Without policy, bad things happen. Security breaks down, since you can't mandate security configurations; users get frustrated because they can't configure their computers properly; and users frequently change settings that they shouldn't or break their computers because they don't understand what they're doing. Policy prevents these problems.
Policy enables you to configure settings and prevent users from changing them. Configure security settings, for example, and users can't deviate from them. Disable portions of the Windows user interface to prevent users from changing those settings. Policy is the way to configure settings that are, well, a matter of corporate policy. It's also the way to provide great customer service by setting up users' computers to work properly in their environments and preventing human error -- both of which make users happy.
Environments with Active Directory and Windows 2000 or Windows XP client computers can use group policy. Click here for more information about group policy. Many organizations haven't yet deployed Active Directory, though, so group policy is out of the question. Regardless, system policy is still an option.
Editing system policy
System policy is the only Windows-based policy feature for environments that don't use Active Directory. It's also the only Windows-based policy feature for managing computers running Windows NT 4.0, Windows Millennium Edition and Windows 98.
To edit system policy, you use System Policy Editor (Poledit.exe). To configure system policy for Windows NT 4.0 clients, use the version of Poledit.exe that comes with Windows NT 4.0 or Windows Server 2003. To configure system policy for Windows Millennium Edition or Windows 98, use the version of Poledit.exe that comes with either version of Windows. You must first install System Policy Editor using Add/Remove Programs, though. The Windows NT-based and the Windows 98-based versions of Poledit.exe product policy files aren't interchangeable, so don't try creating system policy for Windows 98 with the version of Poledit.exe that comes with Windows Server 2003.
After running System Policy Editor, create a new policy by clicking File -> New Policy. You'll see two icons: Default Computer and Default User. Since these two policy settings apply to all computers and all users, you shouldn't edit them. Instead, create new policies based on group membership. To do that, you click Edit -> Add Group. Doing so gives you more granular control and prevents you from making changes that outright prevent access to a computer or features. After you've added a group to system policy, double-click the group to edit it. Editing a group in System Policy Editor is similar to editing group policy.
You should be aware of two nasty drawbacks of system policy that group policy doesn't have:
System policy makes permanent changes to the registry. Tongue and cheek, these are called tattoos. Whereas removing a group policy object from a user or computer automatically restores the original settings, removing system policy does not. You must manually restore the original settings.
System policy doesn't apply periodically. Group policy applies every 90 minutes by default. System policy only applies when the computer starts and when the user logs onto it. So, when using system policy, you're at the mercy of users who just lock their keyboards at the end of the day instead of logging off of their computers.
After editing system policy, you must save it to a policy file. Click File -> Save As. For computers running Windows 98 or Windows Millennium Edition, save the file as Config.pol in the NETLOGON share: \Server\NETLOGON\config.pol. Server is the name of the domain controller authenticating the account. For computers running Windows NT 4.0, save the file as Ntconfig.pol in the same location: \Server\NETLOGON\Ntconfig.pol.
Click here to continue to part two to learn how to deploy system policies and about third-party alternatives.
About the author: Jerry Honeycutt is a well-known author, speaker and columnist who specializes in desktop deployment and management and has toured cities throughout the world teaching IT professionals how to deploy the business desktop. Jerry is also SearchWin2000.com's resident expert for its Desktop Administration Ask the Experts category.
