Which tool to use for a specific management task
In an environment without Active Directory, you can use a variety of tools to manage system policy. Tools that you can use include the following:
- Microsoft Systems Management Server (SMS) 2003 to manage software distribution
- Internet Explorer Administration Kit to manage Internet Explorer settings
- System Policy to manage registry-based settings
Additionally, each local computer has its own local Group Policy object, regardless of whether the computer participates in a domain. Although administrators can configure a variety of settings by using the local Group Policy object, System Policy scales more easily to lots of clients. The local Group Policy object is useful if you want to apply certain settings to a small number of Active Directory clients in a Windows NT 4.0-based domain or in other non-Active Directory domains.
For Active Directory client desktops that operate in other environments, such as in Windows NT 4.0, UNIX, Novell, or mixed environments, desktop management capabilities and tools vary. The following table summarizes the differences in desktop management tools and functionality in Active Directory environments and in non–Active Directory environments.
| Management task | Active Directory | Non–Active Directory |
| --- | --- | --- |
| Configure registry-based settings for computers and for users. | Administrative Templates deployed by using Group Policy. Administrative Templates deployed by using the local Group Policy object. | System Policy. Local Group Policy object. |
| Manage local, domain, and network security. | Security settings deployed by using Group Policy. Security settings deployed by using the local Group Policy object. | Local Group Policy object. |
| Centrally install, update, and remove software. | SMS. Group Policy–based software distribution. | SMS. |
| Manage Internet Explorer configuration settings after deployment. | Internet Explorer maintenance in the Group Policy MMC snap-in. Internet Explorer maintenance deployed by using the local Group Policy object. Internet Explorer Administration Kit (IEAK). | Local Group Policy object. IEAK. |
| Apply scripts during user logon/logoff and during computer startup/shutdown. | Logon/logoff and startup/shutdown scripts can be centrally configured by using Group Policy or independently by using the local Group Policy object. | Local Group Policy object. |
| Centrally manage user folders and files on the network. | Local Group Policy object. | System Policy. Manipulation of registry settings by using logon scripts. |
| Centrally manage user settings on the network. | Roaming user profiles. | Roaming user profiles for Windows domains. |
You can also manage Microsoft Windows XP Professional-based desktops on Unix and Novell networks by using standards-based protocols such as TCP/IP, Simple Network Management Protocol (SNMP), Telnet, and Internetwork Packet Exchange (IPX). To enable policy-based administration on Unix and Novell networks, use a local Group Policy object or System Policy.
Configuring System Policies
The Poledit.exe tool
You create System Policies by using the Windows NT 4.0 System Policy Editor tool (Poledit.exe) to build the policy file (Ntconfig.pol).
The Poledit.exe tool is installed with Windows 2000 Server and with Windows 2000 Advanced Server.
You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
To install the Administrative Tools package on a Windows XP Professional-based computer, open the i386 folder on the applicable Windows 2000 Server CD, and then double-click the Adminpak.msi file. Follow the instructions that appear in the Administrative Tools Setup Wizard.
When you install the Administrative Tools package, the Poledit.exe file and its supporting .adm files (Winnt.adm, Windows.adm, and Common.adm) are installed in the %systemroot%\System folder and in the Inf directory. The Poledit.exe file is not added to the Start menu. However, you can run the tool at the command prompt.
Notes
- The Windows NT 4.0 System Policy Editor and earlier versions of the System Policy Editor cannot read the Unicode-formatted .adm files that are shipped in Windows 2000 and later versions. You must use the version of System Policy Editor that is included with Windows 2000 or later, which supports Unicode. Alternatively, if you resave the .adm files as .txt files without Unicode encoding, you can use an older version of the Poledit.exe tool.
- The Poledit.exe tool is not included in the Windows Server 2003 Adminpak.msi file. The Windows 2000 version of the Poledit.exe tool is unavailable for download from a Microsoft Web site.
Administrative Templates
The Poledit.exe tool uses files that are known as Administrative Templates (.adm files) to determine the registry settings that can be modified and the settings that are displayed in the System Policy Editor.
System Policy settings are written to the following locations in the registry:
- HKEY_CURRENT_USER\Software\Policies (preferred location)
- HKEY_LOCAL_MACHINE\Software\Policies (preferred location)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
An Active Directory client processes System Policy if the user, the computer account, or both accounts are in a Windows NT 4.0 domain. The client looks for the Ntconfig.pol file that is used by Windows NT 4.0 System Policy. By default, the client looks for this file in the Netlogon share of the authenticating Windows NT 4.0 domain controller.
Note A computer account object can exist in a Windows NT 4.0 domain, and a user account object for a user of that computer can exist in an Active Directory domain, or vice versa. However, when you operate in such a mixed environment, users and computers are difficult to manage and may cause unpredictable behavior. For optimal central management, we recommend that you move from a mixed environment to a pure Active Directory environment.
How to specify the path of the policy file
By default, Active Directory clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on.
You can set the UpdateMode entry by using the System Policy Editor and the System.adm file. However, you must have the appropriate permissions to locate and read the policy file. Otherwise, the registry changes that note the new location of the policy file will not take effect. To modify the UpdateMode entry, use one of the following methods. (The methods are listed in order of preference.)
- Method 1: Modify the registry by using the local Group Policy object.
- Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a script.
- Method 3: Modify the registry by using the Poledit.exe tool. This method is the least desirable because you designate the location of the Ntconfig.pol file in the file itself.
Method 1: Modify the registry by using the local Group Policy object
- On the File menu, click Open Registry, and then double-click Local Computer.
- In the Properties dialog box, expand Network, and then expand System policies update to display the remote update option.
- Click to select the Remote update check box.
- In the Update mode list, click Manual (use specific path).
- In the Path for manual update box, type the UNC path and the file name for the policy file, and then click OK to save your changes.
Method 2: Modify the registry by using Registry Editor on each client, or use the Reg.exe program in a script
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows
To make sure that clients can locate the System Policy file, you must configure the following registry values on the clients:
UpdateMode value
This registry entry determines how the client searches for the Ntconfig.pol file that contains the policies.
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
Value name: UpdateMode
Data type: REG_DWORD
Values:
| Value | Description |
| --- | --- |
| 0 | System Policies are disabled. |
| 1 | Automatic mode searches for a policy file that is named Ntconfig.pol in the authenticating server's Netlogon share. This is the default value. |
| 2 | Manual mode searches for the policy file in the location that is specified by the NetworkPath value. If UpdateMode is set to 2, you must also specify a value that is named NetworkPath that holds a local or network system policy path and file name. |
NetworkPath value
The NetworkPath setting identifies the location of the Ntconfig.pol file that is used to determine System Policies when the UpdateMode value is 2.
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
Value name: NetworkPath
Data type: REG_SZ
Values:
| Value | Example |
| --- | --- |
| UNC path | \\Server_name\Share_name\File_name |
| Local path | C:\Folder_name\File_name |
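The following PowerShell script is an added example, not part of the original article: it reads the UpdateMode and NetworkPath values documented above, reports which lookup mode the client is in, checks that a manual path is actually readable (the article notes the change does not take effect otherwise), and with -Apply switches the client to manual mode from a script instead of Registry Editor. It assumes an elevated prompt on the client; the key path, value names, and data types are the ones the article gives.

```powershell
# Added example: audit, and optionally set, the System Policy lookup settings.
# Assumes an elevated PowerShell prompt on the Windows XP client.
param(
    [string]$NetworkPath,   # e.g. \\Server_name\Share_name\Ntconfig.pol (article's UNC form)
    [switch]$Apply          # without -Apply the script only reports the current state
)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Update'   # key from the article
$ModeText = @{ 0 = 'Disabled'; 1 = 'Automatic (Netlogon share)'; 2 = 'Manual (NetworkPath)' }

function Get-SystemPolicyConfig {
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    # The article states that 1 (Automatic) is the default when the value is absent.
    $mode = if ($null -ne $props.UpdateMode) { [int]$props.UpdateMode } else { 1 }
    [pscustomobject]@{
        UpdateMode  = $mode
        Description = $ModeText[$mode]
        NetworkPath = $props.NetworkPath
    }
}

function Test-PolicyPathReadable([string]$Path) {
    # Manual mode only works if this client can read the file at the stored path.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    return Test-Path -LiteralPath $Path -PathType Leaf
}

$before = Get-SystemPolicyConfig
Write-Host "Current: UpdateMode=$($before.UpdateMode) ($($before.Description)) NetworkPath=$($before.NetworkPath)"
if ($before.UpdateMode -eq 2 -and -not (Test-PolicyPathReadable $before.NetworkPath)) {
    Write-Warning "Manual mode is set but '$($before.NetworkPath)' is not readable from this client."
}

if ($Apply) {
    if (-not (Test-PolicyPathReadable $NetworkPath)) {
        throw "Refusing to switch to manual mode: '$NetworkPath' is not readable from this client."
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Same values and types as the article's tables: UpdateMode=2 (REG_DWORD), NetworkPath (REG_SZ)
    Set-ItemProperty -Path $KeyPath -Name 'UpdateMode'  -Value 2            -Type DWord
    Set-ItemProperty -Path $KeyPath -Name 'NetworkPath' -Value $NetworkPath -Type String
    $after = Get-SystemPolicyConfig
    Write-Host "Now: UpdateMode=$($after.UpdateMode) ($($after.Description)) NetworkPath=$($after.NetworkPath)"
}
```

Because every policy file the client reads from this path is written into HKEY_LOCAL_MACHINE, the share and file that NetworkPath points to should be writable only by the administrators who maintain Ntconfig.pol.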
Method 3: Modify the registry by using the Poledit.exe tool
To retrieve the policy file from a specific location, follow these steps:
- Click Start, click Run, type poledit.exe, and then click OK.
- Click Options, click Policy Template, and then in the Policy Template Options dialog box, make sure that System.adm is listed in the Current Policy Template(s) list. If System.adm is not listed, click Add to add this file.
- To open the Default Computer policy, click New Policy on the File menu, and then double-click Default Computer in the Policies list.
Windows XP Professional-based client behavior
In Windows XP Professional, policy changes are saved locally in the registry the first time that the following events occur:
- A client is modified locally by using the System Policy Editor.
- A client receives a default System Policy file from the Netlogon share of a domain controller.
Thereafter, the Windows XP Professional–based client does not examine a domain controller again to find a policy file. All policy updates use the location that you manually specified. This change is permanent until you change the policy file to reset the option to Automatic.
How to create the policy file (Ntconfig.pol)
- Remove all #if version and #endif statements from the following .adm files, and then save the files:
  - System.adm
  - Inetres.adm
  - Conf.adm
  This step prevents the unintended loading of these files by the Poledit.exe tool.
  For example, in the Inetres.adm file, remove these lines:
- Click Start, click Run, type poledit.exe, and then click OK.
- In the System Policy Editor window, click Policy Template on the Options menu.
- In the Policy Template Options dialog box, click Add, select one of the .adm files that you modified in step 1, and then click OK.
- Specify the appropriate policy settings as documented in System Policy Editor Help.
- Save the file as Ntconfig.pol to the Netlogon share of the Windows NT 4.0 domain controller.
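An added PowerShell example, not from the original article, for step 1 of the procedure above: it strips every #if version and #endif line from the three .adm files, keeps a .bak copy of each original, and reports how many lines were removed. It assumes the files live in %systemroot%\Inf (where the article says the Administrative Tools package places them) and defaults to writing them back as Unicode, which the Windows 2000 Poledit.exe reads; pass -Encoding Default if you need non-Unicode files for an older System Policy Editor, as the Notes section describes.

```powershell
# Added example: remove the "#if version" / "#endif" guards from the .adm files
# named in step 1 so that Poledit.exe loads them as intended.
param(
    [string]$AdmDir   = (Join-Path $env:SystemRoot 'Inf'),  # assumed location of the .adm files
    [string]$Encoding = 'Unicode'                           # 'Default' for pre-Windows 2000 Poledit.exe
)

function Remove-VersionGuards {
    param([string]$Path)
    $backup = "$Path.bak"
    # Keep the untouched original so the edit can be reverted.
    if (-not (Test-Path -LiteralPath $backup)) { Copy-Item -LiteralPath $Path -Destination $backup }

    $lines = @(Get-Content -LiteralPath $Path)
    # Drop lines such as "#if version >= 3" and "#endif" (leading whitespace allowed).
    $kept  = @($lines | Where-Object { $_ -notmatch '^\s*#(if\s+version|endif)\b' })
    Set-Content -LiteralPath $Path -Value $kept -Encoding $Encoding

    [pscustomobject]@{
        File    = $Path
        Removed = $lines.Count - $kept.Count
        Backup  = $backup
    }
}

foreach ($name in 'System.adm', 'Inetres.adm', 'Conf.adm') {
    $file = Join-Path $AdmDir $name
    if (Test-Path -LiteralPath $file) {
        Remove-VersionGuards -Path $file
    } else {
        Write-Warning "$file not found; skipping."
    }
}
```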
How to create an Ntconfig.pol file that is based on Windows XP Professional .adm files
You can create an Ntconfig.pol file that is based on the Windows XP Professional .adm files and then apply these settings to Windows XP Professional–based clients. To do this, use the Poledit.exe tool. You can install Poledit.exe on Windows XP Professional–based clients by installing the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs.
Different environments where System Policies are used
Workgroups and third-party environments
If you do not have a Windows NT 4.0-based domain, you can configure the client to look for the Ntconfig.pol file in a specific location on the local computer or in any SMB share location. For more information about how to specify the path of the policy file, see the "How to specify the path of the policy file" section.
Windows NT 4.0 domains
A Windows Active Directory client processes System Policy if either the user account or computer account exists in a Windows NT 4.0 domain. When a user logs on to a Windows Active Directory client in a Windows NT 4.0 domain and the client is running in Automatic mode, the client examines the Netlogon share on the validating domain controller for the Ntconfig.pol file. If the client finds the file, the client downloads and parses the file. The client parses the file for user, group, and computer policy data. Then, the client applies the appropriate settings. If the client does not locate the policy file on its validating domain controller, the client does not look elsewhere. Therefore, make sure that the Ntconfig.pol file is replicated among the domain controllers that perform authentication.