How to apply System Policy settings to Terminal Server (192794)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition

This article was previously published under Q192794
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

Microsoft Windows NT System Policy settings are applied when a user or a computer account is a member of a Windows NT domain. By comparison, Group Policy settings are applied when a user or a computer account is a member of an Active Directory directory service domain. With Microsoft Windows NT Server 4.0 Terminal Server Edition, you may want to apply System Policy settings to affect users who log on to the terminal server through the console or through the Terminal Server client.

The procedures that are described in this article do not apply to client computers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, or Microsoft Windows Server 2003 in some conditions. System Policy settings are used to configure client computers that are running Windows NT 4.0, Microsoft Windows Millennium Edition (Me), and Microsoft Windows 98. However, in a Windows 2000 network or in a Windows Server 2003 network, you must use Group Policy settings to configure and control computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003. System Policy settings are different from Windows 2000 Group Policy settings in that they overwrite registry settings on the client computer with persistent changes. This behavior is known as "tattooing."

MORE INFORMATION


When you use System Policy settings for client computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003, consider the following guidelines:
  • Client computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 ignore System Policy settings that are placed in the Netlogon share of a Windows 2000 domain controller or a Windows Server 2003 domain controller. Instead, they apply Group Policy settings.
  • Computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 and that are joined to a Windows NT 4.0 domain apply System Policy settings from the Netlogon share of a Windows NT 4.0 domain controller.
  • Windows NT 4.0-based client computers apply System Policy settings that are placed in the Netlogon share of a domain controller that is running Windows 2000, Windows Server 2003, or Windows NT 4.0.
When you use System Policy settings for client computers that are running Windows NT 4.0 (or Windows 95 or Windows 98), consider the following guidelines:
  • System Policy settings are applied to domains.
  • System Policy settings may also be controlled by user membership in security groups.
  • System Policy settings are not secure.
  • System Policy settings persist in users' profiles (this is sometimes referred to as tattooing the registry), as explained earlier in this article. This means that after a registry setting is set by using a Windows NT 4.0 System Policy setting, the setting persists until the specified policy is reversed or until the user edits the registry.
  • System Policy settings are limited to desktop lockdown.


To implement a System Policy setting to affect all Terminal Server users who log on to the console or through the Terminal Server client, follow these steps:
  1. Start System Policy Editor (Poledit.exe), and then make the changes for your policy.
  2. On the File menu, click Save As, and then save the policy file on your hard disk. For example, save the file as C:\Ntconfig.pol.
  3. On the File menu, click Open Registry.
  4. Double-click Local Computer, double-click Network, double-click System Policies Update, and then click to select the Remote Update check box.
  5. In the Update Mode box, click Manual (Use Specific Path), and then type a path in the Path for Manual Update dialog box (for example, type c:\ntconfig.pol).

    Notes
    • You can name the policy file anything you like.
    • To display an error message if the policy file is not found when Windows NT starts, click to select the Display Error Message check box.
  6. Click OK.
  7. Save your policy to the path that you specified in step 5, and then exit Policy Editor.
  8. Restart Windows NT for the changes in the policy to take effect.
Tip Every user or computer account that logs on after a policy is in place is subject to the policy. Therefore, it is a good idea not to edit the default user or computer account until you are familiar with System Policy settings. Make a test user/group account in "User Manager," and then make a specific policy for this user/group in System Policy Editor. After you have the policy working correctly, you can then transfer the policy to the production environment.

The settings in this procedure modify the following path in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update

Remote Update:
Category: Network
Subcategory: System Policies update
Selection: Remote update

Description: Controls how policies are applied to a Windows NT 4.0-based computer. With UpdateMode set to 1 (Automatic, the default), Windows NT makes a connection to the Netlogon share of the validating domain controller in the user's context and then checks for the existence of the policy file, NTconfig.pol. With UpdateMode set to 2 (Manual), Windows NT reads the string that is specified in the NetworkPath value and then checks that path for the existence of the policy file (in this case, the policy file name should be included in the NetworkPath value). With UpdateMode set to 0 (Off), a policy file is not downloaded from any system. Therefore, it is not applied.

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
Registry Entry   Type        Values and Descriptions
UpdateMode       REG_DWORD   Off = 0; Automatic = 1; Manual = 2
NetworkPath      REG_SZ      Text of UNC path for manual update
Verbose          REG_DWORD   Display error messages: Off = 0 or value not present; On = 1
LoadBalance      REG_DWORD   Off = 0 or value not present; On = 1
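
The following is an added example, not part of the original article or any Microsoft tool: it reads the text of a .reg export of the Update key and reports where the computer looks for its policy file, using the UpdateMode, NetworkPath, and Verbose meanings given above. The sample export is constructed, the function names are hypothetical, and treating a missing UpdateMode value as the default (Automatic) is an assumption.

```python
import re

# Key and value meanings are taken from the article's registry table.
UPDATE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update"
UPDATE_MODES = {0: "Off", 1: "Automatic", 2: "Manual"}

# Constructed sample: what a REGEDIT4 export looks like after steps 4-5.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="c:\\ntconfig.pol"
"Verbose"=dword:00000000
'''

def parse_update_key(reg_text):
    """Return {name: value} for the Update key in decoded .reg export text."""
    values, in_key = {}, False
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            in_key = line.strip("[]").lower() == UPDATE_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (in_key and m):
            continue
        name, raw = m.groups()
        if raw.lower().startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # .reg strings escape backslashes and quotes with a backslash
            values[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return values

def describe_policy_source(values):
    """Say where the policy file is read from, following the article's text."""
    mode = values.get("UpdateMode", 1)  # assumption: absent means the default
    source, findings = None, []
    if mode == 1:
        source = "Netlogon share of the validating domain controller"
    elif mode == 2:
        source = values.get("NetworkPath")
        if not source or source.endswith("\\"):
            findings.append("Manual mode: NetworkPath must name the policy file")
        if not values.get("Verbose"):
            findings.append("Verbose off: no error shown if the file is missing")
    elif mode != 0:
        findings.append("Unrecognised UpdateMode value %d" % mode)
    return {"mode": UPDATE_MODES.get(mode, "Unknown"),
            "source": source, "findings": findings}

if __name__ == "__main__":
    print(describe_policy_source(parse_update_key(SAMPLE_EXPORT)))
```

Exports saved in the Unicode .reg format must be decoded to text before they are passed to parse_update_key.
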
Note The UpdateMode registry entry only applies for the Windows NT 4.0 policy. For members of an Active Directory forest, the UpdateMode registry entry is ignored, and instead, the Group Policy settings that are configured in Active Directory are applied. To gain the same effect as using the UpdateMode entry, you can use a GPO Loopback policy.

For additional information about using a GPO Loopback policy, click the following article number to view the article in the Microsoft Knowledge Base:

260370 How to apply Group Policy objects to Terminal Services servers


For additional information about how to use System Policy settings in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

318753 How to create a System Policy setting in Windows 2000


Modification Type: Major
Last Reviewed: 2/28/2006
Keywords: kbinfo KB192794 kbAudITPRO