Windows NT System Policies had the following limitations that Active Directory Group Policy settings do not have:
- The policies persist in a user's profile until the specified policy is reversed or until you change the applicable registry setting. This behavior is frequently referred to as "tattooing" the registry.
- The policies are not secure.
- The policies cannot be refreshed without a restart.
- Software installation and maintenance
- Security settings
- Microsoft Internet Explorer maintenance
- Folder redirection
|Comparison||Group Policy||Windows NT 4.0 System Policy|
|Tool used||Microsoft Management Console (MMC) Group Policy snap-in||System Policy Editor (Poledit.exe)|
|Number of settings||More than 150 security-related settings and more than 620 registry-based settings||72 settings|
|Applied to||Users or computers in a specified Active Directory container (site, domain, or OU) or local computers and users||Domains or local computers and users|
|Extensible by||MMC or .adm files||.adm files|
|Persistence||Does not leave settings in the user profiles when the effective policy is changed||Persistent in user profiles until the specified policy is reversed or until you change the registry|
|Defined by||User or computer membership in security groups||User membership in security groups|
|Primary uses||Implement registry-based settings to control the desktop and user. Configure many types of security settings. Apply logon, logoff, startup, and shutdown scripts. Implement IntelliMirror software installation and maintenance. Implement IntelliMirror data and settings management. Optimize and maintain Internet Explorer.||Implement registry-based settings that govern the behavior of applications and operating system components, such as the Start menu.|
Which tool to use for a specific management taskIn an environment without Active Directory, you can use a variety of tools to manage system policy. Tools that you can use include the following:
- Microsoft Systems Management Server (SMS) 2003 to manage software distribution
- Internet Explorer Administration Kit to manage Internet Explorer settings
- System Policy to manage registry-based settings
For Active Directory client desktops that operate in other environments, such as in Windows NT 4.0, UNIX, Novell, or mixed environments, desktop management capabilities and tools vary. The following table summarizes the differences in desktop management tools and functionality in Active Directory environments and in non–Active Directory environments.
|Management task||Active Directory||Non–Active Directory|
|Configure registry-based settings for computers and for users.||Administrative Templates deployed by using Group Policy. Administrative Templates deployed by using the local Group Policy object.||System Policy. Local Group Policy object.|
|Manage local, domain, and network security.||Security settings deployed by using Group Policy. Security settings deployed by using the local Group Policy object.||Local Group Policy object.|
|Centrally install, update, and remove software.||SMS. Group Policy–based software distribution.||SMS.|
|Manage Internet Explorer configuration settings after deployment.||Internet Explorer maintenance in the Group Policy MMC snap-in. Internet Explorer maintenance deployed by using the local Group Policy object. Internet Explorer Administration Kit (IEAK).||Local Group Policy object. IEAK.|
|Apply scripts during user logon/logoff and during computer startup/shutdown.||Logon/logoff and startup/shutdown scripts can be centrally configured by using Group Policy or independently by using the local Group Policy object.||Local Group Policy object.|
|Centrally manage user folders and files on the network.||Local Group Policy object.||System Policy. Manipulation of registry settings by using logon scripts.|
|Centrally manage user settings on the network.||Roaming user profiles.||Roaming user profiles for Windows domains.|
Configuring System Policies
The Poledit.exe toolSystem Policies are created by using the Windows NT 4.0 System Policy Editor tool (Poledit.exe) to create the policy file (Ntconfig.pol).
The Poledit.exe tool is installed with Windows 2000 Server and with Windows 2000 Advanced Server.
You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
To install the Administrative Tools package on a Windows XP Professional-based computer, open the i386 folder on the applicable Windows 2000 Server CD, and then double-click the Adminpak.msi file. Follow the instructions that appear in the Administrative Tools Setup Wizard.
When you install the Administrative Tools package, the Poledit.exe file and its supporting .adm files (Winnt.adm, Windows.adm, and Common.adm) are installed in the %systemroot%\System folder and in the Inf directory. The Poledit.exe file is not added to the Start menu. However, you can run the tool at the command prompt.
- The Windows NT 4.0 System Policy Editor or earlier versions of the System Policy Editor cannot read the Unicode-formatted .adm files that are shipped in Windows 2000 or in later versions. You must use the version of System Policy Editor that is included with Windows 2000 or with later versions. This version supports Unicode. Alternatively, if you resave the .adm files as .txt files without Unicode encoding, you can use an older version of the Poledit.exe tool.
- The Poledit.exe tool is not included in the Windows Server 2003 Adminpak.msi file. The Windows 2000 version of the Poledit.exe tool is unavailable for download from a Microsoft Web site.
Administrative TemplatesThe Poledit.exe tool uses files that are known as Administrative Templates (.adm files) to determine the registry settings that can be modified and the settings that are displayed in the System Policy Editor.
System Policy settings are written to the following locations in the registry:
- HKEY_CURRENT_USER\Software\Policies (preferred location)
- HKEY_LOCAL_MACHINE\Software\Policies (preferred location)
Note A computer account object can exist in a Windows NT 4.0 domain, and a user account object for a user of that computer can exist in an Active Directory domain, or vice versa. However, when you operate in such a mixed environment, users and computers are difficult to manage and may cause unpredictable behavior. For optimal central management, we recommend that you move from a mixed environment to a pure Active Directory environment.
How to specify the path of the policy fileBy default, Active Directory clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on.
You can set the UpdateMode entry by using the System Policy Editor and the System.adm file. However, you must have the appropriate permissions to locate and read the policy file. Otherwise, the registry changes that note the new location of the policy file will not take effect. To modify the UpdateMode entry, use one of the following methods. (The methods are listed in order of preference.)
- Method 1: Modify the registry by using the local Group Policy object.
- Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a script.
- Method 3: Modify the registry by using the Poledit.exe tool. This method is the least desirable because you designate the location of the Ntconfig.pol file in the file itself.
Method 1: Modify the registry by using the local Group Policy object
- On the File menu, click Open Registry, and then double-click Local Computer.
- In the Properties dialog box, expand
Network, and then expand System policies update to display the remote update option.
- Click to select the Remote update box.
- In the Update mode list, click to select
Manual (use specific path).
- In the Path for manual update box, type the UNC path and the file name for the policy file, and then click
OK to save your changes.
Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a scriptImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To make sure that clients can locate the System Policy file, you must configure the following registry keys on the clients:
This registry entry determines how the client will search for the Ntconfig.pol file that contains the policies.
Value name: UpdateMode
Data type: REG_DWORD
|0||System Policies are disabled.|
|1||Automatic mode searches for a policy file that is named Ntconfig.pol in the authenticating server's Netlogon share. This is the default value.|
|2||Manual mode searches for the specified policy file in the location that is specified by the NetworkPath value. If UpdateMode is set to a value of 2, you must specify an additional value that is named NetworkPath that specifies a local or network system policy path and file name.|
The NetworkPath setting is used to identify the location of the Ntconfig.pol file that is used to determine System Policies if the UpdateMode value is 2.
Value name: NetworkPath
Data type: REG_SZ
Method 3: Modify the registry by using the Poledit.exe toolTo retrieve the policy file from a specific location, follow these steps:
- Click Start, click Run, type poledit.exe, and then click
- Click Options, click Policy Template, and then in the Policy Template Optionsdialog box, make sure that System.adm is listed in the Current Policy Template(s)list. If System.adm is not listed, click Add to add this file.
- To open the Default Computer policy, click New Policy on the File menu, and then double-click
Default Computer in the Policies list.
Windows XP Professional-based client behaviorIn Windows XP Professional, policy changes are saved locally in the registry the first time that the following events occur:
- A client is modified locally by using the System Policy Editor.
- A client receives a default System Policy file from the Netlogon share of a domain controller.
How to create the policy file (Ntconfig.pol)
- Remove all #if version and #endif statements from the following .adm files, and then save the files:
For example, in the Inetres.adm file, remove these lines:
- #if version <= 2
- Click Start, click Run, type poledit.exe, and then click
- In the System Policy Editor window, click Policy Template on the Options menu.
- In the Policy Template Options dialog box, click Add, select one of the .adm files that you modified in step 1, and then click OK.
- Specify the appropriate policy settings as documented in System Policy Editor Help.
- Save the file as Ntconfig.pol. Save the file to the Netlogon share of the Windows NT 4.0 domain controller.
How to create an Ntconfig.pol file that is based on Windows XP Professional .adm filesYou can create a Ntconfig.pol file that is based on the Windows XP Professional .adm files and then apply these settings to Windows XP Professional–based clients. To do this, use the Poledit.exe tool. You can install Poledit.exe on Windows XP Professional–based clients by installing the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
Different environments where System Policies are used
Workgroups and third-party environmentsIf you do not have a Windows NT 4.0-based domain, you can configure the client to look for the Ntconfig.pol file in a specific location on the local computer or in any SMB share location. For more information about how to specify the path of the policy file, see "How to specify the path of the policy file" section.
Windows NT 4.0 domainsA Windows Active Directory client processes System Policy if either the user account or computer account exists in a Windows NT 4.0 domain. When a user logs on to a Windows Active Directory client in a Windows NT 4.0 domain and the client is running in Automatic mode, the client examines the Netlogon share on the validating domain controller for the Ntconfig.pol file. If the client finds the file, the client downloads and parses the file. The client parses the file for user, group, and computer policy data. Then, the client applies the appropriate settings. If the client does not locate the policy file on its validating domain controller, the client does not look elsewhere. Therefore, make sure that the Ntconfig.pol file is replicated among the domain controllers that perform authentication.
Resource Kit referencesPart II of the Windows XP Resource Kit – Chapter 5: Managing Desktops
Change and Configuration Management Deployment Guide
Microsoft Internet Explorer Administration Kit (IEAK)
Group Policy Settings Reference for Windows and Windows Server
Windows 2000 Server - Advanced topic: Creating custom .adm filesAn .adm file defines how registry-related Group Policy settings are displayed under the Administrative Templates nodes in the Group Policy user interface. Additionally, the .adm file specifies the registry locations that must be modified if an administrator must make a change. To download this documentation, visit the following Microsoft Web site:
The "Using Administrative Template Files with Registry-Based Group Policy" white paperThe "Using Administrative Template Files with Registry-Based Group Policy" white paper explains the concepts, architecture, and implementation details for registry-based Group Policy in Microsoft Windows operating systems. This white paper discusses how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language. To download this white paper, visit the following Microsoft Web site:
Windows Firewall policy template for Windows NT 4.0 domainsYou can manage Windows Firewall policies from Windows NT 4.0 domains by applying this template. To download this template, visit the following Microsoft Web site:
Group Policy .adm filesAdministrative Template files are used to populate user interface settings in the Group Policy Object Editor. Administrators can use these files to manage registry-based policy settings. Each successive Windows operating system and service pack includes a newer version of these .adm files.
Previously, customers could only obtain the most recent .adm files by obtaining the latest service pack or operating system. Now, these .adm files are available directly from the following Microsoft Web site: