MS Windows 200x/XP Professional Policies
Windows NT4 system policies allow the setting of registry parameters specific to
users, groups, and computers (client workstations) that are members of the NT4-style
domain. Such policy files will work with MS Windows 200x/XP clients also.
With MS Windows 2000, Microsoft introduced Group Policy, which provides a superset of the
capabilities of NT4-style policies. The tool used to create Group Policy Objects (GPOs) is
different, and the mechanism for applying them is much improved.
The older NT4-style registry-based policies are known as
in MS Windows 2000/XP GPOs. GPOs add the ability to set various security configurations,
enforce Internet Explorer browser settings, and change or redirect aspects of the user's
desktop (including the location of the My Documents folder and the details of where items
appear in the Start menu). A further new feature is the ability to make particular Windows
applications available to particular users and/or groups.
Remember, NT4 policy files are named NTConfig.POL and are stored in the root of the NETLOGON
share on the domain controllers. A Windows NT4 user enters a username and password and selects
the domain to log on to. During the logon process, the client machine reads NTConfig.POL from
the NETLOGON share on the authenticating server and modifies its local registry values according
to the settings in this file. Because every client applies whatever it finds there, write access
to the NETLOGON share must be restricted to administrators: anyone who can modify NTConfig.POL can
change registry settings on every machine that logs on to the domain.
Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share. Instead, each GPO
is stored in two parts: one part in Active Directory itself, and the other in a shared and
replicated volume called the SYSVOL folder, which is present on all Active Directory domain
controllers. The part stored in Active Directory is called the Group Policy Container (GPC), and
the part stored in the replicated SYSVOL share is known as the Group Policy Template (GPT).
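The split between GPC and GPT can be seen directly from a domain member. The following PowerShell
script is an added example, not part of the Samba HOWTO: it assumes a domain-joined Windows host
with the RSAT GroupPolicy and ActiveDirectory modules and an account that can read the GPC objects
in Active Directory and the GPT folders under SYSVOL. For each GPO it resolves the GPC object, follows
its gPCFileSysPath attribute to the GPT folder in SYSVOL, and compares the version counter held in AD
(versionNumber) with the one in the GPT's GPT.ini. The two must agree, since a client applies a GPO
only when both halves have replicated to the domain controller it is talking to.

```powershell
# Added example, not from the Samba HOWTO. Assumes a domain-joined Windows host
# with the RSAT GroupPolicy and ActiveDirectory modules, run as a user who can
# read the GPC objects in AD and the GPT folders under SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoHalves {
    foreach ($gpo in Get-GPO -All) {
        # GPC: the AD object whose distinguished name Get-GPO reports in .Path.
        # Its gPCFileSysPath attribute points at the GPT; versionNumber is the
        # counter a client compares against the GPT before applying the GPO.
        $gpc = Get-ADObject -Identity $gpo.Path -Properties gPCFileSysPath, versionNumber

        # GPT: the replicated SYSVOL folder; its GPT.ini carries a Version= line.
        $gptVersion = $null
        $gptIni = Join-Path $gpc.gPCFileSysPath 'GPT.ini'
        if (Test-Path $gptIni) {
            foreach ($line in Get-Content $gptIni) {
                if ($line -match '^Version=(\d+)\s*$') { $gptVersion = [int]$Matches[1]; break }
            }
        }

        [pscustomobject]@{
            Name       = $gpo.DisplayName
            GpcDN      = $gpc.DistinguishedName
            GptPath    = $gpc.gPCFileSysPath
            GpcVersion = $gpc.versionNumber
            GptVersion = $gptVersion
            # Both counters pack the user part in the high 16 bits and the
            # machine part in the low 16 bits. A mismatch (or a missing GPT.ini)
            # means AD and SYSVOL replication have diverged and clients may
            # apply stale settings or skip the GPO entirely.
            InSync     = ($null -ne $gptVersion) -and ($gpc.versionNumber -eq $gptVersion)
        }
    }
}

Get-GpoHalves | Format-Table Name, GpcVersion, GptVersion, InSync, GptPath -AutoSize
```

Run it against each domain controller (for example with a different SYSVOL server in the UNC path)
if you suspect a replication problem; a GPO that is InSync on one DC and not on another is the usual
sign of lagging SYSVOL replication.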
With NT4 clients, the policy file is read and applied only as each user logs onto the network.
MS Windows 200x policies are much more complex: GPOs are processed and applied at client machine
startup (the machine-specific part) and again when the user logs onto the network (the user-specific
part), and they are refreshed in the background at intervals thereafter. In MS Windows 200x-style
policy management, each machine and/or user may be subject to any number of concurrently applicable
(and applied) GPOs. Active Directory also allows the administrator to filter which policy settings
apply to which machines and users. No equivalent capability exists with NT4-style policy files.
Administration of Windows 200x/XP Policies
Instead of using the tool called the System Policy Editor, commonly called Poledit (from the
), GPOs are created and managed using a
Microsoft Management Console (MMC) snap-in as follows:
Go to the Windows 200x/XP menu
and select the MMC snap-in called
Select the domain or organizational unit (OU) that you wish to manage, then right-click
to open the context menu for that object, and select the .
Left-click on the Group Policy tab, then click the New button. Type a name
for the new policy you will create.
Click the Edit button to commence the steps needed to configure the GPO.
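The same procedure can be scripted. The following PowerShell is an added example, not from the
Samba HOWTO: it uses the GroupPolicy module (RSAT, Windows Server 2008 R2 or later) instead of the
MMC snap-in, so it applies to later Windows versions than the ones this section was written for. The
OU name, the GPO name and the registry setting are illustrative assumptions; the setting chosen is the
registry value behind the "Turn off Autoplay" administrative template, with the commonly used value
0xFF (all drive types).

```powershell
# Added example, not from the Samba HOWTO. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and an account allowed to create GPOs and link them
# (Domain Admins, or Group Policy Creator Owners plus link rights on the OU).
# The OU name, GPO name and the setting below are illustrative assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Workstation Autoplay Off (example)'
$ouDN    = "OU=Workstations,$((Get-ADDomain).DistinguishedName)"  # assumed OU; must already exist

# Equivalent of selecting the OU, pressing New and typing a name: New-GPO creates
# both halves, the GPC object in Active Directory and the GPT folder in SYSVOL.
$gpo = New-GPO -Name $gpoName -Comment 'Created by the added example script'

# Equivalent of pressing Edit and setting an administrative-template policy:
# Set-GPRegistryValue writes the registry-based setting into the GPT's Registry.pol.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF | Out-Null

# A GPO applies nothing until it is linked. Link it to the OU so the machines in
# it pick it up at the next startup or background refresh.
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced No | Out-Null

# Read the setting back to confirm it landed in the GPO before relying on it.
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun'
```

Creating the GPO and linking it are separate rights: a GPO that exists but is linked nowhere is
harmless, whereas a link on the domain root reaches every machine, so keep link rights as tightly
controlled as write access to SYSVOL.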
All policy configuration options are controlled through the use of policy administrative
templates. These files have an .adm extension, in both NT4 and Windows 200x/XP.
Beware, however, that .adm files are not interchangeable between NT4 and Windows 200x:
the latter introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to write .adm files; for that,
refer to the Microsoft Windows Resource Kit for your particular
version of MS Windows.