Using policies to manage Windows desktops, part 1

Too many organizations aren't using the full power of Windows to manage their desktops. Rather than controlling their settings, they toss the operating system into their environment and then hope for the best. Wishful thinking at its worst.

Without policy, bad things happen. Security breaks down, since you can't mandate security configurations; users get frustrated because they can't configure their computers properly; and users frequently change settings that they shouldn't or break their computers because they don't understand what they're doing. Policy prevents these problems.

Policy enables you to configure settings and prevent users from changing them. Configure security settings, for example, and users can't deviate from them. Disable portions of the Windows user interface to prevent users from changing those settings. Policy is the way to configure settings that are, well, a matter of corporate policy. It's also the way to provide great customer service by setting up users' computers to work properly in their environments and preventing human error -- both of which make users happy.

Environments with Active Directory and Windows 2000 or Windows XP client computers can use group policy. Click here for more information about group policy. Many organizations haven't yet deployed Active Directory, though, so group policy is out of the question. Regardless, system policy is still an option.

Editing system policy

System policy is the only Windows-based policy feature for environments that don't use Active Directory. It's also the only Windows-based policy feature for managing computers running Windows NT 4.0, Windows Millennium Edition and Windows 98.

To edit system policy, you use System Policy Editor (Poledit.exe). To configure system policy for Windows NT 4.0 clients, use the version of Poledit.exe that comes with Windows NT 4.0 or Windows Server 2003. To configure system policy for Windows Millennium Edition or Windows 98, use the version of Poledit.exe that comes with either version of Windows. You must first install System Policy Editor using Add/Remove Programs, though. The Windows NT-based and the Windows 98-based versions of Poledit.exe product policy files aren't interchangeable, so don't try creating system policy for Windows 98 with the version of Poledit.exe that comes with Windows Server 2003.

After running System Policy Editor, create a new policy by clicking File -> New Policy. You'll see two icons: Default Computer and Default User. Since these two policy settings apply to all computers and all users, you shouldn't edit them. Instead, create new policies based on group membership. To do that, you click Edit -> Add Group. Doing so gives you more granular control and prevents you from making changes that outright prevent access to a computer or features. After you've added a group to system policy, double-click the group to edit it. Editing a group in System Policy Editor is similar to editing group policy.

You should be aware of two nasty drawbacks of system policy that group policy doesn't have:

System policy makes permanent changes to the registry. Tongue and cheek, these are called tattoos. Whereas removing a group policy object from a user or computer automatically restores the original settings, removing system policy does not. You must manually restore the original settings.

System policy doesn't apply periodically. Group policy applies every 90 minutes by default. System policy only applies when the computer starts and when the user logs onto it. So, when using system policy, you're at the mercy of users who just lock their keyboards at the end of the day instead of logging off of their computers.

After editing system policy, you must save it to a policy file. Click File -> Save As. For computers running Windows 98 or Windows Millennium Edition, save the file as Config.pol in the NETLOGON share: ServerNETLOGONconfig.pol. Server is the name of the domain controller authenticating the account. For computers running Windows NT 4.0, save the file as Ntconfig.pol in the same location: ServerNETLOGONNtconfig.pol.

Click here to continue to part two to learn how to deploy system policies and about third-party alternatives.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Windows Network Administration More remote scripting tricks: Managing Windows networks using scripts, Part 11 Understanding remote scripting -- Managing Windows networks using scripts, part 9 Network mapping in Vista for Windows XP How to set passwords on folders in Windows 2003 servers How to configure Windows Server 2008 advanced firewall MMC snap-in Recovering domain controllers after a server disk failure Recovering from a server disk failure: The shortcomings of NTBCKUP Troubleshooting remote scripting using Network Monitor 3.0 -- Managing Windows networks using scripts, part 8 Remote Desktop troubleshooting Enabling Windows Vista's Network Mapping feature on domain networks RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary four-way server  (SearchNetworking.com) mail user agent  (SearchNetworking.com) netstat  (SearchNetworking.com) Technical Office Protocol  (SearchNetworking.com) Telnet  (SearchNetworking.com) two-way server  (SearchNetworking.com) virtual network adapter  (SearchNetworking.com) virtual network computing  (SearchNetworking.com) virtual systems management  (SearchNetworking.com) VxWorks  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.