Which tool to use for a specific management task
In an environment without Active Directory, you can use a variety of tools to manage system policy. Tools that you can use include the following:
- Microsoft Systems Management Server (SMS) 2003 to manage software distribution
- Internet Explorer Administration Kit to manage Internet Explorer settings
- System Policy to manage registry-based settings
Additionally, each local computer has its own local Group Policy object, regardless of whether the computer participates in a domain. Although administrators can configure a variety of settings by using the local Group Policy object, System Policy scales more easily to lots of clients. The local Group Policy object is useful if you want to apply certain settings to a small number of Active Directory clients in a Windows NT 4.0-based domain or in other non-Active Directory domains.
For Active Directory client desktops that operate in other environments, such as in Windows NT 4.0, UNIX, Novell, or mixed environments, desktop management capabilities and tools vary. The following table summarizes the differences in desktop management tools and functionality in Active Directory environments and in non–Active Directory environments.
|Management task||Active Directory||Non–Active Directory |
|Configure registry-based settings for computers and for users.||Administrative Templates deployed by using Group Policy. Administrative Templates deployed by using the local Group Policy object. ||System Policy. Local Group Policy object. |
|Manage local, domain, and network security.||Security settings deployed by using Group Policy. Security settings deployed by using the local Group Policy object. ||Local Group Policy object.|
|Centrally install, update, and remove software.||SMS. Group Policy–based software distribution. ||SMS.|
|Manage Internet Explorer configuration settings after deployment.||Internet Explorer maintenance in the Group Policy MMC snap-in. Internet Explorer maintenance deployed by using the local Group Policy object. Internet Explorer Administration Kit (IEAK). ||Local Group Policy object. IEAK. |
|Apply scripts during user logon/logoff and during computer startup/shutdown.||Logon/logoff and startup/shutdown scripts can be centrally configured by using Group Policy or independently by using the local Group Policy object.||Local Group Policy object.|
|Centrally manage user folders and files on the network.||Local Group Policy object.||System Policy. Manipulation of registry settings by using logon scripts. |
|Centrally manage user settings on the network.||Roaming user profiles.||Roaming user profiles for Windows domains.|
You can also manage Microsoft Windows XP Professional-based desktops on Unix and Novell networks by using standards-based protocols such as TCP/IP, Simple Network Management Protocol (SNMP), Telnet, and Internetwork Packet Exchange (IPX). To enable policy-based administration on Unix and Novell networks, use a local Group Policy object or System Policy.
Configuring System Policies
The Poledit.exe tool
System Policies are created by using the Windows NT 4.0 System Policy Editor tool (Poledit.exe) to create the policy file (Ntconfig.pol).
The Poledit.exe tool is installed with Windows 2000 Server and with Windows 2000 Advanced Server.
You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
To install the Administrative Tools package on a Windows XP Professional-based computer, open the i386 folder on the applicable Windows 2000 Server CD, and then double-click the Adminpak.msi file. Follow the instructions that appear in the Administrative Tools Setup Wizard.
When you install the Administrative Tools package, the Poledit.exe file and its supporting .adm files (Winnt.adm, Windows.adm, and Common.adm) are installed in the %systemroot%\System folder and in the Inf directory. The Poledit.exe file is not added to the Start menu. However, you can run the tool at the command prompt.Notes
- The Windows NT 4.0 System Policy Editor or earlier versions of the System Policy Editor cannot read the Unicode-formatted .adm files that are shipped in Windows 2000 or in later versions. You must use the version of System Policy Editor that is included with Windows 2000 or with later versions. This version supports Unicode. Alternatively, if you resave the .adm files as .txt files without Unicode encoding, you can use an older version of the Poledit.exe tool.
- The Poledit.exe tool is not included in the Windows Server 2003 Adminpak.msi file. The Windows 2000 version of the Poledit.exe tool is unavailable for download from a Microsoft Web site.
The Poledit.exe tool uses files that are known as Administrative Templates (.adm files) to determine the registry settings that can be modified and the settings that are displayed in the System Policy Editor.
System Policy settings are written to the following locations in the registry:
- HKEY_CURRENT_USER\Software\Policies (preferred location)
- HKEY_LOCAL_MACHINE\Software\Policies (preferred location)
An Active Directory client processes System Policy if the user, the computer account, or both accounts are in a Windows NT 4.0 domain. The client looks for the Ntconfig.pol file that is used by Windows NT 4.0 System Policy. By default, the client looks for this file in the Netlogon share of the authenticating Windows NT 4.0 domain controller.Note
A computer account object can exist in a Windows NT 4.0 domain, and a user account object for a user of that computer can exist in an Active Directory domain, or vice versa. However, when you operate in such a mixed environment, users and computers are difficult to manage and may cause unpredictable behavior. For optimal central management, we recommend that you move from a mixed environment to a pure Active Directory environment.
How to specify the path of the policy file
By default, Active Directory clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on.
You can set the UpdateMode entry by using the System Policy Editor and the System.adm file. However, you must have the appropriate permissions to locate and read the policy file. Otherwise, the registry changes that note the new location of the policy file will not take effect. To modify the UpdateMode entry, use one of the following methods. (The methods are listed in order of preference.)
- Method 1: Modify the registry by using the local Group Policy object.
- Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a script.
- Method 3: Modify the registry by using the Poledit.exe tool. This method is the least desirable because you designate the location of the Ntconfig.pol file in the file itself.
Method 1: Modify the registry by using the local Group Policy object
- On the File menu, click Open Registry, and then double-click Local Computer.
- In the Properties dialog box, expand Network, and then expand System policies update to display the remote update option.
- Click to select the Remote update box.
- In the Update mode list, click to select Manual (use specific path).
- In the Path for manual update box, type the UNC path and the file name for the policy file, and then click OK to save your changes.
Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exeprogram in a scriptImportant
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
To make sure that clients can locate the System Policy file, you must configure the following registry keys on the clients:UpdateMode value
This registry entry determines how the client will search for the Ntconfig.pol file that contains the policies.
Value name: UpdateMode
Data type: REG_DWORD
|0||System Policies are disabled.|
|1||Automatic mode searches for a policy file that is named Ntconfig.pol in the authenticating server's Netlogon share. This is the default value.|
|2||Manual mode searches for the specified policy file in the location that is specified by the NetworkPath value. If UpdateMode is set to a value of 2, you must specify an additional value that is named NetworkPath that specifies a local or network system policy path and file name.|
The NetworkPath setting is used to identify the location of the Ntconfig.pol file that is used to determine System Policies if the UpdateMode value is 2.
Value name: NetworkPath
Data type: REG_SZ
Method 3: Modify the registry by using the Poledit.exe tool
To retrieve the policy file from a specific location, follow these steps:
- Click Start, click Run, type poledit.exe, and then click OK.
- Click Options, click Policy Template, and then in the Policy Template Options dialog box, make sure that System.adm is listed in the Current Policy Template(s) list. If System.adm is not listed, click Add to add this file.
- To open the Default Computer policy, click New Policy on the File menu, and then double-click Default Computer in the Policies list.
Windows XP Professional-based client behavior
In Windows XP Professional, policy changes are saved locally in the registry the first time that the following events occur:
- A client is modified locally by using the System Policy Editor.
- A client receives a default System Policy file from the Netlogon share of a domain controller.
Thereafter, the Windows XP Professional–based client does not examine a domain controller again to find a policy file. All policy updates use the location that you manually specified. This change is permanent until you change the policy file to reset the option to Automatic
How to create the policy file (Ntconfig.pol)
- Remove all #if version and #endif statements from the following .adm files, and then save the files:
This step prevents the unintended loading of these files by the Poledit.exe tool.
For example, in the Inetres.adm file, remove these lines:
- Click Start, click Run, type poledit.exe, and then click OK.
- In the System Policy Editor window, click Policy Template on the Options menu.
- In the Policy Template Options dialog box, click Add, select one of the .adm files that you modified in step 1, and then click OK.
- Specify the appropriate policy settings as documented in System Policy Editor Help.
- Save the file as Ntconfig.pol. Save the file to the Netlogon share of the Windows NT 4.0 domain controller.
How to create an Ntconfig.pol file that is based on Windows XP Professional .adm files
You can create a Ntconfig.pol file that is based on the Windows XP Professional .adm files and then apply these settings to Windows XP Professional–based clients. To do this, use the Poledit.exe tool. You can install Poledit.exe on Windows XP Professional–based clients by installing the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
Different environments where System Policies are used
Workgroups and third-party environments
If you do not have a Windows NT 4.0-based domain, you can configure the client to look for the Ntconfig.pol file in a specific location on the local computer or in any SMB share location. For more information about how to specify the path of the policy file, see "How to specify the path of the policy file" section.
Windows NT 4.0 domains
A Windows Active Directory client processes System Policy if either the user account or computer account exists in a Windows NT 4.0 domain. When a user logs on to a Windows Active Directory client in a Windows NT 4.0 domain and the client is running in Automatic mode, the client examines the Netlogon share on the validating domain controller for the Ntconfig.pol file. If the client finds the file, the client downloads and parses the file. The client parses the file for user, group, and computer policy data. Then, the client applies the appropriate settings. If the client does not locate the policy file on its validating domain controller, the client does not look elsewhere. Therefore, make sure that the Ntconfig.pol file is replicated among the domain controllers that perform authentication.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to apply local policies to all users except administrators in a workgroup setting in Windows 2000
Group Policies for Windows 2000 Professional clients in Windows NT 4.0 domain or workgroups
Writing custom ADM files for System Policy Editor
How to apply System Policy settings to Terminal Server
How to create a Windows NT 4.0 system policy to manage Windows Firewall in a Windows NT 4.0 domain
How to create a system policy setting in Microsoft Windows Server 2003
How to import custom .adm files in Internet Explorer Administration Kit
Resource Kit references
Part II of the Windows XP Resource Kit – Chapter 5: Managing Desktops
Managing Desktops in Various Network Environments
Managing Desktops Without Active Directory
Change and Configuration Management Deployment Guide
Microsoft Internet Explorer Administration Kit (IEAK)
Group Policy Settings Reference for Windows and Windows Server
Windows 2000 Server - Advanced topic: Creating custom .adm files
An .adm file defines how registry-related Group Policy settings are displayed under the Administrative Templates nodes in the Group Policy user interface. Additionally, the .adm file specifies the registry locations that must be modified if an administrator must make a change. To download this documentation, visit the following Microsoft Web site:
The "Using Administrative Template Files with Registry-Based Group Policy" white paper
The "Using Administrative Template Files with Registry-Based Group Policy" white paper explains the concepts, architecture, and implementation details for registry-based Group Policy in Microsoft Windows operating systems. This white paper discusses how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language. To download this white paper, visit the following Microsoft Web site:
Windows Firewall policy template for Windows NT 4.0 domains
You can manage Windows Firewall policies from Windows NT 4.0 domains by applying this template. To download this template, visit the following Microsoft Web site:
Group Policy .adm files
Administrative Template files are used to populate user interface settings in the Group Policy Object Editor. Administrators can use these files to manage registry-based policy settings. Each successive Windows operating system and service pack includes a newer version of these .adm files.
Previously, customers could only obtain the most recent .adm files by obtaining the latest service pack or operating system. Now, these .adm files are available directly from the following Microsoft Web site:
You can obtain the original version of the .adm files that are included with each operating system or service pack. Each set of .adm files is included in a Microsoft Windows Installer package that you can download.