System Policies Overview

System policies offer you a powerful mechanism for increasing control and manageability of computers across the network. You do not need to use a 32-bit, protected-mode client to use system policies. (If you want to define user settings, however, you must enable user profiles.) With system policies, you can do the following:

For example, you can preset a user's environment so that the MS-DOS prompt or unapproved applications are not available. You can choose from the set of system policies offered by Windows 95 or create custom system policies.

Note

You should make some decisions about the default set of system policies before installing Windows 95. For information, see Part 1, "Deployment Planning Guide."

The system policy entries you set through System Policy Editor are reflected in the policy file (CONFIG.POL), which overwrites default USER.DAT and SYSTEM.DAT settings in the Registry when the user logs on. Policy entries change Registry settings in the following way:

The following figure shows how these settings are interrelated.

To use System Policy Editor, you must install the following files from ADMIN\APPTOOLS\POLEDIT: ADMIN.ADM, POLEDIT.EXE, and POLEDIT.INF. ADMIN.ADM is placed in the INF subdirectory of the Windows directory, and it provides the template to use with System Policy Editor for creating a CONFIG.POL file. CONFIG.POL must be placed in a secure network location. Any custom templates that you create will use the .ADM filename extension.

If you want to use group policies, GROUPPOL.DLL must be placed in the SYSTEM subdirectory of the Windows directory on each client computer. In addition, you must make some changes to the Registry on each computer to use GROUPPOL.DLL. For more information, see "System Policy Editor" later in this chapter.

Important

System policies are based on the content of the Registry and cannot be edited with a text editor. To define and manage system policies, you must use System Policy Editor and other supporting tools.

You can, however, use a text editor to edit the template files used by System Policy Editor, as described in "System Policy Templates" later in this chapter.

How Do System Policies Work?

When the user logs on, Windows 95 checks the user's configuration information for the location of the policy file. Windows 95 then downloads the policies and copies the information into the Registry by using the following process:

  1. If user profiles are enabled, Windows 95 checks for a user policy file that matches the user name. If it finds one, Windows 95 applies the user-specific policy. If Windows 95 does not find a user policy file, it applies the Default User policy file.

    If support for group policies is installed on the computer, then Windows 95 checks whether the user is registered as a member of any groups. If so, group policies are downloaded starting with the lowest priority group and ending with the highest priority group. Group policies are processed for all groups the user belongs to. The group with the highest priority is processed last so that the settings in that group's policy file supersede those in lower priority groups. Group policies are not applied if there is a policy file for a specific user. Then, all settings are copied into the USER.DAT portion of the Registry.

  2. Windows 95 checks for a computer policy file to match the computer name. If one exists, Windows 95 applies the computer-specific policies to the user's desktop environment. If a policy file for that computer name doesn't exist, Windows 95 applies the default computer policies. This data is then copied into the SYSTEM.DAT portion of the Registry.
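The precedence in steps 1 and 2, modeled as an added example (not code from the Resource Kit or from Windows 95). The dictionary layout, the setting keys and the user, group and computer names are constructed for illustration, and the model assumes the Default User policy is applied before group policies, following the order of the text.

```python
# Constructed stand-in for the sections of a CONFIG.POL file. All names and
# setting keys are hypothetical; this is not a parser for the real format.
SAMPLE_POLICY = {
    "default_user": {"no_msdos_prompt": 1, "wallpaper": "corp.bmp"},
    "users": {"alice": {"no_msdos_prompt": 0}},
    "group_priority": ["Staff", "Helpdesk"],   # lowest -> highest priority
    "groups": {
        "Staff": {"no_msdos_prompt": 1, "hide_run": 1},
        "Helpdesk": {"no_msdos_prompt": 0},
    },
    "computers": {"KIOSK01": {"require_validated_logon": 1}},
    "default_computer": {"require_validated_logon": 0},
}


def resolve_user_settings(policy, user, member_of,
                          profiles_enabled=True, group_support=True):
    """Settings that would be copied into the USER.DAT portion (step 1)."""
    if not profiles_enabled:
        return {}  # user settings require user profiles to be enabled
    if user in policy["users"]:
        # A user-specific policy is applied; group policies are then skipped.
        return dict(policy["users"][user])
    merged = dict(policy["default_user"])  # assumption: applied before groups
    if group_support:
        # Walk groups from lowest to highest priority so that the
        # highest-priority group is processed last and supersedes the rest.
        for group in policy["group_priority"]:
            if group in member_of:
                merged.update(policy["groups"].get(group, {}))
    return merged


def resolve_computer_settings(policy, computer):
    """Settings that would be copied into the SYSTEM.DAT portion (step 2)."""
    named = policy["computers"].get(computer)
    return dict(named if named is not None else policy["default_computer"])


if __name__ == "__main__":
    for who, groups in [("alice", {"Staff"}), ("bob", {"Staff", "Helpdesk"})]:
        print(who, resolve_user_settings(SAMPLE_POLICY, who, groups))
    print("KIOSK01", resolve_computer_settings(SAMPLE_POLICY, "KIOSK01"))
```

In this model alice, who has a user-specific entry, receives none of the Staff restrictions, so per-user entries are worth reviewing wherever group policy is the intended control.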

By default, Windows 95 automatically attempts to download computer and user policies from the NETLOGON directory on a Windows NT server or the PUBLIC directory on a NetWare server. This default location can be overridden in a policy file setting. If no server is present, Windows 95 uses the settings currently on the computer.