How To Create a System Policy Setting in Microsoft Windows Server 2003 (814598)



The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

For a Microsoft Windows 2000 version of this article, see 318753.

SUMMARY

This step-by-step article describes how to create System Policy settings for down-level client computers in a Windows Server 2003 domain. In a Windows Server 2003 network, you can use Group Policy settings to configure and control Windows Server 2003-based computers, Windows 2000-based computers, and Microsoft Windows XP Professional-based computers. However, to configure Microsoft Windows NT 4.0-based client computers, Microsoft Windows Millennium Edition-based client computers, and Microsoft Windows 98-based client computers, you must use System Policy settings. System Policy settings are different from Windows Server 2003 Group Policy settings in that they overwrite registry settings on the client computer with persistent changes. This behavior is known as "tattooing."

How to Create a System Policy Setting

To create System Policy settings, use the System Policy Editor (Poledit.exe) for the type of client you want the policy to apply to.
  • For Windows NT-based clients, use either the System Policy Editor program that is included with Windows NT Server 4.0 or the program that is included with Windows Server 2003.

    NOTE: After you create System Policy settings with the Windows 2000 version of System Policy Editor, you cannot edit the settings by using the Windows NT 4.0 version of the program.
  • For Windows Millennium Edition-based clients or Windows 98-based clients, use the version of System Policy Editor that is included on the Windows 98 or Windows Millennium Edition CD.

For Windows NT Clients

  1. Start System Policy Editor. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type poledit, and then click OK.
  2. On the File menu, click New Policy. IMPORTANT: The Default Computer icon and the Default User icon are displayed in the System Policy Editor window. Because System Policy settings create persistent changes to the client computer registry, you may inadvertently block access to a client computer for all users (including the administrator). Therefore, Microsoft recommends that you leave the Default Computer and Default User System Policy settings unchanged. Instead, create new policies based on either group membership or individual client computers.
  3. On the Edit menu, click Add Group.
  4. Click Browse, and then move to the security group to which you want to apply this policy (for example, Domain Users).
  5. Click Add, and then click OK.
  6. Repeat steps 3 to 5 to add any additional groups to the System Policy setting.
  7. In the System Policy Editor window, double-click the group that you added.
  8. Expand the category that contains the environment settings that you want to change (for example, expand Shell).
  9. In each category, perform one of the following steps:
    • Enable a policy item. Click to select the check box of the item that you want to enable. For example, to enable the Remove Shut Down command from Start menu policy setting, expand Shell, expand Restrictions, and then click to select the Remove Shut Down command from Start menu check box.
    • Disable a policy item. Click to clear the check box of the item that you want to disable. For example, to disable the Remove Shut Down command from Start menu policy setting, expand Shell, expand Restrictions, and then click to clear the Remove Shut Down command from Start menu check box.
    • Leave a policy item non-configured. If the check box of the item is either cleared or selected, click it until it has a shaded background. For example, to leave the Remove Shut Down command from Start menu policy setting non-configured, expand Shell, expand Restrictions, and then click the Remove Shut Down command from Start menu check box until it has a shaded background.

      NOTE: This setting has the same effect as the Windows 2000 Group Policy "Not Configured" setting.
  10. When you are finished configuring the policy setting, click OK.

    NOTE: You can configure different policies for individual users, groups, and computers.
  11. When you are finished configuring policies for the users, groups, or computers that you want to configure, click Save As on the File menu.
  12. In the File name box, type the following Universal Naming Convention (UNC) path and file name, where server_name is the name of the domain controller: \\server_name\netlogon\ntconfig.pol
  13. Click Save.
  14. Quit System Policy Editor.

For Windows 98 and Windows Millennium Edition Clients

  1. Install the System Policy Editor on a Windows Millennium Edition or Windows 98 client computer:
    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click Add/Remove Programs, and then click the Windows Setup tab.
    3. Click Have Disk, click Browse, and then move to the following folder on the Windows 98 CD: Tools\Reskit\Netadmin\Poledit
    4. In the left pane, click poledit.inf, and then click OK.
    5. Click OK in the Install From Disk dialog box. In the Components list, click to select the following check boxes, and then click Install.
      • Group Policies
      • System Policy Editor
    6. Click OK.
  2. Start System Policy Editor. To do so:
    • Click Start, point to Programs, point to Accessories, point to System Tools, and then click System Policy Editor.
  3. On the File menu, click New Policy.
  4. Follow steps 3 through 10 of the "For Windows NT Clients" section of this article to create System Policy settings for Windows Millennium Edition and Windows 98 clients.
  5. When you are finished configuring policies for the users, groups, or computers that you want, click Save As on the File menu.
  6. In the File name box, type the following UNC path and file name, where server_name is the name of the domain controller: \\server_name\netlogon\config.pol
  7. Click Save.

    NOTE: The file name for the Windows Millennium Edition or Windows 98 System Policy setting is Config.pol instead of Ntconfig.pol (for Windows NT 4.0-based client computers).
  8. Quit System Policy Editor.

Configure Windows Millennium Edition and Windows 98 Clients to Use System Policy Settings

Make the following configuration changes to the Windows Millennium Edition and Windows 98 client computers:
  1. Install Group Policy settings.

    NOTE: These are different from the Group Policy settings that Windows 2000 uses.
  2. Configure network clients with user-level access control.
  3. Configure client computers to use Profiles.
  4. Enable load balancing.

How to Install Group Policy Settings

To enable Windows Millennium Edition and Windows 98-based client computers to recognize Windows 2000 and Windows NT 4.0 security groups, install the Group Policy feature. To do so, use one of the following methods:
  • On a single Windows Millennium Edition-based computer or Windows 98-based computer:
    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click Add/Remove Programs, and then click the Windows Setup tab.
    3. Click Have Disk, click Browse, and then move to the following folder on the Windows 98 CD: Tools\Reskit\Netadmin\Poledit
    4. In the left pane, click Poledit.inf, and then click OK.
    5. In the Install From Disk dialog box, click OK.
    6. In the Components list, click to select the Group Policies check box, and then click Install.
    7. Click OK.
  • On a number of Windows Millennium Edition-based computers or Windows 98-based computers:
    1. Copy the Grouppol.dll file from the Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD to the Windows\System folder of each client computer.

      NOTE: You can put this file in a network share, and then copy it to the client computer by using a batch file during the logon process.
    2. Run the Grouppol.reg file from the Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD on each client computer.

      NOTE: To automate these registry changes, copy the Grouppol.reg to a network share, and then run the Regedit.exe command with the "silent" (/s) switch from a logon batch file, for example: regedit.exe /s \\server_name\share_name\grouppol.reg

How to Configure User-Level Access Control

  1. Click Start, point to Settings, click Control Panel, and then double-click Network.
  2. Click the Access Control tab.
  3. Click User-level access control.
  4. If the correct domain is not displayed in the Obtain list of users and groups from box, type the name of the domain that you want to use.
  5. If you are prompted to select an authenticator, click Windows NT domain in the Select the kind of authenticator you typed list, and then click OK.
  6. Click OK.
  7. Click Yes when you are prompted to restart the computer.

How to Enable User Profiles

When you enable user profiles, each user is configured with separate desktop and Start menu items. This configuration prevents a System Policy setting that changes the desktop or Start menu for a particular user or group from changing the Windows environment for all other users who log on to the computer.

NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
  1. Click Start, point to Settings, click Control Panel, and then double-click Passwords.
  2. Click the User Profiles tab.
  3. Click Users can customize their preferences.
  4. Click to select the Include desktop icons and My Network Places contents in user settings check box, click to select the Include Start menu and Program groups in user settings check box, and then click OK.
  5. When you are prompted to restart the computer, click Yes.

How to Enable Load-Balancing Clients

In a Windows 2003 domain, all domain controllers are peers. However, only one domain controller holds the operations master role of the primary domain controller (PDC) for down-level clients. Therefore, all Windows Millennium Edition and Windows 98 client computers try to retrieve System Policy settings from the Windows 2003 domain controller that has the PDC operations master role.

To allow the Windows Millennium Edition and Windows 98 clients to retrieve System Policy settings from any domain controller, enable the load-balancing feature. For additional information about how to enable load balancing, click the following article number to view the article in the Microsoft Knowledge Base:

197986 How to Configure Windows 95 Policies with Load Balancing

Troubleshoot

  • System Policy Setting Placement.
    You can create System Policy settings for clients that are running Windows 2000, Windows NT 4.0, Windows Millennium Edition, Windows 98, and Windows 95. System Policy settings are put in the Netlogon share of a domain controller. When you decide where to put System Policy settings, consider the following guidelines:
    • Windows XP and Windows 2000-based client computers ignore System Policy settings that are put in the Netlogon share of a Windows 2003 domain controller. Instead, they will apply Group Policy settings.
    • Windows XP and Windows 2000-based computers that are joined to a Windows NT 4.0 domain will apply System Policy settings from the Netlogon share of a Windows NT 4.0 domain controller.
    • Windows XP and Windows NT 4.0-based client computers will apply System Policy settings that are put in the Netlogon share of Windows 2000 or Windows NT 4.0-based domain controller.
    • Windows Millennium Edition, Windows 98, and Windows 95-based client computers will apply System Policy settings that are put in the Netlogon share of Windows 2000 or Windows NT 4.0-based domain controller.
  • System Policy Settings Order.
    By default, System Policy settings are applied in the order in which they are created. However, you can arrange the order in which the policies are applied by listing the groups that are affected by the policy; you list the affected groups by priority. For example, if you create a System Policy setting for a Users group that disables the Shut Down command on the Start menu and you create a System Policy setting for an Administrators group that enables this command, a user who is a member of both groups may have the Shut Down command disabled if the Users group is listed above the Administrators group in order of priority. To order the groups:
    1. Start System Policy Editor.
    2. On the File menu, click Open policy.
    3. Open the policy that you want. For Windows Millennium Edition and Windows 98-based computers, open Config.pol. For Windows NT 4.0-based computers, open Ntconfig.pol.
    4. On the Options menu, click Group Priority.
    5. Click a group in the Group Order list, and then click either Move Up or Move Down.
    6. After you configure the groups in order of priority, click OK.

      NOTE: In some cases, you may want to create an administrative group and list it with the highest priority. When you do this, an administrative user who is also a member of another group can still log on to the domain.
    7. On the File menu, click Save.
    8. Quit System Policy Editor.
  • System Policy Application.
    System Policy settings are applied to the client computers at the following times:
    • User policies are applied when the user logs on to the domain.
    • Computer policies are applied when you restart the computer.
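
The group priority rule and the "tattooing" behavior described in this article can be checked with a small model before a policy file is saved to the Netlogon share. The following Python code is an added example, not Microsoft code and not part of the original article; the function names, the dict used as a stand-in for the client registry, and the low-to-high application order are assumptions made for illustration.

```python
# Added example: a simplified model, not Microsoft's implementation.
# A check box is selected (ENABLED), cleared (DISABLED), or shaded
# (non-configured), which is modeled here as the item being absent.
ENABLED, DISABLED = True, False

def effective_settings(user_groups, group_order, group_policies):
    """Resolve what a user who belongs to several groups ends up with.

    group_order lists groups as in the Group Priority dialog box, highest
    priority first. Groups are applied lowest-to-highest so the items of
    the highest-priority group are written last and win (assumed
    mechanism; the outcome matches the article's Shut Down example).
    """
    result = {}
    for group in reversed(group_order):
        if group in user_groups:
            result.update(group_policies.get(group, {}))
    return result

def apply_at_logon(registry, settings):
    """Write configured items into the client registry (a dict here).

    Non-configured items are not touched, so a value written at an
    earlier logon stays in place: the "tattooing" behavior.
    """
    registry.update(settings)
    return registry

ITEM = "Remove Shut Down command from Start menu"
POLICIES = {  # constructed sample policy contents
    "Users": {ITEM: ENABLED},
    "Administrators": {ITEM: DISABLED},
}

def demo():
    member_of = {"Users", "Administrators"}
    users_first = effective_settings(
        member_of, ["Users", "Administrators"], POLICIES)
    admins_first = effective_settings(
        member_of, ["Administrators", "Users"], POLICIES)
    # Tattooing: apply once, then apply a policy that no longer configures
    # the item; the value written at the first logon is still present.
    registry = apply_at_logon({}, users_first)
    apply_at_logon(registry, {})
    return users_first[ITEM], admins_first[ITEM], registry[ITEM]

if __name__ == "__main__":
    print(demo())
```

With the Users group listed first, the restriction stays enabled for a user who is also an administrator; listing Administrators first clears it, which is the reason for the NOTE in step 6.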

Modification Type: Minor
Last Reviewed: 7/2/2004
Keywords: kbHOWTOmaster KB814598