Use Windows NT's System Policy Editor to keep users from changing settings

While Windows NT users can typically modify their background, desktop, Start menu, and other preferences, sometimes administrators need to prevent them from making such changes. Find out how you can use NT's System Policy Editor to create a policy to prevent users from changing settings.

Windows NT users can typically change their background, desktop, Start menu, and other preferences whenever they want. However, administrators sometimes need to prevent users from changing these settings, such as on public kiosk and library computers.

In these cases, administrators can lock down the computers by using policies. Windows NT's utility for managing policies is the System Policy Editor (Poledit.exe). System Policy Editor is a graphical tool included with Windows NT 4.0 Server, but you can also install it on Windows NT 4.0 Workstation computers. (Check the \Clients\Svrtools\Winnt folder on the installation CD.)

After running this utility, you have two options: Either create a new policy, or use an existing one. If you choose to create a new policy, you'll see two icons in the working area of System Policy Editor: Default Computer and Default User.

Default Computer represents the settings that the tool will apply to all computers if you don't specify otherwise. Default User is similar to Default Computer, except that the settings apply to users.

Double-clicking one of these icons opens a dialog box that displays these settings, which apply to all users and computers. To specify different settings for some groups of users, go to Edit | Add Group, and select the user group. A new icon will then appear, and you'll be able to change the settings.

In order for the policy to work on your computer, you must save it in the Ntconfig.pol file. Be aware that this particular name is vital; if you choose another name, the tool won't apply the policy to your system.

If you have a domain, you must save the policy in the Netlogon share on the primary domain controller (PDC). If you're unsure of the location of the share, enter net share at the command prompt on the PDC, and it will return the exact path to the Netlogon share on your server. Computers connected to the domain will automatically download the file and apply the settings.

What if you don't have a domain but want to set the policy on the local computer? You can save the file in any folder, but you'll have to modify two registry values. Open the Registry Editor by going to Start | Run and entering regedt32.exe, and navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update

Change the value of UpdateMode to 2, and modify the NetworkPath value to the path of the file (e.g., c:\winnt\ntconfig.pol). If the NetworkPath value doesn't exist, create it manually, and give it a data type of REG_SZ (string value).
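
To confirm that a locked-down machine still has both values set as described, you can audit a text export of the key. The script below is an added example, not part of the original article; it assumes a REGEDIT4-format export (as written by regedit.exe), the sample exports are constructed, and the function names are hypothetical.

```python
import re

UPDATE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update"

# Constructed sample export; UpdateMode is shown as a DWORD (an assumption).
SAMPLE_GOOD = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="c:\\winnt\\ntconfig.pol"
'''
# Constructed export that deviates from the settings in the article.
SAMPLE_BAD = SAMPLE_GOOD.replace("00000002", "00000001").replace("ntconfig.pol", "policy.pol")

def parse_reg(text):
    """Parse REGEDIT4 text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.lower().startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # .reg strings escape backslashes and quotes with a backslash
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def audit_update_key(text):
    """Return a list of findings; an empty list means the key matches the article."""
    values = parse_reg(text).get(UPDATE_KEY.lower())
    if values is None:
        return ["Update key missing"]
    findings = []
    mode = values.get("updatemode")
    if str(mode).strip() != "2":  # accept DWORD or string storage
        findings.append(f"UpdateMode is {mode!r}, expected 2")
    path = values.get("networkpath")
    if not isinstance(path, str) or not path:
        findings.append("NetworkPath missing or not a string")
    elif path.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "ntconfig.pol":
        findings.append(f"NetworkPath file name is not Ntconfig.pol: {path}")
    return findings

if __name__ == "__main__":
    print(audit_update_key(SAMPLE_GOOD), audit_update_key(SAMPLE_BAD))
```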

For more information about Windows NT's System Policy Editor, check out the Microsoft Knowledge Base article Q161334.

Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.
