrict changes to the user interface.

  • System. Set policies to restrict the use of Registry editing tools, applications, and MS-DOS-based applications.

You can apply these policies to the default user, to specific named users, or to groups of users. For more information about the settings for each of these categories, see "System Policy Settings Summary" later in this chapter.

Overview of System Policies for Computers

You can use System Policy Editor to define settings for a default computer or for specific named computers. The default computer settings are used when a new user logs on to a computer that does not have individual policies assigned.

Computer settings in system policies prevent users from modifying the hardware and environment settings for the operating system, ensuring that Windows 95 starts up in a predictable way. You can set options to restrict access to computer-specific system and network features, as described in "System Policy Settings Summary" later in this chapter.

System Policy Editor

You can use System Policy Editor to create system policies. More specifically, you can do the following with System Policy Editor:

  • Set entries for the default computer and user policy entries. This creates a default policy file for all users and computers, which is downloaded when the user logs on.

  • Create entries for individual users, individual computers, or groups of users. By default, these include the policy entries you defined for Default User and default computer.

  • Specify whether and in what manner you want policies downloaded from a centralized server or specify whether you want to have policies downloaded from other specific locations for all or some users.

Caution: System Policy Editor is a powerful tool; you should restrict its use to network administrators only. To avoid unauthorized use, do not install this tool on users' computers, and restrict access to the source files so that users cannot install it themselves.

Installing System Policy Editor

You can install and use System Policy Editor from the ADMIN directory on the Windows 95 compact disc.

To install System Policy Editor

  1. In the Add/Remove Programs option in Control Panel, click the Windows Setup tab, and then click Have Disk.

  2. In the Install From Disk dialog box, click Browse and specify the ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 compact disc. Click OK, and then click OK again.

  3. In the Have Disk dialog box, make sure System Policy Editor is checked, and then click the Install button.

To run System Policy Editor

  • On the Start menu, click Run. Type poledit and then click OK.

If you want to use group policies, you must install that capability on each computer running Windows 95, either when you install Windows 95 using a custom setup script, or by using the Add/Remove Programs option in Control Panel.

To set up capabilities for group policies using Add/Remove Programs

  1. In the Add/Remove Programs option in Control Panel, click the Windows Setup tab, and then click Have Disk.

  2. In the Install From Disk dialog box, click Browse and specify the ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 compact disc. Click OK, and then click OK again.

  3. In the Have Disk dialog box, make sure Group Policies is checked, and then click the Install button.

Windows 95 Setup places GROUPPOL.DLL in the Windows SYSTEM directory on the client computer and makes the required Registry changes.

For information about adding the ability to use group policies when installing Windows 95 using custom setup scripts, see Chapter 5, "Custom, Automated, and Push Installations."

Using System Policy Editor

You can use System Policy Editor in two different modes: Registry mode and Policy File mode:

  • In Registry mode, you can directly edit the Registry of the local or remote computer, and changes are reflected immediately. For more information about editing the Registry for a remote computer, see Chapter 16, "Remote Administration."

  • In Policy File mode, you can create and modify system policy files (.POL) for use on other computers. In this mode, the Registry is edited indirectly. Changes are reflected only after the policy is downloaded when the user logs on.

To use System Policy Editor in Registry mode

  • In System Policy Editor, click the File menu, and then click Open Registry. Then, double-click the appropriate User or Computer icon, depending on what part of the Registry you want to edit. After you make changes, you must shut down and restart the computer for the changes to take effect.

System Policy Editor in Registry mode

Notice that the title bar shows "Local Registry"

Important: Use Registry mode only when you want to make direct changes to the Registry. You should typically change system settings by using the Control Panel options and other tools provided with Windows 95.

To use System Policy Editor in Policy File mode

  • In System Policy Editor, click the File menu, and then click New or Open to open a policy file.

System Policy Editor in Policy File mode

The title bar shows "Untitled" if you haven't yet saved a new policy file; otherwise it displays the policy filename

When you edit settings in Policy File mode, clicking a Registry option sets one of three possible states: checked, cleared, or grayed. Each time you click an option, the display cycles to show the next possible state. This is different from clicking a standard check box, which only sets an option to on or off. The following summarizes the three possible states for options in a policy file.

Option state

Meaning

 

Checked — this policy will be implemented, changing the state of the user's computer to conform to the policy when the user logs on. If the option was previously checked the last time the user logged on, Windows 95 makes no changes.

 

Cleared — the policy will not be implemented. If it was implemented previously (either through a policy setting or the user's configuration settings), the previously specified settings are removed from the Registry.

 

Grayed — the setting is unchanged from the last time the user logged on, and Windows 95 will make no related modifications to the system configuration.
The grayed state ensures that Windows 95 provides quick processing at system startup because it does not need to process each entry each time a user logs on.

Caution: When you define policy options, make sure you have set the proper state for the option. If you set an option by checking it, and then change your mind and clear the option, you can inadvertently destroy the user's previous configuration. If you decide not to set a particular policy option, make sure that option is grayed, so that the user's previous configuration for that setting will be used.

For example, you might check the option to specify Microsoft Client for NetWare Networks, and then click again to clear that option. When the user logs on and the policy is downloaded, this setting would wipe out the user's current configuration that specifies Client for NetWare Networks.

If a setting requires additional information, then an edit control appears at the bottom of the properties dialog box. For example, if Wallpaper is checked in the Desktop settings, the following dialog box appears.

Usually, if a policy has been checked, and you no longer want to enforce it, you should clear the box to cancel the policy. However, in the following cases, a few policies might behave differently from how you might expect if the check box is cleared:

  • The policy setting contains an edit box that must be completed (as opposed to a simple check box)

  • The policy setting can also be set by users by using Control Panel

In these cases, you should consider making sure the check box is grayed when you no longer want to enforce the policies.

The following list describes the results of different settings for such policies and how they behave.

Policy

Behavior

Settings for Wallpaper

• Checking it forces the specified wallpaper to be used.
• Clearing it removes the wallpaper (the user will not have any wallpaper).
• Leaving it grayed means that the user can choose wallpaper in the Display option in Control Panel.

Client for NetWare Networks: Preferred Server

• Checking it sets the preferred server.
• Clearing it deletes the preferred server from the computer's Registry.
• Leaving it grayed means that the user can specify the preferred server in the Network option in Control Panel.

Microsoft Client for Windows Networks: Domain

• Checking it sets the Windows NT Logon domain.
• Clearing it deletes the domain setting from the computer's Registry.
• Leaving it grayed means that the user can specify the domain in the Network option in Control Panel.

Microsoft Client for Windows Networks: Workgroup

• Checking it sets the workgroup for that computer.
• Clearing it deletes the workgroup setting from the computer's Registry.
• Leaving it grayed means that the user can specify the workgroup in the Network option in Control Panel.
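
The checked, cleared, and grayed behavior described above, including what happens when an administrator stops enforcing a policy by clearing it instead of graying it, can be modeled as follows. This Python model is an added example, not part of the Resource Kit; it reduces the Registry to a dictionary, and the setting names and data are constructed labels, not real Registry value names.

```python
"""Model of how a downloaded policy entry changes the local Registry at logon.

Setting names and data are constructed labels, not real Registry value names.
"""
from enum import Enum


class State(Enum):
    CHECKED = "checked"   # enforce: write the policy's data
    CLEARED = "cleared"   # not implemented: remove any previous setting
    GRAYED = "grayed"     # unchanged: leave whatever is there


def apply_policy(registry, policy):
    """Return the Registry contents after one logon with `policy` downloaded."""
    result = dict(registry)
    for name, (state, data) in policy.items():
        if state is State.CHECKED:
            result[name] = data
        elif state is State.CLEARED:
            result.pop(name, None)
        # GRAYED entries are skipped entirely
    return result


def settings_at_risk(registry, policy):
    """Names that a CLEARED entry would delete from this computer's Registry."""
    return sorted(
        name for name, (state, _) in policy.items()
        if state is State.CLEARED and name in registry
    )


def simulate(registry, policies):
    """Apply a sequence of policy revisions, one per logon; return each result."""
    history = []
    for policy in policies:
        registry = apply_policy(registry, policy)
        history.append(registry)
    return history


# Constructed sample: a user's own configuration before any policy exists.
USER_CONFIG = {
    "Wallpaper": r"C:\WINDOWS\FOREST.BMP",
    "PreferredServer": "NW_SALES",
    "Workgroup": "SALES",
}

# First revision: enforce a wallpaper, leave everything else alone.
ENFORCE = {
    "Wallpaper": (State.CHECKED, r"\\SERVER\POLICY\CORP.BMP"),
    "PreferredServer": (State.GRAYED, None),
    "Workgroup": (State.GRAYED, None),
}
# The administrator stops enforcing the wallpaper by clearing the box,
# and clicks PreferredServer once too often (checked, then cleared).
STOP_BY_CLEARING = {
    "Wallpaper": (State.CLEARED, None),
    "PreferredServer": (State.CLEARED, None),
    "Workgroup": (State.GRAYED, None),
}
# The same intent expressed with grayed entries.
STOP_BY_GRAYING = {name: (State.GRAYED, None) for name in USER_CONFIG}

if __name__ == "__main__":
    print("at risk:", settings_at_risk(USER_CONFIG, STOP_BY_CLEARING))
    for label, final in (("cleared", STOP_BY_CLEARING), ("grayed", STOP_BY_GRAYING)):
        print(label, simulate(USER_CONFIG, [ENFORCE, final])[-1])
```

Running `settings_at_risk` against a representative client configuration before saving a policy file shows which cleared entries would delete something on that client.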

System Policies Overview

You can copy system policies from the network either manually or automatically. If you want to copy system policies automatically, Windows 95 locates the system policy file (CONFIG.POL) in the proper directory on the network and downloads its policy settings into the Registry of the local computer when the user logs on. If you want to copy system policies manually, Windows 95 copies the system policy file from a location you specify. Automatic downloading works only if the filename for the system policy file is CONFIG.POL.

Note: Windows 95 supports automatic downloading for Windows NT and NetWare networks. The 32-bit, protected-mode network clients subsequently made available for other networks might also provide support for automatic downloading.

Setting Up for Automatic Downloading of System Policies

By default, Windows 95 downloads system policies automatically. However, if you switch to manual downloading, the following procedures describe how to return to automatic downloading.

If you created a .POL file, Windows 95 automatically downloads this file from the NETLOGON directory on a Windows NT network or from the PUBLIC directory on a NetWare network.

To set up for automatic downloading on Windows NT networks

  1. In the Network option in Control Panel, make sure that Client for Microsoft Networks is specified as the Primary Network Logon client, and that the domain is defined. For more information, see Chapter 11, "Logon, Browsing, and Resource Sharing."

  2. Create the policy file to be downloaded and save it in the following location:

\\primary domain controller\netlogon\config.pol

To set up for automatic downloading on NetWare networks

  1. In the Network option in Control Panel, make sure that Microsoft Client for NetWare Networks is specified as the Primary Network Logon client, and that a preferred server is specified in properties for the network client. For more information, see Chapter 9, "Windows 95 on NetWare Networks."

  2. Create the policy file to be downloaded and save it in the following location:

\\preferred server\sys\public\config.pol

For NetWare networks, the client computers must be running Microsoft Client for NetWare Networks. If the client computers are using NETX or VLM, then policies must be downloaded manually.

Important: Make sure you place system policy files on the user's preferred server. Policy files are not available if they are stored on other NetWare servers or on computers running File and Printer Sharing for NetWare Networks.

Setting Up for Manual Downloading of System Policies

If you use the Remote Update policy, you can configure Windows 95 to manually download policy files (even when they are stored locally) by indicating a separate network or local computer location. Manual downloading overrides automatic downloading and allows you to choose where a user's policies should be stored.

It's possible to set up each computer for manual downloading individually, but this can be time-consuming. If possible (that is, when the client computers use 32-bit, protected-mode network clients), you should set up each computer for automatic downloading, and then use the Remote Update policy to point specific computers to other servers as appropriate for your environment and users.

However, for real-mode network clients such as Novell NETX or VLM, you must enable manual downloading on each computer. After you configure the client computer, the system policy file will be downloaded the next time the user logs on.

To configure a computer for manual downloading of system policies

  1. In System Policy Editor, click the File menu, and then click Open Registry. Click Local Computer.

    – Or –

    In the File menu, click Connect. Type the name of the computer you want to configure remotely, and then click OK. Double-click the icon for that computer.

    Note: The remote computer must be running the Microsoft Remote Registry service, Remote Administration must be enabled, and user-level security must be enabled.

  2. Double-click Network, double-click Update, and click Remote Update so that this policy is checked.

    Note: If the client computer uses NETX or VLM, the policy file must be placed on a mapped drive.

    Be sure to type the UNC path and the filename in the Path For Manual Update box.

On Windows NT or NetWare networks where you are using automatic downloading of policies, you can set a system policy to allow manual downloading. This option works only after system policies have been downloaded automatically the first time after Windows 95 is installed. The first automatic downloading includes information in the system policies that defines the location to be used subsequently for manual downloading.

To define the location of policies for manual downloading

  1. In System Policy Editor, open CONFIG.POL, and then double-click the Default Computer icon.

  2. Double-click Network, then double-click Update, and then click Remote Update so that this policy is checked.

  3. In the Update Mode box, click Manual. In the Path For Manual Update box, type the UNC path and filename for the system policy file you want to download. Make sure this file exists in the location you specify. (Otherwise, an error will result.)

On large networks, when thousands of users log on at the same time, all accessing the same policy file, you might experience slow network performance. To avoid a bottleneck, Windows 95 offers load balancing on Windows NT networks. With load balancing enabled, policies are taken from the logon server (which can be a domain controller or a backup domain controller) rather than the primary domain controller. This spreads the load over a number of servers, but it does require that you replicate the policy file on each server.

To enable load balancing

  1. Perform the previous procedure, "To define the location of policies for manual downloading."

  2. In the Settings For Remote Update box, make sure Load-Balance is checked.

If you want to use load balancing, make sure it is enabled on each client computer. Also, make sure you have a current policy file on each server that will participate in load balancing, including all Windows NT domain controllers and servers. One convenient way to implement load balancing is to set this policy in the CONFIG.POL file that is on the primary domain controller. As each client computer downloads this policy, it will then subsequently look for CONFIG.POL on the logon server.

Creating System Policies

This section describes procedures for creating system policies.

To take advantage of automatic downloading discussed earlier, you should create a policy file that contains user, computer, and group entries to reside in the NETLOGON directory of a Windows NT server or the PUBLIC directory of a NetWare server. Based on the client selected, Windows 95 automatically looks in one of these locations to download your newly created system policy.

To view or edit default system policies

  1. In System Policy Editor, click the File menu, and then click New File.

  2. Double-click the Default User icon to define the default settings for user-specific policies.

    – Or –

    Double-click the Default Computer icon to define the settings for computer-specific policies.

  3. Click the policies you want to put in place.

Creating Policies for Individual Users or Computers

This section describes how to create a system policy for a user or computer.

Tip: To reduce the management load, minimize the number of user and computer entries in system policy files. Consider first creating one standard system policy for all users by editing default settings, and then create settings for individuals on an exception basis. For more information, see the STANDARD.POL example in "System Policy Examples" later in this chapter.

To create system policies for a new user or computer

  1. In System Policy Editor, click the Edit menu, and then click Add User or Add Computer.

  2. Type the name of the user or computer you want to add.

System Policy Editor adds an icon for each user or computer that you add.

To edit existing system policies

  1. In System Policy Editor, double-click the icon for the user or computer policies you want to edit.

  2. Check or clear policies by clicking the policy name.

Creating Policies for Groups

Group policies are supported for both Windows NT and NetWare networks. Creating policies for groups is similar to the process for creating policies for users or computers.

You must first ensure that GROUPPOL.DLL, which supports group policies, has been successfully installed on each client computer. For more information, see "System Policy Editor" earlier in this chapter.

You cannot create new groups by using System Policy Editor; you can use only existing groups on the NetWare or Windows NT network. To create a new group, use the tools provided with your network administrative software.

To create system policies for groups

  1. In System Policy Editor, click the Edit menu, and then click Add Group.

  2. Type the name of the group you want to add, and click OK.

    – Or –

    If user-level security is enabled, click Browse and find the name of the group. Then click OK.

  3. Check or clear policies by clicking the policy name.

Group policies are downloaded starting with the lowest priority group and ending with the highest priority group. All groups are processed. The group with the highest priority is processed last so that any settings in that group's policy file supersede those in lower priority groups. You can use one policy file for each group, even if some of the client computers in the group don't have support installed for group policies. Client computers that aren't configured for using group policies will ignore group policy files.

Important: If a policy exists for a specific named user, then group policies are not applied for that user.
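
The processing order described above has two consequences that are easy to miss when auditing a policy file: a higher-priority group can undo a restriction set by a lower-priority group, and a named-user entry removes that user from every group policy. The following Python model is an added example, not part of the Resource Kit. The dictionary layout, the highest-first `group_priority` list, and the user and group names are assumptions for illustration, and Default User handling is left out.

```python
"""Which policy sections reach a user, and what wins, under the group rules above.

Group names, user names and file contents are constructed; the policy names
come from this chapter. The dict layout is a model, not the .POL file format.
"""
CHECKED, CLEARED, GRAYED = "checked", "cleared", "grayed"


def sections_for(pol, user, member_of, group_support=True):
    """Return [(kind, name)] in the order the sections are processed at logon."""
    if user in pol["users"]:
        # A named-user entry exists, so no group policy is applied to this user.
        return [("users", user)]
    if not group_support:
        # A client without group policy support ignores group entries.
        return []
    # pol["group_priority"] lists the highest priority first (assumed layout),
    # so processing runs over it in reverse: lowest first, highest last.
    lowest_first = reversed(pol["group_priority"])
    return [("groups", g) for g in lowest_first
            if g in member_of and g in pol["groups"]]


def effective_policy(pol, user, member_of, group_support=True):
    """Merge the processed sections; a later non-grayed entry supersedes earlier ones."""
    merged = {}
    for kind, name in sections_for(pol, user, member_of, group_support):
        for setting, state in pol[kind][name].items():
            if state != GRAYED:
                merged[setting] = (state, name)   # remember which section won
    return merged


def unenforced(pol, user, member_of, baseline, group_support=True):
    """Baseline restrictions that are not checked in the user's effective policy."""
    eff = effective_policy(pol, user, member_of, group_support)
    return sorted(s for s in baseline if eff.get(s, (GRAYED, None))[0] != CHECKED)


# Constructed policy file contents.
CONFIG_POL = {
    "group_priority": ["Helpdesk", "Domain Users"],   # highest priority first
    "groups": {
        "Domain Users": {
            "Remove Run Command": CHECKED,
            "Disable Registry Editing Tools": CHECKED,
            "Disable MS-DOS Prompt": CHECKED,
        },
        "Helpdesk": {
            "Remove Run Command": CLEARED,
            "Disable Registry Editing Tools": GRAYED,
            "Disable MS-DOS Prompt": GRAYED,
        },
    },
    "users": {
        "pat": {"Disable MS-DOS Prompt": CHECKED},
    },
}
BASELINE = [
    "Disable MS-DOS Prompt",
    "Disable Registry Editing Tools",
    "Remove Run Command",
]

if __name__ == "__main__":
    cases = [("lee", {"Domain Users"}),
             ("sam", {"Domain Users", "Helpdesk"}),
             ("pat", {"Domain Users"})]
    for user, groups in cases:
        print(user, sections_for(CONFIG_POL, user, groups),
              "unenforced:", unenforced(CONFIG_POL, user, groups, BASELINE))
```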

To set priority levels for groups

  1. In System Policy Editor, click the File menu, and then click Open File.

  2. Locate the CONFIG.POL file, and then click Open.

  3. Click the Options menu, and then click Group Priority.

  4. In the Group Priority dialog box, click a group, and then use the Move Up and Move Down buttons to move it into its relative priority.

Managing Custom Folders for Use with System Policies

The administrator can define five system policies to create a custom desktop. These policies use custom folders, created by the administrator, which contain the specific settings for the customized desktop. The following list summarizes the policies used to create a custom desktop.

Policy

Description

Custom Programs Folder

Shortcuts that appear in the Programs group on the Start menu

Custom Network Neighborhood

Shortcuts to resources that appear in Network Neighborhood, including shortcuts to shared printers and files and to Dial-Up Networking connections

Custom Desktop Icons

Shortcuts that appear on the desktop

Custom Start Menu

Shortcuts and other options that appear on the Start menu, as defined by using the Taskbar Properties dialog box

Custom Startup Folder

Programs or batch files that appear in the Startup group on the Start menu

Before you create a custom desktop by using system policies, you must define custom folders.

To define custom folders for use with policy files

  1. Create and place the custom folders in a central location where users have access. You can use any valid folder names for the folders you create. Windows 95 uses the path defined for the related policy to find the folder.

    Note: To prevent accidental removal or unauthorized changes, you should place custom folders in directories where users are restricted to read-only access.

    Place the custom set of files and shortcuts you want in each folder.

    • You can place any kind of files in the custom folders.

    • For shortcuts, make sure that the path specified in the Target box in Shortcut properties is a UNC name, rather than a mapped directory. Otherwise, the users who will access resources using these shortcuts will have to have the same drives mapped in their login scripts.

Caution: Do not place folders in the custom Network Neighborhood. Windows 95 does not support this feature, and unpredictable results can occur.

To create a custom desktop by using system policies

  1. In System Policy Editor, open the system policy file.

  2. In the system policy file, set the related policies.

  3. In the Path To Get Program Items From box, type the path to the folder's location.

  4. If you checked the Custom Programs Folder policy, also check the Hide Start Menu Subfolders policy to enable it.

    Otherwise, multiple Programs entries will appear on the user's Start menu — one for the location of the Custom Program Folder and one for the default location.

If the custom folders will not be stored in the directories where Windows 95 automatically looks for them, then you must specify another location when you specify the Custom Folder policies. For example, you might want to create these folders where the system policy files are located on the server.

The following list shows the default locations for custom folders.

  • Custom Program folders:

c:\windows\profiles\username\start menu\programs

  • Custom desktop icons:

c:\windows\profiles\username\desktop

  • Custom Startup folder:

c:\windows\profiles\username\start menu\programs\startup

  • Custom Network Neighborhood:

c:\windows\profiles\username\nethood

  • Custom Start menu:

c:\windows\profiles\username\start menu

System Policy Examples

The Windows 95 Resource Kit utilities provide you with two examples of system policies. STANDARD.POL is a policy file for defining a standard desktop. MAXIMUM.POL is a policy file for maximum security and control. These example policy files are ready for you to use after minor changes such as specifying paths and file locations for custom folders at your site.

The STANDARD.POL system policy file is an example of settings that allow you to implement a level of control over users' desktop functionality while allowing specific corporate customization. STANDARD.POL includes the following additions.

Category

Policy setting

Computer settings:

 

Network Logon

Logon Banner (modify banner text as needed)
Require Validation by Network for Windows Access

Network Passwords

Hide Share Passwords with Asterisks
Minimum Windows Password Length (6)

System

Enable User Profiles

User settings:

 

Control Panel

Disable Deletion of Printer (printer restrictions)

System

Disable Registry Editing Tools (see note 1)
Disable MS-DOS Prompt

Custom Folders (see note 2)

Custom Desktop Icons
Custom Programs Folder
Custom Startup Folder
Custom Network Neighborhood
Custom Start Menu
Hide Start menu Subfolders (custom folders are defined)

Note 1: This setting disables only Registry Editor, not System Policy Editor.

Note 2: These options provide an opportunity for corporate customization, such as defining a program group containing corporate applications, applications that run at system startup, a custom Network Neighborhood, or a custom Start menu with standard choices.

To implement the custom settings specified in the STANDARD.POL policy file, make sure you define the UNC path names for the custom settings. Also be sure to place the customized folders for Programs, Startup, Network Neighborhood, and Start Menu in a secure network location, as described in "Managing Custom Folders for Use with System Policies" earlier in this chapter.

The system policy defined in MAXIMUM.POL is useful if you need to have as much control as possible over the users' computing environments. The following sample policy file will assist you in establishing the highest possible level of control.

MAXIMUM.POL is based on the STANDARD.POL file, as described in the previous section, with the following additional restrictions.

Category

Policy setting

Computer settings:

 

Network Dial-Up

Disable Dial-In

User settings:

 

Control Panel

Disable Display Control Panel (display restrictions)

Restrict System Control Panel

Hide Device Manager Page
Hide Hardware Profiles Page
Hide File System Button
Hide Virtual Memory Button

Network Sharing

Disable File Sharing Controls
Disable Print Sharing Controls

Shell Restrictions

Remove Run Command
Remove Folders from Settings on Start Menu
Remove Taskbar from Settings on Start Menu
No Entire Network in Network Neighborhood
No Workgroup Contents in Network Neighborhood
Don't Save Settings at Exit

System Policy Settings Summary

This section summarizes the policy options that you can set by default in Windows 95. These options are determined by a template (ADMIN.ADM), which can be modified as discussed in "System Policy Templates" later in this chapter. You might find it helpful to run System Policy Editor while you study these options.

These policies are described in the order that they appear in System Policy Editor. For each category, you must click the option that appears in bold type to display the related policies that you can define for that category.

Restricting Access to User-Specific Settings

When you double-click the Default User icon in System Policy Editor, a list of Control Panel, desktop, network, shell (user interface), and system settings appears so that you can predefine or restrict access to settings that will apply when the user logs on to the system. These system policy settings are stored in USER.DAT.

Restricting Access to Control Panels

The following table describes the system policies you can apply to restrict access to settings in the Display, Network, Printers, System, and Passwords options of Control Panel.

Option

Description

Restrict Display Control Panel

 

Disable Display Control Panel

Prevents access to the Display option in Control Panel.

Hide Background Page

Hides the Background properties of the Display option in Control Panel.

Hide Screen Saver Page

Hides the Screen Saver properties of the Display option in Control Panel.

Hide Appearance Page

Hides the Appearance properties of the Display option in Control Panel.

Hide Settings Page

Hides the Settings properties of the Display option in Control Panel.

Restrict Network Control Panel

 

Disable Network Control Panel

Prevents access to the Network option in Control Panel.

Hide Identification Page

Hides the Identification properties of the Network option in Control Panel.

Hide Access Control Page

Hides the Access Control (user level vs. share level) properties of the Network option in Control Panel.

Restrict Passwords Control Panel

 

Disable Passwords Control Panel

Prevents access to the Passwords option in Control Panel.

Hide Change Passwords Page

Hides the Change Passwords properties of the Passwords option in Control Panel.

Hide Remote Administration Page

Hides the Remote Administration properties of the Passwords option in Control Panel.

Hide User Profiles Page

Hides the Profiles properties of the Passwords option in Control Panel.

Restrict Printers Settings

 

Hide General And Details Pages

Hides the General and Details properties for the Printer option in Control Panel.

Disable Deletion Of Printers

Prevents the deletion of installed printers.

Disable Addition Of Printers

Prevents the installation of printers.

Restrict System Control Panel

 

Hide Device Manager Page

Hides the Device Manager properties from the System option in Control Panel.

Hide Hardware Profiles Page

Hides the Hardware Profiles properties from the System option in Control Panel.

Hide File System Button

Hides the File System button from the Performance properties in the System option in Control Panel.

Hide Virtual Memory Button

Hides the Virtual Memory button from the Performance properties in the System option in Control Panel.

Defining User Policies for Desktop Settings

Within this category of options, you can predefine settings or restrict users from defining wallpaper and color scheme settings, as listed in the following table.

Option

Description

Wallpaper Name

When checked, the specified bitmap will be used as the wallpaper.

Tile Wallpaper

When checked, the wallpaper file will be tiled in the background of the desktop.

Color Scheme

When checked, the user will automatically see the specified color scheme.

Restricting Access to Network Settings

Within this category of options, you can restrict the user's ability to share files and printers. Typically, you might want to set these policies to apply when File and Printer Sharing services are installed, but when you do not want users to change which resources are shared on their computers.

Option

Description

Sharing

 

Disable File Sharing Controls

Removes the Sharing properties from directories in Windows Explorer.

Disable Print Sharing Controls

Removes the Sharing properties from the Printer directory.

Restricting Access to Shell Settings

The following table describes the system policies you can apply to directories and user interface options.

Option

Description

Custom Folders

 

Custom Programs Folder

Customizes the contents of the Programs directory. You must also type a path for the directory containing complete files or .LNK files that define the Programs directory items.

Custom Desktop Icons

Customizes desktop icons. You must also type a path for the directory containing complete files or .LNK files that define the desktop shortcuts.

Hide Start Menu Subfolders

Check this when you use a custom Programs folder. Otherwise, two Programs entries will appear on the user's Start menu.

Custom Startup Folder

Customizes the contents of the Startup directory. You must also type a path for the directory containing complete files or .LNK files that define the Startup directory items.

Custom Network Neighborhood

Customizes the contents of Network Neighborhood. You must also type a path for the directory containing complete files or .LNK files that define the Network Neighborhood items.

Custom Start Menu

Customizes what is listed on the Start menu. You must also type a path for the directory containing complete files or .LNK files that define the Start menu items.

Restrictions

 

Remove Run command

Prevents access to the Run command on the Start menu.

Remove Folders From Settings On Start Menu

Prevents access to any item listed under Settings on the Start menu.

Remove Taskbar From Settings On Start Menu

Prevents access to the Taskbar item listed under Settings on the Start menu.

Remove Find Command

Prevents access to any of the items listed under Find on the Start menu.

Hide Drives In My Computer

Prevents access to My Computer.

Hide Network Neighborhood

Prevents access to Network Neighborhood.

No Entire Network In Network Neighborhood

Prevents access to the Entire Network icon in Network Neighborhood.

No Workgroup Contents In Network Neighborhood

Prevents workgroup contents from being displayed in Network Neighborhood.

Hide All Items On Desktop

Prevents access to all items on the desktop.

Disable Shut Down Command

Prevents access to the Shut Down command on the Start menu; displays explanation in a dialog box.

Don't Save Settings At Exit

Prevents settings from being written to the file system.

Restricting Access to System Settings

The system policies in this category restrict the use of Registry editing tools, applications, and MS-DOS-based applications. The following table describes the policies you can set within this category.

Option

Description

Restrictions

 

Disable Registry Editing Tools

Prevents access to Registry Editor. It does not prevent access to the Registry mode in System Policy Editor.

Only Run Allowed Windows Applications

Prevents users from running any Windows-based applications except those that are listed. Click Show to define the allowed applications.

Disable MS-DOS Prompt

Prevents access to the MS-DOS prompt.

Disable Single-Mode MS-DOS Applications

Prevents users from running MS-DOS-based applications in MS-DOS Mode.

Restricting Access to Computer-Specific Settings

When you double-click the Default Computer icon in System Policy Editor, a list of system policy options for settings that apply to the computer appears. This section describes these options.

Restricting Access to Computer-Specific Network Settings

This category of options includes system policy settings for the following:

  • Enabling user-level security

  • Logon dialog box settings

  • Client for Microsoft Networks settings

  • Microsoft Client for NetWare Networks settings

  • Password settings

  • Dial-Up Networking settings

  • Sharing settings

  • Simple Network Management Protocol (SNMP) settings

  • Update settings for policy downloading

These system policies are applied for the computer and are stored in SYSTEM.DAT. The following table describes the system policies you can set within this category.

Option

Description

Access Control

 

User-Level Access Control

When checked, enables user-level security on the local computer using pass-through logon validation by a Windows NT or a NetWare server. You must specify the server and the type of authenticator for validation.

Logon

 

Logon Banner

When checked, allows you to specify text for a caption and other text to be displayed in a logon banner.

Require Validation By Network For Windows Access

When you check this option, each logon must be validated by a server before access to Windows is allowed. This policy has no effect on a portable computer after it is undocked.

Microsoft Client for NetWare Networks

 

Preferred Server

When checked, allows you to specify the name of the NetWare network server used by this computer as the first server logged on to.

Support Long Filenames

When checked, allows support for long filenames. The values are 0 (no support for long filenames on NetWare servers), 1 (support on NetWare servers version 3.12 and greater), and 2 (support if the NetWare server supports long filenames).

Search Mode

Sets NetWare search mode (the value is 0 – 7).

Disable Automatic NetWare Login

Specifies that Windows 95 should not first silently use the user's name and password to attempt to connect to a NetWare server, which is the default behavior.

Microsoft Client for Windows Networks

 

Log On To Windows NT

When checked, specifies that this computer can participate in a Windows NT domain. Type the name of the domain. If this option is checked, the next two options are also available.

Display Domain Logon Validation

When checked, displays a message when the domain controller has validated user logon.

Disable Caching Of Domain Password

When checked, specifies that no caching is used for the network password.

Workgroup

When checked, specifies that this computer can participate in a workgroup. Type the name of the workgroup.

Alternative Workgroup

Specifies that an alternate workgroup must be defined to see Microsoft peer servers in other workgroups if your workgroup does not have any computers running File and Printer Sharing for Microsoft Networks (that is, they all run File and Printer Sharing for NetWare), but the computer runs a Microsoft network client. The workgroup specified should include at least one computer running File and Printer Sharing for Microsoft Networks.

Passwords

 

Hide Share Passwords With Asterisks

Replaces characters with asterisks when users type passwords to access a shared resource. Applies to share-level security only; this setting is on by default.

Disable Password Caching

Prevents saving passwords. (Notice that the user cannot successfully use the Quick Logon feature for Microsoft networks if password caching is disabled.)

Require Alphanumeric Windows Password

Requires that the Windows password contain a combination of letters and numbers.

Minimum Windows Password Length

Requires that the Windows logon password has at least the specified number of characters.

Dial-Up Networking

 

Disable Dial-In

Prevents dial-in connections to the computer.

Sharing

 

Disable File Sharing

Prevents file sharing over a network.

Disable Print Sharing

Prevents printer sharing over a network.

SNMP

 

Communities

Specifies one or more groups of hosts to which this computer belongs for purposes of SNMP administration. These are the communities that are allowed to query the SNMP agent.

Permitted Managers

Specifies IP or IPX addresses allowed to obtain information from an SNMP agent. If this policy is not checked, any SNMP console can query the agent.

Traps For Public Community

Specifies trap destinations, or IP or IPX addresses of hosts in the public community to which you want the SNMP service to send traps.
For information about sending traps to other communities, see Chapter 16, "Remote Administration."

Internet MIB (RFC 1156)

Allows you to specify the contact name and location if you are using Internet MIB.

Update

 

Remote Update

Defines how system policies will be updated. When checked, the following options appear.

Update Mode

Determines whether system policies are downloaded automatically (the default) or manually.

Path For Manual Update

Specifies the UNC path and filename for manual downloading of system policies.

Display Error Message

When a user logs on, if the system policy file is not available, displays an error message.

Load-Balance

For Windows NT networks, allows Windows 95 to look for policy files on that server.

Restricting Access to Computer-Specific System Settings

This category of options includes system policy settings for the network path for setup and user profiles. The following table describes the system policies you can set within this category.

Option

Description

Enable User Profiles

When checked, this setting enables user profiles.

Network Path For Windows Setup

Defines the network location of the Windows 95 Setup program and files. You must also type a UNC path for the setup directory.

Run

Defines applications and utilities to run when the user logs on. Click Show to specify items to run.

Run Once [1]

Defines applications and utilities to run once when the user logs on. Click Show to specify items to run.

Run Services

Defines services to run at system startup. Click Show to specify items to run.

[1] Run Once is a Registry key that allows any executable file to be run just once after a user logs on to the computer. After the related program is started, its name is removed automatically from the Registry so that it does not run again. You can set the Run Once system policy to set values in the Run Once Registry key. However, if you leave this option checked in the policy file, then each time the user logs on, that executable name will be placed in the Run Once Registry key to be run again. To ensure that the executable runs only once, the policy must be checked only long enough to be downloaded once into the user's Registry. Then the policy must be cleared or changed so that the same Run Once entry will not run the next time the user logs on.

System Policy Templates

When you run System Policy Editor, Windows 95 opens the default policy template, which contains existing policies that you can enable or modify. A template is a listing of the possible policies that you can use. By default, this template file is named ADMIN.ADM and is stored in the Windows INF directory.

This section describes how you can create custom system policy templates (.ADM files) and switch between multiple templates in System Policy Editor.

For example, it might be helpful to have system policy settings for corporate-specific applications, such as an in-house database, custom front end, or electronic mail package. After a template has been customized, you can then load the template and use it to set values in the Registry.

Note: If you want to define system policies for applications, the applications must be able to read the Windows 95 Registry.

Creating your own template is helpful when you want to define a specific set of Registry settings in your system policies, including settings not definable by default through System Policy Editor. As shown in the following illustration, the template defines the policies you can set through System Policy Editor. Changes you make there are reflected in the policy file (shown in the example as CONFIG.POL), which in turn updates the Registry when the user logs on.

[Illustration: the template, System Policy Editor, the policy file (CONFIG.POL), and the Registry]

To use a template other than the default template

  1. In System Policy Editor, make sure all policy files are closed.

  2. On the Options menu, click Template.

  3. Click Open Template, and select an .ADM file to be your template to begin setting system policies. Click Open.

  4. Click Close to return to System Policy Editor.

You can create your own templates that can be read by System Policy Editor. Users can then load the template and use it to set values in the Registry. To create a template, use a text editor such as WordPad to edit or write an .ADM file. You can open the default template named ADMIN.ADM in the Windows INF directory to use as an example.

A template uses several key words, syntaxes, and symbols, as summarized in the following list.

  • Class:

CLASS category_type

  • Category:

CATEGORY name
   [KEYNAME key_name]
   [... policy definition statements ...]
END CATEGORY

  • Policy:

POLICY name
   [KEYNAME key_name]
   [... part definition statements ...]
END POLICY

  • Part:

PART name part_type
   type-dependent data
   [KEYNAME key_name]
   VALUENAME value_name
END PART

The following table describes the keywords in system policy templates. Following this table are lists of the controls and values that can be defined in templates.

Template key word

Description

CLASS

Defines the Registry key that can be edited; the value must be USER or MACHINE, corresponding to Hkey_Current_User or Hkey_Local_Machine, respectively.

CATEGORY name

Defines a category in System Policy Editor. If a name contains spaces, it must be enclosed in quotes. A category statement can appear only once for each category name.

END CATEGORY

Defines the end of a category and all of its policies.

POLICY name

Defines a policy within a category. Policy names that contain spaces must be enclosed in quotes.

END POLICY

Defines the end of a policy and all its parts.

PART name

Defines one or more controls that can be used to set the values of a policy. Part names that contain spaces must be enclosed in quotes. Policy part types and type-dependent data are described in the following tables.

END PART

Defines the end of the control list.

VALUEON

Specifies the setting to assign to the value when the policy is checked.

VALUEOFF

Specifies the setting to assign to the value when it is not checked.

KEYNAME

Specifies the full path of the Registry key. This is an optional Registry key name to use for the category or policy. If there is a key name specified, it is used by all child categories, policies, and parts, unless they define a key name of their own.

VALUENAME

Defines the Registry value entry name.

VALUE

Specifies the Registry value to set to a VALUENAME.

!!

Indicates a string value.

[strings]

Defines a section containing string values.

A system policy template uses the following part control indicators.

Part Control Indicator

Description

CHECKBOX

Displays a check box. The value is nonzero if checked by the user, and its value entry is deleted if it is unchecked.

NUMERIC

Displays an edit field with an optional spin control that accepts a numeric value.

EDITTEXT

Displays an edit field that accepts alphanumeric text.

COMBOBOX

Displays a combo box, which is an edit field plus a drop-down list for suggested values.

TEXT

Displays a line of static (label) text. There is no Registry value associated with this part type.

DROPDOWNLIST

Displays a drop-down list. The user can choose from only one of the entries supplied. The main advantage of a drop-down list is that, based on the user's selection, a number of extra Registry edits can be performed.

LISTBOX

Displays a list box with Add and Remove buttons. This is the only part type that can be used to manage multiple values under one key.

A system policy template uses the following type-specific information.

Type-specific modifier

Description

CHECKBOX:

 

DEFCHECKED

Causes the check box initially to be checked.

VALUEON

If specified, overrides the default "on" behavior of the check box. For example: VALUEON "On" writes "On" to the Registry.

VALUEOFF

If specified, overrides the default "off" behavior of the check box. For example: VALUEOFF "Off" writes "Off" to the Registry.

ACTIONLISTON

Specifies optional action list to be taken if check box is "on."

ACTIONLISTOFF

Specifies optional action list to be taken if check box is "off."

NUMERIC:

 

DEFAULT value

Specifies initial numeric value for the edit field. If this statement is not specified, the edit field is initially empty.

MIN value

Specifies minimum value for number. Default value is 0.

MAX value

Specifies maximum value for number. Default value is 9999.

SPIN value

Specifies increments to use for a spin control. Specifying SPIN 0 removes the spin control; SPIN 1 is the default.

REQUIRED

If specified, System Policy Editor will not allow a policy containing this part to be enabled unless a value has been entered.

TXTCONVERT

Writes values as strings rather than binary values.

EDITTEXT:

 

DEFAULT value

Specifies the initial string to place in the edit field. If this is not specified, the field is empty initially.

MAXLEN value

Specifies the maximum length of the string in the edit field.

REQUIRED

If specified, System Policy Editor will not allow a policy containing this part to be enabled unless a value has been entered.

COMBOBOX:

 

 

Accepts all the key words that EDITTEXT does, plus SUGGESTIONS.

SUGGESTIONS

Begins a list of suggestions to be placed in the drop-down list. Suggestions are separated with spaces and can be enclosed by quotes. The list is terminated with END SUGGESTIONS. For example:
SUGGESTIONS
Alaska Alabama Mississippi "New York"
END SUGGESTIONS

TEXT:

Contains no type-specific data.

DROPDOWNLIST:

 

REQUIRED

If specified, System Policy Editor will not allow a policy containing this part to be enabled unless a value has been entered.

ITEMLIST

Begins a list of the items in the drop-down list. The end of the list must be terminated by END ITEMLIST. Each item in the list is specified as follows:
NAME name VALUE value
[ACTIONLIST actionlist]
...
name is the text to be displayed in the related drop-down list.
value is the value to be written for the part's value if this item is selected. Values are assumed to be strings, unless they are preceded by the key word NUMERIC. For example:
VALUE "Some value"
VALUE NUMERIC 1
If the VALUE key word is followed by the DELETE key word (that is, VALUE DELETE), then this Registry name/value pair will be deleted.
actionlist is an optional list to be used if this value is selected.

LISTBOX:

 

VALUENAME

Cannot be used with the list box type, because there is no single value name associated with this type. By default, only one column appears in the list box, and for each entry a value is created with an identical value name and value data. For instance, the List Entry value in the list box would create a value named "List Entry" containing "List Entry" as data.

VALUEPREFIX prefix

Defines the prefix to be used in determining value names. If a prefix is specified, then this prefix plus "1," "2," and so on will be used instead of the default value naming scheme listed earlier in this table. The prefix can be empty (" "), which will cause the value names to be "1," "2," and so on. A prefix of SomeName will generate value names "SomeName1," "SomeName2," and so on.

EXPLICITVALUE

Causes the user to specify the value data and the value name. The list box shows two columns for each item, one for the name and one for the data. This key word cannot be used with the VALUEPREFIX key word.

ADDITIVE

If specified, values set in the list box are added to whatever values exist in the target Registry. Existing values are not deleted; by default, the content of list boxes will "override" whatever values are set in the target Registry. Specifically, a control value is inserted in the policy file which causes existing values to be deleted before the values set in the policy file are merged.

Strings:

 

!!

Indicates a string value. For example:
!!StrConst

[strings]

Defines a section of string values; the values are defined in the following format:
var_name=string value
For example:
StrConst="Control Name"

Comments

Can be added by preceding the line with a semicolon (;).

The following example shows a template that uses all the types of controls. This sample .ADM file is included with the Windows 95 Resource Kit utilities.

CLASS USER
CATEGORY "Control Category 1"
KEYNAME KeyName1
   POLICY "Policy1"
      ; actions to take when policy is checked
      ACTIONLISTON
         KEYNAME KeyName1
         VALUENAME Checked1   VALUE "AAA"
         VALUENAME Checked2   VALUE "BBB"
         VALUENAME Checked3   VALUE "CCC"
         KEYNAME KeyName2
         VALUENAME Unchecked1   VALUE DELETE
         VALUENAME Unchecked2   VALUE DELETE
         VALUENAME Unchecked3   VALUE "not checked"
      END ACTIONLISTON
      ; actions to take when policy is unchecked
      ACTIONLISTOFF 
         KEYNAME KeyName1
         VALUENAME Checked1   VALUE ""
         VALUENAME Checked2   VALUE ""
         VALUENAME Checked3   VALUE ""
         KEYNAME KeyName2
         VALUENAME Unchecked1   VALUE "AAA"
         VALUENAME Unchecked2   VALUE "BBB"
         VALUENAME Unchecked3   VALUE "CCC"
      END ACTIONLISTOFF
   END POLICY
   POLICY "CheckBox"
      PART "CheckBox1:" CHECKBOX DEFCHECKED
         VALUENAME "CheckBox Control"
         VALUEON "is checked" VALUEOFF "is not checked"
      END PART
   END POLICY
END CATEGORY
CATEGORY "Control Category 2"
KEYNAME KeyName3
   POLICY "Static and Spin"
      PART "Below is a spin control" TEXT
      END PART
      PART "Spin:" NUMERIC SPIN 10 REQUIRED
      MAX 110
      VALUENAME "Spin" 
      END PART
   END POLICY
   CATEGORY "Sub Category 1"
   KEYNAME KeyName4
      POLICY "ComboBox"
         PART "Combo:" COMBOBOX
         SUGGESTIONS 
            One Two Three Four
         END SUGGESTIONS
         VALUENAME "Combo Control" 
         END PART
      END POLICY
      POLICY "Drop Down List"
         PART "DropDown" DROPDOWNLIST
         VALUENAME DropDown REQUIRED
         ITEMLIST
            NAME "Name One" VALUE "Value One"
            ACTIONLIST
               VALUENAME "Value Name 1"   VALUE "Value 1"
               VALUENAME "Value Name 2"   VALUE "Value 2"
            END ACTIONLIST
            NAME "Name Two" VALUE "Value Two"
            ACTIONLIST
               VALUENAME "Value Name 1"   VALUE DELETE
               VALUENAME "Value Name 2"   VALUE DELETE
            END ACTIONLIST
            NAME "Name Three" VALUE NUMERIC 333
            NAME "Name Four" VALUE "Value Four"
         END ITEMLIST
         END Part
      END POLICY
   END CATEGORY
   POLICY "Edit"   
      PART "Edit" EDITTEXT
      MAXLEN 10
      VALUENAME Edit 
      DEFAULT "Edit Default"
      END Part
   END POLICY
   POLICY "List Box"
   KEYNAME KeyName5
      PART "List Box Control" LISTBOX EXPLICITVALUE
      END PART
   END POLICY
END CATEGORY

The following shows the policies created by this sample .ADM file as they appear in System Policy Editor.

[Illustration: the sample policies as they appear in System Policy Editor]
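A custom template is in effect a list of Registry writes, so before loading one it helps to see exactly which keys it touches. The following Python example is added here and is not part of the Resource Kit or its utilities: it parses the template syntax described above, resolves KEYNAME inheritance, and flags writes that fall outside an expected key. The ExampleCorp key and value names and the function names are assumptions made for the illustration.

```python
import re
from collections import namedtuple

Write = namedtuple("Write", "hive key value policy via data")
HIVES = {"USER": "Hkey_Current_User", "MACHINE": "Hkey_Local_Machine"}
SCOPES = ("CATEGORY", "POLICY", "PART")
ACTIONS = ("ACTIONLISTON", "ACTIONLISTOFF", "ACTIONLIST")

# Constructed template for a hypothetical in-house application (all names assumed).
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Cat
KEYNAME Software\ExampleCorp\InHouseDB
   POLICY "Lock down client"
      ACTIONLISTON
         VALUENAME "AllowExport" VALUE NUMERIC 0
         KEYNAME Software\ExampleCorp\Shared
         VALUENAME "DebugLog" VALUE DELETE
      END ACTIONLISTON
   END POLICY
   POLICY "Allowed reports" KEYNAME Software\ExampleCorp\InHouseDB\Reports
      PART "Reports" LISTBOX EXPLICITVALUE
      END Part
   END POLICY
END CATEGORY
[strings]
Cat="In-House Database"
'''

def parse_adm(text):
    """List every Registry write a template defines, with KEYNAME inheritance resolved."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith(";")]
    cut = next((n for n, l in enumerate(lines) if l.lower() == "[strings]"), len(lines))
    strings = dict(l.split("=", 1) for l in lines[cut + 1:] if "=" in l)
    toks = re.findall(r'"[^"]*"|\S+', " ".join(lines[:cut]))
    writes, scopes, hive, act, act_key = [], [], None, None, None
    def text_of(tok):  # expand !!name from [strings], then strip quotes
        return (strings.get(tok[2:], tok) if tok.startswith("!!") else tok).strip('"')
    def record(value):
        # Nearest KEYNAME wins: action list first, then part, policy, category.
        key = (act and act_key) or next((s["key"] for s in reversed(scopes) if s["key"]), None)
        policy = next((s["name"] for s in reversed(scopes) if s["kind"] == "POLICY"), None)
        writes.append(Write(hive, key, value, policy, act or scopes[-1]["type"] or "POLICY", None))

    it = iter(toks)
    for tok in it:  # tokens not handled below (DEFAULT, MAX, REQUIRED, ...) are skipped
        kw = tok.upper()
        if kw == "CLASS":
            hive = HIVES[next(it).upper()]
        elif kw in SCOPES:
            scopes.append({"kind": kw, "name": text_of(next(it)), "key": None,
                           "type": next(it).upper() if kw == "PART" else None})
        elif kw in ACTIONS:
            act, act_key = kw, None
        elif kw == "KEYNAME" and act:
            act_key = text_of(next(it))
        elif kw == "KEYNAME":
            scopes[-1]["key"] = text_of(next(it))
        elif kw == "VALUENAME":
            record(text_of(next(it)))
        elif kw in ("VALUE", "VALUEON", "VALUEOFF"):
            v = next(it)
            data = (int(next(it)) if v.upper() == "NUMERIC" else
                    "<delete>" if v.upper() == "DELETE" else text_of(v))
            if act and kw == "VALUE":  # action-list entry: VALUENAME x VALUE y
                writes[-1] = writes[-1]._replace(data=data)
        elif kw == "END":
            what = next(it).upper()
            if what in ACTIONS:
                act = act_key = None
            elif what in SCOPES:
                if scopes[-1]["type"] == "LISTBOX":
                    record("*")  # LISTBOX has no VALUENAME; names come from the list
                scopes.pop()
    return writes

def outside_prefix(writes, prefix):
    """Writes that land outside the key the template is meant to manage."""
    root = prefix.lower() + "\\"
    return [w for w in writes if not ((w.key or "") + "\\").lower().startswith(root)]
```

For the constructed sample, `outside_prefix(parse_adm(SAMPLE_ADM), r"Software\ExampleCorp\InHouseDB")` returns only the DebugLog deletion, because its action list switches KEYNAME to a key outside the application's own.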

Troubleshooting with System Policy Editor

This section contains some common problems that you might encounter when implementing system policies and some suggestions for fixing those problems.

In general, when troubleshooting problems with system policies, verify the following:

  • The related Registry key is correct in the policy template (.ADM) file.

  • The related policy is set properly in the policy (.POL) file.

  • The related application actually uses the Registry key being changed.

  • The policy file is located in the correct network location, and the network location is accessible from the computer running Windows 95.

  • For group policies, the user name, group name, and computer name are correct, and the user is a member of the specified group.

When troubleshooting system policies, you should turn on error messages. You can do this from the Remote Update policy, as explained in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. This setting displays error messages when policies cannot be downloaded correctly; the error messages might help identify the problem.

The computer seems to be picking up some of the policies, but not all of them.

In this case, the computer might not be picking up any policies for Default User or for a particular user; it might be picking up only policies set for Default Computer or for a particular computer. In this case, make sure that user profiles are enabled on that computer. In the Passwords option in Control Panel, click the User Profile tab and set the desired options.

The computer does not seem to be picking up policies from a CONFIG.POL file on the Windows NT domain.

  • Make sure that there is a CONFIG.POL file in the NETLOGON directory on the primary domain controller on the Windows NT network.

  • Make sure that the client computer has its domain set properly in the properties for Client for Microsoft Networks in the Network option in Control Panel.

  • Make sure that the client computer is successfully logging on to that domain.

  • Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. Windows 95 is configured for automatic policy downloading by default.

  • Enable error messages on the client computer and see if an error message is displayed.

The computer running Microsoft Client for NetWare Networks does not seem to be picking up the policies from a CONFIG.POL file on the NetWare server.

  • Make sure that there is a CONFIG.POL in the PUBLIC directory on the SYS: volume of a NetWare 3.x or 4.x server. You cannot put the CONFIG.POL file on a computer running Windows 95 with File and Print Sharing for NetWare Networks.

  • Make sure that the client computer has its Preferred Server set to the NetWare server that contains CONFIG.POL. This setting is located in the properties for Client for NetWare Networks in the Network option in Control Panel.

  • Make sure that the client computer is successfully logging on to that preferred server.

  • Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter.

  • Enable error messages on the client computer and see if an error message is displayed.

The computer running a Novell-supplied VLM or NETX client does not seem to be picking up the policies from the CONFIG.POL on the NetWare server, even though the file is in SYS:PUBLIC.

Automatic downloading of system policies on a NetWare server works only when the client computer is running Microsoft Client for NetWare Networks. If the computer is running the Novell-supplied VLM or NETX client, then you must use manual downloading from a mapped drive. For information, see "Setting Up for Manual Downloading of System Policies" earlier in this chapter.

The client computer is set for manual downloading, but it is not picking up the policies.

  • Make sure that the path specified for manual downloading includes the name of the policy file itself.

  • Make sure that the directory in which you placed the policy file can be accessed by the user that is logging on to the computer running Windows 95.

You have implemented a policy and then cleared it, but it appears to still be in effect, or it does not do what you thought it would do.

Does the policy have an edit box that needs to be completed? For example, do you need to specify the wallpaper or workgroup name? If so, then by clearing the policy, you are actually deleting the Registry setting for that value. For example, by clearing the wallpaper policy, the wallpaper Registry setting is made to be blank, and thus the user will have no wallpaper.

For all policies that involve settings that users can manipulate by using an option in Control Panel, the best way to stop enforcing that policy is to make sure that policy setting is grayed, in order to allow the users to make their own choices. These policies are listed in "System Policy Editor" earlier in this chapter.

You set up group policies, but one or more of the users do not get these group policies when they log on.

  • Is there a policy for that particular user? If so, then group policies are ignored by design. This allows you to make exceptions to group policies for particular users.

  • Make sure that the client computer is set up for group support.

  • Make sure that the user or users are really members of that group.

  • Make sure that user profiles are enabled on the client computer.

You used the policy named Only Run Allowed Windows Applications, but then you could not turn off this policy because you forgot to include POLEDIT.EXE in the list.

  • Did you set this policy for all users? If not, then log on as another user, and run System Policy Editor to cancel this policy.

  • If you can run Registry Editor, go to the following key and delete the RestrictRun entry:

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

If you previously set this policy for the Default User and, as a result, no user can run System Policy Editor or Registry Editor, then try the following:

  - If possible, disable user profiles in the Passwords option in Control Panel. Then you should be able to log on and run System Policy Editor. Then undo the policy and re-enable user profiles.

  - If you cannot disable user profiles because the Passwords option in Control Panel has been disabled, you must either reinstall Windows 95 (so that user profiles will not be enabled) or use the Windows 95 startup disk and run the real-mode Registry Editor to disable user profiles.

You need to prevent users from modifying their computer configuration, including even more restrictions than are available through standard system policies.

Use one or more of the following methods for ensuring administrative control of the computer's configuration.

  • In MSDOS.SYS for the user's computer, set BootKeys=1 so the user cannot press F8 to avoid starting Windows 95. In addition, make sure that floppy-disk startup is not enabled in the computer's CMOS settings, and use password protection to prevent CMOS modifications. For information about making these changes, see the documentation from your computer's manufacturer.

  • For the Registry on the user's computer, use System Policy Editor to enable the Registry setting named Require Validation By Network For Windows Access.

  • In the system policies that are downloaded when the user logs on, set the policy named Disable Registry Editing Tools.

  • Set the policy named Only Run Allowed Windows Applications, and make sure that System Policy Editor and Registry Editor are not on the list of allowed applications.

  • Set up the user's computer to run Windows 95 as a shared installation, as described in Chapter 4, "Server-Based Setup for Windows 95."