The Microsoft System Policies for Windows XP

Windows XP Professional supplies several tools for setting policies. The System Policy Editor, which is used to set policy in Windows NT 4, is still included, and may be used, but it is definitely not recommended. Now you use the Active Directory Users and Computers to manage policy. Changes made to policy are made to the registry, either immediately or when a given user or member of an organizational unit logs on, or when the computer starts. Policy is a registry issue, and a complex one at that. Warning Wait a minute-I know I changed that registry entry! With policies, it is possible to "hack," or change, the registry and have the change go nowhere fast. That's right: the policy will be reapplied automatically, wiping out whatever changes you have made to the registry, all without even telling you it is happening! If you ever find your changes mysteriously disappearing, round up the usual suspects, and make sure that policy is high on the suspect list! You can edit policy in a number of different ways:

System Policy Editor This utility, which is becoming obsolete, is retained for compatibility with Windows NT 4. Neither Microsoft nor I recommend that you use the System Policy Editor. Microsoft Management Console (MMC) This program is used to manage many facets of Windows XP. The MMC is able to load whatever functionality you need through the use of a custom extension called a snap-in. With Windows XP Professional, Microsoft provides about 40 different snap-ins to use with the MMC. Windows XP Home Edition provides about 20 different snap-ins to use with the MMC. Active Directory Users and Computers This administrative tool (select Start → Programs → Administrative Tools) allows management of computers, users, groups, domain controllers, and policy. Actually, this is the MMC, using a snap-in to do Active Directory. When you choose to edit policies, the MMC is used with the policy snap-in. Active Directory Site and Services This administrative tool (select Start → Programs → Administrative Tools) allows management of sites (an Active Directory organizational level) and services. Note Each of these Windows XP administrative tools actually uses the MMC as a common interface. And each in turn uses the MMC to edit policy. It's not uncommon to have many copies of the MMC open at the same time. Each of these tools requires that you select certain objects to enable editing of group policies. The next section describes how to use each policy-editing tool.

System Policy Editor

The System Policy Editor is obsolete, retained only for compatibility with NT 4. Neither Microsoft nor I recommend that you use the System Policy Editor if you can possibly avoid using it. To start the System Policy Editor, from the Start menu's Run command, enter poledit and click OK. See "The Microsoft System Policy Editor for Windows NT 4" later in this tutorial for information on how to use the Microsoft System Policy Editor.

Microsoft Management Console (MMC)

The MMC is a "universal" management tool that Microsoft has created to manage Windows XP (Home Edition and Professional). Using the MMC is easy, and since the MMC presents a standardized appearance and operating methods, it will become the preferred tool to use for management. To start the MMC, from the Start menu's Run command, enter MMC and click OK. Once started, the MMC is able to load whatever functionality is needed. Group Policy not yet installed in the MMC? That's easy to fix; just follow these simple steps: 1. Start the MMC. In addition to using the Run command as described above, you can also type MMC at a command prompt. 2. In the File menu, select Add/Remove Snap-In .

3. In the Add/Remove Snap-In dialog box, select the Standalone tab. Make sure that Console Root is displayed in the Snap-Ins Added To list box, and then click Add. The Add Standalone Snap-In dialog box opens. 4. In the Add Standalone Snap-In dialog box, select Group Policy.Scroll through the list as necessary. Click the Add button to start the Group Policy Wizard.

5. In the Select Group Policy Object window, select Local Computer for the Group Policy Object. Then click Finish.

6. Click Close in the Add Standalone Snap-In dialog box, and click OK in the Add/Remove Snap-In dialog box. Using the MMC to manage group policy is easy! First, it is trivial to create an MMC console file that is configured to display a given GPO policy object. Just follow these steps: 1. Open the administrative tool Active Directory Users and Computers. 2. Right-click the organizational unit that uses the policy to be edited to display its context menu. If you're creating a new policy, select the organizational unit that will use the policy once it is created. If creating policy for a domain, select the domain.

3. Select Properties from the context menu, or select Properties from the Action menu. In, I selected the Browser Title and then displayed the properties.

4. In the Properties dialog box for the object (display this by double-clicking on the object-Browser Title in this example), make changes as desired. Notice that each object's Properties dialog box is different, and that most have substantial prompting to allow you to easily change the object. 5. Now for the hard part. To create an MMC configuration file (these files have an extension of .msc), select File → Save As. Enter a new filename when prompted (I used the name Group Policies.msc). Click Save to save this file. You can save the .msc file in Administrative Tools, on the Desktop, or on any drive you'd like. Well, now you have created your policy MMC configuration file; next is what to do with it. (Actually, you have probably saved a bunch of MMC configuration files-one for each group policy object.) My recommendation is to create a folder to hold these files, maybe called Policy. Then create a second folder under Administrative Tools, again called Policy. Then place shortcuts to each of the MMC configuration files in this folder. This will give you oneclick access to each group policy object.

Active Directory Users and Computers

The Active Directory Users and Computers administrative MMC tool allows you to manage computers, users, groups, domain controllers, and policy. To view the Group Policies properties tab, select a computer domain or an organizational unit, and then select Properties in either the context menu or the Action menu.

Setting Policy for a User

To set policy for a given user, you need the user, an organizational unit to assign the user to, and a policy to apply to the organizational unit. For example, I have students, and some students are seniors (and seniors are much more responsible than freshmen!). This creates two levels of organization. Your organization may have more (or fewer) levels of organization, but the process is similar. In this example, I'll set policy for one student, Marie Theplama, who is a senior. If I haven't yet set up any policies, then to apply the global policy object to Marie Theplama, I must do the following:

1. I first create an organizational unit called Students.

2. I display the properties for the Students organizational unit, and click the Group Policy tab.

3. I click the New button to create a new policy. The policy is created, and I am placed into rename mode to name the new global policy object.

4. I select the new global policy object and click the Edit button to change whatever policies are applicable.

5. I repeat steps 1 through 3 to create another organizational unit under Students named Seniors.

6. After creating Seniors, I select Properties, and on the Group Policy tab I click New to create a New Group Policy Object.

7. I select the new global policy object and click the Edit button to change whatever policies are applicable so that seniors have appropriate privileges and policies.

8. I then create Freshmen, Sophomores, and Juniors organizational units and global policy objects in the same manner.

9. I create a user for Marie Theplama. She's a senior; nothing else is special about her. I create her user under the organizational unit Seniors. Setting Policy for a Computer To set policy for a given computer, the process is very similar to the process for users, above. You need to create a computer record, an organizational unit to assign the computer to, and a policy to apply to the organizational unit. Here at DarkStar, computers are named after famous science fiction characters. One computer is called Pixel (who is a cat that can walk through walls); another computer is named Lazarus. Just like for users, computers need their own organizational unit. For this example, I'll use Students for the computers that will be accessible to and used by students. Note A computer's organizational unit is no different than an organizational unit for a user; in fact the same organizational unit could be used for both if appropriate. I create a computer under Students for Lazarus. Once created, as a computer, I can set a description, assign membership into security groups and organizational units, and specify the computer's location and who is responsible for this computer. I can assign membership to the Students organizational unit, any other applicable organizational units, and security groups. Just like with users, you have a lot of latitude when configuring computers. While users are typically assigned to organizational units based on the administrative hierarchy of the organization, computers are often assigned based on physical location, or how they are to be used.

The Microsoft System Policy Editor for Windows NT 4

The System Policy Editor is a tool that allows users to set policy. Even though it is intended for Windows NT 4, it comes as "standard equipment" in Windows XP. As I mentioned earlier in this tutorial, I don't recommend that you use the System Policy Editor to set policy in Windows XP. Microsoft included it only for compatibility with Windows NT. That said, if you do work with Windows NT systems, read on. Many of the changes made by the System Policy Editor are to the registry, so although the System Policy Editor is not thought of as a registry tool, I'll document it here anyway. Actually, modifying the Windows NT 4 registry using the System Policy Editor is a wise move-it will validate your changes, preventing you from doing something that may have seemed logical to you, but actually is not.

With the System Policy Editor, the Local Computer entry should display eight items, all applicable to a Windows NT system. For a Local User, the Properties dialog box should have six items. In both cases, the items displayed are unique; there is no overlap. You can use the System Policy Editor for Windows 95/98/Me clients, enabling some remote administration of these machines. However, the System Policy Editor has not been well tested on these three platforms.