HOW TO: Create a System Policy Setting in Windows 2000 (318753)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q318753

SUMMARY

This step-by-step article describes how to create System Policy settings for down-level client computers in a Windows 2000 domain. In a Windows 2000 network, you can use Group Policy settings to configure and control Windows 2000 and Microsoft Windows XP Professional-based computers. However, to configure Microsoft Windows NT 4.0, Microsoft Windows Millennium Edition (Me), and Microsoft Windows 98-based client computers, you must use System Policy settings. System Policy settings are different from Windows 2000 Group Policy settings in that they overwrite registry settings on the client computer with persistent changes. This behavior is known as "tattooing."


How to Create a System Policy Setting

To create System Policy settings, use the version of System Policy Editor (Poledit.exe) that matches the type of client to which you want the policy to apply.
  • For Windows NT-based clients, use either the System Policy Editor program that is included with Windows NT Server 4.0 or the program that is included with Windows 2000 Server.

    NOTE: After you create System Policy settings with the Windows 2000 version of System Policy Editor, you cannot edit the settings by using the Windows NT 4.0 version of the program.
  • For Windows Me or Windows 98-based clients, use the version of System Policy Editor that is included on the Windows 98 compact disc (CD).

For Windows NT Clients

  1. Start System Policy Editor. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type poledit, and then click OK.
  2. On the File menu, click New Policy.

    IMPORTANT: The Default Computer icon and the Default User icon are displayed in the System Policy Editor window. Because System Policy settings create persistent changes to the client computer registry, you may inadvertently block access to a client computer for all users (including the administrator). For this reason, Microsoft recommends that you leave the Default Computer and Default User System Policy settings unchanged. Instead, create new policies based on either group membership or individual client computers.
  3. On the Edit menu, click Add Group.
  4. Click Browse, and then navigate to the security group to which you want to apply this policy (for example, Domain Users).
  5. Click Add, and then click OK.
  6. Repeat steps 3 to 5 to add any additional groups to the System Policy setting.
  7. In the System Policy Editor window, double-click the group that you added.
  8. Click the plus sign (+) to expand the category that contains the environment settings that you want to change (for example, expand Shell).
  9. In each category, perform one of the following steps:
    • Enable a policy item.
      Click to select the check box of the item that you want to enable. For example, to enable the Remove Shut Down command from Start menu policy setting, expand Shell, expand Restrictions, and then click to select the Remove Shut Down command from Start menu check box.
    • Disable a policy item.
      Click to clear the check box of the item that you want to disable. For example, to disable the Remove Shut Down command from Start menu policy setting, expand Shell, expand Restrictions, and then click to clear the Remove Shut Down command from Start menu check box.
    • Leave a policy item non-configured.
      If the check box of the item is either cleared or selected, click it until it has a shaded background. For example, to leave the Remove Shut Down command from Start menu policy setting non-configured, expand Shell, expand Restrictions, and then click the Remove Shut Down command from Start menu check box until it has a shaded background.

      NOTE: This setting has the same effect as the Windows 2000 Group Policy "Not Configured" setting.
  10. When you are finished configuring the policy setting, click OK.

    NOTE: You can configure different policies for individual users, groups, and computers.
  11. When you are finished configuring policies for the users, groups, or computers that you want to configure, click Save As on the File menu.
  12. In the File name box, type the following Universal Naming Convention (UNC) path and file name, where server_name is the name of the domain controller:

    \\server_name\netlogon\ntconfig.pol

  13. Click Save.
  14. Quit System Policy Editor.

For Windows Me or Windows 98 Clients

  1. Install the System Policy Editor on a Windows Me or Windows 98 client computer:
    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click Add/Remove Programs, and then click the Windows Setup tab.
    3. Click Have Disk, click Browse, and then navigate to the following folder on the Windows 98 compact disc (CD):

      Tools\Reskit\Netadmin\Poledit

    4. In the left pane, click poledit.inf, and then click OK.
    5. Click OK in the Install From Disk dialog box.
    6. In the Components list, click to select the following check boxes, and then click Install.

      Group Policies
      System Policy Editor

    7. Click OK.
  2. Start System Policy Editor. To do so, click Start, point to Programs, point to Accessories, point to System Tools, and then click System Policy Editor.
  3. On the File menu, click New Policy.
  4. Follow steps 3 through 10 of the For Windows NT Clients section of this article to create System Policy settings for Windows Me and Windows 98 clients.
  5. When you are finished configuring policies for the users, groups, or computers that you want, click Save As on the File menu.
  6. In the File name box, type the following UNC path and file name, where server_name is the name of the domain controller.

    \\server_name\netlogon\config.pol

  7. Click Save.

    NOTE: The file name for the Windows Me or Windows 98 System Policy setting is Config.pol instead of Ntconfig.pol (for Windows NT 4.0-based client computers).
  8. Quit System Policy Editor.

Configure Windows Me and Windows 98 Clients to Use System Policy Settings

Make the following configuration changes to the Windows Me and Windows 98 client computers:
  1. Install Group Policy settings.

    NOTE: These are not the same Group Policy settings that Windows 2000 uses.
  2. Configure network clients with user-level access control.
  3. Configure client computers to use Profiles.
  4. Enable load balancing.

How to Install Group Policy Settings

To enable Windows Me and Windows 98-based client computers to recognize Windows 2000 and Windows NT 4.0 security groups, install the Group Policy feature. To do so, use one of the following methods:
  • On a single Windows Me or Windows 98-based computer:
    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click Add/Remove Programs, and then click the Windows Setup tab.
    3. Click Have Disk, click Browse, and then navigate to the following folder on the Windows 98 CD:

      Tools\Reskit\Netadmin\Poledit

    4. In the left pane, click Poledit.inf, and then click OK.
    5. In the Install From Disk dialog box, click OK.
    6. In the Components list, click to select the Group Policies check box, and then click Install.
    7. Click OK.
  • On a number of Windows Me or Windows 98-based computers:
    1. Copy the Grouppol.dll file from the Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD to the Windows\System folder of each client computer.

      NOTE: You can place this file in a network share, and then copy it to the client computer by using a batch file during the logon process.
    2. Run the Grouppol.reg file from the Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD on each client computer.

      NOTE: To automate these registry changes, copy the Grouppol.reg to a network share, and then run the Regedit.exe command with the "silent" (/s) switch from a logon batch file, for example:

      regedit.exe /s \\server_name\share_name\grouppol.reg
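
The two steps of the multiple-computer method, combined into one logon batch file. This is an added example, not part of the original article; server_name and share_name are the article's placeholders, and the use of %windir% for the Windows folder is an assumption.

```bat
@echo off
rem Added example: logon batch file for Windows Me / Windows 98 clients.
rem server_name and share_name are placeholders, as in the article.
rem %windir%\system is assumed to be the client's Windows\System folder.
rem The share is imported silently on every logon, so ordinary users
rem should have read-only access to it.

rem Step 1: copy Grouppol.dll only if it is not already installed.
if exist %windir%\system\grouppol.dll goto import
copy \\server_name\share_name\grouppol.dll %windir%\system > nul
if not exist %windir%\system\grouppol.dll goto failed

:import
rem Step 2: import the Group Policy registry entries without prompting.
regedit.exe /s \\server_name\share_name\grouppol.reg
goto end

:failed
echo Could not copy grouppol.dll from \\server_name\share_name

:end
```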


How to Configure User-Level Access Control

  1. Click Start, point to Settings, click Control Panel, and then double-click Network.
  2. Click the Access Control tab.
  3. Click User-level access control.

    If the correct domain is not displayed in the Obtain list of users and groups from box, type the name of the domain that you want to use.
  4. If you are prompted to select an authenticator, click Windows NT domain from the Select the kind of authenticator you typed list, and then click OK.
  5. Click OK.
  6. Click Yes when you are prompted to restart the computer.

How to Enable User Profiles

When you enable user profiles, each user is configured with separate desktop and Start menu items. This configuration prevents a System Policy setting that changes the desktop or Start menu for a particular user or group from changing the Windows environment for all other users who log on to the computer.

NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
  1. Click Start, point to Settings, click Control Panel, and then double-click Passwords.
  2. Click the User Profiles tab.
  3. Click Users can customize their preferences.
  4. Click to select the following check boxes, and then click OK.
    • Include desktop icons and My Network Places contents in user settings
    • Include Start menu and Program groups in user settings
  5. When you are prompted to restart the computer, click Yes.

How to Enable Load Balancing

In a Windows 2000 domain, all domain controllers are peers. However, only one domain controller holds the operations master role of the primary domain controller (PDC) for down-level clients. For this reason, all Windows Me and Windows 98 client computers attempt to retrieve System Policy settings from the Windows 2000 domain controller that has the PDC operations master role.

To allow the Windows Me and Windows 98 clients to retrieve System Policy settings from any domain controller, enable the load-balancing feature. For additional information about how to enable load balancing, click the article number below to view the article in the Microsoft Knowledge Base:

197986 How to Configure Windows 95 Policies with Load Balancing


Troubleshooting

  • System Policy Setting Placement.
    You can create System Policy settings for clients that are running Windows 2000, Windows NT 4.0, Windows Me, Windows 98, and Windows 95. System Policy settings are placed in the Netlogon share of a domain controller. When you place System Policy settings, consider the following guidelines:

    • Windows 2000-based client computers ignore System Policy settings that are placed in the Netlogon share of a Windows 2000 domain controller. Instead, they will apply Group Policy settings.
    • Windows 2000-based computers that are joined to a Windows NT 4.0 domain will apply System Policy settings from the Netlogon share of a Windows NT 4.0 domain controller.
    • Windows NT 4.0-based client computers will apply System Policy settings that are placed in the Netlogon share of a Windows 2000 or Windows NT 4.0-based domain controller.
    • Windows Me, Windows 98, and Windows 95-based client computers will apply System Policy settings that are placed in the Netlogon share of a Windows 2000 or Windows NT 4.0-based domain controller.
  • System Policy Settings Order.
    System Policy settings are applied in the order that they are created, by default. However, you can arrange the order in which the policies are applied by listing the groups that are affected by the policy by priority. For example, if you create a System Policy setting for a Users group that disables the Shut Down command on the Start menu and you create a System Policy setting for an Administrators group that enables this command, a user who is a member of both groups may have the Shut Down command disabled if the Users group is listed above the Administrators group in order of priority. To order the groups:

    1. Start System Policy Editor.
    2. On the File menu, click Open policy.
    3. Open the policy that you want.

      For Windows Me and Windows 98-based computers, open Config.pol. For Windows NT 4.0-based computers, open Ntconfig.pol.
    4. On the Options menu, click Group Priority.
    5. Click a group in the Group Order list, and then click either Move Up or Move Down.
    6. After you configure the groups in order of priority, click OK.

      NOTE: In some cases, you may want to create an administrative group and list it with the highest priority in order to prevent an administrative user that is also a member of another group from being restricted from logging on to the domain.
    7. On the File menu, click Save.
    8. Quit System Policy Editor.
  • System Policy Application.
    System Policy settings are applied to the client computers at the following times:

    • User policies are applied when the user logs on to the domain.
    • Computer policies are applied when you restart the computer.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

151176 Policy Registry Entries (Default User)


Modification Type: Major
Last Reviewed: 10/30/2003