
Service Hints & Tips

Document ID: ROSN-3YU4K2

This document is provided to IBM and our Business Partners to help sell and/or service IBM products. It is not to be distributed beyond that audience or used for any other purpose.

Network Station - Using the Windows NT System Policy Editor with Windows Terminal Server

Applicable to: World-Wide

In Windows Terminal Server, it is necessary to lock users out of certain functions to keep them from intentionally or accidentally damaging the system for themselves and other users. The System Policy Editor allows an Administrator to control what functions are available to specific users and to groups of users. This information is intended only as an introduction to Windows NT System Policy.

How System Policy Works

When a user logs on to Windows Terminal Server, the Netlogon share on the Primary Domain Controller is checked for an NTConfig.pol file. This is the System Policy file that is created with the System Policy Editor. If a policy for the user is present, it is applied. If there is no policy for the specific user, the policy of the highest priority group that the user is a member of is applied. If the user is not a member of any of the groups specified, the default system policy is used.

The Netlogon share must be on the Primary Domain Controller of the domain that the user is logging on to. It is possible to use directory replication between Primary Domain Controllers and Backup Domain Controllers so that the Backups also have the policy files.

To create the NetLogon share, open Windows Explorer, right-click on the directory containing the NTConfig.pol file, and select Sharing. Select Share As and make sure that the share name is NetLogon. Set the permissions to be Everyone Read and Administrator Full Control.

System policy actually changes the registry for the user at logon. This means that, when the system policy file is removed, the changes it made to users' environments do not go away. You would have to establish another system policy that specifically enables all the things that you had taken away. How to enable, disable, or leave alone settings is explained in more detail in the next section.

System policy is domain-oriented. That is, the groups that you use in the System Policy Editor must be global groups for the domain and not local groups on a given system.

Using the System Policy Editor

To open the System Policy Editor, log on as Administrator and click Start -> Programs -> Administrative Tools -> System Policy Editor. Click File -> New Policy to start the creation of a new policy file. There are only two entries to start with: Default Computer and Default User. Changes made to these are taken by all computers and users who are not specifically defined in the system policy.

Two approaches to administering system policy can be taken. One approach is to establish a global group containing all the users whose desktop you want to limit (or several groups whose desktops you want to limit in different ways), but not to include the administrators in this group. The other approach is to make the Default User policy the limited one, but to define the Administrators to have full access.

To add a group, click on the Add Group icon or select Edit -> Add Group. Select the group from the list. If your groups do not appear, it is because they are not global groups defined for the domain.

Once the group appears in the System Policy Editor window, you can begin to edit the policies for that group by double-clicking on the group. You will see a structure very similar to a directory structure in Windows Explorer, with expanding levels.

When you reach a level where you can make a change, you will see that all of the boxes are gray. If you click on a box once it will show a check, and if you click a second time you will see that the box is now clear. If you click a third time it returns to gray. Gray, checked, and clear all mean different things. Gray means that the setting will not be changed from its current value. Therefore, if the user currently does not have the Run option on the Start menu, the user still will not have the Run option. If the box is checked, the setting will be made the next time the user logs on. For example, if the Disable Run option box is checked, the next time the user logs on the Run option will be taken out of the Start Menu. If the box is clear for a given setting, the indicated setting will be reversed. For example, if the box for Disable Run from Start Menu is cleared, the next time the user boots it will be enabled.
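To make the logon resolution order (user entry, then highest-priority group, then Default User) and the three checkbox states concrete, here is an added Python model; it is not code from IBM or from Windows NT, and it simplifies the policy file and the user's registry hive to dictionaries rather than the real .pol format. It assumes the Explorer policy values NoRun (behind Disable Run) and NoClose as sample settings and a constructed policy with a TSUsers group.

```python
# Added illustration (not IBM's code): how NTConfig.pol is resolved at logon and
# how gray / checked / clear settings change the user's registry.
from dataclasses import dataclass, field

GRAY, CHECKED, CLEAR = "gray", "checked", "clear"   # the three checkbox states

@dataclass
class Policy:
    users: dict = field(default_factory=dict)    # user name -> {setting: state}
    groups: list = field(default_factory=list)   # (priority, group, {setting: state}); 1 = highest
    default_user: dict = field(default_factory=dict)

def resolve(policy, user, memberships):
    """Settings that apply to `user`: an explicit user entry wins, otherwise the
    highest-priority group the user belongs to, otherwise Default User."""
    if user in policy.users:
        return policy.users[user]
    matches = [(prio, s) for prio, grp, s in policy.groups if grp in memberships]
    if matches:
        return min(matches, key=lambda m: m[0])[1]   # lowest priority number wins
    return policy.default_user

def apply_policy(registry, settings):
    """Apply tri-state settings to a copy of the user's registry hive at logon.
    gray = leave the current value; checked = set the restriction (1);
    clear = reverse it (0). Settings not in the policy are untouched."""
    reg = dict(registry)
    for setting, state in settings.items():
        if state == CHECKED:
            reg[setting] = 1
        elif state == CLEAR:
            reg[setting] = 0
    return reg

def demo():
    # Constructed sample: a locked-down TSUsers group, an unrestricted Administrator entry.
    policy = Policy(
        users={"Administrator": {"NoRun": CLEAR, "NoClose": CLEAR}},
        groups=[(2, "Domain Users", {"NoRun": GRAY}),
                (1, "TSUsers", {"NoRun": CHECKED, "NoClose": GRAY})],
        default_user={"NoRun": GRAY})
    hive = {"NoRun": 0, "NoClose": 1}           # jdoe's registry before logon
    after = apply_policy(hive, resolve(policy, "jdoe", ["Domain Users", "TSUsers"]))
    # Removing NTConfig.pol (an empty policy) does not undo the change: NoRun stays 1.
    without_policy = apply_policy(after, {})
    # Only a policy that clears the box reverses it.
    reversed_ = apply_policy(after, {"NoRun": CLEAR})
    return after, without_policy, reversed_
```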


Hint Category: Configuration, System Administration Tools

Date Created: 01-10-98

Last Updated: 22-03-99

Revision Date: 20-09-99

Brand: IBM Network Station

Product Family: NT Server - Network Station

Machine Type: Various
