Continuing from part one, Jerry Honeycutt offers more advice on using system policies on your Windows desktops and explores alternatives.
Deploying system policy
If you're configuring system policy for Windows NT 4.0 client computers, you're done. Windows NT 4.0 loads Ntconfig.pol from the NETLOGON share. If you're configuring system policy for Windows 98 or Windows Millennium Edition clients, you must configure the clients to use policy. First, you must install the policy feature. The easiest way is to copy the file Grouppol.dll from the Tools\Reskit\Netadmin\Poledit folder on the product CD to the Windows\System folder. Then, import the file Grouppol.reg, which is in the same folder as Grouppol.dll, into the registry. You can perform both steps silently from users' logon scripts. Place both files in a network share; use the copy command to copy Grouppol.dll to Windows\System; then, use the command regedit /s \\server\share\Grouppol.reg to import the settings.
After you've installed the policy feature, you must enable user-level access control. In Control Panel, double-click Network. On the Access Control tab, click User-Level Access Control -> Obtain List Of Users And Groups From and type the name of the domain from which you want the computer to obtain user and group information. Make sure you select Windows NT domain as the authenticator type if you're prompted.
Almost finished. The last step is to enable user profiles in Windows 98 and Windows Millennium Edition. In Control Panel, double-click Passwords. On the User Profiles tab, click Users Can Customize Their Preferences. Select Include Desktop Icons And My Network Places Contents In User Settings and Include Start Menu And Program Groups In User Settings. After selecting these settings, you might have to restart the computer.
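The silent install from the first step can be written as a logon-script fragment like the one below. This is an added example, not a script from the original article: \\server\share is a placeholder for your own share, and the Windows NT check and the already-installed check are assumptions added so the script is safe to run at every logon.

```bat
@echo off
rem Added example: logon-script fragment for Windows 98 / Windows Me clients.
rem \\server\share is a placeholder for the share holding both files.
rem Keep that share read-only for ordinary users, since every client
rem loads the DLL and imports the .reg file from it.

rem Windows NT sets OS=Windows_NT and already reads Ntconfig.pol, so skip it.
if "%OS%"=="Windows_NT" goto end

rem Already installed on an earlier logon: nothing to do.
if exist %windir%\System\Grouppol.dll goto end

copy \\server\share\Grouppol.dll %windir%\System > nul

rem Import the registry settings only if the DLL actually arrived.
if not exist %windir%\System\Grouppol.dll goto failed
regedit /s \\server\share\Grouppol.reg
goto end

:failed
echo Policy feature not installed: could not copy Grouppol.dll

:end
```

The user-level access control and user profile settings described above are still configured separately on each client.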
Using system policies with Windows NT 4.0 isn't difficult, because you don't have to touch the desktops in order to implement them. If you didn't think about policy management before deploying Windows 98 or Windows Millennium Edition, implementing system policy after the fact is difficult, and that's probably why more companies aren't using them. You have to touch the desktops.
An alternative is products that support policies in heterogeneous environments. One such product that I recommend is Profile Maker from AutoProf. Profile Maker supports the exact same policies as System Policy Editor (it loads the same policy templates), but it doesn't require you to touch the desktops in order to implement them. It also supports more advanced filtering than System Policy Editor, which only supports filtering by users, groups and computers. Profile Maker can also filter policies based on more than a dozen variables, including whether or not the client computer is a laptop, has a minimum amount of memory, and so on.
Use policy to get control of your environment. By using policy, you can take control of your company's security. You can deploy settings that work in your environment. And you can make users more productive by deploying settings that they can't configure by themselves and preventing them from changing settings that might lead to trouble.
If you don't have the benefit of either, use system policy. While system policy does have a few drawbacks (tattoos and application only at logon), it's a better compromise than wishful thinking. And if you didn't plan ahead and configure your Windows 98 and Windows Millennium Edition client computers to process policy, you might consider a third-party product that better supports heterogeneous environments, such as Profile Maker from AutoProf.
About the author: Jerry Honeycutt is a well-known author, speaker and columnist who specializes in desktop deployment and management and has toured cities throughout the world teaching IT professionals how to deploy the business desktop. Jerry is also SearchWin2000.com's resident expert for its Desktop Administration Ask the Experts category.
This was first published in September 2003