Chapter 8 - System Policies

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This chapter describes how system administrators can use system policies to control what users can and cannot do on the Microsoft Windows 98 desktop and on the network. These features can help decrease the cost of managing numerous computers by allowing you to manage configurations remotely.

See Also

  • For more information about automated installation, see Chapter 4, "Automated Installations." 

  • For more information about remote administration, see Chapter 23, "System and Remote Administration Tools." 

Overview of System Policies

System policies allow you to override local registry values for user or computer settings. Policies are defined in a policy (POL) file, usually called Config.pol. When a user logs on, system policy settings overwrite default settings in the local registry. You can also set system policies to contain additional custom settings specific to the network.

Unlike System.dat and User.dat (the two files that make up the registry), Config.pol is not a required component of Windows 98 Setup. The following list summarizes the benefits of system policies.

You can use system policies to enforce system configuration. You can restrict what users are allowed to do from the desktop and what they are allowed to configure using Control Panel. Also, you can use system policies to centrally configure network settings, such as the network client configuration options and the ability to install or configure file and printer sharing services. Finally, you can use policies to customize such parts of the desktop as Network Neighborhood and the Programs folder.

You can change registry settings with System Policy Editor. You can use System Policy Editor to change many common registry settings for an individual computer, either local or remote. You can use these settings in a system policy file to change registry values on multiple computers.

You can apply system policies individually or for a group. You can use group policies to define a set of policies to be applied on the basis of membership in the groups already defined on a Windows NT or Novell NetWare network. Group policies make computer management on the corporate network easier by using the current administrative organization of users.

Windows 98 provides a set of policies that you can use to specify settings for users. You can also add new registry settings to this set of policies, or you can modify policy templates to create new custom policies for any applications that use the Windows 98 registry.

Important If you want to specify desktop, shell, and security settings for your organization as they relate to the Internet Explorer 4 (IE) browsing software or any part of the IE browsing software suite, use the Internet Explorer Administration Kit (IEAK) Profile Manager. The Profile Manager is an administrative tool that is automatically installed on your computer when you install the Windows 98 Resource Kit from the compact disc. The Profile Manager controls system policies for the IE browsing software suite. See Chapter 6, "Configuring the Active Desktop and Active Channels," and Chapter 20, "Internet Access and Tools," for more information.

Choosing to Use System Policies or Mandatory User Profiles

You can use either system policies or mandatory user profiles to enforce user settings. In certain situations, it may be desirable to use both system policies and mandatory user profiles. The two features differ in the following ways:

  • System policies let you mandate user-specific and computer-specific settings. Mandatory user profiles let you mandate only user-specific settings.

  • System policies let you selectively determine a subset of user settings to control, and each user controls the remaining settings. Mandatory user profiles always control every user-specific setting. 

Before deciding to implement system policies, you should consider the following issues:

  • What types of restrictions and settings would you like to define and manage centrally? For example, do you want to limit access to the MS-DOS prompt and other applications, or to Control Panel options, or do you want to implement a standard desktop for all users? 

  • Do you want to use one set of standard settings for all users and computers, or do you want to customize settings by groups of users? Also, do you want to maintain individual settings for users and computers? Typically, you customize settings by groups, so that the majority of users are in groups (such as Accounting, Marketing, and so on), and a small group of individuals (such as administrators) have special privileges. If so, you must install special files to support group policies. 

  • Will you be using user system policies (as opposed to defining only computer policies)? If so, enable user profiles on the computers running Windows 98, and make sure that the computers use 32-bit, protected-mode network clients.

  • Do system policies in Windows 98 meet your system administration needs, or do you need a more sophisticated system? If you need a high level of administrative control, you might want to consider using a more sophisticated management software tool, such as Microsoft Systems Management Server, rather than System Policy Editor. For information, see Appendix E, "Microsoft Systems Management Server." 

Preparing to Use System Policies

System policies offer you a powerful mechanism for increasing control and manageability of computers across the network. With system policies, you can do the following:

  • Restrict access to Control Panel options. 

  • Restrict what users can do from the desktop. 

  • Customize parts of the desktop. 

  • Configure network settings. 

For example, you can preset a user's environment so that the MS-DOS prompt or unapproved applications are not available. You can choose from the set of system policies offered by Windows 98 or create custom system policies.

Important You need to make some decisions about the default set of system policies before installing Windows 98. For more information, see Part 1, "Deployment and Installation," of the Microsoft Windows 98 Resource Kit.

The system policy entries you set through System Policy Editor are reflected in the policy file (Config.pol), which overwrites default User.dat and System.dat settings in the registry when the user logs on. Policy entries change registry settings in the following ways:

  • Desktop settings modify the HKEY_CURRENT_USER key in the registry, which defines the contents of User.dat. All policy settings affecting User.dat are defined for a specific user or for the default user. 

  • Logon and network access settings modify the HKEY_LOCAL_MACHINE key in the registry, which defines the contents of System.dat. All policy settings affecting System.dat are defined for a specific computer or for the default computer. 

Figure 8.1 shows how these settings are interrelated.

Figure 8.1 How policy settings are interrelated 

To use System Policy Editor, first install it from the Windows 98 compact disc. System Policy Editor consists of the following files: Poledit.exe, Poledit.inf, Windows.adm, and Common.adm. Other sample templates are provided but not required. Poledit.inf, Windows.adm, and Common.adm are placed in the Inf subdirectory of the Windows directory. Place Config.pol in a secure network location. Any custom templates you create use the ADM file name extension.

To install System Policy Editor

  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk.

  2. In the Install From Disk dialog box, click Browse and specify the Netadmin\Poledit directory on the Microsoft Windows 98 Resource Kit compact disc.

  3. Click OK, and then click OK again in response to the dialog boxes. 

  4. In the Have Disk dialog box, select the System Policy Editor check box, and then click Install.

If you want to enable group policies support, place Grouppol.dll in the System subdirectory of the Windows directory on each client computer. In addition, you must make some changes to the registry on each computer to use Grouppol.dll.

You can install group policies during Setup using a batch install script or at any time using the Add/Remove Programs option of Control Panel. Once group policies have been enabled, they are no longer displayed as an option in Add/Remove Programs.

To install group policies

  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click System Tools.

  2. Select the checkbox for Group Policies, click OK, and then click OK again. 

Important System policies are based on the content of the registry and cannot be edited with a text editor. To define and manage system policies, use System Policy Editor and other supporting tools.

You can, however, use a text editor to edit the template files used by System Policy Editor, as described in "Using System Policy Templates" later in this chapter. If you want to use system policies, perform the following preliminary steps:

  • On the administrator's computer, install System Policy Editor from the Netadmin\Poledit directory on the Microsoft Windows 98 Resource Kit compact disc. Decide which users can install and have access to this tool for modifying policies. You probably will not install System Policy Editor on most client computers. 

  • On the client computers, enable user profiles to ensure full support for system policies. If user profiles are not enabled, only the computer settings in any system policy will be written to the registry. 

  • Install support for group policies on the client computers if your site will use these. For more information, see "Using System Policy Editor" later in this chapter. 

How System Policies Work

When the user logs on, Windows 98 checks the user's configuration information for the location of the policy file. Windows 98 then downloads the policies and copies the information into the registry by using the following process:

  1. If user profiles are enabled, Windows 98 checks for the Config.pol file and parses it for the user and group names it contains. If it finds user information for this user, Windows 98 applies the user-specific policy. If it does not find the user in the Config.pol file, Windows 98 applies the Default User policy.

    If support for group policies has been installed on the computer, Windows 98 checks whether the user is registered as a member of any groups. If so, group policies are downloaded starting with the lowest-priority group and ending with the highest-priority group. Group policies are processed for all groups the user belongs to. The group with the highest priority is processed last so that the settings in that group's policy file supersede those in lower-priority groups. Group policies are not applied if policies have been defined for a specific user. Then, all settings are copied into the User.dat portion of the registry. 

  2. Windows 98 checks for the Config.pol file that contains information for this computer. If one exists, Windows 98 applies the computer-specific policies to the user's desktop environment. If a policy for that computer does not exist, Windows 98 applies the default computer policy. This data is then copied into the System.dat portion of the registry. 

By default, Windows 98 automatically attempts to download computer and user policies from the Netlogon directory on a Windows NT server or the Public directory on a NetWare server. This default location can be overridden in a policy file setting. If no server is present, Windows 98 uses the settings currently on the computer unless a manual update path for a policy is specified in the system registry.

System Policies for Users

You can manage user settings in system policies only if user profiles are enabled on the target computer. System Policy Editor uses the properties for Default User to define the default policies in the following areas:

Control Panel. Set policies to prevent the user from accessing such Control Panel features as network, password, or system settings.

Desktop. Set policies to use standard wallpaper and color schemes.

Network. Set policies to restrict peer resource sharing or to specify networking components and settings.

Shell. Set policies to customize folders on the desktop and to restrict changes to the user interface.

System. Set policies to restrict the use of registry editing tools, applications, and MS-DOS-based applications.

You can apply these policies to the default user, to specific named users, or to groups of users. For more information about the settings for each of these categories, see "System Policy Settings Summary" later in this chapter.

System Policies for Computers

You can use System Policy Editor to define settings for a default computer or for specific named computers. The default computer settings are used when no explicit computer-specific policy has been configured.

Computer settings in system policies prevent users from modifying the hardware and environment settings for the operating system, ensuring that Windows 98 starts in a predictable way. You can set options to restrict access to computer-specific system and network features, as described in "System Policy Settings Summary" later in this chapter.

Internet Explorer Browsing Software System Policies

Windows 98 includes seven policy files, listed in Table 8.1, that contain settings for various components of the Internet Explorer browsing software. You can use these settings to control such things as the look of the Active Desktop and the Internet Explorer browsing software, and to specify the default security zone for Outlook Express HTML messages. For information about the Internet Explorer browsing software, see Chapter 20, "Internet Access and Tools" and Chapter 6, "Configuring the Active Desktop and Active Channels."

Table 8.1 Internet Explorer browsing software policy files 

| File Name | User Policy | Computer Policy |
|---|---|---|
| Chat.adm | Settings for Chat | |
| Conf.adm | Settings and restrictions for NetMeeting | Settings for NetMeeting protocols |
| Inetres.adm | Restrictions for Internet Explorer browsing software | Settings for Internet Explorer browsing software security and code download |
| Inetset.adm | Settings for Internet Explorer browsing software | Settings for Internet Explorer browsing software |
| Oe.adm | Settings for Outlook Express | |
| Shell.adm | Settings and restrictions for the Active Desktop | |

Note You can also control Internet Explorer browsing software settings using the IEAK Profile Manager, which can be installed from the Microsoft Windows 98 Resource Kit compact disc. For information about the IEAK Profile Manager, see Chapter 6, "Configuring the Active Desktop and Active Channels" and Chapter 20, "Internet Access and Tools."

Preparing to Use System Policies on the Network

You can have Windows 98 copy system policies from the network either manually or automatically. If you want to copy system policies automatically, Windows 98 locates the system policy file (Config.pol) in the proper directory on the network and downloads its policy settings into the registry of the local computer when the user logs on. If you want to copy system policies manually, Windows 98 copies the system policy file from a location you specify. Automatic downloading works only if the file name for the system policy file is Config.pol.

Note Windows 98 supports automatic downloading for Windows NT and NetWare networks. The 32-bit, protected-mode network clients — subsequently made available for other networks — might also provide support for automatic downloading.

Setting Up for Automatic Downloading of System Policies

By default, Windows 98 downloads system policies automatically. However, if you have switched to manual downloading, the following procedures describe how to return to automatic downloading.

If you have created a POL file, Windows 98 automatically downloads it from the Netlogon directory on a Windows NT network or from the Public directory on a NetWare network.

To set up automatic downloading on Windows NT networks
  1. In Control Panel, double-click Network, and then make sure that Client for Microsoft Networks is specified as the Primary Network Logon client and that the domain is defined. For more information, see Chapter 18, "Logon, Browsing, and Resource Sharing." 

  2. Create the policy file to be downloaded, and save it in the following location: 

    \\PDC\x$\WINNT\system32\Repl\Import\Scripts\Config.pol (where x = SystemDrive) 
    

Important You must create the Config.pol file on a Windows 98 (or Windows 95) computer and then copy it to your Windows NT server in the location specified in the previous procedure. Because of the different registry formats in Windows 98/95 and Windows NT, creating the Config.pol file on the Windows NT server will prevent it from working on your Windows 98 client computers.

To set up automatic downloading on NetWare networks
  1. In Control Panel, double-click Network, and then make sure that Microsoft Client for NetWare Networks is specified as the Primary Network Logon client and that a preferred server is specified in properties for the network client. For more information, see Chapter 17, "Windows 98 on Third-Party Networks." 

  2. Create the policy file to be downloaded, and save it in the following location: 

    \\preferred server\sys\public\Config.pol
    

For NetWare networks, the client computers must be running Microsoft Client for NetWare Networks. If the client computers are using NetWare 3.x workstation shell (NETX) or Virtual Loadable Module (VLM), policies must be downloaded manually.

Important Make sure you place system policy files on the user's preferred server. Policy files are not available if they are stored on other NetWare servers or on computers running File and Printer Sharing for NetWare Networks.

Setting Up for Manual Downloading of System Policies

If you use the Remote Update policy, you can configure Windows 98 to allow you to download policy files manually (even when they are stored locally) by indicating a separate network or local computer location. Manual downloading overrides automatic downloading and allows you to choose where a user's policies are stored.

You can set up each computer individually for manual downloading, but this can be time-consuming. If possible (that is, when the client computers use 32-bit, protected-mode network clients), you should set up each computer for automatic downloading and then use the Remote Update policy to point specific computers to other servers as appropriate for your environment and users.

However, for real-mode network clients, such as Novell NETX or VLM, you must enable manual downloading on each computer. After you configure the client computer, the system policy file will be downloaded the next time the user logs on.

To configure a computer for manual downloading of system policies
  1. In System Policy Editor, click the File menu, and then click Open Registry.

  2. Double-click Local Computer.

  3. Double-click Windows 98 Network, double-click Update, and then select the Remote Update check box. 

    Note The remote computer must be running the Microsoft Remote Registry service, Remote Administration must be enabled, and user-level security must be enabled. 

    Make sure to type the universal naming convention (UNC) path and the file name in the Path for manual update box. 

On Windows NT or NetWare networks on which you are using automatic downloading of policies, you can set a system policy to allow manual downloading. This option works only after system policies have been downloaded automatically the first time after Windows 98 has been installed. The first automatic downloading includes information in the system policies that defines the location to be used for manual downloading.

To define the location of policies for manual downloading
  1. In System Policy Editor, open Config.pol, and then double-click the Default Computer icon. 

  2. Double-click Windows 98 Network, double-click Update, and then select the Remote Update check box. 

  3. In the Update Mode box, click Manual.

  4. In the Path for manual update box, type the UNC path and file name for the system policy file you want to download. Make sure this file exists in the location you specify. (Otherwise, an error will result.)

Important On a Windows NT network, you must create the Config.pol file on a Windows 98 computer and then copy it to your Windows NT server. Because of the different registry formats in Windows 98 and Windows NT, creating the Config.pol file on the Windows NT server will prevent it from working on your Windows 98 client computers.

On large networks, when thousands of users log on at the same time, all gaining access to the same policy file, you might experience slow network performance. To avoid a bottleneck, Windows 98 offers load balancing on Windows NT networks. With load balancing enabled, policies are taken from the logon server (which can be a domain controller or a backup domain controller) rather than the primary domain controller. Although this spreads the load over many servers, it does require that you replicate the policy file on each server. For information about Windows NT replication, see the Microsoft Windows NT Server Networking Guide in the Microsoft Windows NT Server Resource Kit (for Windows NT version 4.0).

Note Load balancing works only when using a 32-bit, protected-mode client set up for automatic downloading of system policies.

To enable load balancing
  1. Perform the earlier procedure, "To define the location of policies for manual downloading." 

  2. Under Settings for Remote Update, make sure Load-balance is selected. 

If you want to use load balancing, make sure it is enabled on each client computer. Also, make sure you have a current policy file on each server that will participate in load balancing, including all Windows NT domain controllers and servers. One convenient way to implement load balancing is to set this policy in the Config.pol file that is on the primary domain controller. As each client computer downloads this policy, it will subsequently look for Config.pol on the logon server.

Using System Policy Editor

You can use System Policy Editor to create system policies. More specifically, you can do the following with System Policy Editor:

  • Set entries for the default computer and user policy entries. This creates a default policy file for all users and computers, which is downloaded when each user logs on. 

  • Create entries for individual users, individual computers, or groups of users. By default, these include the policy entries you defined for Default User and Default Computer. 

  • Specify whether and in what manner you want policies downloaded from a centralized server, or specify whether you want to have policies downloaded from other specific locations for all or some users. 

Caution System Policy Editor is a powerful tool; you should restrict its use to network administrators. To avoid unauthorized use, do not install this tool on users' computers, and restrict access to the source files so users cannot install it themselves.

Installing System Policy Editor

You can install and use System Policy Editor from the Netadmin\Poledit directory on the Microsoft Windows 98 Resource Kit compact disc.

To install System Policy Editor
  1. In Control Panel, double-click the Add/Remove Programs icon, click the Windows Setup tab, and then click Have Disk.

  2. In the Install From Disk dialog box, click Browse and specify the Netadmin\Poledit directory on the Microsoft Windows 98 Resource Kit compact disc.

  3. Click OK, and then click OK again in response to the dialog boxes. 

  4. In the Have Disk dialog box, select the System Policy Editor check box, and then click Install.

To run System Policy Editor
  • On the Start menu, click Run. Type poledit, and then click OK.

If you want to use group policies, you must install that capability on each computer running Windows 98 by either using a custom setup script when you install Windows 98 or using the Add/Remove Programs option in Control Panel.

To set up capabilities for group policies using Add/Remove Programs
  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk.

  2. In the Install From Disk dialog box, click Browse and specify the Netadmin\Poledit directory on the Microsoft Windows 98 Resource Kit compact disc.

  3. Click OK, and then click OK again in response to the dialog boxes. 

  4. In the Have Disk dialog box, select the Group Policies check box, and then click Install.

Windows 98 Setup places Grouppol.dll in the Windows System directory on the client computer and makes the required registry changes.

For more information about adding the ability to use group policies when installing Windows 98 using custom setup scripts, see Chapter 4, "Automated Installations."

Modifying Policies and the Registry with System Policy Editor

You can use System Policy Editor in two different modes: Registry mode and Policy File mode:

  • In Registry mode, you can directly edit the registry of the local or the remote computer, and changes are reflected immediately. For more information about editing the registry for a remote computer, see Chapter 23, "System and Remote Administration Tools." 

  • In Policy File mode, you can create and modify system policy (POL) files for use on other computers. In this mode, the registry is edited indirectly. Changes are reflected only after the policy is downloaded when the user logs on. 

To use System Policy Editor in Registry mode
  • In System Policy Editor, on the File menu, click Open Registry. Then double-click the appropriate Local User or Local Computer icon, depending on what part of the registry you want to edit. After you make changes, you must shut down and restart the computer for the changes to take effect. 

    Important Use Registry mode only when you want to make direct changes to the registry. You should typically change system settings by using the Control Panel options and other tools provided with Windows 98. 

To use System Policy Editor in Policy File mode
  • In System Policy Editor, on the File menu, click New or Open to open a policy file. 

When you edit settings in Policy File mode, clicking a registry option sets one of three possible states:

  • Selected

  • Cleared

  • Dimmed 

Each time you select an option, the display cycles to show the next possible state. This is different from selecting a standard check box, which sets an option only to on or off. Table 8.2 summarizes the three possible states for options in a policy file.

Table 8.2 Option states in a policy file 

| Option state | Meaning |
|---|---|
| Selected | This policy will be implemented, changing the state of the user's computer to conform to the policy when the user logs on. If the option was previously checked the last time the user logged on, Windows 98 makes no changes. |
| Cleared | This generally forces the registry setting to the opposite of the on state. Depending on the specific policy, this has the effect of either implementing or not implementing the policy each time the user logs on. |
| Dimmed | The setting is unchanged from the last time the user logged on, and Windows 98 will make no related modifications to the system configuration. The dimmed state ensures that Windows 98 provides quick processing at system startup, because it does not need to process each entry each time a user logs on. |

Caution When you define a policy option, make sure you have set the proper state for the option. If you set an option by selecting it but then change your mind and clear the option, you can inadvertently destroy the user's previous configuration. If you decide not to set a particular policy option, make sure that option is dimmed (shaded) so that the user can configure and retain the setting for that option.

For example, you might select the option to specify Microsoft Client for NetWare Networks and then click again to clear that option. When the user logs on and the policy is downloaded, this setting would wipe out the user's current configuration that specifies Client for NetWare Networks.

If a setting requires additional information, an edit control appears at the bottom of the Default User Properties dialog box. For example, if Wallpaper is selected in the Desktop settings, the following dialog box appears.

Usually, if a policy has been selected and you no longer want to enforce it, you should clear the box to cancel the policy. However, in the following cases, a few policies might behave differently than you might expect if the check box is cleared:

  • The policy setting contains an edit box that must be completed (as opposed to a simple check box). 

  • The policy setting can also be set by users through Control Panel. 

In these cases, you should consider making sure the check box is dimmed when you no longer want to enforce the policies. A user can then modify this information as needed.

Table 8.3 describes the results of different settings for such policies.

Table 8.3 Policy settings and their behavior 

| Policy | Behavior |
|---|---|
| Settings for Wallpaper | Selecting it forces the specified wallpaper to be used. Clearing it removes the wallpaper (the user will not have any wallpaper). Leaving it dimmed means that the user can choose wallpaper after clicking Display in Control Panel. |
| Client for NetWare Networks: Preferred Server | Selecting it sets the preferred server you specify. Clearing it deletes the preferred server from the computer's registry. The user must specify the preferred server at every logon if set to primary logon. Leaving it dimmed means the user can specify the preferred server after clicking Network in Control Panel. |
| Microsoft Client for Windows Networks: Domain | Selecting it sets the Windows NT Logon domain you specify. Clearing it deletes the domain setting from the computer's registry. The user must specify the domain at every logon if set to primary logon. Leaving it dimmed means the user can specify the domain after clicking Network in Control Panel. |
| Microsoft Client for Windows Networks: Workgroup | Selecting it sets the workgroup for that computer. Clearing it deletes the workgroup setting from the computer's registry. Leaving it dimmed means the user can specify the workgroup after clicking Network in Control Panel. |
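
The logon sequence under "How System Policies Work" and the three option states in Tables 8.2 and 8.3, modeled together as an added Python example (not code from the Resource Kit). It assumes a dict in place of the binary Config.pol, constructed entry names and setting labels, that Cleared deletes the stored value as in Table 8.3, and that group entries are applied on top of Default User.

```python
"""Logon-time policy processing as this chapter describes it (added example).

A dict stands in for Config.pol, which is really a binary file. Every entry
name, setting label and value here is constructed for illustration.
"""
from enum import Enum


class State(Enum):
    SELECTED = 1  # enforce the value at logon
    CLEARED = 2   # assumption: modeled as in Table 8.3, the stored value is deleted
    DIMMED = 3    # nothing is written; the existing value survives


S, C, D = State.SELECTED, State.CLEARED, State.DIMMED

SAMPLE_POL = {  # constructed policy file contents
    "users": {
        "Default User": {"Wallpaper": (S, "corp.bmp")},
        "admin1": {"Wallpaper": (D, None)},
    },
    "group_priority": ["Marketing", "Accounting"],  # lowest -> highest
    "groups": {
        "Marketing": {"Wallpaper": (S, "mkt.bmp"),
                      "Disable MS-DOS prompt": (S, 1)},
        "Accounting": {"Wallpaper": (S, "acct.bmp"),
                       "Disable MS-DOS prompt": (D, None)},
    },
    "computers": {
        "Default Computer": {"Preferred server": (D, None)},
        "KIOSK7": {"Preferred server": (C, None)},
    },
}


def apply_entry(registry, entry):
    """Overlay one policy entry (setting -> (State, value)) on a registry dict."""
    for setting, (state, value) in entry.items():
        if state is State.SELECTED:
            registry[setting] = value
        elif state is State.CLEARED:
            registry.pop(setting, None)
        # DIMMED: skipped, so the user's or an earlier entry's value is kept
    return registry


def user_entries(pol, user, groups, group_support=True):
    """Return the user-side entries to apply, in the order they are applied."""
    if user in pol["users"]:
        return [("users", user)]  # a specific user entry means groups are skipped
    order = [("users", "Default User")]
    if group_support:  # Grouppol.dll installed on the client
        # Highest priority is applied last so that it supersedes the others.
        order += [("groups", g) for g in pol["group_priority"] if g in groups]
    return order


def logon(pol, user, computer, groups, user_dat, system_dat,
          profiles_enabled=True, group_support=True):
    """Apply policy to copies of User.dat and System.dat and return both."""
    user_dat, system_dat = dict(user_dat), dict(system_dat)
    if profiles_enabled:  # without user profiles only computer settings are written
        for kind, name in user_entries(pol, user, groups, group_support):
            apply_entry(user_dat, pol[kind][name])
    name = computer if computer in pol["computers"] else "Default Computer"
    apply_entry(system_dat, pol["computers"][name])
    return user_dat, system_dat


if __name__ == "__main__":
    user_dat = {"Wallpaper": "mine.bmp"}       # constructed local settings
    system_dat = {"Preferred server": "NW1"}
    for user, computer, groups in [
        ("alice", "PC1", {"Marketing", "Accounting"}),
        ("admin1", "KIOSK7", {"Marketing"}),
    ]:
        print(user, computer,
              logon(SAMPLE_POL, user, computer, groups, user_dat, system_dat))
```

The KIOSK7 result is the case the Caution warns about: the Cleared entry deletes a working preferred server, where a Dimmed entry would have left it in place.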

Creating System Policies

This section describes procedures for creating system policies.

To take advantage of automatic downloading, discussed earlier, create a policy file that contains user, computer, and group entries to reside in the Netlogon share of a Windows NT server or the Public directory of a NetWare server. Based on the client selected, Windows 98 automatically looks in one of these locations to download your newly created system policy.

To view or edit default system policies

  1. In System Policy Editor, click the File menu, and then click New File.

  2. Double-click Default User to define the default settings for user-specific policies.

    – Or – 

    Double-click Default Computer to define the settings for computer-specific policies. 

  3. Select the policies you want to put in place.

Creating Policies for Individual Users or Computers

This section describes how to create a system policy for a user or computer.

Tip To reduce the management load, minimize the number of user and computer entries in system policy files. Consider first creating one standard system policy for all users by editing default settings, and then creating settings for individuals on an exception basis.

To create system policies for a new user or computer
  1. In System Policy Editor, click the Edit menu, and then click Add User or Add Computer.

  2. Type the name of the user or computer you want to add. System Policy Editor adds an icon for each user or computer you add.

Tip You can easily copy policy values to the new user or computer from an existing user or computer by copying and pasting them. Highlight an existing user or computer, and on the Edit menu, click Copy. Then highlight the new user or computer, and on the Edit menu, click Paste.

To edit existing system policies
  1. In System Policy Editor, double-click the icon for the user or computer policies you want to edit.

  2. Select or clear individual policies by clicking the policy name. 

Creating Policies for Groups

Group policies are supported for both Windows NT and NetWare networks. Creating policies for groups is similar to creating policies for users or computers.

You must first make sure that Grouppol.dll, which supports group policies, has been successfully installed on each client computer. For more information, see "Installing System Policy Editor" earlier in this chapter.

You cannot create new groups by using System Policy Editor; you can use only existing groups on the NetWare or Windows NT network. To create a new group, use the tools provided with your network administrative software.

To create system policies for groups
  1. In System Policy Editor, click the Edit menu, and then click Add Group.

  2. Type the name of the group you want to add, and then click OK.

    – Or – 

    If user-level security is enabled, click Browse, click the name of the group you want, and then click OK.

  3. Select or clear policies by clicking the policy name.

Group policies are downloaded starting with the lowest-priority group and ending with the highest-priority group. All groups are processed. The group with the highest priority is processed last so that any of the settings in that group's policy file supersede those in lower-priority groups. You can use one policy file for each group, even if some of the client computers in the group do not have support installed for group policies. Client computers that are not configured for using group policies will ignore group policy files.

Important If a policy exists for a specific named user, group policies are not applied to that user.
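The rules above (the three check box states from Table 8.3, lowest-to-highest group processing, and a named user entry replacing group policies) can be modelled as follows. This is an added example, not code from Windows 98 or System Policy Editor: the registry is a plain dictionary, the group and user names are constructed, and `resolve` and `unrestricted_named_users` are hypothetical helpers.

```python
from enum import Enum


class State(Enum):
    SELECTED = "selected"  # check box checked: the value is written
    CLEARED = "cleared"    # check box cleared: the value is removed
    DIMMED = "dimmed"      # check box dimmed: the local value is left alone


def apply_entry(registry, entry):
    """Apply one user or group entry to a dict that stands in for the registry."""
    for policy, (state, value) in entry.items():
        if state is State.SELECTED:
            registry[policy] = value
        elif state is State.CLEARED:
            registry.pop(policy, None)


def resolve(local, user, member_of, policy_file):
    """Return (registry after logon, entries applied in order) for one user."""
    registry = dict(local)
    named = policy_file["users"].get(user)
    if named is not None:
        # A named user entry exists, so group policies are not applied at all.
        apply_entry(registry, named)
        return registry, ["user:" + user]
    applied = []
    # group_priority lists the highest-priority group first (this model's
    # convention); walk it in reverse so the highest priority is applied last.
    for group in reversed(policy_file["group_priority"]):
        if group in member_of and group in policy_file["groups"]:
            apply_entry(registry, policy_file["groups"][group])
            applied.append("group:" + group)
    return registry, applied


def unrestricted_named_users(policy_file, required):
    """Named users whose own entry does not select every policy in `required`.

    These users skip group policies, so a restriction that is set only on a
    group never reaches them.
    """
    gaps = {}
    for user, entry in policy_file["users"].items():
        missing = [p for p in required
                   if entry.get(p, (State.DIMMED, None))[0] is not State.SELECTED]
        if missing:
            gaps[user] = missing
    return gaps


# Constructed sample data; the policy names come from the tables in this chapter.
LOCAL = {"Wallpaper": "forest.bmp"}
POLICY_FILE = {
    "group_priority": ["Helpdesk", "Staff"],
    "groups": {
        "Staff": {
            "Wallpaper": (State.SELECTED, "corp.bmp"),
            "Disable registry editing tools": (State.SELECTED, 1),
            "Remove 'Run' command": (State.SELECTED, 1),
        },
        "Helpdesk": {
            "Wallpaper": (State.DIMMED, None),
            "Disable registry editing tools": (State.CLEARED, None),
        },
    },
    "users": {
        "carol": {"Wallpaper": (State.CLEARED, None)},
    },
}

if __name__ == "__main__":
    for name, groups in [("alice", {"Staff", "Helpdesk"}), ("bob", {"Staff"}),
                         ("carol", {"Staff"})]:
        print(name, resolve(LOCAL, name, groups, POLICY_FILE))
    print(unrestricted_named_users(POLICY_FILE, ["Disable registry editing tools"]))
```

In the sample, carol belongs to Staff but has her own entry, so none of the Staff restrictions reach her; the last helper lists such users for review.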

To set priority levels for groups
  1. In System Policy Editor, click the File menu, and then click Open File.

  2. Locate the Config.pol file, and then click Open.

  3. On the Options menu, click Group Priority.

  4. In the Group Priority dialog box, click on a group name, and then use Move Up and Move Down to move it into its relative priority. 


Creating NetWare Directory Services System Policies

Microsoft Service for NetWare Directory Services supports system policies on a Novell Directory Services (NDS) network. When your users log on, Windows looks for the policy file in the location you specify.

Note The first time system policies are implemented on an NDS tree, the tree's schema database, which defines the objects in the tree, is modified. This happens because the schema provides templates for each NDS object type, and adding system policies is a modification of some templates. To modify the schema, you must have Supervisor rights to the [Root] on the NDS tree. Subsequent implementations of system policies, however, can be done by administrators who do not have Supervisor rights to the [Root] on the NDS tree.

If you plan to implement user or group system policies, you must enable user profiles on your network. Also, for group policies, at least one NetWare version 4.1 server on the network must have bindery emulation enabled. Make sure the group and all the users in the group are in the bindery context for the server.

To set the system policies in a new or existing policy file
  1. In System Policy Editor, click the Options menu, and then click Template.

  2. Click Open Template, and then type the path for Filename.adm.

  3. If you have already implemented system policies on your network, open the current policy file. 

    – Or – 

    If you have not implemented system policies on your network, on the File menu, click New.

  4. Set the policies, and then save them as Config.pol. (If a policy file with a different name already exists on your network, type the name of that policy file instead.) The new settings will be merged into the existing policy file. 

To specify the location of the policy file
  1. In Network Neighborhood, find the organization or organizational unit object for which you have created the policy file.

  2. Right-click the icon for the organization or organizational unit object, and then click Properties.

  3. Click the NDS Administration Settings tab. 

    Note To gain access to the NDS Administration Settings tab, you must be a trustee for the volume object. You must also have the Supervisor object and Supervisor property rights for the volume. 

  4. Type the path and name of the system policy file.

Any container (Organization or Organizational Unit) can have its own policy file. When a user logs on to NDS, the Service for NetWare Directory Services looks in the parent container of the logon container, and so on up to the root.

The advantage of this is that you can put a policy file in the root and have it apply to every object in the tree, or you can have individual system policy files in any container below the root.

Managing Custom Folders for Use with System Policies

You can define five system policies to create a custom desktop. These policies use custom folders, created by the administrator, that contain the specific settings for the customized desktop. Table 8.4 summarizes the policies used to create a custom desktop.

Table 8.4 System policies used to create a custom desktop 

Policy

Description

Custom Programs Folder

Shortcuts that appear in the Programs group on the Start menu.

Custom Network Neighborhood

Shortcuts to resources that appear in Network Neighborhood, including shortcuts to shared printers and files and to Dial-Up Networking connections.

Custom Desktop Icons

Shortcuts that appear on the desktop.

Custom Start Menu

Shortcuts and other options that appear on the Start menu, as defined by using the Taskbar Properties dialog box.

Custom Startup Folder

Programs or batch files that appear in the Startup group on the Start menu.

Before you create a custom desktop by using system policies, you must define custom folders.

To define custom folders for use with policy files
  1. Create and place the custom folders in a central location where users can gain access. You can use any valid folder names for the folders you create. Windows 98 uses the path defined for the related policy to find the folder. 

    Note To prevent accidental removal or unauthorized changes, place custom folders in directories where users are restricted to read-only access. 

  2. Place the custom set of files and shortcuts you want in each folder.

    • You can place any kind of files in the custom folders. 

    • For shortcuts, make sure that the path specified in the Target box in Shortcut properties is a UNC name, rather than a mapped directory. Otherwise, the users who will access resources using these shortcuts must have the same drives mapped in their logon scripts. 

Caution Do not place folders in the custom Network Neighborhood. Windows 98 does not support this feature, and unpredictable results can occur.

To create a custom desktop using system policies
  1. In System Policy Editor, open the System Policy file. 

  2. In the System Policy file, set the related policies. 

  3. In the Path to get Program items from box, type the path to the folder's location. 


  4. If you selected the Custom Programs Folder or Custom Desktop Icons policies, also select the Hide Start Menu subfolders policy check box to enable it. Otherwise, multiple Programs entries will appear on the user's Start menu — one for the location of the Custom Programs Folder and one for the default location. 

If the custom folders will not be stored in the directories where Windows 98 automatically looks for them, you must specify another location when you specify the Custom Folders policies. For example, you might want to create these folders where the system policy files are located on the server.

The following list shows the default locations for custom folders.

  • Custom Programs Folders: 

    c:\windows\profiles\username\start menu\programs 

  • Custom Desktop Icons: 

    c:\windows\profiles\username\desktop 

  • Custom Startup Folder: 

    c:\windows\profiles\username\start menu\programs\startup 

  • Custom Network Neighborhood: 

    c:\windows\profiles\username\nethood 

  • Custom Start Menu: 

    c:\windows\profiles\username\start menu 

NetWare Directory Services System Policies

Table 8.5 summarizes the new system policies provided by Microsoft Service for NetWare Directory Services.

Table 8.5 New system policies provided by Microsoft Service for NetWare Directory Services 

Option

Description

Default Name Context

Sets the default context.

Preferred Tree

Sets the default NDS tree.

Disable automatic tree logon

Causes you to be prompted to log on to the NDS tree when starting Windows 98, even if your NDS password is the same as your Windows password.

Enable logon confirmation

Causes a confirmation dialog box to appear after you log on.

Default type of NetWare logon

Specifies whether you log on as a bindery user (for example, by using logon /b) or an NDS user by default.

Don't show Advanced logon button

Hides the Advanced button on the logon dialog box. The Advanced button enables you to choose a different tree or context when you log on.

Don't allow browsing outside the default context

Hides Directory Services containers outside the default context.

Don't show volume objects

Hides NDS volume objects from the directory tree in Network Neighborhood.

Don't show server objects

Hides NDS server objects from the directory tree in Network Neighborhood.

Don't show servers that aren't NDS objects

Hides all servers that are not objects in the Directory Tree (for example, bindery servers and peer servers).

Don't show printer objects

Hides NDS printer objects in Network Neighborhood.

Don't show print queue objects

Hides NDS queue objects in Network Neighborhood.

Don't show container objects

Hides NDS organizations and organizational units in Network Neighborhood.

Don't show peer workgroups

Hides Windows 98 workgroups within Network Neighborhood.

Load NetWare DLLs at startup

Automatically loads Novell-supplied NetWare dynamic-link libraries (DLLs) required by some NDS applications.

Restricting Access to Computer-Specific Settings


When you double-click the Default Computer icon in System Policy Editor, a list of system policy options for settings that apply to the computer appears. This section describes these options.

Restricting Access to Network Settings

Within this category of options, you can restrict the user's ability to share files and printers. Typically, you might want to set these policies to apply when file and printer sharing services are installed but when you do not want users to change which resources are shared on their computers. Table 8.6 describes the system policies you can apply to file and printer sharing.

Table 8.6 User policies restricting access to file and printer sharing 

Option

Description

Sharing

 

Disable file sharing controls

Removes the Sharing properties from directories in Windows Explorer.

Disable print sharing controls

Removes the Sharing properties from the Printer directory.

Restricting Access to Shell Settings

Table 8.7 describes the system policies you can apply to folders and user interface options.

Table 8.7 User policies restricting access to shell settings 

Option

Description

Custom Folders

 

Custom Programs Folder

Customizes the contents of the Programs directory. You must also type a path for the directory containing complete files or LNK files that define the Programs directory items.

Custom Desktop Icons

Customizes desktop icons. You must also type a path for the directory containing complete files or LNK files that define the desktop shortcuts.

Hide Start Menu subfolders

Check this when you use a custom Programs folder. Otherwise, two Programs entries will appear on the user's Start menu.

Custom Startup Folder

Customizes the contents of the Startup directory. You must also type a path for the directory containing complete files or LNK files that define the Startup directory items.

Custom Network Neighborhood

Customizes the contents of Network Neighborhood. You must also type a path for the directory containing complete files or LNK files that define the Network Neighborhood items.

Custom Start Menu

Customizes what is listed on the Start menu. You must also type a path for the directory containing complete files or LNK files that define the Start menu items.

Restrictions

 

Remove 'Run' command

Prevents access to the Run command on the Start menu.

Remove Folders from 'Settings' on Start Menu

Prevents access to any item listed under Settings on the Start menu.

Remove Taskbar from 'Settings' on Start Menu

Prevents access to the Taskbar item listed under Settings on the Start menu.

Remove 'Find' command

Prevents access to any item listed under Find on the Start menu.

Hide Drives in 'My Computer'

Prevents display of drives in My Computer.

Hide Network Neighborhood

Prevents access to Network Neighborhood.

No 'Entire Network' in Network Neighborhood

Prevents access to the Entire Network icon in Network Neighborhood.

No workgroup contents in Network Neighborhood

Prevents workgroup contents from being displayed in Network Neighborhood.

Hide all items on Desktop

Prevents access to all items on the desktop.

Disable Shut Down command

Prevents access to the Shut Down command on the Start menu; displays explanation in a dialog box.

Don't save settings at exit

Prevents settings from being written to the file system.

Restricting Access to System Settings

The system policies in this category restrict the use of registry editing tools, applications, and MS-DOS-based applications. Table 8.8 describes the policies you can set within this category.

Table 8.8 User policies restricting access to system settings 

Option

Description

Restrictions

 

Disable registry editing tools

Prevents users from running registry editing tools.

Only run allowed Windows applications

Prevents users from running any Windows-based applications except those that are listed. Click Show to define the allowed applications.

Disable MS-DOS prompt

Prevents access to the MS-DOS prompt.

Disable single-mode MS-DOS applications

Prevents users from running MS-DOS-based applications in MS-DOS mode.

Restricting Access to Computer-Specific Network Settings

This category of options includes system policy settings for the following:

  • Enabling user-level security. 

  • Logon dialog box settings. 

  • Microsoft Client for NetWare Networks settings. 

  • Microsoft Client for Windows Networks settings. 

  • Password settings. 

  • Dial-Up Networking settings. 

  • Sharing settings. 

  • Simple Network Management Protocol (SNMP) settings. 

  • Update settings for policy downloading. 

These system policies are applied to the computer and are stored in System.dat. Table 8.9 describes the system policies you can set in this category.

Table 8.9 Computer policies restricting access to network settings 

Option

Description

Access Control

 

User-level access control

Enables user-level security on the local computer using pass-through logon validation by a Windows NT or a NetWare server. You must specify the server or domain, and the type of authenticator for validation.

Logon

 

Logon Banner

Allows you to specify text for a caption and other text to be displayed in a logon banner.

Require validation from network for Windows access

Each logon must be validated by a server before access to Windows is allowed. This policy has no effect on a portable computer after it is undocked.

Don't show last user at logon

The user name field will be blank in the network logon screen.

Don't show logon progress

Disables the display of the logon progress dialog.

Password

 

Hide share passwords with asterisks

Replaces characters with asterisks when users type passwords to access a shared resource. Applies to share-level security only; this setting is on by default.

Disable password caching

Prevents saving passwords. (Notice that the user cannot successfully use the Quick Logon feature for Microsoft networks if password caching is disabled.)

Require alphanumeric Windows password

Requires that the Windows password contain a combination of letters and numbers.

Minimum Windows password length

Requires that the Windows logon password has at least the specified number of characters.

Proxy Server

 

Disable automatic location of proxy server

Prevents Windows 98 from checking with the Dynamic Host Configuration Protocol (DHCP) server for the presence of a proxy server.

Microsoft Client for NetWare Networks

 

Preferred server

Allows you to specify the name of the NetWare network server this computer should log on to first.

Support long file names

Allows support for long file names. The values are 0 (no support for long file names on NetWare servers), 1 (support on NetWare servers version 3.12 and later), and 2 (support if the NetWare server supports long file names).

Disable automatic NetWare login

Specifies that Windows 98 should not first silently use the user's name and password to attempt to connect to a NetWare server, which is the default behavior.

Microsoft Client for Windows Networks

 

Log on to Windows NT

Specifies that this computer can participate in a Windows NT domain. Type the name of the domain. If this option is checked, the next two options are also available.

Display domain logon confirmation

Displays a message when the domain controller has validated user logon.

Disable caching of domain password

Specifies that no caching is used for the network password.

Workgroup

Specifies that this computer can participate in a workgroup. Type the name of the workgroup.

Alternate Workgroup

Specifies that an alternate workgroup must be defined to see Microsoft peer servers in other workgroups if your workgroup does not have any computers running File and Printer Sharing for Microsoft Networks (that is, they all run File and Printer Sharing for NetWare), but the computer runs a Microsoft network client. The workgroup specified should include at least one computer running File and Printer Sharing for Microsoft Networks.

File and Printer Sharing for NetWare Networks

 

Disable SAP Advertising

Disables the Service Advertising Protocol (SAP). This computer will not advertise its presence, and NETX or VLM clients cannot see it or connect to it.

File and Printer Sharing for Microsoft Networks

 

Disable file sharing

Prevents file sharing over a network.

Disable print sharing

Prevents printer sharing over a network.

Dial-Up Networking

 

Disable dial-in

Prevents dial-in connections to the computer.

Update

 

Remote Update

Defines how system policies will be updated. If this option is selected, the next four options are also available.

Update Mode

Determines whether system policies are downloaded automatically (the default) or manually.

Path for manual update

Specifies the UNC path and file name for manual downloading of system policies.

Display error messages

When a user logs on, if the system policy file is not available, displays an error message.

Load-balance

For Windows NT networks, allows Windows 98 to look for policy files on the logon domain.

Restricting Access to Computer-Specific System Settings

This category of options includes system policy settings for the network path for setup and user profiles. Table 8.10 describes the system policies you can set within this category.

Table 8.10 Computer policies restricting access to system settings 

Option

Description

Enable User Profiles

Enables basic user profiles functionality.

Network path for Windows Setup

Defines the network or local location of the Windows 98 Setup program and files. You must also type a UNC or local path for the setup directory.

Network path for Windows Tour

Defines the network location of the Windows 98 Tour program. You must also type a UNC path ending with Discover.exe.

Communities

Specifies one or more groups of hosts to which this computer belongs for purposes of SNMP administration. These are the communities that are allowed to query the SNMP agent.

Permitted managers

Specifies Internet protocol (IP) or Internetwork Packet Exchange (IPX) addresses allowed to obtain information from an SNMP agent. If this policy is not checked, any SNMP console can query the agent.

Traps For 'Public' community

Specifies trap destinations, or IP or IPX addresses of hosts in the public community to which you want the SNMP service to send traps. For more information about sending traps to other communities, see Chapter 23, "System and Remote Administration Tools."

Internet MIB (RFC 1156)

Allows you to specify the contact name and location if you are using Internet MIB.

Run

Defines applications and utilities to run when the user logs on. Click Show to specify items to run.

Run Once

Defines applications and utilities to run once when the user logs on. Click Show to specify items to run. (See comment below.)

Run Services

Defines services to run at system startup. Click Show to specify items to run.

Digital Signature Check

Allows you to specify how to handle installation of non-Microsoft signed drivers.

Disable Windows Update

Removes the Windows Update shortcut from the Start menu and prevents access to the Windows Update Web site.

Override Local Web Page

Allows you to specify a path to a local Web page that is displayed when a user clicks on a Windows Update shortcut before connecting to the Internet with the Internet Connection Wizard.

Override Windows Update Site URL

Allows you to specify the URL of a site your users will access in place of the Windows Update Web site.

You can set the Run Once system policy to set values in the Run Once registry key, allowing any executable file to be run just once after a user logs on to the computer. After the related program is started, its name is removed automatically from the registry so it does not run again. However, if you leave this option selected in the policy file, every time the user logs on, that executable name will be placed in the Run Once registry key to be run again. To ensure that the executable runs only once, select the policy only long enough to be downloaded once into the user's registry. Then the policy must be cleared or changed so the same Run Once entry does not run the next time the user logs on.

System Policy Settings Summary


This section summarizes the policy options you can set by default in Windows 98. They are determined by a template (Windows.adm), which can be modified as discussed in "Using System Policy Templates" later in this chapter. You might find it helpful to run System Policy Editor as you study these options.

These policies are described in the order they appear in System Policy Editor. For each category, you must click the option that appears in bold type to display the related policies you can define for that category.

Restricting Access to User-Specific Settings

When you double-click Default User in System Policy Editor, a list of Control Panel, desktop, network, shell (user interface), and system settings appears so that you can predefine or restrict access to settings that apply when the user logs on to the system. These system policy settings are stored in User.dat.

Restricting Access to Control Panels

Table 8.11 describes the system policies you can apply to restrict access to settings in the Display, Network, Passwords, Printers, and System options of Control Panel.

Table 8.11 User policies restricting access to Control Panel options 

Option

Description

Restrict Display settings

 

Disable Display Control Panel

Prevents access to Display in Control Panel.

Hide Background page

Hides the Background properties of Display in Control Panel.

Hide Screen Saver page

Hides the Screen Saver properties of Display in Control Panel.

Hide Appearance page

Hides the Appearance properties of Display in Control Panel.

Hide Settings page

Hides the Settings properties of Display in Control Panel.

Restrict Network settings

 

Disable Network Control Panel

Prevents access to Network in Control Panel.

Hide Identification page

Hides the Identification properties of Network in Control Panel.

Hide Access Control page

Hides the Access Control (user-level versus share-level) properties of Network in Control Panel.

Restrict Passwords settings

 

Disable Passwords Control Panel

Prevents access to Passwords in Control Panel.

Hide Change Passwords page

Hides the Change Passwords properties of Passwords in Control Panel.

Hide Remote Administration page

Hides the Remote Administration properties of Passwords in Control Panel.

Hide User Profiles page

Hides the User Profiles properties of Passwords in Control Panel.

Restrict Printers settings

 

Hide General and Details pages

Hides the General and Details properties of Printers in Control Panel.

Disable Deletion of Printers

Prevents the deletion of installed printers.

Disable Addition of Printers

Prevents the installation of printers.

Restrict System settings

 

Hide Device Manager page

Hides the Device Manager properties of System in Control Panel.

Hide Hardware Profiles page

Hides the Hardware Profiles properties of System in Control Panel.

Hide File System button

Hides the File System button from the Performance properties of System in Control Panel.

Hide Virtual Memory button

Hides the Virtual Memory button from the Performance properties of System in Control Panel.

Using System Policy Templates


When you run System Policy Editor, Windows 98 opens the default policy template, which contains existing policies you can enable or modify. A template is a listing of the possible policies you can use. By default, this template file is named Windows.adm and is stored in the Windows INF directory.

Creating a Custom System Policy Template

You can create custom system policy templates (ADM files) and switch between multiple templates in System Policy Editor. For example, it might be helpful to have system policy settings for corporate-specific applications, such as an in-house database, custom front end, or electronic mail package. After a template has been customized, you can load it and use it to set values in the registry.

Note If you want to define system policies for applications, the applications must be able to read the Windows 98 registry.

Creating your own template is helpful when you want to define a specific set of registry settings in your system policies, including settings not definable by default through System Policy Editor. As shown in Figure 8.2, the template defines the policies you can set through System Policy Editor. Changes you make there are reflected in the policy file (shown in the example as Config.pol), which in turn updates the registry when the user logs on.


Figure 8.2 Using a custom system policy template to define policies 

To use a template other than the default template
  1. In System Policy Editor, make sure all policy files are closed. 

  2. On the Options menu, click Template.

  3. Click Open Template, and select an ADM file to be your template to begin setting system policies. Click Open.

  4. Click Close to return to System Policy Editor. 

You can create your own templates to be read by System Policy Editor. Users can then load a template and use it to set values in the registry. To create a template, use a text editor, such as WordPad, to edit or write an ADM file. You can open the default template named Windows.adm in the Windows INF directory to use as an example.

A template uses several key words, syntaxes, and symbols, as summarized in the following list.

  • Class: 

    CLASS category_type

  • Category: 

    CATEGORY name
    [KEYNAME key_name]
    [... policy definition statements ...]
    END CATEGORY

  • Policy: 

    POLICY name
    [KEYNAME key_name]
    [... part definition statements ...]
    END POLICY

  • Part: 

    PART name part_type
    type-dependent data
    [KEYNAME key_name]
    VALUENAME value_name
    END PART

Table 8.12 describes the keywords in system policy templates. Following this table are lists of the controls and values that can be defined in templates.

Table 8.12 System policy template keywords 

Template keyword

Description

CLASS

Defines the registry key that can be edited; the value must be USER or MACHINE, corresponding to HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, respectively.

CATEGORY name

Defines a category in System Policy Editor. Category names that contain spaces must be enclosed in quotes. A category statement can appear only once for each category name.

END CATEGORY

Defines the end of a category and all its policies.

POLICY name

Defines a policy within a category. Policy names that contain spaces must be enclosed in quotes.

END POLICY

Defines the end of a policy and all its parts.

PART name

Defines one or more controls that can be used to set the values of a policy. Part names that contain spaces must be enclosed in quotes. Policy part types and type-dependent data are described in the following tables.

END PART

Defines the end of the control list.

VALUEON

Specifies the setting to assign to the value when the policy is selected.

VALUEOFF

Specifies the setting to assign to the value when the policy is cleared.

KEYNAME 

Specifies the full path of the registry key. This is an optional registry key name to use for the category or policy. If there is a key name specified, it is used by all child categories, policies, and parts, unless they define a key name of their own.

VALUENAME 

Defines the registry value entry name.

VALUE 

Specifies the registry value to set to a VALUENAME.

!!

Indicates a string value.

[strings]

Defines a section containing string values.

A system policy template uses the part control indicators listed in Table 8.13.

Table 8.13 System policy template part control indicators 

| Part control indicator | Description |
|---|---|
| CHECKBOX | Displays a check box. The value is nonzero if checked by the user, and its value entry is deleted if it is unchecked. |
| NUMERIC | Displays an edit field with an optional spin control that accepts a numeric value. |
| EDITTEXT | Displays an edit field that accepts alphanumeric text. |
| COMBOBOX | Displays a combo box, which is an edit field plus a drop-down list for suggested values. |
| TEXT | Displays a line of static (label) text. There is no registry value associated with this part type. |
| DROPDOWNLIST | Displays a drop-down list. The user can choose from only one of the entries supplied. The main advantage of a drop-down list is that, based on the user's selection, a number of extra registry edits can be performed. |
| LISTBOX | Displays a list box with Add and Remove buttons. This is the only part type that can be used to manage multiple values under one key. |

A system policy template uses the type-specific information listed in Table 8.14.

Table 8.14 System policy template type-specific information 

| Type-specific modifier | Description |
|---|---|
| **CHECKBOX** | |
| DEFCHECKED | Causes the check box initially to be checked. |
| VALUEON | If specified, overrides the default "on" behavior of the check box. For example: VALUEON "On" writes "On" to the registry. |
| VALUEOFF | If specified, overrides the default "off" behavior of the check box. For example: VALUEOFF "Off" writes "Off" to the registry. |
| ACTIONLISTON | Specifies the optional actions to be taken if check box is "on." |
| ACTIONLISTOFF | Specifies the optional actions to be taken if check box is "off." |
| **NUMERIC** | |
| DEFAULT value | Specifies the initial numeric value for the edit field. If this statement is not specified, the edit field is initially empty. |
| MIN value | Specifies the minimum value for a number. Default value is 0. |
| MAX value | Specifies the maximum value for a number. Default value is 9999. |
| SPIN value | Specifies the increments to use for a spin control. Specifying SPIN 0 removes the spin control; SPIN 1 is the default. |
| REQUIRED | If specified, System Policy Editor will not allow a policy containing this part to be enabled unless a value has been entered. |
| TXTCONVERT | Writes values as strings rather than binary values. |
| **EDITTEXT** | |
| DEFAULT value | Specifies the initial string for the edit field. If this statement is not specified, the edit field is initially empty. |
| EXPANDABLETEXT | Writes the value to the registry with the data type REG_EXPAND_SZ. This allows the use of environment variables. |
| MAXLEN value | Specifies the maximum length of the string in the edit field. |
| REQUIRED | If specified, System Policy Editor will not allow a policy containing this part to be enabled unless a value has been entered. |
| OEMCONVERT | Sets the ES_OEMCONVERT style in the edit field so that typed text is mapped from ANSI to OEM and back. |
| **COMBOBOX** | Accepts all the key words that EDITTEXT does, as well as NOSORT and SUGGESTIONS. |
| NOSORT | If specified, values in the combo box are not sorted alphabetically. This is useful when a sorted value list would cause them to be displayed in an illogical order. |
| SUGGESTIONS | Begins a list of suggestions to be placed in the drop-down list. Suggestions are separated with spaces and can be enclosed by quotes. The list is terminated with END SUGGESTIONS. For example:<br>SUGGESTIONS<br>Alaska Alabama Mississippi "New York"<br>END SUGGESTIONS |
| **TEXT** | Contains no type-specific data. |
| **DROPDOWNLIST** | |
| NOSORT | If specified, values in the drop-down list are not sorted. This is useful when a sorted value list would cause them to be displayed in an illogical order. |
| REQUIRED | If specified, System Policy Editor will not allow a policy containing this part to be enabled unless a value has been entered. |
| ITEMLIST | Begins a list of the items in the drop-down list. The list is terminated with END ITEMLIST. Each item in the list is specified as follows:<br>NAME name VALUE value<br>[ACTIONLIST actionlist]<br>...<br>name is the text to be displayed in the related drop-down list.<br>value is the value to be written for the part's value if this item is selected. Values are assumed to be strings, unless they are preceded by the key word NUMERIC. For example:<br>VALUE "Some value"<br>VALUE NUMERIC 1<br>If the VALUE key word is followed by the DELETE key word (that is, VALUE DELETE), this registry name/value pair will be deleted.<br>actionlist is an optional list to be used if this value is selected. |
| **LISTBOX** | |
| VALUENAME | Cannot be used with the list box type, because there is no single value name associated with this type. By default, only one column appears in the list box, and for each entry a value is created with an identical value name and value data. For instance, the List Entry value in the list box would create a value named "List Entry" containing "List Entry" as data. |
| VALUEPREFIX prefix | Defines the prefix to be used in determining value names. If a prefix is specified, this prefix plus "1," "2," and so on will be used instead of the default value naming scheme listed earlier in this table. The prefix can be empty (" "), which will cause the value names to be "1," "2," and so on. A prefix of SomeName will generate value names "SomeName1," "SomeName2," and so on. |
| EXPLICITVALUE | Causes the user to specify the value data and the value name. The list box shows two columns for each item, one for the name and one for the data. This key word cannot be used with the VALUEPREFIX key word. |
| ADDITIVE | If specified, values set in the list box are used in addition to whatever values exist in the target registry. Existing values are not deleted; by default, if ADDITIVE is not specified, the content of list boxes will "override" whatever values are set in the target registry. |
| **Strings** | |
| !! | Indicates a string value. For example:<br>!!StrConst |
| [strings] | Defines a section containing string values; the values are defined in the following format:<br>var_name=string value<br>For example:<br>StrConst="Control Name" |
| **Comments** | Can be added by preceding the line with a semicolon (;). |
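
The following Python example is added here and is not part of the original chapter or of System Policy Editor. It reads a template, resolves !! references against [strings], applies the KEYNAME inheritance rule from Table 8.12, and lists the registry key and value name that each policy writes, along with undefined strings and unbalanced END statements. The sample template and its key names are constructed, and only CLASS, CATEGORY, POLICY, PART, KEYNAME, VALUENAME and [strings] are interpreted.

```python
import re

# Constructed sample (names are illustrative); "!!Path" is deliberately left out of [strings].
SAMPLE_ADM = r'''CLASS USER
CATEGORY !!Shell
  KEYNAME Software\Example\Policies\Shell
  POLICY !!Wallpaper
    PART !!Path EDITTEXT REQUIRED
      VALUENAME Wallpaper
    END PART
  END POLICY
  POLICY "Restrict run"
    KEYNAME Software\Example\Policies\Run
    VALUENAME RestrictRun
  END POLICY
END CATEGORY
[strings]
Shell="Shell settings"
Wallpaper="Desktop wallpaper"
'''
BLOCKS = ("CATEGORY", "POLICY", "PART")

def audit_template(text):
    """Return (writes, problems): the registry target of each VALUENAME, plus lint findings."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$', tail, re.M))
    resolve = lambda t: strings.get(t[2:], t) if t.startswith("!!") else t
    writes, problems, stack, cls = [], [], [], None
    for n, line in enumerate(body.splitlines(), 1):
        # Quoted names may contain spaces, so match quoted runs before bare words.
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok or tok[0].startswith(";"):
            continue  # blank line or comment
        problems += [f"line {n}: undefined string {t}" for t in tok if t[:2] == "!!" and t[2:] not in strings]
        kw, arg = tok[0], (tok[1] if len(tok) > 1 else "")
        if kw == "CLASS":
            cls = arg  # USER or MACHINE
        elif kw in BLOCKS:
            stack.append({"kind": kw, "name": resolve(arg), "key": None})
        elif kw == "END" and arg in BLOCKS:
            if not stack or stack.pop()["kind"] != arg:
                problems.append(f"line {n}: unexpected END {arg}")
        elif kw == "KEYNAME" and stack:
            stack[-1]["key"] = arg  # overrides any key inherited from a parent block
        elif kw == "VALUENAME":
            key = next((b["key"] for b in reversed(stack) if b["key"]), None)  # nearest wins
            pol = next((b["name"] for b in reversed(stack) if b["kind"] == "POLICY"), None)
            writes.append((cls, key, arg, pol))
    problems += [f"VALUENAME {w[2]} has no KEYNAME in scope" for w in writes if w[1] is None]
    return writes, problems + [f"unclosed {b['kind']} {b['name']}" for b in stack]
```

For SAMPLE_ADM, the audit shows Wallpaper written under the category's key, RestrictRun written under the policy's own key, and !!Path on line 5 reported as having no [strings] entry.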

Troubleshooting System Policies


This section discusses some common problems that you might encounter when implementing system policies and suggests some ways to fix these problems.

In general, when troubleshooting problems with system policies, verify the following:

  • The related registry key is correct in the policy template (ADM) file. 

  • The related policy is set properly in the policy (POL) file. 

  • The related application actually uses the registry key being changed. 

  • The policy file is located in the correct network location, and the network location is accessible from the computer running Windows 98. 

  • For group policies, the user name, group name, and computer name are correct, and the user is a member of the specified group. 

When troubleshooting system policies, you should turn on error messages. You can do this from the Remote Update policy, as explained in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. This setting displays error messages when policies cannot be downloaded correctly; the error messages might help identify the problem.

The computer seems to be picking up some of the policies, but not all of them. 

The computer might not be picking up any policies for Default User or for a particular user; it might be picking up only policies set for Default Computer or for a particular computer. If so, make sure that user profiles are enabled on that computer. In Control Panel, double-click Passwords, click the User Profiles tab, and then set the desired options.

The computer does not seem to be picking up policies from a Config.pol file on the Windows NT domain. 

  • Make sure that there is a Config.pol file in the Netlogon share or folder on the primary domain controller on the Windows NT network: \\PDC\x$\WINNT\system32\Repl\Import\Scripts\Config.pol (where x = SystemDrive). 

  • Make sure that the client computer has its domain set properly in the properties for Client for Microsoft Networks, in the Network option in Control Panel. 

  • Make sure that the client computer is successfully logging on to that domain. 

  • Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. Windows 98 is configured for automatic policy downloading by default. 

  • Enable error messages on the client computer, and see if an error message is displayed. 

The computer running Microsoft Client for NetWare Networks does not seem to be picking up the policies from a Config.pol file on the NetWare server. 

  • Make sure that there is a Config.pol in the Public directory on the SYS: volume of a NetWare 3.x or 4.x server. You cannot put the Config.pol file on a computer running Windows 98 with File and Printer Sharing for NetWare Networks unless you are set up for manual downloading of system policies. 

  • Make sure that the client computer has its Preferred Server set to the NetWare server that contains Config.pol. This setting is located in the properties for Client for NetWare Networks, in the Network option in Control Panel. 

  • Make sure that the client computer is successfully logging on to that preferred server. 

  • Make sure that the client computer is configured for automatic policy downloading. You can set this by using the Remote Update policy, as described in "Setting Up for Manual Downloading of System Policies" earlier in this chapter. 

  • Enable error messages on the client computer, and see if an error message is displayed. 

The computer running a Novell-supplied VLM or NETX client does not seem to be picking up the policies from the Config.pol on the NetWare server, even though the file is in SYS:PUBLIC. 

Automatic downloading of system policies on a NetWare server works only when the client computer is running Microsoft Client for NetWare Networks. If the computer is running the Novell-supplied VLM or NETX client, you must use manual downloading from a mapped drive. For more information, see "Setting Up for Manual Downloading of System Policies" earlier in this chapter.

The client computer is set for manual downloading, but it is not picking up the policies. 

  • Make sure that the path specified for manual downloading includes the name of the policy file itself. 

  • Make sure that the directory in which you placed the policy file can be accessed by the user that is logging on to the computer running Windows 98. 

You have implemented a policy and then cleared it, but it appears to still be in effect, or it does not do what you thought it would do. 

Does the policy have an edit box that needs to be completed? For example, do you need to specify the wallpaper or workgroup name? If so, clearing the policy actually deletes the registry setting for that value. For example, by clearing the wallpaper policy, the wallpaper registry setting is made to be blank, and thus the user will have no wallpaper.

For all policies that involve settings that users can manipulate by using an option in Control Panel, the best way to stop enforcing that policy is to make sure that policy setting is unavailable, in order to allow the users to make their own choices. These policies are listed in "Using System Policy Editor" earlier in this chapter.

Does the user have the correct POL file? In automatic downloading of the policy file, the latest POL file may not yet have replicated to the other domain controllers at the time the user logs on. If this happens, and the user downloads an old copy of the POL file, ensure the policy has been replicated to the user's logon server, restart the Windows 98 machine, and then log on again to download the new POL file.

You set up group policies, but one or more of the users do not get these group policies when they log on. 

  • Is there a policy for that particular user? If so, group policies are ignored by design. This allows you to make exceptions to group policies for particular users. 

  • Make sure that the client computer is set up for group policy support. 

  • Make sure that the user or users are really members of that group. 

  • Make sure that the user or users are members of another group with higher priority. 

  • Make sure that user profiles are enabled on the client computer. 

You used the policy named Only Run Allowed Windows Applications, but then you could not turn off this policy because you forgot to include Poledit.exe in the list. 

  • Did you set this policy for all users? If not, log on as another user, and run System Policy Editor to cancel this policy. 

  • If you can run Registry Editor, go to the following key and delete the RestrictRun entry: 

    HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Policies \Explore 

    If you previously set this policy for the Default User, and as a result, no user can run System Policy Editor or Registry Editor, try the following:

    • If possible, disable user profiles in the Passwords option in Control Panel. You should be able to log on and run System Policy Editor. Then undo the policy and re-enable user profiles. 

    • If you cannot disable user profiles because the Passwords option in Control Panel has been disabled, you must do one of the following: rename the policy file on the server, log on as a user who has not logged on at the computer, and change the policy; reinstall Windows 98 (so that user profiles will not be enabled); or use the Windows 98 startup disk and run the real-mode Registry Editor to disable user profiles. 

You need to prevent users from modifying their computer configuration, including even more restrictions than are available through standard system policies. 

Use one or more of the following methods for ensuring administrative control of the computer's configuration.

  • In Msdos.sys for the user's computer, set BootKeys=0 and BootSafe=0 so that the user cannot press F8 to avoid starting Windows 98 and the computer cannot be started in Safe Mode. In addition, make sure that floppy disk startup is not enabled in the computer's complementary metal oxide semiconductor (CMOS) settings, and use password protection to prevent CMOS modifications. For more information about making these changes, see the documentation from your computer's manufacturer. 

  • For the registry on the user's computer, use System Policy Editor to enable the registry setting named Require Validation By Network For Windows Access. 

  • In the system policies that are downloaded when the user logs on, set the policy named Disable Registry Editing Tools. 
