Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next

MS Windows 200x/XP Professional Policies

Windows NT4 system policies allow the setting of registry parameters specific to users, groups, and computers (client workstations) that are members of the NT4-style domain. Such policy files will work with MS Windows 200x/XP clients also.

New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers a superset of capabilities compared with NT4-style policies. Obviously, the tool used to create them is different, and the mechanism for implementing them is much improved.

The older NT4-style registry-based policies are known as Administrative Templates in MS Windows 2000/XP GPOs. The latter includes the ability to set various security configurations, enforce Internet Explorer browser settings, change and redirect aspects of the users desktop (including the location of My Documents files, as well as intrinsics of where menu items will appear in the Start menu). An additional new feature is the ability to make available particular software Windows applications to particular users and/or groups.

Remember, NT4 policy files are named NTConfig.POL and are stored in the root of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password and selects the domain name to which the logon will attempt to take place. During the logon process, the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating server and modifies the local registry values according to the settings in this file.

Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of a Windows 200x policy file is stored in the Active Directory itself and the other part is stored in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active Directory domain controllers. The part that is stored in the Active Directory itself is called the Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is known as the Group Policy Template (GPT).

With NT4 clients, the policy file is read and executed only as each user logs onto the network. MS Windows 200x policies are much more complex GPOs are processed and applied at client machine startup (machine specific part), and when the user logs onto the network, the user-specific part is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows the administrator to also set filters over the policy settings. No such equivalent capability exists with NT4-style policy files.

Administration of Windows 200x/XP Policies

Instead of using the tool called the System Policy Editor, commonly called Poledit (from the executable name poledit.exe ), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows:

  1. Go to the Windows 200x/XP menu Start->Programs->Administrative Tools and select the MMC snap-in called Active Directory Users and Computers

  2. Select the domain or organizational unit (OU) that you wish to manage, then right-click to open the context menu for that object, and select the Properties.

  3. Left-click on the Group Policy tab, then left-click on the New tab. Type a name for the new policy you will create.

  4. Left-click on the Edit tab to commence the steps needed to create the GPO.

All policy configuration options are controlled through the use of policy administrative templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. The latter introduces many new features as well as extended definition capabilities. It is well beyond the scope of this documentation to explain how to program .adm files; for that, refer to the Microsoft Windows Resource Kit for your particular version of MS Windows.

Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire