Microsoft Windows NT 4.0 User Manual


Microsoft Windows NT Server White Paper


A System Policy is a set of registry settings that defines the computer resources available to an individual or to a group of users. Policies define the various facets of the desktop environment that a system administrator needs to control, such as which applications are available, which applications appear on the user’s desktop, which applications and options appear in the Start menu, who can change their desktops and who cannot, and so forth. System policies can be implemented for specific users, groups, computers, or for all users. You create system policies with the System Policy Editor.

The System Policy Editor is a graphical tool provided with Windows NT Server 4.0 that allows you to easily update the registry settings to generate the correct environment for a particular user or group of users. The System Policy Editor creates a file that contains registry settings, which are then written to the user or local machine portion of the registry database. User Profile settings that are specific to a user who logs on to a given workstation or server are written to the registry under HKEY_CURRENT_USER. Likewise, machine-specific settings are written under HKEY_LOCAL_MACHINE.

When you apply a System Policy, the new policy overwrites the existing registry settings, thus giving you, as system administrator, the ability to set restrictions for the client machine and user. When a user logs on to a Windows NT 4.0 computer, the user’s profile is loaded first and then the System Policy is downloaded. Any registry settings that you have reconfigured, whether these are machine-specific changes or are specific to the user logging on, are changed before the user receives control of the desktop. Note that System Policy changes are not dynamic; if you make a change to the policy, affected users must log off and log back on so that the new policy can be downloaded and applied.

With a properly implemented policy, you can customize the user’s environment to your specifications, despite the user’s preferences and regardless of where he or she logs on. The settings available in the System Policy Editor provide a variety of options for managing the user environment. For a detailed list of these options, see the section “Registry Keys Modified by the System Policy Editor Default Templates.”

System Policy Files

Policies can define a specific user’s settings or the settings for a group of users. The resulting policy file contains the registry settings for all users, groups, and computers that will be using the policy file. Separate policy files for each user, group, or computer are not necessary.

If you create a policy that will be automatically downloaded from validating domain controllers, you should name the file NTconfig.pol. As system administrator, you have the option of renaming the policy file and, by modifying the Windows NT-based workstation, directing the computer to update the policy from a manual path. You can do this either by manually changing the registry or by using System Policy. This path can even be a local path such that each machine has its own policy file, but if a change is necessary to all machines,

SYSTEM POLICY – AN INTRODUCTION

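The automatic and manual update paths described under "System Policy Files" can be audited from a registry export. The following is an added example, not part of the white paper: it parses a REGEDIT4 export and reports where a workstation is set to fetch its policy file from. The key path and the UpdateMode and NetworkPath value names come from Microsoft's System Policy documentation rather than from this page, and the sample export, path, and function names are constructed for illustration.

```python
import re

# Constructed sample: REGEDIT4-style export from a workstation set to manual
# update with a local policy path. UpdateMode and NetworkPath are the value
# names from Microsoft's System Policy documentation, not from this page.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="C:\\WINNT\\policy\\local.pol"
'''

UPDATE_KEY = r"hkey_local_machine\system\currentcontrolset\control\update"
MODES = {0: "off", 1: "automatic", 2: "manual"}

def parse_reg_export(text):
    """Parse REGEDIT4 text into {lowercased key path: {value name: int or str}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.lower().startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
    return keys

def audit_policy_source(text):
    """Report where this machine is configured to fetch its policy file from."""
    values = parse_reg_export(text).get(UPDATE_KEY, {})
    raw_mode = values.get("UpdateMode")
    mode = "unset" if raw_mode is None else MODES.get(raw_mode, "unknown")
    path = values.get("NetworkPath", "")
    if mode == "automatic":
        source = "domain-controller"   # NTconfig.pol from the validating DC
    elif mode == "manual" and path.startswith("\\\\"):
        source = "unc"                 # renamed or relocated file on a share
    elif mode == "manual" and re.match(r"[A-Za-z]:\\", path):
        source = "local"               # each machine has its own policy file
    else:
        source = "none"                # off, unset, or manual with no usable path
    return {"mode": mode, "path": path, "source": source}

if __name__ == "__main__":
    print(audit_policy_source(SAMPLE_EXPORT))
```

Machines reported as "local" or "none" are the ones to review first, since they do not take their policy from a domain controller or a share.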