How To Create a System Policy Setting in Microsoft Windows Server 2003 (814598)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
For a Microsoft Windows 2000 version of this article, see 318753.
SUMMARY
This step-by-step article describes how to create System
Policy settings for down-level client computers in a Windows Server 2003
domain. In a Windows Server 2003 network, you can use Group Policy settings to
configure and control Windows Server 2003-based computers, Windows 2000-based computers, and Microsoft Windows
XP Professional-based computers. However, to configure Microsoft Windows NT
4.0-based
client computers, Microsoft Windows Millennium Edition-based
client computers, and Microsoft Windows 98-based
client computers, you must use System Policy settings. System Policy settings
are different from Windows Server 2003 Group Policy settings in that they
overwrite registry settings on the client computer with persistent changes.
This behavior is known as "tattooing."
How to Create a System Policy Setting
To create System Policy settings, use the System Policy Editor
(Poledit.exe) for the type of client you want the policy to apply to.
- For Windows NT-based clients, use either the System Policy
Editor program that is included with Windows NT Server 4.0 or the program that
is included with Windows Server 2003.
NOTE: After you create System
Policy settings with the Windows 2000 version of System Policy Editor, you
cannot edit the settings by using the Windows NT 4.0 version of the program.
- For Windows Millennium Edition-based clients or Windows 98-based clients, use the version
of System Policy Editor that is included on the Windows 98 or Windows Millennium Edition
CD.
For Windows NT Clients
- Start System Policy Editor. To do so:
- Click Start, and then click
Run.
- In the Open box, type
poledit, and then click OK.
- On the File menu, click New
Policy.
IMPORTANT: The Default Computer icon and the Default User icon are
displayed in the System Policy Editor window. Because System Policy settings
create persistent changes to the client computer registry, you may
inadvertently block access to a client computer for all users (including the
administrator). Therefore, Microsoft recommends that you leave the
Default Computer and Default User System Policy settings unchanged. Instead,
create new policies based on either group membership or individual client
computers.
- On the Edit menu, click Add
Group.
- Click Browse, and then move to the
security group to which you want to apply this policy (for example, Domain
Users).
- Click Add, and then click
OK.
- Repeat steps 3 to 5 to add any additional groups to the
System Policy setting.
- In the System Policy Editor window, double-click the group
that you added.
- Expand the
category that contains the environment settings that you want to change (for
example, expand Shell).
- In each category, perform one of the following steps:
- Enable a policy item. Click to select the check box of the item that you want to
enable. For example, to enable the Remove Shut Down command
from Start menu policy setting, expand Shell, expand
Restrictions, and then click to select the Remove Shut
Down command from Start menu check box.
- Disable a policy item. Click to clear the check box of the item that you want to
disable. For example, to disable the Remove Shut Down command
from Start menu policy setting, expand Shell, expand
Restrictions, and then click to clear the Remove Shut
Down command from Start menu check box.
- Leave a policy item non-configured. If the check box of the item is either cleared or selected,
click it until it has a shaded background. For example, to leave the
Remove Shut Down command on Start menu
policy setting non-configured, expand Shell, expand
Restrictions, and then click the Remove Shut
Down command from Start menu check box until it has a
shaded background.
NOTE: This setting has the same effect as the Windows 2000 Group
Policy "Not Configured" setting.
- When you are finished configuring the policy setting, click
OK.
NOTE: You can configure different policies for individual users,
groups, and computers.
- When you are finished configuring policies for the users,
groups, or computers that you want to configure, click Save As
on the File menu.
- In the File name box, type the following
Universal Naming Convention (UNC) path and file name, where
server_name is the name of the domain controller:
\\server_name\netlogon\ntconfig.pol
- Click Save.
- Quit System Policy Editor.
For Windows 98 and Windows Millennium Edition Clients
- Install the System Policy Editor on a Windows Millennium Edition or Windows
98 client computer:
- Click Start, point to
Settings, and then click Control Panel.
- Double-click Add/Remove Programs, and
then click the Windows Setup tab.
- Click Have Disk, click
Browse, and then move to the following folder on the
Windows 98 CD: Tools\Reskit\Netadmin\Poledit
- In the left pane, click poledit.inf,
and then click OK.
- Click OK in the Install From
Disk dialog box. In the Components list, click to
select the following check boxes, and then click Install.
- Group Policies
- System Policy Editor
- Click OK.
- Start System Policy Editor. To do so:
- Click Start, point to
Programs, point to Accessories, point to
System Tools, and then click System Policy
Editor.
- On the File menu, click New
Policy.
- Follow steps 3 through 10 of the "For Windows NT Clients"
section of this article to create System Policy settings for Windows Millennium Edition and
Windows 98 clients.
- When you are finished configuring policies for the users,
groups, or computers that you want, click Save As on the
File menu.
- In the File name box, type the following
UNC path and file name, where server_name is the
name of the domain controller.
\\server_name\netlogon\config.pol
- Click Save.
NOTE: The file name for the Windows Millennium Edition or Windows 98 System Policy
setting is Config.pol instead of Ntconfig.pol (for Windows NT 4.0-based client
computers).
- Quit System Policy Editor.
Configure Windows Millennium Edition and Windows 98 Clients to Use System Policy Settings
Make the following configuration changes to the Windows Millennium Edition and
Windows 98 client computers:
- Install Group Policy settings.
NOTE: These are different from the Group Policy settings that Windows 2000
uses.
- Configure network clients with user-level access control.
- Configure client computers to use Profiles.
- Enable load balancing.
How to Install Group Policy Settings
To enable Windows Millennium Edition and Windows 98-based client computers to
recognize Windows 2000 and Windows NT 4.0 security groups, install the Group
Policy feature. To do so, use one of the following methods:
- On a single Windows Millennium Edition-based computer or Windows 98-based computer:
- Click Start, point to
Settings, and then click Control Panel.
- Double-click Add/Remove Programs, and
then click the Windows Setup tab.
- Click Have Disk, click
Browse, and then move to the following folder on the
Windows 98 CD: Tools\Reskit\Netadmin\Poledit
- In the left pane, click Poledit.inf,
and then click OK.
- In the Install From Disk dialog box,
click OK.
- In the Components list, click to
select the Group Policies check box, and then click
Install.
- Click OK.
- On a number of Windows Millennium Edition-based computers or Windows 98-based computers:
- Copy the Grouppol.dll file from the
Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD to the Windows\System
folder of each client computer.
NOTE: You can put this file in a network share, and then copy it to
the client computer by using a batch file during the logon process.
- Run the Grouppol.reg file from the
Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD on each client
computer.
NOTE: To automate these registry changes, copy the Grouppol.reg to a
network share, and then run the Regedit.exe command with the "silent" (/s)
switch from a logon batch file, for example:
regedit.exe /s \\server_name\share_name\grouppol.reg
How to Configure User-Level Access Control
- Click Start, point to
Settings, click Control Panel, and then
double-click Network.
- Click the Access Control tab.
- Click User-level access control.
- If the correct domain is not displayed in the
Obtain list of users and groups from box, type the name of the
domain that you want to use.
- If you are prompted to select an authenticator, click
Windows NT domain in the Select the kind of
authenticator you typed list, and then click OK.
- Click OK.
- Click Yes when you are prompted to restart
the computer.
How to Enable User Profiles
When you enable user profiles, each user is configured with
separate desktop and Start menu items. This configuration prevents a System
Policy setting that changes the desktop or Start menu for a particular user or
group from changing the Windows environment for all other users who log on to
the computer.
Note: Because there are several versions of Microsoft Windows, the
following steps may be different on your computer. If they are, see your
product documentation to complete these steps.
- Click Start, point to
Settings, click Control Panel, and then
double-click Passwords.
- Click the User Profiles tab.
- Click Users can customize their
preferences.
- Click to select the Include desktop icons and My Network Places
contents in user settings check box, click to select the Include Start menu and Program groups in user
settings check box, and then click
OK.
- When you are prompted to restart the computer, click
Yes.
How to Enable Load-Balancing Clients
In a Windows 2003 domain, all domain controllers are peers.
However, only one domain controller holds the operations master role of the
primary domain controller (PDC) for down-level clients. Therefore, all
Windows Millennium Edition and Windows 98 client computers try to retrieve System Policy
settings from the Windows 2003 domain controller that has the PDC operations
master role. To allow the Windows Millennium Edition and Windows 98 clients to
retrieve System Policy settings from any domain controller, enable the
load-balancing feature.
For additional information about how to enable load balancing, click the following article number to view the article in the Microsoft Knowledge Base:
197986 How to Configure Windows 95 Policies with Load Balancing
- System Policy Setting Placement.
You can create System Policy settings for clients that are
running Windows 2000, Windows NT 4.0, Windows Millennium Edition, Windows 98, and Windows 95.
System Policy settings are put in the Netlogon share of a domain controller.
When you decide where to put System Policy settings, consider the following guidelines:
- Windows XP and Windows 2000-based client computers
ignore System Policy settings that are put in the Netlogon share of a
Windows 2003 domain controller. Instead, they will apply Group Policy settings.
- Windows XP and Windows 2000-based computers that are
joined to a Windows NT 4.0 domain will apply System Policy settings from the
Netlogon share of a Windows NT 4.0 domain controller.
- Windows XP and Windows NT 4.0-based client computers
will apply System Policy settings that are put in the Netlogon share of
a Windows 2000 or Windows NT 4.0-based domain controller.
- Windows Millennium Edition, Windows 98, and Windows 95-based client
computers will apply System Policy settings that are put in the Netlogon
share of a Windows 2000 or Windows NT 4.0-based domain controller.
- System Policy Settings Order.
By default, System Policy settings are applied in the order in which they
are created. However, you can change the order in which the
policies are applied by listing the groups that the policy affects in order of
priority. For example, if you create a System Policy setting for a Users group
that disables the Shut Down command on the Start menu and you create a System
Policy setting for an Administrators group that enables this command, a user
who is a member of both groups may have the Shut Down command disabled if the
Users group is listed above the Administrators group in order of priority. To
order the groups:
- Start System Policy Editor.
- On the File menu, click Open
policy.
- Open the policy that you want. For Windows Millennium Edition
and Windows 98-based computers, open Config.pol. For Windows NT 4.0-based
computers, open Ntconfig.pol.
- On the Options menu, click
Group Priority.
- Click a group in the Group Order list,
and then click either Move Up or Move Down.
- After you configure the groups in order of priority,
click OK.
NOTE: In some cases, you may want to create an administrative group
and list it with the highest priority. When you do this, an administrative
user who is also a member of another group can still log
on to the domain.
- On the File menu, click
Save.
- Quit System Policy Editor.
- System Policy Application.
System Policy settings are applied to the client computers
at the following times:
- User policies are applied when the user logs on to the
domain.
- Computer policies are applied when you restart the
computer.
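The group priority example and the "tattooing" behavior described in this article can be worked through with a small model. The following Python code is an added example, not Microsoft code and not part of the original article. It assumes that groups are processed from lowest to highest priority so that the highest-priority group writes last, and the setting name RemoveShutDown is a hypothetical stand-in for the Remove Shut Down command from Start menu item.

```python
# Added example: a simplified model of System Policy group priority and
# "tattooing". Setting and group names are illustrative; nothing here is
# read from a real .pol file.

ENABLED, DISABLED, NOT_CONFIGURED = "enabled", "disabled", "not configured"


def apply_group_policies(registry, group_order, policies, user_groups):
    """Write group policies into `registry` (a dict) for one user.

    group_order lists groups from highest to lowest priority, as in the
    Group Priority dialog box. Assumption of this model: groups are
    processed from lowest to highest priority, so the highest-priority
    group that configures a setting writes last and wins.
    """
    for group in reversed(group_order):
        if group not in user_groups:
            continue
        for setting, state in policies.get(group, {}).items():
            if state == NOT_CONFIGURED:
                continue  # shaded check box: registry is left untouched
            registry[setting] = 1 if state == ENABLED else 0
    return registry


def effective(group_order, policies, user_groups, registry=None):
    """Return the registry after logon, starting from an existing registry."""
    return apply_group_policies(dict(registry or {}), group_order,
                                policies, user_groups)


# Constructed sample: the Users / Administrators case from the text.
POLICIES = {
    "Users": {"RemoveShutDown": ENABLED},
    "Administrators": {"RemoveShutDown": DISABLED},
}
MEMBER_OF_BOTH = {"Users", "Administrators"}

users_first = effective(["Users", "Administrators"], POLICIES, MEMBER_OF_BOTH)
admins_first = effective(["Administrators", "Users"], POLICIES, MEMBER_OF_BOTH)

# Tattooing: switching the Users item to "not configured" later does not
# undo the value that was already written to the client registry.
relaxed = {"Users": {"RemoveShutDown": NOT_CONFIGURED}}
after_relax = effective(["Users"], relaxed, {"Users"}, registry=users_first)
# Clearing the check box (DISABLED) is what rewrites the stored value.
cleared = {"Users": {"RemoveShutDown": DISABLED}}
after_clear = effective(["Users"], cleared, {"Users"}, registry=users_first)
```

In this model, a restriction that was applied earlier stays in effect when the item is later left non-configured. To reverse it, the check box must be cleared in the policy file so that the client registry value is overwritten.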
Modification Type: Minor
Last Reviewed: 7/2/2004
Keywords: kbHOWTOmaster KB814598
©2004 Microsoft Corporation. All rights reserved.