Creating System Policies

This section describes procedures for creating system policies.

To take advantage of automatic downloading, discussed earlier, create a policy file that contains user, computer, and group entries to reside in the Netlogon share of a Windows NT server or the Public directory of a NetWare server. Based on the client selected, Windows 98 automatically looks in one of these locations to download your newly created system policy.

To view or edit default system policies

In System Policy Editor, click the File menu, and then click New File.
Double-click Default User to define the default settings for user-specific policies.
– Or –
Double-click Default Computer to define the settings for computer-specific policies.
Select the policies you want to put in place.

Creating Policies for Individual Users or Computers

This section describes how to create a system policy for a user or computer.

Tip

To reduce the management load, minimize the number of user and computer entries in system policy files. Consider first creating one standard system policy for all users by editing default settings, and then creating settings for individuals on an exception basis.

To create system policies for a new user or computer

In System Policy Editor, click the Edit menu, and then click Add User or Add Computer.
Type the name of the user or computer you want to add. System Policy Editor adds an icon for each user or computer you add.
Tip
You can easily copy policy values to the new user or computer from an existing user or computer by copying and pasting them. Highlight an existing user or computer, and on the Edit menu, click Copy. Then highlight the new user or computer, and on the Edit menu, click Paste.

To edit existing system policies

In System Policy Editor, double-click the icon for the user or computer policies you want to edit.
Select or clear individual policies by clicking the policy name.

Creating Policies for Groups

Group policies are supported for both Windows NT and NetWare networks. Creating policies for groups is similar to creating policies for users or computers.

You must first make sure that Grouppol.dll, which supports group policies, has been successfully installed on each client computer. For more information, see "Installing System Policy Editor" earlier in this chapter.

You cannot create new groups by using System Policy Editor; you can use only existing groups on the NetWare or Windows NT network. To create a new group, use the tools provided with your network administrative software.

To create system policies for groups

In System Policy Editor, click the Edit menu, and then click Add Group.
Type the name of the group you want to add, and then click OK.
– Or –
If user-level security is enabled, click Browse, click the name of the group you want, and then click OK.
Select or clear policies by clicking the policy name.

Group policies are downloaded starting with the lowest-priority group and ending with the highest-priority group. All groups are processed. The group with the highest priority is processed last so that any of the settings in that group’s policy file supersede those in lower-priority groups. You can use one policy file for each group, even if some of the client computers in the group do not have support installed for group policies. Client computers that are not configured for using group policies will ignore group policy files.

Important

If a policy exists for a specific named user, group policies are not applied to that user.

To set priority levels for groups

In System Policy Editor, click the File menu, and then click Open File.
Locate the Config.pol file, and then click Open.
On the Options menu, click Group Priority.
In the Group Priority dialog box, click on a group name, and then use Move Up and Move Down to move it into its relative priority.

Creating NetWare Directory Services System Policies

Microsoft Service for NetWare Directory Services supports system policies on a Novell Directory Services (NDS) network. When your users log on, Windows looks for the policy file in the location you specify.

Note

The first time system policies are implemented on an NDS tree, the tree’s schema database, which defines the objects in the tree, is modified. This happens because the schema provides templates for each NDS object type, and adding system policies is a modification of some templates. To modify the schema, you must have Supervisor rights to the [Root] on the NDS tree. Subsequent implementations of system policies, however, can be done by administrators who do not have Supervisor rights to the [Root] on the NDS tree.

If you plan to implement user or group system policies, you must enable user profiles on your network. Also, for group policies, at least one NetWare version 4.1 server on the network must have bindery emulation enabled. Make sure the group and all the users in the group are in the bindery context for the server.

To set the system policies in a new or existing policy file

In System Policy Editor, click the Options menu, and then click Template.
Click Open Template, and then type the path for Filename.adm.
If you have already implemented system policies on your network, open the current policy file.
– Or –
If you have not implemented system policies on your network, on the File menu, click New.
Set the policies, and then save them as Config.pol. (If a policy file with a different name already exists on your network, type the name of that policy file instead.) The new settings will be merged into the existing policy file.

To specify the location of the policy file

In Network Neighborhood, find the organization or organizational unit object for which you have created the policy file.
Right-click the icon for the organization or organizational unit object, and then click Properties.
Click the NDS Administration Settings tab.
Note
To gain access to the NDS Administration Settings tab, you must be a trustee for the volume object. You must also have the Supervisor object and Supervisor property correct for the volume.
Type the path and name of the system policy file.

Any container (Organization or Organizational Unit) can have its own policy file. When a user logs on to NDS, the Service for NetWare Directory Services looks in the parent container of the logon container, and so on up to the root.

The advantage of this is that you can put a policy file in the root and have it apply to every object in the tree, or you can have individual system policy files in any container below the root.

Managing Custom Folders for Use with System Policies

You can define five system policies to create a custom desktop. These policies use custom folders, created by the administrator, that contain the specific settings for the customized desktop. Table 8.4 summarizes the policies used to create a custom desktop.

Table 8.4 System policies used to create a custom desktop

Policy	Description

Custom Programs Folder	Shortcuts that appear in the Programs group on the Start menu.
Custom Network Neighborhood	Shortcuts to resources that appear in Network Neighborhood, including shortcuts to shared printers and files and to Dial-Up Networking connections.
Custom Desktop Icons	Shortcuts that appear on the desktop.
Custom Start Menu	Shortcuts and other options that appear on the Start menu, as defined by using the Taskbar Properties dialog box.
Custom Startup Folder	Programs or batch files that appear in the Startup group on the Start menu.

Before you create a custom desktop by using system policies, you must define custom folders.

To define custom folders for use with policy files

Create and place the custom folders in a central location where users can gain access. You can use any valid folder names for the folders you create. Windows 98 uses the path defined for the related policy to find the folder.
Note
To prevent accidental removal or unauthorized changes, place custom folders in directories where users are restricted to read-only access.
Place the custom set of files and shortcuts you want in each folder.
- You can place any kind of files in the custom folders.
- For shortcuts, make sure that the path specified in the Target box in Shortcut properties is a UNC name, rather than a mapped directory. Otherwise, the users who will access resources using these shortcuts must have the same drives mapped in their logon scripts.

Caution

Do not place folders in the custom Network Neighborhood. Windows 98 does not support this feature, and unpredictable results can occur.

To create a custom desktop using system policies

In System Policy Editor, open the System Policy file.
In the System Policy file, set the related policies.
In the Path to get Program items from box, type the path to the folder’s location.
If you selected the Custom Programs Folder or Custom Desktop Icons policies, also select the Hide Start Menu subfolders policy check box to enable it. Otherwise, multiple Programs entries will appear on the user’s Start menu — one for the location of the Custom Programs Folder and one for the default location.

If the custom folders will not be stored in the directories where Windows 98 automatically looks for them, you must specify another location when you specify the Custom Folders policies. For example, you might want to create these folders where the system policy files are located on the server.

The following list shows the default locations for custom folders.

Custom Programs Folders:
c:\windows\profiles\username\start menu\programs
Custom Desktop Icons:
c:\windows\profiles\username\desktop
Custom Startup Folder:
c:\windows\profiles\username\start menu\programs\startup
Custom Network Neighborhood:
c:\windows\profiles\username\nethood
Custom Start Menu:
c:\windows\profiles\username\start menu

NetWare Directory Services System Policies

Table 8.5 summarizes the new system policies provided by Microsoft Service for NetWare Directory Services.

Table 8.5 New system policies provided by Microsoft Service for NetWare Directory Services

Option	Description

Default Name Context	Sets the default context.
Preferred Tree	Sets the default NDS tree.
Disable automatic tree logon	Causes you to be prompted to log on to the NDS tree when starting Windows 98, even if your NDS password is the same as your Windows password.
Enable logon confirmation	Causes a confirmation dialog box to appear after you log on.
Default type of NetWare logon	Specifies whether you log on as a bindery user (for example, by using logon /b) or an NDS user by default.
Don’t show Advanced logon button	Hides the Advanced button on the logon dialog box. The Advanced button enables you to choose a different tree or context when you log on.
Don’t allow browsing outside the default context	Hides Directory Services containers outside the default context.
Don’t show volume objects	Hides NDS volume objects from the directory tree in Network Neighborhood.
Don’t show server objects	Hides NDS server objects from the directory tree in Network Neighborhood.
Don’t show servers that aren’t NDS objects	Hides all servers that are not objects in the Directory Tree (for example, bindery servers and peer servers).
Don’t show printer objects	Hides NDS printer objects in Network Neighborhood.
Don’t show print queue objects	Hides NDS queue objects in Network Neighborhood.
Don’t show container objects	Hides NDS organizations and organizational units in Network Neighborhood.
Don’t show peer workgroups	Hides Windows 98 workgroups within Network Neighborhood.
Load NetWare DLLs at startup	Automatically loads Novell-supplied NetWare dynamic-link libraries (DLLs) required by some NDS applications.