How to implement system policies for Windows XP-based, Windows 2000-based, and Windows Server 2003-based client computers in non-Active Directory environments

Applies to: Microsoft Windows Server 2003 Standard Edition (32-bit x86)Microsoft Windows Server 2003 Enterprise Edition (32-bit x86)Microsoft Windows XP Professional


This article discusses how to implement system policies for Microsoft Windows XP-based, Microsoft Windows 2000-based, and Microsoft Windows Server 2003-based client computers in non-Active Directory directory service environments.


Before the implementation of Group Policy settings and of Active Directory in Windows 2000, computer and user policy settings were implemented as Microsoft Windows NT "System Policies."

Windows NT System Policies had the following limitations that Active Directory Group Policy settings do not have:
  • The policies persist in a user's profile until the specified policy is reversed or until you change the applicable registry setting. This behavior is frequently referred to as "tattooing" the registry.
  • The policies are not secure.
  • The policies cannot be refreshed without a restart.
Group Policy includes the functionality of Windows NT 4.0 System Policies. Group Policy also provides additional policy settings for the following items:
  • Scripts
  • Software installation and maintenance
  • Security settings
  • Microsoft Internet Explorer maintenance
  • Folder redirection
The following table compares Group Policy and Windows NT 4.0 System Policy.
ComparisonGroup PolicyWindows NT 4.0 System Policy
Tool usedMicrosoft Management Console (MMC) Group Policy snap-inSystem Policy Editor (Poledit.exe)
Number of settingsMore than 150 security-related settings and more than 620 registry-based settings72 settings
Applied toUsers or computers in a specified Active Directory container (site, domain, or OU) or local computers and usersDomains or local computers and users
SecuritySecureNot secure
Extensible byMMC or .adm files.adm files
PersistenceDoes not leave settings in the user profiles when the effective policy is changedPersistent in user profiles until the specified policy is reversed or until you change the registry
Defined byUser or computer membership in security groupsUser membership in security groups
Primary usesImplement registry-based settings to control the desktop and user. Configure many types of security settings. Apply logon, logoff, startup, and shutdown scripts. Implement IntelliMirror software installation and maintenance. Implement IntelliMirror data and settings management. Optimize and maintain Internet Explorer. Implement registry-based settings that govern the behavior of applications and operating system components, such as the Start menu.

More Information

Which tool to use for a specific management task

In an environment without Active Directory, you can use a variety of tools to manage system policy. Tools that you can use include the following:
  • Microsoft Systems Management Server (SMS) 2003 to manage software distribution
  • Internet Explorer Administration Kit to manage Internet Explorer settings
  • System Policy to manage registry-based settings
Additionally, each local computer has its own local Group Policy object, regardless of whether the computer participates in a domain. Although administrators can configure a variety of settings by using the local Group Policy object, System Policy scales more easily to lots of clients. The local Group Policy object is useful if you want to apply certain settings to a small number of Active Directory clients in a Windows NT 4.0-based domain or in other non-Active Directory domains.

For Active Directory client desktops that operate in other environments, such as in Windows NT 4.0, UNIX, Novell, or mixed environments, desktop management capabilities and tools vary. The following table summarizes the differences in desktop management tools and functionality in Active Directory environments and in non–Active Directory environments.
Management taskActive DirectoryNon–Active Directory
Configure registry-based settings for computers and for users.Administrative Templates deployed by using Group Policy. Administrative Templates deployed by using the local Group Policy object.
System Policy. Local Group Policy object.
Manage local, domain, and network security.Security settings deployed by using Group Policy. Security settings deployed by using the local Group Policy object. Local Group Policy object.
Centrally install, update, and remove software.SMS. Group Policy–based software distribution. SMS.
Manage Internet Explorer configuration settings after deployment.Internet Explorer maintenance in the Group Policy MMC snap-in. Internet Explorer maintenance deployed by using the local Group Policy object. Internet Explorer Administration Kit (IEAK). Local Group Policy object. IEAK.
Apply scripts during user logon/logoff and during computer startup/shutdown.Logon/logoff and startup/shutdown scripts can be centrally configured by using Group Policy or independently by using the local Group Policy object.Local Group Policy object.
Centrally manage user folders and files on the network.Local Group Policy object.System Policy. Manipulation of registry settings by using logon scripts.
Centrally manage user settings on the network.Roaming user profiles.Roaming user profiles for Windows domains.
You can also manage Microsoft Windows XP Professional-based desktops on Unix and Novell networks by using standards-based protocols such as TCP/IP, Simple Network Management Protocol (SNMP), Telnet, and Internetwork Packet Exchange (IPX). To enable policy-based administration on Unix and Novell networks, use a local Group Policy object or System Policy.

Configuring System Policies

The Poledit.exe tool

System Policies are created by using the Windows NT 4.0 System Policy Editor tool (Poledit.exe) to create the policy file (Ntconfig.pol).

The Poledit.exe tool is installed with Windows 2000 Server and with Windows 2000 Advanced Server.

You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.

To install the Administrative Tools package on a Windows XP Professional-based computer, open the i386 folder on the applicable Windows 2000 Server CD, and then double-click the Adminpak.msi file. Follow the instructions that appear in the Administrative Tools Setup Wizard.

When you install the Administrative Tools package, the Poledit.exe file and its supporting .adm files (Winnt.adm, Windows.adm, and Common.adm) are installed in the %systemroot%\System folder and in the Inf directory. The Poledit.exe file is not added to the Start menu. However, you can run the tool at the command prompt.

  • The Windows NT 4.0 System Policy Editor or earlier versions of the System Policy Editor cannot read the Unicode-formatted .adm files that are shipped in Windows 2000 or in later versions. You must use the version of System Policy Editor that is included with Windows 2000 or with later versions. This version supports Unicode. Alternatively, if you resave the .adm files as .txt files without Unicode encoding, you can use an older version of the Poledit.exe tool.
  • The Poledit.exe tool is not included in the Windows Server 2003 Adminpak.msi file. The Windows 2000 version of the Poledit.exe tool is unavailable for download from a Microsoft Web site.

Administrative Templates

The Poledit.exe tool uses files that are known as Administrative Templates (.adm files) to determine the registry settings that can be modified and the settings that are displayed in the System Policy Editor.

System Policy settings are written to the following locations in the registry:
  • HKEY_CURRENT_USER\Software\Policies (preferred location)
  • HKEY_LOCAL_MACHINE\Software\Policies (preferred location)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
An Active Directory client processes System Policy if the user, the computer account, or both accounts are in a Windows NT 4.0 domain. The client looks for the Ntconfig.pol file that is used by Windows NT 4.0 System Policy. By default, the client looks for this file in the Netlogon share of the authenticating Windows NT 4.0 domain controller.

Note A computer account object can exist in a Windows NT 4.0 domain, and a user account object for a user of that computer can exist in an Active Directory domain, or vice versa. However, when you operate in such a mixed environment, users and computers are difficult to manage and may cause unpredictable behavior. For optimal central management, we recommend that you move from a mixed environment to a pure Active Directory environment.

How to specify the path of the policy file

By default, Active Directory clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on.

You can set the UpdateMode entry by using the System Policy Editor and the System.adm file. However, you must have the appropriate permissions to locate and read the policy file. Otherwise, the registry changes that note the new location of the policy file will not take effect. To modify the UpdateMode entry, use one of the following methods. (The methods are listed in order of preference.)
  • Method 1: Modify the registry by using the local Group Policy object.
  • Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a script.
  • Method 3: Modify the registry by using the Poledit.exe tool. This method is the least desirable because you designate the location of the Ntconfig.pol file in the file itself.
Method 1: Modify the registry by using the local Group Policy object
  1. On the File menu, click Open Registry, and then double-click Local Computer.
  2. In the Properties dialog box, expand
    Network, and then expand System policies update to display the remote update option.
  3. Click to select the Remote update box.
  4. In the Update mode list, click to select
    Manual (use specific path).
  5. In the Path for manual update box, type the UNC path and the file name for the policy file, and then click
    OK to save your changes.
Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a script
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To make sure that clients can locate the System Policy file, you must configure the following registry keys on the clients:

UpdateMode value
This registry entry determines how the client will search for the Ntconfig.pol file that contains the policies.
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
Value name: UpdateMode
Data type: REG_DWORD
0System Policies are disabled.
1Automatic mode searches for a policy file that is named Ntconfig.pol in the authenticating server's Netlogon share. This is the default value.
2Manual mode searches for the specified policy file in the location that is specified by the NetworkPath value. If UpdateMode is set to a value of 2, you must specify an additional value that is named NetworkPath that specifies a local or network system policy path and file name.
NetworkPath value
The NetworkPath setting is used to identify the location of the Ntconfig.pol file that is used to determine System Policies if the UpdateMode value is 2.

Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
Value name: NetworkPath
Data type: REG_SZ
UNC path\\Server_name\Share_name\File_name
Local pathC:\Folder_name\File_name
Method 3: Modify the registry by using the Poledit.exe tool
To retrieve the policy file from a specific location, follow these steps:
  1. Click Start, click Run, type poledit.exe, and then click
  2. Click Options, click Policy Template, and then in the Policy Template Optionsdialog box, make sure that System.adm is listed in the Current Policy Template(s)list. If System.adm is not listed, click Add to add this file.
  3. To open the Default Computer policy, click New Policy on the File menu, and then double-click
    Default Computer in the Policies list.

Windows XP Professional-based client behavior

In Windows XP Professional, policy changes are saved locally in the registry the first time that the following events occur:
  • A client is modified locally by using the System Policy Editor.
  • A client receives a default System Policy file from the Netlogon share of a domain controller.
Thereafter, the Windows XP Professional–based client does not examine a domain controller again to find a policy file. All policy updates use the location that you manually specified. This change is permanent until you change the policy file to reset the option to Automatic.

How to create the policy file (Ntconfig.pol)

  1. Remove all #if version and #endif statements from the following .adm files, and then save the files:
    • System.adm
    • Inetres.adm
    • Conf.adm
    This step prevents the unintended loading of these files by the Poledit.exe tool.

    For example, in the Inetres.adm file, remove these lines:
    • #if version <= 2
    • #endif
  2. Click Start, click Run, type poledit.exe, and then click
  3. In the System Policy Editor window, click Policy Template on the Options menu.
  4. In the Policy Template Options dialog box, click Add, select one of the .adm files that you modified in step 1, and then click OK.
  5. Specify the appropriate policy settings as documented in System Policy Editor Help.
  6. Save the file as Ntconfig.pol. Save the file to the Netlogon share of the Windows NT 4.0 domain controller.

How to create an Ntconfig.pol file that is based on Windows XP Professional .adm files

You can create a Ntconfig.pol file that is based on the Windows XP Professional .adm files and then apply these settings to Windows XP Professional–based clients. To do this, use the Poledit.exe tool. You can install Poledit.exe on Windows XP Professional–based clients by installing the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.

Different environments where System Policies are used

Workgroups and third-party environments

If you do not have a Windows NT 4.0-based domain, you can configure the client to look for the Ntconfig.pol file in a specific location on the local computer or in any SMB share location. For more information about how to specify the path of the policy file, see "How to specify the path of the policy file" section.

Windows NT 4.0 domains

A Windows Active Directory client processes System Policy if either the user account or computer account exists in a Windows NT 4.0 domain. When a user logs on to a Windows Active Directory client in a Windows NT 4.0 domain and the client is running in Automatic mode, the client examines the Netlogon share on the validating domain controller for the Ntconfig.pol file. If the client finds the file, the client downloads and parses the file. The client parses the file for user, group, and computer policy data. Then, the client applies the appropriate settings. If the client does not locate the policy file on its validating domain controller, the client does not look elsewhere. Therefore, make sure that the Ntconfig.pol file is replicated among the domain controllers that perform authentication.


For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
293655 How to apply local policies to all users except administrators in a workgroup setting in Windows 2000
274478 Group Policies for Windows 2000 Professional clients in Windows NT 4.0 domain or workgroups
225087 Writing custom ADM files for System Policy Editor
192794 How to apply System Policy settings to Terminal Server
897100 How to create a Windows NT 4.0 system policy to manage Windows Firewall in a Windows NT 4.0 domain
814598 How to create a system policy setting in Microsoft Windows Server 2003
268511 How to import custom .adm files in Internet Explorer Administration Kit

Resource Kit references

Part II of the Windows XP Resource Kit – Chapter 5: Managing DesktopsManaging Desktops in Various Network EnvironmentsManaging Desktops Without Active Directory

Other resources

Change and Configuration Management Deployment Guide

Microsoft Internet Explorer Administration Kit (IEAK)

Group Policy Settings Reference for Windows and Windows Server

Windows 2000 Server - Advanced topic: Creating custom .adm files

An .adm file defines how registry-related Group Policy settings are displayed under the Administrative Templates nodes in the Group Policy user interface. Additionally, the .adm file specifies the registry locations that must be modified if an administrator must make a change. To download this documentation, visit the following Microsoft Web site:

The "Using Administrative Template Files with Registry-Based Group Policy" white paper

The "Using Administrative Template Files with Registry-Based Group Policy" white paper explains the concepts, architecture, and implementation details for registry-based Group Policy in Microsoft Windows operating systems. This white paper discusses how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language.

Windows Firewall policy template for Windows NT 4.0 domains

You can manage Windows Firewall policies from Windows NT 4.0 domains by applying this template.

Group Policy .adm files

Administrative Template files are used to populate user interface settings in the Group Policy Object Editor. Administrators can use these files to manage registry-based policy settings. Each successive Windows operating system and service pack includes a newer version of these .adm files.

Previously, customers could only obtain the most recent .adm files by obtaining the latest service pack or operating system. Now, these .adm files are available directly from the following Microsoft Web site:You can obtain the original version of the .adm files that are included with each operating system or service pack. Each set of .adm files is included in a Microsoft Windows Installer package that you can download.