Using policies to manage Windows desktops, part 1

Learn how to take advantage of system policies to manage your desktops.

Too many organizations aren't using the full power of Windows to manage their desktops. Rather than controlling their settings, they toss the operating system into their environment and then hope for the best. Wishful thinking at its worst.

Without policy, bad things happen. Security breaks down, since you can't mandate security configurations; users get frustrated because they can't configure their computers properly; and users frequently change settings that they shouldn't or break their computers because they don't understand what they're doing. Policy prevents these problems.

Policy enables you to configure settings and prevent users from changing them. Configure security settings, for example, and users can't deviate from them. Disable portions of the Windows user interface to prevent users from changing those settings. Policy is the way to configure settings that are, well, a matter of corporate policy. It's also the way to provide great customer service by setting up users' computers to work properly in their environments and preventing human error -- both of which make users happy.

Environments with Active Directory and Windows 2000 or Windows XP client computers can use group policy. Many organizations haven't yet deployed Active Directory, though, so group policy is out of the question. Regardless, system policy is still an option.

Editing system policy

System policy is the only Windows-based policy feature for environments that don't use Active Directory. It's also the only Windows-based policy feature for managing computers running Windows NT 4.0, Windows Millennium Edition and Windows 98.

To edit system policy, you use System Policy Editor (Poledit.exe). To configure system policy for Windows NT 4.0 clients, use the version of Poledit.exe that comes with Windows NT 4.0 or Windows Server 2003. To configure system policy for Windows Millennium Edition or Windows 98, use the version of Poledit.exe that comes with either version of Windows. You must first install System Policy Editor using Add/Remove Programs, though. The Windows NT-based and the Windows 98-based versions of Poledit.exe produce policy files that aren't interchangeable, so don't try creating system policy for Windows 98 with the version of Poledit.exe that comes with Windows Server 2003.

After running System Policy Editor, create a new policy by clicking File -> New Policy. You'll see two icons: Default Computer and Default User. Since these two policy settings apply to all computers and all users, you shouldn't edit them. Instead, create new policies based on group membership. To do that, you click Edit -> Add Group. Doing so gives you more granular control and prevents you from making changes that outright prevent access to a computer or features. After you've added a group to system policy, double-click the group to edit it. Editing a group in System Policy Editor is similar to editing group policy.

You should be aware of two nasty drawbacks of system policy that group policy doesn't have:

  • System policy makes permanent changes to the registry. Tongue in cheek, these are called tattoos. Whereas removing a group policy object from a user or computer automatically restores the original settings, removing system policy does not. You must manually restore the original settings.

  • System policy doesn't apply periodically. Group policy applies every 90 minutes by default. System policy only applies when the computer starts and when the user logs onto it. So, when using system policy, you're at the mercy of users who just lock their keyboards at the end of the day instead of logging off of their computers.

After editing system policy, you must save it to a policy file. Click File -> Save As. For computers running Windows 98 or Windows Millennium Edition, save the file as Config.pol in the NETLOGON share: \\Server\NETLOGON\config.pol. Server is the name of the domain controller authenticating the account. For computers running Windows NT 4.0, save the file as Ntconfig.pol in the same location: \\Server\NETLOGON\Ntconfig.pol.
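
Because system policy tattoos the registry, the original values have to be captured before the policy is applied. As an added example (not from the original article), this Python script builds a REGEDIT4 undo file from such a snapshot; the function names, key paths and values are constructed for illustration, and only REG_DWORD and REG_SZ values are handled.

```python
# Added example: build a REGEDIT4 undo file for values a system policy tattoos.
# Assumption: `before` was captured BEFORE the policy was ever applied.

def esc(text):
    """Escape backslashes and quotes the way .reg files require."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def reg_value(data):
    """Render a value in .reg syntax: int -> REG_DWORD, str -> REG_SZ."""
    if isinstance(data, int):
        return "dword:%08x" % data
    return '"%s"' % esc(data)

def build_undo_reg(before, policy):
    """Return .reg text that puts every value in `policy` back to `before`.

    Both arguments map (key_path, value_name) -> int or str.
    Values the policy created (absent from `before`) are deleted with "name"=-.
    Values the policy does not actually change are skipped.
    """
    by_key = {}
    for (key, name), new in sorted(policy.items()):
        old = before.get((key, name))
        if old == new and type(old) is type(new):
            continue  # policy leaves this value as it was; nothing to undo
        undo = "-" if old is None else reg_value(old)
        by_key.setdefault(key, []).append('"%s"=%s' % (esc(name), undo))
    out = ["REGEDIT4", ""]  # REGEDIT4 header is read by Windows 98 and NT 4.0
    for key, lines in by_key.items():
        out.append("[%s]" % key)
        out.extend(lines)
        out.append("")
    return "\r\n".join(out)

# Constructed sample data: a pre-policy snapshot and the values a policy sets.
EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DESKTOP = r"HKEY_CURRENT_USER\Control Panel\Desktop"
SAMPLE_BEFORE = {
    (EXPLORER, "NoDriveTypeAutoRun"): 0x95,
    (DESKTOP, "Wallpaper"): r"C:\WINNT\winnt.bmp",
}
SAMPLE_POLICY = {
    (EXPLORER, "NoRun"): 1,                    # created by the policy
    (EXPLORER, "NoDriveTypeAutoRun"): 0xFF,    # overwritten by the policy
    (DESKTOP, "Wallpaper"): r"C:\WINNT\corp.bmp",
}

if __name__ == "__main__":
    print(build_undo_reg(SAMPLE_BEFORE, SAMPLE_POLICY))
```

Importing the generated file on a client after the policy has been withdrawn restores the snapshot values and deletes the ones the policy introduced.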

Click here to continue to part two to learn how to deploy system policies and about third-party alternatives.
