Deploying Registry-Based Policy



Whether you create an administrative template or use one provided by an application such as Office 2003 Editions, you must load it in the Administrative Templates extension in order to use it. You load template files into each GPO in which you want to use them. Because we're talking about the local GPO in this chapter, you only have to load template files once. If you used a template with Active Directory, you'd have to load it in each GPO in which you wanted to use it.

Here's how to load a template into the local GPO:

  1. In the Group Policy Editor, under Computer Configuration or User Configuration, right-click Administrative Templates, and then click Add/Remove Templates.

  2. In the Add/Remove Templates dialog box, click Add.

  3. In the Policy Templates dialog box, type the path and file name of the administrative template that you want to load into the local GPO.

Windows Group Policy Improvements

Windows includes improved policy management, enabling IT professionals to adjust, manage, or simply turn off features that they don't want users to access. IT professionals can deploy any of the policy settings in Windows from Active Directory, too, without fear of altering their existing Windows 2000 configurations. Here's a brief list of the improvements that you find in Windows:

  • Windows XP and Windows Server 2003 support most Windows 2000 policies.

  • Windows XP and Windows Server 2003 add many new policy settings, which Windows 2000 ignores.

  • Group Policy Editor uses a Web view to display useful information about policies for IT professionals to use in assessing and verifying settings.

  • Group Policy Editor includes integrated help that makes learning and tracking down policies easier.

  • Windows XP and Windows Server 2003 don't wait for the network to fully initialize before presenting the desktop, using cached credentials in the meantime, and allowing users to get to work faster. The operating system applies policies in the background when the network is ready.

These improvements are big advantages. However, you'll be happy to know that the overall process doesn't change much. You generally use the same tools in the same ways to configure and manage user settings. If you're already familiar with Windows 2000 Group Policy, you're equally familiar with Windows XP and Windows Server 2003 Group Policy.

Windows 2000 Server-Based Networks

The Windows XP policy templates are fully compatible with Microsoft Windows 2000 Server and its version of Active Directory. Windows Server 2003 includes the Windows XP administrative templates by default. You have to load them in each GPO in which you want to use them; the steps for doing that are the same as those you learned in the previous sections.

NOTE
You must update the administrative templates after deploying a Windows service pack. You can use the techniques described in this section to update existing administrative templates to the latest service pack.

You can avoid having to load the Windows XP administrative templates in each GPO by copying them to %SystemRoot%\Inf on the server. On a computer running Windows XP, just copy all the files with the .adm extension from %SystemRoot%\Inf to the same folder on the server. The server operating system automatically updates each GPO when you open it for editing. If you're uncomfortable with replacing your Windows 2000 administrative templates, you should continue loading the Windows XP templates into GPOs where you want to use them. I've replaced my Windows 2000 administrative templates with Windows XP administrative templates, however, and haven't had any problems.

Consider these best practices when using Windows XP administrative templates in Windows 2000 Server:

  • In a mixed environment, use Windows XP template files to administer your GPOs. Windows 2000 ignores Windows XP–specific settings.

  • Apply the same policy settings to both Windows XP and Windows 2000 to give roaming users a consistent experience.

  • Test interoperability of the various settings before deployment.

  • Configure policy settings only on client machines using GPOs. Do not try to create these registry values by using other methods.

Windows NT–Based Networks and Other Networks

Like Group Policy, System Policy configures and manages settings for groups of computers and groups of users. I assume you're familiar with System Policy Editor if you're facing this issue. Table 7-2 describes the differences between the two technologies. The policy file that System Policy Editor creates, usually Ntconfig.pol, contains the registry settings for all the users, groups, and computers that use those settings. To deploy this file on a network, put it in the NETLOGON share of the domain controller. Unlike in Group Policy, separate policy files aren't necessary.

Table 7-2 Group Policy Compared to System Policy

|  | Group Policy | System Policy |
| --- | --- | --- |
| Tool | Group Policy Editor | System Policy Editor |
| Number of settings | 620 registry-based settings | 72 registry-based settings |
| Applied to | Users and computers in a specific Active Directory container, such as sites, domains, and organizational units (OUs) | Users and computers in a domain |
| Security | Secure | Not secure |
| Extensions | Microsoft Management Console (MMC) and administrative templates | Administrative templates |
| Persistence | Does not make permanent changes to the registry | Makes permanent changes to the registry, which you must manually remove |
| Usage | Implementing registry-based policy settings; configuring security settings; applying logon, logoff, startup, and shutdown scripts; deploying and maintaining software; optimizing and maintaining Internet Explorer | Implementing registry-based policy settings |

Windows behaves differently depending on what kind of server authenticates the user and computer accounts. If an Active Directory–based server authenticates the account, Windows looks for Group Policy, not System Policy. If a Windows NT–based server authenticates the account, Windows looks for System Policy. (It uses the file Ntconfig.pol in the NETLOGON share.) You can use this to your advantage when you haven't deployed Active Directory but you still want to configure policies.

To configure System Policies, use System Policy Editor. You load the Windows policy templates into System Policy Editor before using them. Using System Policy, you can configure and deliver all the registry-based policies that these templates define. Note that Windows doesn't provide System Policy Editor, but Windows 2000 Server does. Also, you will find System Policy Editor in the Microsoft Office 2003 Editions Resource Kit, which you learn about in Chapter 17, “Deploying Office 2003 Settings.” You create the Ntconfig.pol file, and drop it in the NETLOGON share. If Windows authenticates the account using that Windows NT–based server, it downloads and parses the policies from the Ntconfig.pol file it finds in the NETLOGON share.

If you're not using Active Directory or a Windows NT domain, you can still configure System Policy. You configure Windows to look for the Ntconfig.pol file in any share by specifying a path to the policy file. You must make this change on each individual computer, however, which makes it a labor-intensive process unless you configure it on your disk images. Set the UpdateMode REG_DWORD value to 0x02, which changes Windows from automatic (0x01) to manual mode (0x02). (Set this value to 0x00 to turn off system policy.) Then set the REG_SZ value NetworkPath to the UNC path and name of the policy file that you want to use. These values are in the key HKLM\SYSTEM\CurrentControlSet\Control\Update. You might have to create them.
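The manual-mode configuration described above can be scripted for disk images and read back afterward to confirm which policy file a computer trusts. This is an added example, not code from the book: the function names are hypothetical and the UNC path in the usage comment is a placeholder.

```powershell
# Added example: set and audit the System Policy source described in the text.
# Function names are hypothetical. Run from an elevated session.
$UpdateKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Update'
$ModeNames = @{ 0 = 'Off'; 1 = 'Automatic'; 2 = 'Manual' }

function Set-SystemPolicySource {
    param(
        [Parameter(Mandatory)][ValidateSet('Off', 'Automatic', 'Manual')][string]$Mode,
        [string]$PolicyFile
    )
    $value = @{ Off = 0; Automatic = 1; Manual = 2 }[$Mode]
    # Manual mode needs the UNC path and name of the policy file.
    if ($Mode -eq 'Manual' -and $PolicyFile -notmatch '^\\\\[^\\]+\\[^\\]+\\.+\.pol$') {
        throw "PolicyFile must be a UNC path to a .pol file: '$PolicyFile'"
    }
    # The key and values might not exist yet, so create them as needed.
    if (-not (Test-Path $UpdateKey)) { New-Item -Path $UpdateKey -Force | Out-Null }
    New-ItemProperty -Path $UpdateKey -Name 'UpdateMode' -PropertyType DWord `
        -Value $value -Force | Out-Null
    if ($Mode -eq 'Manual') {
        New-ItemProperty -Path $UpdateKey -Name 'NetworkPath' -PropertyType String `
            -Value $PolicyFile -Force | Out-Null
    }
}

function Get-SystemPolicySource {
    # Read back both values and translate UpdateMode into the modes the text names.
    $props = Get-ItemProperty -Path $UpdateKey -ErrorAction SilentlyContinue
    $mode = $null
    if ($null -ne $props -and $null -ne $props.UpdateMode) { $mode = [int]$props.UpdateMode }
    $name = 'NotConfigured'
    if ($null -ne $mode) {
        $name = if ($ModeNames.ContainsKey($mode)) { $ModeNames[$mode] } else { 'Unknown' }
    }
    [pscustomobject]@{
        UpdateMode  = $mode
        ModeName    = $name
        NetworkPath = if ($null -ne $props) { $props.NetworkPath } else { $null }
    }
}

# Usage (placeholder server and share names):
#   Set-SystemPolicySource -Mode Manual -PolicyFile '\\fileserver\policies\Ntconfig.pol'
#   Get-SystemPolicySource
```

Because the computer applies whatever policy file NetworkPath names, comparing the output of Get-SystemPolicySource against the expected path on each image is a quick check that nothing has redirected the policy source.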



Microsoft Windows Registry Guide
Microsoft Windows Registry Guide, Second Edition
ISBN: 0735622183
EAN: 2147483647
Year: 2003
Pages: 186
