Group Policy and System Policy Settings


System Policy is based on registry settings made by using Poledit.exe, the System Policy Editor tool. Windows NT 4.0 introduced Poledit.exe, which specifies user and computer configurations stored in the Windows NT registry. By using Poledit.exe, administrators can create a System Policy to control the user work environment and to enforce system configuration settings for all computers that run either Windows NT 4.0 Workstation or Windows NT 4.0 Server.

Windows NT 4.0 includes 72 policy settings that:

  • Assign the values only for registry entries based on .adm files.

  • Apply only to users on Windows NT based computers, or Windows 95 based and Windows 98 based computers within a domain.

  • Apply only to controls exercised by user name and membership in security groups.

  • Remain in user profiles only until the specified policy is reversed or until the user edits the registry.

  • Function primarily for customizing desktop environments; they do not perform as well in other circumstances.

  • Lack security.

Beginning with Windows 2000, the Group Policy snap-in replaced the System Policy Editor tool used in Windows NT 4.0. The Group Policy snap-in gives you increased control over configuration settings for groups of computers and users. In Windows XP Professional, as in Windows 2000 and Windows Server 2003, Group Policy settings are your primary means for enabling centralized change and configuration management. A domain administrator can use Group Policy at a Windows 2000 based or Windows Server 2003 based domain controller to create a specific desktop configuration for a particular group of users and computers. You can also create local Group Policy settings for individual workstations to customize environments that differ from the domain environment.

A Windows 2000 domain Group Policy has more than 100 security-related settings and more than 450 registry-based settings that provide a broad range of options for managing the user environment. Windows Server 2003 offers additional options and settings. Group Policy settings are:

  • Defined either locally or in the Windows 2000 or Windows Server 2003 domain.

  • Extended by using MMC or .adm files.

  • Not left in user profiles.

  • Applied to users or computers in a specified Active Directory container (sites, domains, and organizational units).

  • Controlled further by user or computer membership in security groups.

  • Used to configure many types of security settings.

  • Used to assign logon, logoff, startup, and shutdown scripts.

  • Used to install and maintain software (Windows 2000 and Windows Server 2003 domain policies only).

  • Used to redirect folders (such as My Documents and Application Data).

  • Used to perform maintenance on Microsoft Internet Explorer (Windows 2000 and Windows Server 2003 domain policies only).

  • Used to ensure security.

You can use the Group Policy snap-in to edit local Group Policy objects to make the following changes at the local computer:

  • Define security settings for a local computer only, not for a domain or network.

  • Use administrative templates to set more than 450 operating system behaviors.

  • Use scripts to automate computer startup, shutdown, and user logon and logoff processes.

On a stand-alone computer running Windows XP Professional, local Group Policy objects are located at systemroot\System32\GroupPolicy.

For more information about implementing Group Policy within a Windows 2000 domain, see Group Policy in the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit. For more information about implementing Group Policy in a Windows Server 2003 domain, see the Designing a Managed Environment book of the Microsoft Windows Server 2003 Resource Kit.

System Policy and Group Policy Coexistence

You might have instances in which Windows NT System Policy must coexist with Windows 2000 and Windows Server 2003 Group Policy. Two possible scenarios follow:

  • A Windows XP Professional based computer uses local Group Policy together with Windows NT 4.0 System Policy to enable Windows 2000 security settings.

  • A Windows XP Professional based computer is in a Windows NT 4.0 domain that you are in the process of migrating to a Windows 2000 or Windows Server 2003 domain, and user and computer accounts are split between the two domains.

In an environment where Windows NT System Policy coexists with Windows 2000 or Windows Server 2003 Group Policy, the resulting computer and user configuration is determined by the following factors:

  • The location of the user account (Windows NT based or Windows 2000 based or Windows Server 2003 based domain controller).

  • The location of the computer account (Windows NT based or Windows 2000 based or Windows Server 2003 based domain controller).

  • The activity taking place, such as a computer starting up, a user logging on, or the refreshing of a user or system account.

Table 20-3 summarizes the expected behavior of computer and user accounts in an environment where Windows NT System Policy coexists with Windows 2000 or Windows Server 2003 domain Group Policy.

Table 20-3: Expected Behaviors of System Policies and Group Policy Settings

| Environment | Account Object Location | Result at Windows XP Professional based Client |
|---|---|---|
| Windows NT 4.0 domain | Computer: Windows NT 4.0 | At computer startup: Computer local Group Policy (only if changed). Every time the user logs on: Computer System Policy. |
| Windows NT 4.0 domain | Computer refresh | Before Control-Alt-Delete: Computer local Group Policy only. After the user logs on: Computer local Group Policy and computer System Policy. |
| Windows NT 4.0 domain | User: Windows NT 4.0 | When the user logs on: User System Policy. If local Group Policy changes: User local Group Policy and user System Policy. |
| Windows NT 4.0 domain | User refresh | User local Group Policy and user System Policy. |
| Mixed domain (migration) | Computer: Windows NT 4.0 | At computer startup: Computer local Group Policy (only if changed). Every time the user logs on: Computer System Policy. |
| Mixed domain (migration) | Computer refresh | Before Control-Alt-Delete: Computer local Group Policy only. After the user logs on: Computer local Group Policy and computer System Policy. |
| Mixed domain (migration) | User: Windows XP Professional | Group Policy is processed by the local computer. Windows NT 4 does not recognize Group Policy. Thus a user logging on to a Windows NT 4 computer does not get any portion of Group Policy. |
| Mixed domain (migration) | User refresh | User Group Policy. |
| Mixed domain (migration) | Computer: Windows 2000 Server, Windows Server 2003, or Windows XP Professional | During system startup: Group Policy. |
| Mixed domain (migration) | Computer refresh | Computer Group Policy. |
| Mixed domain (migration) | User: Windows NT 4.0 | When the user logs on: User System Policy. If local Group Policy changes: User local Group Policy and user System Policy. |
| Mixed domain (migration) | User refresh | User local Group Policy and user System Policy. |
| Windows 2000 or Windows Server 2003 domain | Computer: Windows XP Professional | Computer Configuration part of Group Policy is processed when the computer starts and at designated intervals thereafter (period is configurable). |
| Windows 2000 or Windows Server 2003 domain | User: Windows XP Professional | User Configuration part of Group Policy is processed when the user logs on. |
| Workgroup | Local | Local Group Policy only. |

In a system environment where local Group Policy on a Windows XP Professional based computer coexists with a Windows NT 4.0 domain System Policy, make sure that the policy settings do not conflict or override each other. For example, in a Windows NT 4.0 domain that has system policies enabled, a Windows XP Professional based computer with local Group Policy enabled enforces both policy settings whenever the computer is restarted immediately after the user logs on.

For more information about implementing Windows 2000 Group Policy on a Windows XP Professional client, see Defining Client Administration and Configuration Standards in the Deployment Planning Guide of the Microsoft Windows 2000 Server Resource Kit. For more information about implementing Windows Server 2003 Group Policy on a Windows XP Professional client, see the Designing a Managed Environment book of the Microsoft Windows Server 2003 Deployment Kit.

Checking Local and Domain Policy Compatibility

Check to see if existing local Group Policy and Windows NT System Policy are compatible. Does configuring Group Policy with Windows NT System Policy or Windows 2000 or Windows Server 2003 domain Group Policy produce unexpected results? For example, if you configure local Group Policy to remove entries from the Start menu, does the domain Group Policy override the entries when the user logs on to the domain? For more information about the coexistence of local Group Policy with domain Group Policy or Windows NT System Policy, see Troubleshooting Group Policy and System Policy later in this chapter.
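The same kind of check can be applied within the local Group Policy object itself, where the notes below say the Computer Configuration setting wins over the User Configuration setting. The block below is an added example, not code from the Resource Kit: it parses the Machine and User registry.pol files under systemroot\System32\GroupPolicy (the PReg file layout, which this page does not describe), lists the registry-based settings each half configures, and flags a value configured in both. NC_KEY is the real Network Connections policy key; the value names and data in the embedded sample, and all function names, are constructed for illustration.

```python
import struct
from pathlib import Path

PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # 'PReg' signature + format version 1
REG_DWORD = 4

def _u16(text):
    return text.encode("utf-16-le")

def build_registry_pol(entries):
    """Serialize (key, value, type, raw) tuples as registry.pol: each entry is
    [key;value;type;size;data] in UTF-16LE with NUL-terminated key and value names."""
    out = bytearray(PREG_HEADER)
    for key, value, vtype, raw in entries:
        out += _u16("[") + _u16(key) + b"\0\0" + _u16(";") + _u16(value) + b"\0\0"
        out += _u16(";") + struct.pack("<I", vtype) + _u16(";")
        out += struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]")
    return bytes(out)

def _read_utf16z(data, pos):
    # Read a NUL-terminated UTF-16LE string; return (text, position after the NUL).
    end = pos
    while data[end:end + 2] != b"\0\0":
        end += 2
        if end >= len(data):
            raise ValueError("unterminated string in registry.pol")
    return data[pos:end].decode("utf-16-le"), end + 2

def _expect(data, pos, ch):
    if data[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(data):
    """Return the (key, value, type, raw) entries of a version-1 registry.pol."""
    if data[:8] != PREG_HEADER:
        raise ValueError("not a version-1 registry.pol file")
    entries, pos = [], 8
    while pos < len(data):
        pos = _expect(data, pos, "[")
        key, pos = _read_utf16z(data, pos)
        value, pos = _read_utf16z(data, _expect(data, pos, ";"))
        pos = _expect(data, pos, ";")
        vtype = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        size = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        raw, pos = data[pos:pos + size], pos + size
        pos = _expect(data, pos, "]")
        entries.append((key, value, vtype, raw))
    return entries

def effective_settings(machine_entries, user_entries):
    """Merge both halves of a GPO into {'key\\value': (side, raw)}; a value set in
    both Computer and User Configuration is applied from the Machine side."""
    merged = {}
    for side, entries in (("User", user_entries), ("Machine", machine_entries)):
        for key, value, _, raw in entries:
            name = f"{key}\\{value}".lower()  # registry names are case-insensitive
            label = "Machine (overrides User)" if side == "Machine" and name in merged else side
            merged[name] = (label, raw)
    return merged

def load_local_gpo(systemroot=r"C:\Windows"):
    """Read the local GPO's Machine and User registry.pol; a missing file means no settings."""
    base = Path(systemroot, "System32", "GroupPolicy")
    pols = [base / part / "registry.pol" for part in ("Machine", "User")]
    return effective_settings(*[parse_registry_pol(p.read_bytes()) if p.exists() else [] for p in pols])

# Constructed sample: NC_KEY is the real policy key; value names and data are assumed for illustration.
NC_KEY = r"Software\Policies\Microsoft\Windows\Network Connections"
SAMPLE_MACHINE = build_registry_pol([(NC_KEY, "NC_ShowSharedAccessUI", REG_DWORD, struct.pack("<I", 0))])
SAMPLE_USER = build_registry_pol([(NC_KEY, "NC_ShowSharedAccessUI", REG_DWORD, struct.pack("<I", 1)),
                                  (NC_KEY, "NC_AllowAdvancedTCPIPConfig", REG_DWORD, struct.pack("<I", 0))])
```

Calling load_local_gpo() on a Windows XP Professional computer reports the same merged view for the real local GPO; effective_settings(parse_registry_pol(SAMPLE_MACHINE), parse_registry_pol(SAMPLE_USER)) shows the constructed case, where the Machine value wins.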

Group Policy Settings for Network Connections

You can use Group Policy settings or a combination of Group Policy and System Policy settings to control access to the Network Connections folder and the way the folder is used. For example, a Group Policy setting can be applied to make the Advanced Settings menu unavailable in the Network Connections folder. For more information about using Group Policy with Windows 2000 Server, see Windows 2000 Server Help. For more information about using Group Policy with Windows Server 2003, see the Windows Server 2003 Help and Support Center.

The location in the Group Policy snap-in for these settings is shown in Figure 20-5.

Figure 20-5: User Configuration in Group Policy

Descriptions of local Group Policy settings and all setting and registry information that you can apply in Windows XP Professional follow.

Allow configuration of connection sharing

The Allow configuration of connection sharing setting determines whether administrators can enable, disable, and configure the Internet Connection Sharing (ICS) feature of a dial-up connection.

Note 

This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Also, this setting applies only to users in the Administrators group.

If you enable this setting or do not configure it, the Sharing tab is displayed in the Properties dialog box for a dial-up connection. On Windows 2000 Server, for example, it also displays the Internet Connection Sharing (ICS) page in the Network Connection Wizard. If you disable this setting, the Sharing tab and the Internet Connection Sharing wizard page do not appear.

Warning 

Allowing users to enable ICS allows them to create an unauthorized DHCP server on the subnet on which the computer is located. An ICS-enabled computer allocates incorrect IP address configurations to all other DHCP clients on the same subnet and prevents them from communicating with computers on other subnets.

Prohibiting deletion of remote access connections

The Prohibit deletion of remote access connections setting determines whether users can delete their private dial-up network connections. By default, only administrators can delete connections available to all users. If you enable this setting, users cannot delete their private dial-up connections, and the Delete option is disabled on the context menu for a dial-up connection and on the File menu in Network Connections. If you disable this setting, users can delete any dial-up connection. For information about using Group Policy to manage user desktops, see Managing Desktops in this book.

Note 

The Prohibit deletion of remote access connections setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Even when the setting in User Configuration is not overridden, that setting applies only to users in the Administrators group.

Ability to change properties of an all user remote access connection

The Ability to change properties of an all user remote access connection setting determines whether a user can view and change the properties of dial-up connections that are available to all users of the computer. This setting also determines whether the Dial-up Connection Properties dialog box is available to users.

If you enable this setting, users can delete shared dial-up connections. If you do not configure this setting, only administrators can delete shared dial-up connections. If you disable this setting, no one can delete shared dial-up connections. By default, users can still delete their private connections, but you can change the default by using this setting.

Also, if you disable this setting, administrators are restricted from changing properties of all user remote access connections the same as any other user.

The Ability to change properties of an all user remote access connection setting overrides settings that remove or disable parts of the Dial-up Connection Properties dialog box, such as those that hide tabs, remove the check boxes for enabling or disabling components, or that disable the Properties button for components that a connection uses. If you disable this setting, it overrides these subsidiary settings.

Prohibit access to the properties of components of a remote access connection

The Prohibit access to the properties of components of a remote access connection setting determines whether users can connect and disconnect dial-up connections.

If you enable this setting, the Connect and Disconnect options on the File menu for dial-up connections are not available to users in the group.

Ability to enable/disable a LAN connection

The Ability to enable/disable a LAN connection setting determines whether users can enable and disable local area network connections.

If you enable this setting, users in the group can enable and disable LAN connections. If you disable it, even administrators are blocked from enabling and disabling LAN connections.

Prohibit access to properties of a LAN connection

The Prohibit access to properties of a LAN connection setting determines whether users can view and change the properties of a LAN connection. It also determines whether the Local Area Connection Properties dialog box is available to users.

If you enable this setting, users cannot open the Local Area Connection Properties dialog box. If you disable or do not configure this setting, the Local Area Connection Properties dialog box is displayed when users right-click the icon representing a local area connection, and then click Properties. The Properties option is also available on the File menu when users select the connection.

Prohibit changing properties of a private remote access connection

The Prohibit changing properties of a private remote access connection setting determines whether users can view and change the properties of their private dial-up connections.

Private connections are available to one user only. Typically, a user can create a private connection on the Connection Availability page in the Network Connection wizard by clicking Only for myself. You can use the Prohibit changing properties of a private remote access connection setting to make the Dial-up Connection Properties dialog box unavailable to users.

If you enable this setting, users cannot open the Local Area Connection Properties dialog box. If you disable or do not configure this setting, the Local Area Connection Properties dialog box is displayed when users right-click the icon representing a local area connection, and then click Properties. The Properties option is also available on the File menu when users select the connection.

Ability to rename all user remote access connections

The Ability to rename all user remote access connections setting determines whether users can rename the dial-up and local area connections available to all users.

If you enable this setting, the Rename option is enabled. Users can rename connections by clicking the icon representing a connection or by using the File menu. If you disable this setting, the Rename option is disabled. This setting has no effect on administrators.

Prohibit renaming of private remote access connections

The Prohibit renaming of private remote access connections setting determines whether users can rename their private dial-up connections.

Private connections are available only to one user. To create a private connection, on the Connection Availability page in the Network Connection wizard, click Only for myself.

Prohibit adding or removing components for a LAN or remote access connection

The Prohibit adding or removing components for a LAN or remote access connection setting determines whether administrators can add and remove network components.

If you enable this setting, the Install and Uninstall buttons for components of connections in Network Connections are disabled. Also, when this setting is enabled, administrators cannot gain access to network components in the Windows Components wizard. If you disable or do not configure this setting, the Install and Uninstall buttons for components of connections are enabled, and administrators can gain access to network components in the Windows Components wizard.

When this setting is disabled, the Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (preceding the button). The Install and Uninstall buttons display when administrators right-click a connection, and then click Properties. These buttons are on the General tab for local area connections and on the Networking tab for dial-up connections.

Tip 

When this setting is disabled, the Windows Components wizard permits administrators to add and remove components. To use the wizard, double-click Add or Remove Programs in Control Panel. To go directly to the network components in the Windows Components wizard, click the Advanced menu in Network Connections, and then click Optional Networking Components.

Prohibit enabling/disabling components of a LAN connection

The Prohibit enabling/disabling components of a LAN connection setting determines whether administrators can enable and disable the components used by local area connections.

If you disable or do not configure this setting, the Properties dialog box for a connection includes a check box for each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. Enabling this setting dims the check boxes for enabling and disabling components. As a result, administrators cannot enable or disable the components that a connection uses.

Prohibit access to properties of components of a LAN connection

The Prohibit access to properties of components of a LAN connection setting determines whether administrators can change the properties of components used by a local area connection.

This setting determines whether the Properties button for components of a local area connection is enabled. If you enable this setting, the Properties button is disabled. If you disable this setting or do not configure it, the Properties button is enabled.

To find the Properties button, right-click the connection, and then click Properties. You then see a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click Properties.

Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.

Prohibit access to the Network Connection wizard

The Prohibit access to the Network Connection wizard setting determines whether users can use the Network Connection wizard, which creates new network connections.

If you disable or do not configure this setting, Make New Connection appears in the Network Connections folder. Clicking Make New Connection starts the Network Connection wizard. If you enable this setting, Make New Connection does not appear. As a result, users cannot start the Network Connection wizard.

Prohibit viewing of status for an active connection

The Prohibit viewing of status for an active connection setting determines whether users can view the Status page for an active connection.

Status displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection.

If you disable or do not configure this setting, Status appears when users double-click an active connection. Also, an option to display Status appears on a menu when users right-click the icon for an active connection, and the option appears on the File menu when users select an active connection. If you enable this setting, Status is disabled, and Status does not appear.

Prohibit access to the Dial-up Preferences item on the Advanced menu

The Prohibit access to the Dial-up Preferences item on the Advanced menu setting determines whether Dial-up Preferences on the Advanced menu in Network Connections is enabled.

If you enable this setting, Dial-up Preferences is disabled. If you disable or do not configure this setting, it is enabled. By default, Dial-up Preferences is enabled.

Dial-up Preferences allows users to configure Autodial and callback features.

Prohibit access to the Advanced Settings item on the Advanced menu

The Prohibit access to the Advanced Settings item on the Advanced menu setting determines whether Advanced Settings on the Advanced menu in Network Connections is enabled.

If you enable this setting, Advanced Settings is disabled. If you disable or do not configure this setting, it is enabled. By default, Advanced Settings is enabled.

By enabling Advanced Settings, an administrator can view and change bindings and the order in which the computer accesses connections, network providers, and print providers.

Prohibit use of Internet connection sharing on your DNS domain network

The Prohibit use of Internet connection sharing on your DNS domain network setting determines whether administrators can enable, disable, and configure the ICS feature of a dial-up connection.

If you enable this setting or do not configure it, the Sharing tab does not appear in the Properties dialog box for a dial-up connection. If you disable this setting, the Sharing tab and the Internet Connection Sharing wizard appear.

This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.

Prohibit TCP/IP advanced configuration

The Prohibit TCP/IP advanced configuration setting determines whether users can use Network Connections to configure TCP/IP, DNS, and WINS settings.

If you enable this setting, the Advanced button on Internet Protocol (TCP/IP) Properties is disabled. As a result, users cannot open Advanced TCP/IP Settings. If you disable this setting, the Advanced button is enabled, and the users can open Advanced TCP/IP Settings and modify IP settings, such as DNS and WINS server information.

Warning 

If either the Prohibit access to properties of a LAN connection setting or the Prohibit access to properties of components of a LAN connection setting is enabled, users cannot gain access to the Advanced button. As a result, this setting is ignored.

If multiple network protocols are installed on your Windows XP Professional based computer, you can determine the binding order of each protocol for each service that uses the protocol.

Note 

Windows Server 2003 Group Policy provides an updated set of configuration settings for Windows XP Professional-based computers. For more information, see the Windows Server 2003 Help and Support Center.




Microsoft Windows XP Professional Resource Kit 2003