The procedures that are described in this article do not apply to client computers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, or Microsoft Windows Server 2003 in some conditions. System Policy settings are used to configure client computers that are running Windows NT 4.0, Microsoft Windows Millennium Edition (Me), and Microsoft Windows 98. However, in a Windows 2000 network or in a Windows Server 2003 network, you must use Group Policy settings to configure and control computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003. System Policy settings are different from Windows 2000 Group Policy settings in that they overwrite registry settings on the client computer with persistent changes. This behavior is known as "tattooing."
When you use System Policy settings for client computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003, consider the following guidelines:
- Client computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 ignore System Policy settings that are placed in the Netlogon share of a Windows 2000 domain controller or a Windows Server 2003 domain controller. Instead, they apply Group Policy settings.
- Computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 and that are joined to a Windows NT 4.0 domain apply System Policy settings from the Netlogon share of a Windows NT 4.0 domain controller.
- Windows NT 4.0-based client computers apply System Policy settings that are placed in the Netlogon share of a domain controller that is running Windows 2000, Windows Server 2003, or Windows NT 4.0.
- System Policy settings are applied to domains.
- System Policy settings may also be controlled by user membership in security groups.
- System Policy settings are not secure.
- System Policy settings persist in users’ profiles (this is sometimes referred to as tattooing the registry), as explained earlier in this article. This means that after a registry setting is set by using a Windows NT 4.0 System Policy setting, the setting persists until the specified policy is reversed or until the user edits the registry.
- System Policy settings are limited to desktop lockdown.
To implement a System Policy setting to affect all Terminal Server users who log on to the console or through the Terminal Server client, follow these steps:
- Start System Policy Editor (Poledit.exe), and then make the changes for your policy.
- On the File menu, click Save As, and then save the policy file on your hard disk. For example, save the file as C:\Ntconfig.pol.
- On the File menu, click Open Registry.
- Double-click Local Computer, double-click
Network, double-click System Policies Update, and then click to select the Remote Update check box.
- In the Update Mode box, click
Manual (Use Specific Path), type a path in the Path for Manual Update dialog box (for example, type
- You can name the policy file anything you like.
- To display an error message if the policy file is not found when Windows NT starts, click to select the Display Error Message check box.
- Click OK.
- Save your policy to the path that you specified in step 5, and then exit Policy Editor.
- Restart Windows NT for the changes in the policy to take effect.
The settings in this procedure modify the following path in the registry:
Subcategory: System Policies update
Selection: Remote update
Description: Controls how policies are applied to a Windows NT 4.0-based computer. With UpdateMode set to 1 (Automatic, the default), Windows NT makes a connection to the Netlogon share of the validating domain controller in the user's context and then checks for the existence of the policy file, NTconfig.pol. With UpdateMode set to 2 (Manual), Windows NT reads the string that is specified in the NetworkPath value and then checks that path for the existence of the policy file (in this case, the policy file name should be included in the NetworkPath value). With UpdateMode set to 0 (Off), a policy file is not downloaded from any system. Therefore, it is not applied.
|Registry Entry||Type||Values and Descriptions|
|UpdateMode||REG_DWORD||Off = 0, Automatic=1; Manual=2|
|NetworkPath||REG_SZ||Text of UNC path for manual update|
|Verbose||REG_DWORD||Display error messages Off = 0 or value not present; On = 1|
|LoadBalance||REG_DWORD||Off = 0 or value not present; On = 1|
For additional information about using a GPO Loopback policy, click the following article number to view the article in the Microsoft Knowledge Base:
For additional information about how to use System Policy settings in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 192794 - Last Review: Mar 15, 2008 - Revision: 1