Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to apply System Policy settings to Terminal Server


View products that this article applies to.

Summary

Microsoft Windows NT System Policy settings are applied when a user or a computer account is a member of a Windows NT domain. By comparison, Group Policy settings are applied when a user or a computer account is a member of an Active Directory directory service domain. With Microsoft Windows NT Server 4.0 Terminal Server Edition, you may want to apply System Policy settings to affect users who log on to the terminal server through the console or through the Terminal Server client.

The procedures that are described in this article do not apply to client computers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, or Microsoft Windows Server 2003 in some conditions. System Policy settings are used to configure client computers that are running Windows NT 4.0, Microsoft Windows Millennium Edition (Me), and Microsoft Windows 98. However, in a Windows 2000 network or in a Windows Server 2003 network, you must use Group Policy settings to configure and control computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003. System Policy settings are different from Windows 2000 Group Policy settings in that they overwrite registry settings on the client computer with persistent changes. This behavior is known as "tattooing."

↑ Back to the top


More information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

When you use System Policy settings for client computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003, consider the following guidelines:
  • Client computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 ignore System Policy settings that are placed in the Netlogon share of a Windows 2000 domain controller or a Windows Server 2003 domain controller. Instead, they apply Group Policy settings.
  • Computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 and that are joined to a Windows NT 4.0 domain apply System Policy settings from the Netlogon share of a Windows NT 4.0 domain controller.
  • Windows NT 4.0-based client computers apply System Policy settings that are placed in the Netlogon share of a domain controller that is running Windows 2000, Windows Server 2003, or Windows NT 4.0.
When you use System Policy settings for client computers that are running Windows NT 4.0 (or Windows 95 or Windows 98), consider the following guidelines:
  • System Policy settings are applied to domains.
  • System Policy settings may also be controlled by user membership in security groups.
  • System Policy settings are not secure.
  • System Policy settings persist in users� profiles (this is sometimes referred to as tattooing the registry), as explained earlier in this article. This means that after a registry setting is set by using a Windows NT 4.0 System Policy setting, the setting persists until the specified policy is reversed or until the user edits the registry.
  • System Policy settings are limited to desktop lockdown.


To implement a System Policy setting to affect all Terminal Server users who log on to the console or through the Terminal Server client, follow these steps:
  1. Start System Policy Editor (Poledit.exe), and then make the changes for your policy.
  2. On the File menu, click Save As, and then save the policy file on your hard disk. For example, save the file as C:\Ntconfig.pol.
  3. On the File menu, click Open Registry.
  4. Double-click Local Computer, double-click Network, double-click System Policies Update, and then click to select the Remote Update check box.
  5. In the Update Mode box, click Manual (Use Specific Path), type a path in the Path for Manual Update dialog box (for example, type c:\ntconfig.pol).

    Notes
    • You can name the policy file anything you like.
    • To display an error message if the policy file is not found when Windows NT starts, click to select the Display Error Message check box.
  6. Click OK.
  7. Save your policy to the path that you specified in step 5, and then exit Policy Editor.
  8. Restart Windows NT for the changes in the policy to take effect.
Tip Every user or computer account that logs on after a policy is in place is subject to the policy. Therefore, it is a good idea not to edit the default user or computer account until you are familiar with System Policy settings. Make a test user/group account in "User Manager," and then make a specific policy for this user/group in System Policy Editor. After you have the policy working correctly, you can then transfer the policy to the production environment.

The settings in this procedure modify the following path in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update


Remote Update:
Category: Network
Subcategory: System Policies update
Selection: Remote update

Description: Controls how policies are applied to a Windows NT 4.0-based computer. With UpdateMode set to 1 (Automatic, the default), Windows NT makes a connection to the Netlogon share of the validating domain controller in the user's context and then checks for the existence of the policy file, NTconfig.pol. With UpdateMode set to 2 (Manual), Windows NT reads the string that is specified in the NetworkPath value and then checks that path for the existence of the policy file (in this case, the policy file name should be included in the NetworkPath value). With UpdateMode set to 0 (Off), a policy file is not downloaded from any system. Therefore, it is not applied.

Key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
Registry EntryTypeValues and Descriptions
UpdateModeREG_DWORDOff = 0, Automatic=1; Manual=2
NetworkPathREG_SZText of UNC path for manual update
VerboseREG_DWORD Display error messages Off = 0 or value not present; On = 1
LoadBalanceREG_DWORD Off = 0 or value not present; On = 1
Note The UpdateMode registry entry only applies for the Windows NT 4.0 policy. For members of an Active Directory forest, the UpdateMode registry entry is ignored, and instead, the Group Policy settings that are configured in Active Directory are applied. To gain the same effect as using the UpdateMode entry, you can use a GPO Loopback policy.

For additional information about using a GPO Loopback policy, click the following article number to view the article in the Microsoft Knowledge Base:
260370 How to apply Group Policy objects to Terminal Services servers

For additional information about how to use System Policy settings in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
318753 How to create a System Policy setting in Windows 2000

↑ Back to the top


Keywords: KB192794, kbinfo

↑ Back to the top

Article Info
Article ID : 192794
Revision : 7
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 702