Server enforced System Policies (POLEDIT)

by Johannes Helmig [Published on 9 Oct. 1999 / Last Updated on 9 Oct. 1999]

System administrators who have to look after a large network configuration are confronted with some challenges:

- workload to keep the connected systems running, despite the attempts of the users to reconfigure (= "screw up") the configuration of their systems
- security concerns: ensure that the network is secure against any illegal dial-in/connection from the outside (example: no permission for "File and printer sharing"; enforce the use of usernames and passwords for Windows startup)

This requires that the system administrator(s) impose some limitations on the users. This could be done by installing and using POLEDIT on each PC to define the restrictions, which would be a big workload.


This workload can be avoided by using "System Policies", which are supported by Windows95/98 and Windows NT:
On the network server, a file (called "CONFIG.POL") is stored with update information (containing the restrictions), which is loaded into the local Registry during the network login process (updating the Registry).
For full details, see the Windows95/98 Resource Kit information:


The update of the local Registry is done during the network logon to a Novell NetWare server or to a Windows NT domain server:


To enable the "Microsoft Network Client for Microsoft Networks" to locate this file on a Windows NT domain server, it MUST be stored in:
\\<primaryDomainController>\NETLOGON\CONFIG.POL

To enable the "Microsoft Network Client for NetWare Networks" to locate this file on a Novell NetWare server, it MUST be stored in:
\\<preferredServer>\SYS\PUBLIC\CONFIG.POL


To create the file CONFIG.POL, use a Windows95/98 system, install and run POLEDIT, then select from the menu: File / New File:

It displays the 2 parts of the Registry:
- USER.DAT as "Local User"
- SYSTEM.DAT as "Local Computer"
In this example, we double-click on "Local Computer":

To enforce the login to the network, open the key "Network", then "Logon", and put a checkmark on:
"Require Validation by Network for Windows Access"


When creating POL files for downloading to a local Registry, there are now THREE possible states of a check-box:

- Grayed: on downloading to a local Registry, the current value will NOT be changed.
- Not checked: on downloading to a local Registry, the value in the local Registry will be unchecked (overwriting the previous value).
- Checked: on downloading to a local Registry, the value in the local Registry will be checked (overwriting the previous value).

In this example: activate a Login Banner message.


You could also apply limitations on the user's ability to configure his display:
- no fancy background pictures
- no fancy screen savers
- no changing of colors and font size

Be careful with "Disable Registry editing tools":
it will prevent the user from using REGEDIT or POLEDIT to view/modify his Registry, but then the ONLY remaining way to edit the Registry is the download of a System Policy from the network server!


Once all changes are made, you need to save the information by selecting from the menu: File / Save As...:

In this example, I store it directly onto a network drive:


On a Windows NT Server, the network resource "NETLOGON" is equivalent to the directory \WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS.
Copy the file CONFIG.POL to this directory (it must be visible from a Windows95/98 client when browsing the network resource NETLOGON):


The transfer of the information inside CONFIG.POL will happen during the next network login (so for this example: the next login is NOT yet protected against selecting the button "Cancel", but all following logins are).


Deleting CONFIG.POL will NOT undo the changes already downloaded to the Registry on the local system. To revert them, you either have to edit the local Registry with POLEDIT or create a CONFIG.POL with an inverted selection.
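The three check-box states, the one-logon delay before "Cancel" is blocked, and the fact that deleting CONFIG.POL undoes nothing all follow from one merge rule: grayed entries are skipped, checked and unchecked entries overwrite. The following Python model replays that rule over the sequence described above. It is an added example, not part of the original article and not Microsoft's POLEDIT code; the setting names (RequireValidation, LoginBanner, DisableRegistryTools, DisableWallpaperChange) and the sample values are constructed placeholders, not real Registry keys.

```python
# Added example (not from the original article, not Microsoft's POLEDIT code):
# a model of how the three check-box states of a CONFIG.POL are merged into
# the local Registry at network logon. Setting names and values below are
# constructed placeholders standing in for real Registry policy keys.
from enum import Enum
from typing import Optional


class PolicyState(Enum):
    """The three possible states of a check-box in a POL file."""
    GRAYED = "grayed"        # do not touch the local value
    UNCHECKED = "unchecked"  # overwrite the local value with 'off'
    CHECKED = "checked"      # overwrite the local value with 'on'


def apply_policy(local_registry: dict, policy: dict) -> dict:
    """Return a copy of the local Registry with a CONFIG.POL merged in.

    Grayed entries are skipped, so whatever the local value was survives.
    Checked / unchecked entries overwrite the local value, regardless of
    what it was before.
    """
    merged = dict(local_registry)
    for setting, state in policy.items():
        if state is PolicyState.GRAYED:
            continue
        merged[setting] = state is PolicyState.CHECKED
    return merged


def invert_policy(policy: dict) -> dict:
    """Build the 'inverted selection' CONFIG.POL needed to switch settings back.

    Checked becomes unchecked and vice versa; grayed stays grayed. This can
    only force each value off (or on); it cannot restore whatever the client
    had before the first policy download, because that value is not recorded.
    """
    flip = {
        PolicyState.CHECKED: PolicyState.UNCHECKED,
        PolicyState.UNCHECKED: PolicyState.CHECKED,
        PolicyState.GRAYED: PolicyState.GRAYED,
    }
    return {setting: flip[state] for setting, state in policy.items()}


def logon(local_registry: dict, policy_on_server: Optional[dict]) -> tuple:
    """One network logon.

    The logon dialog is governed by the Registry as it is *before* the policy
    download; only afterwards is CONFIG.POL (if the server still has one)
    merged in. Returns (cancel_button_allowed, registry_after_logon).
    """
    cancel_allowed = not local_registry.get("RequireValidation", False)
    after = apply_policy(local_registry, policy_on_server or {})
    return cancel_allowed, after


# Constructed sample: a client as installed, and the policy built in the article.
FRESH_CLIENT = {
    "RequireValidation": False,    # "Require Validation by Network for Windows Access"
    "LoginBanner": False,
    "DisableRegistryTools": True,  # an admin already set this one by hand
    "DisableWallpaperChange": True,
}

SERVER_POLICY = {
    "RequireValidation": PolicyState.CHECKED,
    "LoginBanner": PolicyState.CHECKED,
    "DisableRegistryTools": PolicyState.GRAYED,       # leave as found
    "DisableWallpaperChange": PolicyState.UNCHECKED,  # explicitly switch off
}


def walk_through() -> dict:
    """Replay the sequence the article describes and return each stage."""
    # First logon after CONFIG.POL appears: Cancel still works, policy lands.
    cancel1, reg1 = logon(FRESH_CLIENT, SERVER_POLICY)
    # Second logon: the downloaded value now refuses Cancel.
    cancel2, reg2 = logon(reg1, SERVER_POLICY)
    # Administrator deletes CONFIG.POL: nothing is pushed, nothing reverts.
    _cancel3, reg3 = logon(reg2, None)
    # Only an inverted CONFIG.POL switches the settings back off.
    _cancel4, reg4 = logon(reg3, invert_policy(SERVER_POLICY))
    return {
        "first_logon_cancel_allowed": cancel1,
        "after_first_logon": reg1,
        "second_logon_cancel_allowed": cancel2,
        "after_pol_deleted": reg3,
        "after_inverted_pol": reg4,
    }


if __name__ == "__main__":
    for stage, value in walk_through().items():
        print(stage, value)
```

Running the script prints each stage; the grayed "DisableRegistryTools" keeps its locally set value throughout, the deleted-policy stage is identical to the one before it, and only the inverted policy turns "RequireValidation" off again.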
