
94 Microsoft Windows NT Server White Paper

Recent Updates to Policies Since Retail Release

The following changes have been made to System Policies support since the initial retail release of Windows NT 4.0.

 

When a policy file was to be downloaded, if the validating domain controller's name was 13 characters or longer, the policy was not applied. This was resolved in Service Pack 3.

 

The NoNetConnectDisconnect, NoTrayContextMenu, NoViewContextMenu, NoFileMenu, and DisableTaskMgr policies were added in Service Pack 2. For more information on these, see the section "Registry Keys Modified by the System Policy Editor Default Templates."

 

In Service Pack 2 and later, the policy file is no longer cached on the workstation. This change was made to increase security. Instead of being cached, the policy file is downloaded at each logon, written to a temporary file, and applied. Because no locally retained copy is used, the policy file must be reachable from the workstation at every logon.

 

When the NoViewContextMenu policy was introduced, it did not apply to the tree view on the left-hand side of Explorer. This was corrected in Service Pack 3. If this option is turned on, context menus for both the list view and the tree view are disabled.

 

Manual mode policy path expansion support was added in Service Pack 3. If you specify a policy path in the registry (rather than using Automatic mode), Windows NT now supports paths in the form \\someserver\share\ntconfig.pol.
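The manual-mode configuration described above, as an added example that is not part of the white paper: a PowerShell script (PowerShell is not an NT 4.0 tool; read it as the sequence of checks and registry edits an administrator would otherwise make with Regedt32) that validates the UNC path form, refuses a policy file that ordinary users can write to, and then sets UpdateMode to 2 (Manual) and NetworkPath under HKLM\SYSTEM\CurrentControlSet\Control\Update, the key the Remote Update policy writes. The server and share names are made up.

```powershell
# Added example, not code from the white paper. Assumes the Remote Update key
# HKLM\SYSTEM\CurrentControlSet\Control\Update with UpdateMode (REG_DWORD,
# 2 = Manual) and NetworkPath (REG_SZ). The UNC path below is made up.
param(
    [string]$PolicyPath = '\\someserver\policies\ntconfig.pol'
)

$UpdateKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Update'

# In Manual mode the workstation reads exactly this path, so it must name the
# .pol file itself (\\server\share\...\name.pol), not just the share.
function Test-PolicyPath {
    param([string]$Path)
    return $Path -match '^\\\\[^\\]+\\[^\\]+\\.+\.pol$'
}

if (-not (Test-PolicyPath $PolicyPath)) {
    throw "Not a UNC path to a .pol file: $PolicyPath"
}

# The file is fetched at every logon and applied to the registry, so anyone
# who can write it controls the settings of every user who logs on here.
# Stop if a broad principal holds any Write right on the file.
$acl = Get-Acl -Path $PolicyPath
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$writable = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Everyone|\\Users$|Authenticated Users' -and
    (($_.FileSystemRights -band $writeBits) -ne 0)
}
if ($writable) {
    throw "Policy file $PolicyPath is writable by non-administrators; fix the ACL before pointing workstations at it"
}

# Switch the workstation from Automatic (NETLOGON lookup) to Manual mode and
# record the explicit path. Both values are read by Winlogon at the next logon.
if (-not (Test-Path $UpdateKey)) { New-Item -Path $UpdateKey -Force | Out-Null }
Set-ItemProperty -Path $UpdateKey -Name UpdateMode  -Value 2 -Type DWord
Set-ItemProperty -Path $UpdateKey -Name NetworkPath -Value $PolicyPath -Type String

# Read back what will be used at logon.
Get-ItemProperty -Path $UpdateKey | Select-Object UpdateMode, NetworkPath
```

Run it with administrative rights on the workstation being configured; the new mode takes effect at the next logon. Because the file is downloaded fresh each time, keep the share itself read-only for users and grant write access only to the administrators who maintain the policy file.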

 

If the administrator created a new policy file, turned on synchronous logon scripts, saved it to disk, and reloaded the policy file, the policy setting would be lost because the .adm file needed modification in three different places. This was corrected in Service Pack 3.

 

Changing the location of a user's Start menu caused duplicate Programs items. If you used the System Policy Editor to change the Custom Start Menu to point to a different directory (even an empty one), the user would receive the normal Programs menu item and a second Programs menu item above it that pointed to the All Users programs directory. This has been corrected in Service Pack 3.

 

The Microsoft Office 97 Resource Kit contains .adm files that administrators can use when configuring the Office environment for their users. It is available now from Microsoft.
