Article ID: 910203 - View products that this article applies to.
This article discusses how to implement system policies for Microsoft Windows XP-based, Microsoft Windows 2000-based, and Microsoft Windows Server 2003-based client computers in non-Active Directory directory service environments.
Before the implementation of Group Policy settings and of Active Directory in Windows 2000, computer and user policy settings were implemented as Microsoft Windows NT "System Policies."
Windows NT System Policies had the following limitations that Active Directory Group Policy settings do not have:
Collapse this tableExpand this table
Which tool to use for a specific management taskIn an environment without Active Directory, you can use a variety of tools to manage system policy. Tools that you can use include the following:
For Active Directory client desktops that operate in other environments, such as in Windows NT 4.0, UNIX, Novell, or mixed environments, desktop management capabilities and tools vary. The following table summarizes the differences in desktop management tools and functionality in Active Directory environments and in non–Active Directory environments.
You can also manage Microsoft Windows XP Professional-based desktops on Unix and Novell networks by using standards-based protocols such as TCP/IP, Simple Network Management Protocol (SNMP), Telnet, and Internetwork Packet Exchange (IPX). To enable policy-based administration on Unix and Novell networks, use a local Group Policy object or System Policy.
Collapse this tableExpand this table
Configuring System Policies
The Poledit.exe toolSystem Policies are created by using the Windows NT 4.0 System Policy Editor tool (Poledit.exe) to create the policy file (Ntconfig.pol).
The Poledit.exe tool is installed with Windows 2000 Server and with Windows 2000 Advanced Server.
You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
To install the Administrative Tools package on a Windows XP Professional-based computer, open the i386 folder on the applicable Windows 2000 Server CD, and then double-click the Adminpak.msi file. Follow the instructions that appear in the Administrative Tools Setup Wizard.
When you install the Administrative Tools package, the Poledit.exe file and its supporting .adm files (Winnt.adm, Windows.adm, and Common.adm) are installed in the %systemroot%\System folder and in the Inf directory. The Poledit.exe file is not added to the Start menu. However, you can run the tool at the command prompt.
Administrative TemplatesThe Poledit.exe tool uses files that are known as Administrative Templates (.adm files) to determine the registry settings that can be modified and the settings that are displayed in the System Policy Editor.
System Policy settings are written to the following locations in the registry:
Note A computer account object can exist in a Windows NT 4.0 domain, and a user account object for a user of that computer can exist in an Active Directory domain, or vice versa. However, when you operate in such a mixed environment, users and computers are difficult to manage and may cause unpredictable behavior. For optimal central management, we recommend that you move from a mixed environment to a pure Active Directory environment.
How to specify the path of the policy fileBy default, Active Directory clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on.
You can set the UpdateMode entry by using the System Policy Editor and the System.adm file. However, you must have the appropriate permissions to locate and read the policy file. Otherwise, the registry changes that note the new location of the policy file will not take effect. To modify the UpdateMode entry, use one of the following methods. (The methods are listed in order of preference.)
Method 1: Modify the registry by using the local Group Policy object
Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a scriptImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
To make sure that clients can locate the System Policy file, you must configure the following registry keys on the clients:
This registry entry determines how the client will search for the Ntconfig.pol file that contains the policies.
Value name: UpdateMode
Data type: REG_DWORD
Collapse this tableExpand this table
The NetworkPath setting is used to identify the location of the Ntconfig.pol file that is used to determine System Policies if the UpdateMode value is 2.
Value name: NetworkPath
Data type: REG_SZ
Collapse this tableExpand this table
Method 3: Modify the registry by using the Poledit.exe toolTo retrieve the policy file from a specific location, follow these steps:
Windows XP Professional-based client behaviorIn Windows XP Professional, policy changes are saved locally in the registry the first time that the following events occur:
How to create the policy file (Ntconfig.pol)
How to create an Ntconfig.pol file that is based on Windows XP Professional .adm filesYou can create a Ntconfig.pol file that is based on the Windows XP Professional .adm files and then apply these settings to Windows XP Professional–based clients. To do this, use the Poledit.exe tool. You can install Poledit.exe on Windows XP Professional–based clients by installing the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
Different environments where System Policies are used
Workgroups and third-party environmentsIf you do not have a Windows NT 4.0-based domain, you can configure the client to look for the Ntconfig.pol file in a specific location on the local computer or in any SMB share location. For more information about how to specify the path of the policy file, see "How to specify the path of the policy file" section.
Windows NT 4.0 domainsA Windows Active Directory client processes System Policy if either the user account or computer account exists in a Windows NT 4.0 domain. When a user logs on to a Windows Active Directory client in a Windows NT 4.0 domain and the client is running in Automatic mode, the client examines the Netlogon share on the validating domain controller for the Ntconfig.pol file. If the client finds the file, the client downloads and parses the file. The client parses the file for user, group, and computer policy data. Then, the client applies the appropriate settings. If the client does not locate the policy file on its validating domain controller, the client does not look elsewhere. Therefore, make sure that the Ntconfig.pol file is replicated among the domain controllers that perform authentication.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/293655/ )How to apply local policies to all users except administrators in a workgroup setting in Windows 2000
(http://support.microsoft.com/kb/274478/ )Group Policies for Windows 2000 Professional clients in Windows NT 4.0 domain or workgroups
(http://support.microsoft.com/kb/225087/ )Writing custom ADM files for System Policy Editor
(http://support.microsoft.com/kb/192794/ )How to apply System Policy settings to Terminal Server
(http://support.microsoft.com/kb/897100/ )How to create a Windows NT 4.0 system policy to manage Windows Firewall in a Windows NT 4.0 domain
(http://support.microsoft.com/kb/814598/ )How to create a system policy setting in Microsoft Windows Server 2003
(http://support.microsoft.com/kb/268511/ )How to import custom .adm files in Internet Explorer Administration Kit
Resource Kit referencesPart II of the Windows XP Resource Kit – Chapter 5: Managing Desktops
http://technet.microsoft.com/en-us/library/bb457103.aspxManaging Desktops in Various Network Environments
http://technet.microsoft.com/en-us/library/bb457103.aspxManaging Desktops Without Active Directory
Change and Configuration Management Deployment Guide
Microsoft Internet Explorer Administration Kit (IEAK)
Group Policy Settings Reference for Windows and Windows Server
Windows 2000 Server - Advanced topic: Creating custom .adm filesAn .adm file defines how registry-related Group Policy settings are displayed under the Administrative Templates nodes in the Group Policy user interface. Additionally, the .adm file specifies the registry locations that must be modified if an administrator must make a change. To download this documentation, visit the following Microsoft Web site:
The "Using Administrative Template Files with Registry-Based Group Policy" white paperThe "Using Administrative Template Files with Registry-Based Group Policy" white paper explains the concepts, architecture, and implementation details for registry-based Group Policy in Microsoft Windows operating systems. This white paper discusses how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language. To download this white paper, visit the following Microsoft Web site:
Windows Firewall policy template for Windows NT 4.0 domainsYou can manage Windows Firewall policies from Windows NT 4.0 domains by applying this template. To download this template, visit the following Microsoft Web site:
Group Policy .adm filesAdministrative Template files are used to populate user interface settings in the Group Policy Object Editor. Administrators can use these files to manage registry-based policy settings. Each successive Windows operating system and service pack includes a newer version of these .adm files.
Previously, customers could only obtain the most recent .adm files by obtaining the latest service pack or operating system. Now, these .adm files are available directly from the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=enYou can obtain the original version of the .adm files that are included with each operating system or service pack. Each set of .adm files is included in a Microsoft Windows Installer package that you can download.
Article ID: 910203 - Last Review: May 17, 2012 - Revision: 3.0
Contact us for more help
Connect with Answer Desk for expert help.