Server enforced System Policies (POLEDIT)
System administrators who have to take care of a large
network configuration are confronted with some challenges:
This requires that the system administrator(s) impose some limitations
on the users. This could be done by installing and using POLEDIT on
each PC to define the restrictions, which would be a big workload.
This workload can be avoided by using "System Policies", which are
supported by Windows95/98 and Windows NT:
On the network server, a file (called "CONFIG.POL") is stored with UPDATE
information (containing the restrictions), which is loaded into
the local Registry during the Network Login process (updating the
Registry). For full details, see the Windows95/98
Resource Kit Information.

The update of the local registry is done during the Network Logon
to a Novell-Netware server or to a Windows-NT Domain server:

To enable the "Microsoft Network Client for Microsoft
Networks" to locate this file on a Windows NT-Domain Server,
it MUST be stored in:
\\<primaryDomainController>\NETLOGON\CONFIG.POL
To enable the "Microsoft Network Client for Netware
Networks" to locate this file on a Novell-Netware server, it
MUST be stored in:
\\<preferredServer>\SYS\PUBLIC\CONFIG.POL
To create the file CONFIG.POL, use a
Windows95/98 system and install/run POLEDIT, then select from the
menu: File / New File:

It displays the 2 parts of the Registry:
- USER.DAT as "Local user"
- SYSTEM.DAT as "Local Computer"
In this example, we double-click on "Local Computer":

To enforce the Login to the Network, open the key: "Network",
then "Logon" and put a checkmark on:
"Require Validation by Network for Windows Access"

When creating POL-files for downloading to a local Registry,
there are now THREE possible states of a Check-Box:
- Grayed: On downloading to a Local Registry, the current value
  will NOT be changed.
- Not Checked: On downloading to a Local Registry, the value in the
  Local Registry will be unchecked (overwriting the previous value).
- Checked: On downloading to a Local Registry, the value in the
  Local Registry will be checked (overwriting the previous value).
  In this example: activate a Login Banner message.
You could also limit the user's ability to configure his
display:
- no fancy Background pictures
- no fancy Screen Savers
- no changing of colors and font size

Be careful with "Disabling Registry editing tools":
it will prevent the user from using REGEDIT or POLEDIT to
view/modify his registry, but then the ONLY possibility to edit the
registry is the download as a System Policy from the network server!
Once all changes are made, you need to save the information by
selecting from the menu: File / Save As..:

In this example, I store it directly onto a Network drive:

On a WindowsNT Server, the Network-resource "NETLOGON"
is equivalent to the directory: \WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS.
Copy the file CONFIG.POL to this directory (it
must be visible from a Windows95/98 client when browsing the
network-resource NETLOGON):

The transfer of the information inside CONFIG.POL will happen
during the next Network-Login (so for this example: the next Login is NOT yet
protected against selecting the button "Cancel", but
all following Logins are).
Deleting the CONFIG.POL will NOT undo the
changes downloaded to the Registries on the local system. To
revert changes, you will either have to edit the local Registry
with POLEDIT or you need to create a CONFIG.POL with an inverted
selection.
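
The three check-box states and the effect of deleting CONFIG.POL, as an added example (not part of the original page and not Microsoft's code). It is a simplified model: the setting names are the check-box captions used above, not real Registry value names, and the dictionary layout is an assumption.

```python
# Added illustration: a simplified model of how a downloaded policy file
# updates a local Registry. Setting names are the check-box captions from
# the text, not real Registry value names; the dict layout is an assumption.

GRAYED = None      # leave the local value untouched
UNCHECKED = False  # overwrite the local value with "unchecked"
CHECKED = True     # overwrite the local value with "checked"


def apply_policy(registry, policy):
    """Local registry after one login; policy is None if no CONFIG.POL exists."""
    updated = dict(registry)
    if policy is None:
        return updated  # nothing downloaded, nothing changed
    for setting, state in policy.items():
        if state is GRAYED:
            continue  # grayed: current local value is NOT changed
        updated[setting] = state  # checked/unchecked: overwrite
    return updated


def inverted(policy):
    """Build the 'inverted selection' policy used to revert a download."""
    return {s: (GRAYED if v is GRAYED else not v) for s, v in policy.items()}


def demo():
    local = {
        "Require Validation by Network for Windows Access": False,
        "Login Banner": False,
        "Disable Registry editing tools": False,
    }
    policy = {
        "Require Validation by Network for Windows Access": CHECKED,
        "Login Banner": CHECKED,
        "Disable Registry editing tools": GRAYED,
    }
    after_login = apply_policy(local, policy)
    # CONFIG.POL deleted from the server: next login downloads nothing.
    after_delete = apply_policy(after_login, None)
    # CONFIG.POL replaced by the inverted selection: values are overwritten.
    after_revert = apply_policy(after_delete, inverted(policy))
    return after_login, after_delete, after_revert


if __name__ == "__main__":
    for label, state in zip(("login", "deleted", "inverted"), demo()):
        print(label, state)
```

The inverted file only restores the original state for settings whose local value was the opposite of what the first policy set; grayed entries are left alone in both directions.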