Server Operating System ® White Paper Guide to Microsoft® Windows NT® 4.
© 1997 Microsoft Corporation. All rights reserved. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only.
Abstract This guide provides information and procedures for implementing Microsoft® Windows NT® 4.0 Profiles and Policies on client workstations and servers. A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user’s environment and preference settings. A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual.
CONTENTS
Introduction
  TCO and the User Profiles, Policies, and the Zero Administration Kit
  What are User Profiles and System Policies?
  Before You Begin
  Key Terminology
  Technical Notes
Establishing User Profiles – An Overview
  Upgrading Windows NT 3.5x Mandatory Profiles to Windows NT 4.0 Mandatory Profiles
  Extracting a User Profile for Use on Another Domain or Machine
  Creating Profiles Without User-Specific Connections
  Troubleshooting User Profiles with the UserEnv.log File
System Policy – An Introduction
  System Policy Files
  Policy Replication
  How Policies Are Applied
  Additional Implementation Considerations
The System Policy Editor
  Start Menu Shut Down Command
  Saved Settings
  Registry Editing Tools
  Windows Applications Restrictions
  Custom Programs
  Custom Desktop Icons
  Start Menu Subfolders
  Custom Startup Folder
  Custom Network Neighborhood
  Custom Start Menu
  Shell Extensions
  Explorer File Menu
  Start Menu Common Program Groups
  Taskbar Context Menus
  Explorer Context Menu
  Network Connections
  Explorer Context Menu
  Autoexec.
  Extended Characters in 8.3 File Names
  Read Only Files – Last Access Time
  Cached Roaming Profiles
  Slow Network Detection
  Slow Network Timeout
  Dialog Box Timeout
Registry Entries Not Included in the System Policy Editor
  Autorun
  Start Banner
For More Information
Appendix A – Flowcharts
INTRODUCTION
Not too many years ago, information technology professionals faced a serious challenge in controlling the mounting costs of mainframe use. It seemed that everyone—clerks, writers, developers, and systems administrators—all had terminals and were using the system for everything from numbers crunching to typing letters. Networks became bogged down, and IT professionals were given the task of getting “nonessential operations” off the mainframe.
bilities of Windows NT 4.0, and as such these techniques can readily be adapted to accommodate a corporation’s specific computing requirements. In the near future, you will see additional TCO-reducing features appear in Microsoft Windows® 98, Windows NT 5.0, and Microsoft Systems Management Server. Central to these features is the idea of centralized desktop control. This is accomplished through User Profiles and System Policies—the subject of this paper.
Key Terminology
Directory Replication
The copying of a master set of directories from a server (called the export server) to specified servers or workstations (called import computers) in the same or other domains. Replication simplifies the task of maintaining identical sets of directories and files on multiple computers, because only a single master copy of the data is maintained. Files are replicated when they are added to an export directory and each time a change is saved to one of the exported files.
from any computer. A user who has a roaming profile can log on to any computer for which that profile is valid and access the profile. (Note that a profile is only valid on the platform for which it was created—for example, a Windows NT 4.0 profile cannot be used on a Windows 95 computer.)
Roaming User
A roaming user is a user who logs on to the network from different computers at different times. This type of user may use a kiosk or may share a bank of computers with other users.
ESTABLISHING USER PROFILES – AN OVERVIEW
A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user’s environment and preference settings. A User Profile can be local, roaming, or mandatory. A local profile is specific to a given computer. A user who creates a local profile on a particular computer can gain access to that profile only while logged on to that computer.
settings, and portions of the registry can be saved as files, called hives. These hives can then be reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile functionality. The User Profile registry hive is the NTuser.dat in file form, and is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on. The NTuser.dat hive maintains the user’s environment preferences when the user is logged on.
Windows NT 4.0 and Windows 95 User Profile Differences
Windows 95 Profiles are very similar in behavior to Windows NT 4.0 Profiles, but there are some differences. Unlike Windows NT 4.0, Windows 95 downloads and writes User Profiles to the user’s home directory. When the Windows 95 user first logs on, the UNC path specified in the user account’s home directory path is checked for the Windows 95 User Profile. You can modify this behavior, however. See the Windows 95 Resource Kit for more information.
home directory (or other specified directory if the location has been modified) on the server for the User Profile. If a profile exists in both locations, the newer of the two is used. If the User Profile exists on the server, but does not exist on the local machine, the profile on the server is downloaded and used. If the User Profile only exists on the local machine, that copy is used.
NOTE: Directories containing roaming User Profiles need at least Add and Read permissions for profiles to be read correctly. With Add permissions only, the check that Windows NT makes for the existence of the profile fails, because Windows NT looks for the path first and cannot do so without Read rights. Permissions are also important on a client machine where the user is logging on interactively.
client needs is the correct path. Note that storing profiles on a Windows NT 4.0 Server makes it easier for the administrator to open a user’s NTuser.dat file to make any necessary modifications. You can also store User Profiles on Novell Servers provided that the client is configured correctly and can access the profile path. If a client is not receiving a User Profile at logon, use the Start menu Run command to check the profile path.
3. Delete the network connection and reconnect. Working Around Slow Network Links Slow Net (which is configured in System Policy) was designed to offer a user faster access to his or her User Profile if the system detects a slower network speed, such as a modem line connection. Instead of automatically downloading a profile that may be several hundred kilobytes to several megabytes large, Slow Net gives the user the option of either downloading the profile or using the locally cached version.
CREATING AND MAINTAINING USER PROFILES
Creating a New Roaming User Profile for Windows NT 4.0
To create a new roaming User Profile, you must first determine where the user’s profile will be stored. You then must create a user account (if one doesn’t already exist), and specify a User Profile path. Finally, you must specify whether a given user will use a specific profile or can use a default profile. These procedures are described below. To create a new roaming user profile: 1. 2. 3. 4. 5. 6. 7.
8. 9. Place the template profile in the appropriate location for the type of profile distribution that will be used. (The template profile, including customizations, is stored initially in %systemroot%\Profiles\TemplateUser.) • If the template profile will be distributed manually to multiple users: a) Create a directory where the template profile will be stored for distribution to each user account created.
10. Copy the profile appropriate to your implementation. • To copy an existing user’s profile to another user: a) From the Windows NT-based machine hosting the profile to be used, log on as an administrator. b) From the Control Panel, click System. On the User Profiles page, select the profile to be copied and use the Copy To option to enter the path of the directory you created in Step 9. c) Modify the permissions to reflect the proper account.
Once the above steps are completed, the user receives the appropriate profile as follows:
• If the user is to receive the Default User profile from a Windows NT 4.0-based workstation, the workstation’s default profile is used when the user first logs on. When the user logs off, the profile is automatically written to the local cache and to the server-based profile.
6. 7. 8. 9. 10. 11. 12. 13. called TemplateUser. Using the template account (TemplateUser), log on to the local machine or domain. A new directory with the same name as the user name created in Step 2 will be created in the %systemroot%\Profiles directory when you first log on. For example, if the user name is TemplateUser, the resulting directory name will be %systemroot%\Profiles\TemplateUser.
NOTES: • When entering the path to the target directory, you can use universal naming convention (UNC) names. However, if you are going to use the Browse function to locate the target directory for the profile, it is important that you first map a drive to the \\server\share where the profile will be stored. • The mydomainuser name shown in Step 2 does not have to be the user’s name. Many user accounts or groups can be configured to point to the same profile.
Be cautious if you use the Explorer interface to make these changes. If you have the “Hide file extensions for known file types” option enabled (this is the default), be sure to check the properties to be sure that there are not two extensions. For example, say you want to make a profile mandatory and you use Explorer to rename the NTuser.dat file name to NTuser.man. Because of the Hide extensions default, Explorer saves the file as type .man, but does not display the .man extension.
Creating a New Roaming User Profile for a Windows 95 User If you have Windows 95 users in your domain, you can create roaming user profiles for them as well. To create a roaming user profile for a Windows 95 user 1. 2. 3. 4. 5. On the client Windows 95-based computer, start Control Panel, and select Passwords. From the User Profiles property page, enable the option that allows users to have individual profiles, and set the Primary Network Logon to Client for Microsoft Networks.
Creating a New Mandatory User Profile for Windows 95 If you have Windows 95 users in your domain, you can create new mandatory user profiles. To create a mandatory user profile for a Windows 95 user: 1. 2. 3. 4. 5. On the client Windows 95-based computer, start Control Panel, and select Passwords. From the User Profiles property page, enable the option that allows users to have individual profiles, and set the Primary Network Logon to Client for Microsoft Networks. Reboot the client machine.
System Policy Editor, provides even greater functionality than Windows NT 3.5x delivered. Some of the features of System Properties are described next. NOTE: In Windows NT 3.5x, you used the User Profile Editor to modify User Profile properties. In Windows NT 4.0, this tool has been replaced by a combination of the User Profile structure and System Policies. User Profile Editor is not included in the Windows NT 4.0 package.
button. This deletes the User Profile on the local machine, but it does not delete the associated User Account. Note that sometimes the phrase “Account Deleted” is present in the list of profiles. These are accounts that were deleted from the User Account Database, but whose profiles still exist on the local computer. If you need to delete profiles on remote computers, the Delprof.exe utility available in the Windows NT Server Resource Kit, version 4.0, provides this functionality. Windows NT 4.
the User Profile (local or roaming) is read when he or she logs on. (Note that the user can do this interactively while logged on.) Users do not need administrative privileges to change which profile is used if the profile is not a mandatory profile. Valid profile types are:
• Local Profile—A local profile is maintained on the local computer. This option allows the user to specify that the once “roaming” profile is now “local” to this machine.
3. will open to the profile directory used by that account. If you don’t know when the user last logged on, look for the NTuser.dat file with a time and date stamp that matches the Modified date displayed in the User Profiles property page. Copying Profiles Use the User Profiles Copy To button to copy existing profiles from the local machine to another profile directory on the same machine or to a remote server where server-based User Profiles are stored.
Viewing the Contents of the Profiles Directory on a Local Computer All locally cached versions of User Profiles are stored in the profiles subdirectory of the Windows NT root directory. The profiles subdirectory maintains each user’s profile separately by generating a specific directory for each user. Within that directory, the registry hive, NTuser.dat, and the rest of the profile structure folders are kept.
You may notice that in a given user’s profile directory, there are more files and directories than those listed in the example above. This may be due to the files and directories created by the user. For example, when the user logs on, if the server-based profile is found to be more recent than the one on the local computer, the entire contents of the User Profile path is copied to the client workstation and is then written back to the server when the user logs off.
at remote workstations. The All Users profile is workstation-specific and contains the common groups for just that computer. If you want to specify programs, shortcuts, or directories to be used by everyone who logs on to a specific workstation, you should place these in the All Users profile directory.
multiple users with the account name John Smith log on to the computer, the first John Smith is assigned a folder named JohnSmith. Subsequent users with the same name are assigned folders named JohnSmith with a numerical suffix appended, for example JohnSmith.000, JohnSmith.001, and so forth.
6. 7. 8. process. For this reason, we recommend that you use the user name. Click Enter. This adds the profile registry hive as a subkey to HKEY_USERS, as shown in the illustration below. Edit the existing values as necessary. After completing the changes, highlight the root of the user’s profile registry key, and from the Registry menu, select Unload Hive. This saves the changes to the user’s profile. (When you first selected Load Hive, the key was mapped to the file selected in the Open dialog.
Upgrading Windows NT 3.5x Server-based Profiles to Windows NT 4.0 Roaming Profiles When you upgrade Windows NT 3.5x roaming profiles (.usr profiles), you do not need to change anything in the profile path configured in the user account. When the user logs on to a Windows NT 4.0-based machine and the profile is found to be a Windows NT 3.5x profile, a process automatically looks for the equivalent Windows NT 4.0 profile. If the profile isn’t found, a conversion process creates a new Windows NT 4.
When you upgrade a Windows NT 3.5x mandatory profile, the profile path does not need to be modified. However, you will need to create a new mandatory profile with the same desired settings. To create the mandatory profile, you can remove the mandatory extension from the old profile and force a conversion, or you can create the new profile from a template. Both procedures are explained below. To create a mandatory profile from the old profile: 1. 2. 3. 4. 5. 6. Replace the .
If a profile has permissions that differ from those needed by the user (for example, if the profile was created for a user on a different domain), the profile permissions must be changed to function correctly. As an example, suppose you have a Windows NT-based workstation that you would like to have join the domain, but you want the user to be able to retain his or her profile settings. The Windows NT-based workstation is currently a part of the WORKER workgroup and will be joining the domain BIGDOMAIN.
nection, those credentials are also stored here. Note that this includes only the domain and user account name; the password is not included. When the user receives this profile and logs on, Windows NT attempts to reconnect the drive, but the alternate credentials are sent rather than those of the logged on user. Note that if the UserName value contains a blank string, the credentials of the logged on user are sent (which is the desired behavior in this case).
Sample Log
=========================================================
LoadUserProfile. : Entering, hToken = <0xac>, lpProfileInfo = 0x12f4f4
LoadUserProfile: lpProfileInfo->dwFlags = <0x2>
LoadUserProfile: lpProfileInfo->lpUserName =
LoadUserProfile: NULL central profile path
LoadUserProfile: lpProfileInfo->lpDefaultPath = <\\DfsES\netlogon\Default User>
LoadUserProfile: lpProfileInfo->lpServerName = <\\DfsES>
LoadUserProfile: lpProfileInfo->lpPolicyPath = <\\DfsES\netlogon\ntconfig.
SYSTEM POLICY – AN INTRODUCTION
A System Policy is a set of registry settings that defines the computer resources available to an individual or to a group of users. Policies define the various facets of the desktop environment that a system administrator needs to control, such as which applications are available, which applications appear on the user’s desktop, which applications and options appear in the Start menu, who can change their desktops and who cannot, and so forth.
this change must be made individually to each workstation. When a user of a Windows NT 4.0-based workstation logs on, if the Windows NT 4.0-based machine is working in Automatic mode (which is the default), the workstation checks the NETLOGON share on the validating domain controller (DC) for the NTconfig.pol file. If the workstation finds the file, it downloads it, parses it for the user, group, and computer policy data, and applies it if appropriate.
e applied to the HKEY_CURRENT_USER key in the registry. NOTE: If a setting is ignored (gray) in the group settings, but the same setting is marked as enabled or disabled in the Default User settings, the Default User settings are used. The Default User settings take precedence over only those settings that are ignored in the group settings.
• If the policy file includes settings for the specific computer name, these are applied to the HKEY_LOCAL_MACHINE registry key.
• What type of restrictions do you want to impose on users? • Will users be allowed to access locally installed common group applications, or will these be overridden by administrator-defined program groups, desktop icons, Start menu programs, and so forth? • What other options are available if you simply want to restrict access to a specific icon or file? Would modifying NTFS permissions be more effective? • Will you be controlling computer-specific settings only, and not user settings? If after considerin
THE SYSTEM POLICY EDITOR
The System Policy Editor is a graphical tool that allows you to easily update the registry settings to implement a System Policy. The System Policy Editor is included with Windows NT Server 4.0, but you can install it on Windows NT Workstation-based machines and on Windows 95-based machines as well. Note that a policy file is valid only for the platform on which it was created. For example, if you run Poledit.
4. Browse to locate the directory x:\Admin\Apptools\Poledit\ (where x is drive A through Z) on the Windows 95 compact disc. 5. Select both Group Policies and the System Policy Editor, and then click OK to Install. It is important that you run the setup program as described above. Undesirable results will occur if you merely copy the Policy Editor and related files to the Windows 95-based computer. To install the System Policy Editor from a Windows NT 4.0 Server: 1. 2. 3. Copy the Poledit.
Your Own Custom .Adm File,” later in this document. NOTE: The option to Add or Remove will be grayed out if there is a policy file currently open. Close the file in use and then change the template configuration.
Configuring Policy Settings
The configuration options available to you fall into a tree structure, which is determined by the layout of the .adm file. By navigating through these options, you can select a mode that determines the action that will be taken when the policy file is applied.
• If the box is cleared, the policy is not implemented, and if the settings were previously implemented, they are removed from the registry. • If the box is grayed, the setting is ignored and unchanged from the last time the user logged on. Windows NT does not modify this setting. The grayed state ensures that Windows NT provides quick processing at system startup because it does not need to process each entry every time a user logs on.
2. 3. tem Policy Editor. From the File menu, click New Policy. The Default Computer and Default User icons will be displayed. Click the user, computer, or group to be modified. NOTES: If you need to add a user, group, or computer, you can copy and paste the settings without having to manually go through each of the entries and make selections.
Creating Alternate Folder Paths
You may need to create shared folders for groups of users who need a common set of tools and shortcuts. Windows NT 4.0 System Policies allow you to create such shared folders. To create shared folders and alternate folder paths: 1. 2. 3. 4. 5. On a specific server, create a folder that contains shortcuts to network applications or to locally installed programs.
3. 4. \Policies \Explorer Add the following DWORD value by clicking Edit, New, DWORD value: LinkResolveIgnoreLinkInfo Once entered, double-click this value and set the Value data to 1. Deploying Policies for Windows NT 4.0 Machines By default, a Windows NT 4.0-based workstation checks the NETLOGON share of the validating domain controller for the user’s logon domain. It is therefore critically important that replication of the NTconfig.
3. 4. In the Update mode box, select Manual (use specific path). In the Path for manual update box, type the UNC path and file name for the policy file. 5. Click OK to save your changes. The first time the workstation is modified locally via the System Policy Editor or receives a default System Policy file from the NETLOGON share of a domain controller, this location is written to the registry. Thereafter, all future policy updates use the location you specified manually.
Modifying Policy Settings on Stand-Alone Workstations If you need to modify settings of a Windows NT 4.0-based workstation user who is not a member of the domain and thus will not be able to use the policy file located on the domain, you have three options available to you: • You can create a policy file for stand-alone workstations where users log on locally, or • You can change policy settings remotely, or • You can change policy settings locally. Procedures for each option are described next.
3. 4. 5. user for whom the changes will apply. If the user is not currently logged on, click Cancel. (The user must be logged on for the changes to take effect.) If the user is logged on, click OK. The icons Local Computer and Local User will be displayed. Modify these just as you would modify a normal policy file. Save your changes. The next time the user logs on, the changes made to the computer and the user settings will be in effect on the remote machine. To change policy settings locally: 1.
3. 4. 5. 6. 7. These are the only two classes that are valid within the System Policy Editor. The System Policy Editor checks the syntax of each .adm file when the files are loaded, and displays a message if any errors are found. Choose the CLASS in which you want your custom entries to appear. Create categories by using the keyword CATEGORY followed by a space and !!variable. The System Policy Editor requires that anything preceded by !! must have a string defined in the [strings] section of the .
option is selected within the lower pane of the System Policy Editor (see the discussion of PART and the code example below). If not specified otherwise, the value will be written in the following format when any administrator checks or unchecks the option:
Checked: REG_DWORD with a value of 1
Unchecked: Removes the value completely
Other options can specify what the user selects from and what gets written to the registry.
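The template rules described above can be checked before a custom .adm file is loaded. The following Python code is an added example, not part of the white paper and not Microsoft code: it flags a CLASS other than MACHINE or USER, any !!variable with no entry in [strings], and unbalanced CATEGORY, POLICY or PART blocks. The sample template is constructed, its KEYNAME path is hypothetical, and comparing string names exactly as written is an assumption.

```python
import re

# Constructed sample template (not from the white paper). The KEYNAME path
# is hypothetical, and !!MissingTip is deliberately left undefined.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!MyCategory
  POLICY !!MyPolicy
    KEYNAME "Software\ExampleCorp\Demo"
    PART !!MyPart EDITTEXT
      VALUENAME ValueToBeChanged
      MAXLEN 4
      DEFAULT !!MissingTip
    END PART
  END POLICY
END CATEGORY

[strings]
MyCategory="Example category"
MyPolicy="Example policy"
MyPart="Example text box"
'''

VALID_CLASSES = {"MACHINE", "USER"}        # the two classes the editor accepts
BLOCKS = ("CATEGORY", "POLICY", "PART")    # keywords closed by END <keyword>


def check_adm(text):
    """Return a list of (line_number, problem) tuples for an .adm template."""
    # Split the template body from the [strings] section.
    parts = re.split(r"(?im)^[ \t]*\[strings\][ \t]*$", text, maxsplit=1)
    body = parts[0]
    strings = parts[1] if len(parts) > 1 else ""

    # Collect the names defined as name="text" in [strings].
    # Assumption: names are compared exactly as written.
    defined = set()
    for line in strings.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            defined.add(line.split("=", 1)[0].strip())

    problems = []
    stack = []  # open blocks as (keyword, line_number)
    for n, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        # Every !!variable must have a string defined.
        for ref in re.findall(r"!!(\w+)", line):
            if ref not in defined:
                problems.append((n, "undefined string !!" + ref))
        words = line.upper().split()
        if words[0] == "CLASS":
            if len(words) < 2 or words[1] not in VALID_CLASSES:
                problems.append((n, "invalid CLASS"))
        elif words[0] in BLOCKS:
            stack.append((words[0], n))
        elif words[0] == "END" and len(words) > 1 and words[1] in BLOCKS:
            if not stack or stack[-1][0] != words[1]:
                problems.append((n, "unexpected END " + words[1]))
            else:
                stack.pop()
    # Anything still open was never closed.
    for kind, n in stack:
        problems.append((n, kind + " never closed"))
    return problems


if __name__ == "__main__":
    for line_no, problem in check_adm(SAMPLE_ADM):
        print("line %d: %s" % (line_no, problem))
```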
type REG_EXPAND_SZ, for example:
    PART !!MyPolicy EDITTEXT
    EXPANDABLETEXT
    VALUENAME ValueToBeChanged
    END PART
• MAXLEN—Specifies the maximum length of text, for example:
    PART !!MyPolicy EDITTEXT
    VALUENAME ValueToBeChanged
    MAXLEN 4
    END PART
• DEFAULT—Specifies the default value for text or numeric data, for example:
    PART !!MyPolicy EDITTEXT
    DEFAULT !!MySampleText
    VALUENAME ValueToBeChanged
    END PART
or
    PART !!MyPolicy NUMERIC
    DEFAULT 5
    VALUENAME ValueToBeChanged
    END PART
• MIN and MAX—These specify the lowe
each time the System Policy Editor starts.) Configuring System Policies Based on Geographic Location You may choose to enforce certain environment settings based upon geographic site location or vicinity. At least two methods are available to do this. • Generate a System Policy that contains settings for specific computers. In each of the machine-specific settings, configure the Remote Update path to a specific regional server that will be maintaining the regional System Policy file.
will refer the client to multiple servers for the same path. For example, on a Dfs server, the administrator has defined that users connecting to the UNC path \\Dfsserver\Dfsshare\Customfolder, will be returned a response with three different servers, \\Server1\Customerfolder, \\Server2\Customerfolder, and \\Server3\Customerfolder, all of which contain the same data. The client machine, which can be either a Windows NT-based 4.
REGISTRY KEYS MODIFIED BY THE SYSTEM POLICY EDITOR DEFAULT TEMPLATES
The following outlines the locations and values for registry entries that are written to a Windows NT-based workstation or server when you use the System Policy Editor to modify a policy. Knowing the location of these registry settings may help you to resolve problems.
Default User Settings
The following data is specific to the options found in the Default User portion of the System Policy Editor.
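When troubleshooting, it helps to read these values straight from an export of the user's hive. The following Python code is an added example, not part of the white paper: it parses a REGEDIT4 text export and reports which of the REG_DWORD restriction values named in this section are on, treating a missing value the same as 0, and lists the applications permitted under the \RestrictRun subkey. The sample export is constructed, and the RestrictRun DWORD is assumed to live under Policies\Explorer, the parent of the \RestrictRun subkey shown in this section.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# REG_DWORD value names taken from this section, grouped by key.
# Each follows the rule "Off = 0 or value is removed; On = 1".
KNOWN = {
    POLICIES + r"\Explorer": ["NoSetFolders", "RestrictRun", "NoTrayContextMenu",
                              "NoNetConnectDisconnect", "LinkResolveIgnoreLinkInfo"],
    POLICIES + r"\Network": ["NoEntireNetwork", "NoWorkgroupContents"],
    POLICIES + r"\System": ["DisableRegistryTools"],
}

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
"NoTrayContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"2"="notepad.exe"
"1"="winword.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

# "name"=dword:XXXXXXXX   or   "name"="text" (backslash-escaped)
VALUE_LINE = re.compile(
    r'^"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{1,8})|"((?:[^"\\]|\\.)*)")$')


def _unescape(s):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive.
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name = _unescape(m.group(1)).lower()
                if m.group(2) is not None:
                    current[name] = int(m.group(2), 16)   # REG_DWORD
                else:
                    current[name] = _unescape(m.group(3))  # REG_SZ
    return keys


def audit(text):
    """Return ({value_name: is_on}, [apps allowed by RestrictRun])."""
    keys = parse_reg(text)
    state = {}
    for key, names in KNOWN.items():
        values = keys.get(key.lower(), {})
        for name in names:
            # A missing value and a value of 0 both mean the setting is off.
            state[name] = values.get(name.lower(), 0) == 1
    allowed = []
    if state["RestrictRun"]:
        sub = keys.get((POLICIES + r"\Explorer\RestrictRun").lower(), {})
        # Value names in this subkey are incrementing numbers.
        for n in sorted((n for n in sub if n.isdigit()), key=int):
            if isinstance(sub[n], str):
                allowed.append(sub[n])
    return state, allowed


if __name__ == "__main__":
    state, allowed = audit(SAMPLE_REG)
    for name in sorted(state):
        print("%-28s %s" % (name, "On" if state[name] else "Off"))
    print("RestrictRun list:", allowed)
```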
Color Scheme
Category: Desktop
Selection: Color scheme
Key: HKEY_CURRENT_USER\Control Panel\Appearance
Registry Value: Current
Registry Data: REG_SZ
Description: Off = value is removed; On = text of color scheme name
Start Menu Run Command
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Remove Run command from Start menu
Description: Removes the user’s ability to start applications or processes from the Start menu by removing the option completely.
\Windows\CurrentVersion\Policies\Explorer
Registry Value: NoSetFolders
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Settings Taskbar
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Remove Taskbar from settings on Start menu
Description: Removes the Taskbar option from settings on the Start menu. Removing the Taskbar, Control Panel, and Printer folders causes the Settings menu to be removed completely.
Key:
My Computer Drive Icons
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Hide drives in My Computer
Description: Removes the icons for the drives in My Computer.
Key:
\Windows\CurrentVersion\Policies\Network
Registry Value: NoEntireNetwork
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Network Neighborhood Workgroup Contents
Category: Windows NT Shell
Subcategory: Restrictions
Selection: No workgroup contents in Network Neighborhood
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
Registry Value: NoWorkgroupContents
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Deskt
Subcategory: Restrictions
Selection: Disable Shut Down command
Description: Disables the Shut Down option on the Start menu. Note that this does not disable the user’s ability to shut down the computer using the CTRL-ALT-DEL sequence. If you want to remove the user’s ability to use CTRL-ALT-DEL, remove the user’s name from the “Shut down the system” user right in User Manager.
Key:
\Windows\CurrentVersion\Policies\System
Registry Value: DisableRegistryTools
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Windows Applications Restrictions
Category: Subcategory: Selection: Description: Key:
Registry Value: RestrictRun
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Registry Value Registry Data Description Number Increm
Custom Programs
Category: Windows NT Shell
Subcategory: Custom Folders
Selection: Custom Program folder
Description: Specifies the UNC path for the folder to use when displaying folders, files, and shortcuts available when the user selects Programs from the Start menu. The user’s profile Programs is an additional selection.
Key:
Subcategory: Custom Folders
Selection: Hide Start menu subfolders
Description: Hides subfolders, such as the user’s Programs folder, if a custom Programs folder exists.
\CurrentVersion\Explorer\User Shell Folders
Registry Value: NetHood
Registry Data: REG_SZ
Description: Off = value is removed; On = text of UNC path to folder. Default = %USERPROFILE%\NetHood
Custom Start Menu
Category: Windows NT Shell
Subcategory: Custom Folders
Selection: Custom Start menu
Description: Specifies the UNC path the folder is to use when displaying the folders, files, and shortcuts the user receives as part of the Start menu.
Explorer File Menu
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Remove File menu from Explorer
Description: Removes the File option from Explorer’s toolbar. (This option was added in Service Pack 2.
Key:
\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value: NoTrayContextMenu
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Explorer Context Menu
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Disable Explorer’s default context menu
Description: Removes the context menu that would normally appear when the user right clicks on the desktop or in the Explorer right results pane. (This option was added in Service Pack 2.
Key:
\Explorer
Registry Value: NoNetConnectDisconnect
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1
Explorer Context Menu
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Disable link file tracking
Description: When enabled, link file tracking uses the configured path shown in properties for the shortcut to an application instead of the absolute path. This option disables link file tracking. (This option was added in Service Pack 2.
Key:
Key: complete or not. If the value is 0, the logon script is run during the startup of the shell and allows items in the Startup group to start. If the value is 1, the logon script completes before the shell or any items in the Startup group are started. If this value is also set in the Computer section, the Computer section value takes precedence.
\Explorer\Tips
Registry Value: Show
Registry Data: REG_DWORD
Description: Off = 0; On = 1

Default Computer Settings
The following data is specific to the options found in the Default Computer portion of the System Policy Editor.

Remote Update
Category: Network
Subcategory: System Policies update
Selection: Remote update
Description: Controls how policies are applied to a Windows NT 4.0-based machine.
Key:
\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Registry Value: Increment numbers beginning with 1
Registry Data: REG_SZ
Description: On = text of Valid Community #x; Off = value is removed from registry
NOTE: There may be multiple entries in this subkey.
Registry Value: Increment numbers beginning with 1
Registry Data: REG_SZ
Description: On = text of Trap Configuration #x; Off = value is removed from registry
NOTE: There may be multiple entries in this subkey.

Run Command
Category: System
Subcategory: Run
Selection: Run
Description: Allows one or more applications to be run when the user logs on interactively.
Key:
Drive Shares – Server
Category: Windows NT Network
Subcategory: Sharing
Selection: Create hidden drive shares (server)
Description: When enabled, creates the administrative shares for physical drives. These shares were created automatically under Windows NT 3.51. This policy setting gives administrators the ability to control this feature. This setting is specific to Windows NT Server.
\Print
Registry Value: SchedulerThreadPriority
Registry Data: REG_DWORD
Description: Above normal = 1; Normal = 0, Less than normal = ffffffff

Error Beep
Category: Windows NT Printers
Subcategory: Sharing
Selection: Beep for error enabled
Description: Enables beeping (every 10 seconds) when a remote job error occurs on a print server.
Key:
\System\CurrentControlSet\Services\RemoteAccess\Parameters
Registry Value: AuthenticateTime
Registry Data: REG_DWORD
Description: Off = value is removed, On = time in seconds in hexadecimal. Decimal = 20-600; default = 120.

RAS Call-back Interval
Category: Windows NT Remote Access
Selection: Wait interval for callback
Description: Specifies the time in seconds that Windows NT will wait before initiating the callback from a RAS dial-in user.
Key:
Shared Programs Folder Path
Category: Windows NT Shell
Subcategory: Custom shared folders
Selection: Custom shared Programs folder
Description: Specifies the UNC path for the folder to use when displaying folders, files, and shortcuts below the division line (common groups) when the user selects Programs from the Start menu.
Key:
Subcategory: Custom shared folders
Selection: Custom shared Start menu
Description: Specifies the UNC path the folder is to use when displaying the folders, files, and shortcuts the user receives as part of the Start menu.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Registry Value: Common Start Menu
Registry Data: REG_EXPAND_SZ (Note: REG_SZ can be
Description: Off = value is removed from registry, On = text of UNC path to folder.
Description: Before the user logs on, displays a custom dialog box with text.
Registry Value: DontDisplayLastUserName
Registry Data: REG_SZ
Description: Off = 0; On = 1

Logon Scripts
Category: Windows NT System
Subcategory: Logon
Selection: Run logon scripts synchronously
Description: Determines whether the shell waits for the logon script to complete or not. If the value is 0, the logon script is run during the startup of the shell and allows items in the Startup group to start.
Key:
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem
Registry Value: NtfsAllowExtendedCharacterIn8dot3Name
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = 1

Read Only Files – Last Access Time
Category: Windows NT System
Subcategory: File system
Selection: Do not update last access time
Description: For files that are only to be read, specifies that the last access time is not updated. (This increases the file system’s performance.)
Key:
Slow Network Detection
Category: Windows NT User Profiles
Selection: Automatically detect slow network connections
Description: Enables or disables detection of a slow network.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry Value: SlowLinkDetectEnabled
Registry Data: REG_DWORD
Description: Off = 0; On = No value (empty) or 1. Default = On.
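The two tables above give a missing value opposite meanings: NtfsAllowExtendedCharacterIn8dot3Name is Off when the value is removed, while SlowLinkDetectEnabled is On when it has no value. The following Python code is an added example, not part of the white paper; it resolves both settings from a REGEDIT4 text export. The function names, the use of an export file as input, and the sample export are assumptions made for illustration.

```python
import re

# Keys and value names as printed in the two tables above.
FS = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem"
WL = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name, state the table assigns when the value is absent)
SETTINGS = [
    (FS, "NtfsAllowExtendedCharacterIn8dot3Name", "Off"),  # "Off = 0 or value is removed"
    (WL, "SlowLinkDetectEnabled", "On"),                   # "On = No value (empty) or 1"
]

# Constructed sample export, not taken from a real host.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem]
"NtfsAllowExtendedCharacterIn8dot3Name"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
'''

def parse_regedit4(text):
    """Return {(key, value name): int} for every dword value in the export."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry names are case-insensitive
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Resolve each setting to On/Off, applying its own rule for a missing value."""
    values = parse_regedit4(text)
    report = {}
    for key, name, when_absent in SETTINGS:
        data = values.get((key.lower(), name.lower()))
        if data is None:
            report[name] = when_absent + " (value absent)"
        elif data in (0, 1):
            report[name] = "On" if data else "Off"
        else:
            report[name] = "Undefined data %#x" % data
    return report

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(name, "->", state)
```

A check that treats "value not present" as Off for every setting would misreport slow network detection as disabled on a default installation.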
Registry Value: Show
Registry Data: REG_DWORD
Description: Off = 0 or value is removed; On = time in seconds in hexadecimal. Decimal = 0-600; default = 30.
REGISTRY ENTRIES NOT INCLUDED IN THE SYSTEM POLICY EDITOR
The following section describes the locations and values for useful registry entries that are available in the operating system, but not available in the System Policy Editor.

Autorun
Category: Windows NT Shell
Subcategory: Removable media
Description: Determines whether the Autorun feature is enabled on each drive connected to the system. When Autorun is enabled, media is started automatically when it is inserted in the drive.
Key:
82 Microsoft Windows NT Server White Paper

Registry Value: NoStartBanner
Registry Data: REG_DWORD
Description: 0 = enabled; 1 = disabled.
FOR MORE INFORMATION
For more information when configuring your network, refer to the following:
• Windows NT Server Concepts and Planning Guide − Chapter 3, “Managing User Work Environments” (part of the Windows NT Server product documentation).
• Kixtart Resource Kit Utility available in the Windows NT Server Resource Kit for version 4.0.
For the latest information on Windows NT Server, check out our World Wide Web site at http://www.microsoft.
APPENDIX A – FLOWCHARTS

User Profile Flowcharts
These flowcharts illustrate how User Profiles operate within the Windows NT 4.0 operating system, and give the administrator an at-a-glance look at the procedures to take and the internal processing that occurs when User Profiles are implemented under Windows NT 4.0.
No Will the user be mandated to receive the profile for logon? Begin Profile Process: Does the user already have a profile from Windows NT 3.5x? Yes Is the profile .usr or .man? Configure the user profile path for the account with: \\server\share\.man Yes No Configure the user profile path for the account with: \\server\share\ (no extension used) Create a directory for the Windows NT 4.0 profile with the .man extension in the share where profiles are stored.
Workstation boots, computer account is validated, and user enters logon credentials Receive data from Domain Controller about User Account Does the user account contain a User Profile path? No No Flag as not available Yes Yes Is the server copy available? See flowchart "Accessing Serverbased Profile" Yes Does user override by having selected Local? Set the Ignore Central internal flag Determine if local copy of profile is available Central not available; local is available Flag profile as mandatory or
(Continued) from Command to Load Profile Load the User Profile Set USERPROFILE environment variable Check build number for version Different? Same? Process UserDiff Registry changes (from major version change) Apply System Policy Save settings to Registry Flowchart 3.
Call made to check server profile Check for .man extension in profile path Yes No Flag as mandatory Start timer, check the existence of the profile path, and after completion, stop timer Determine type and version of profile Directory File Nothing Access denied error Does profile path end in .usr or .man? Windows NT 3.5x profile found. Generate Windows NT 4.
System Policy Flowchart
This flowchart illustrates how System Policy is applied in the Windows NT 4.0 operating system, and gives the administrator an at-a-glance look at the internal processing that occurs when policies are implemented under Windows NT 4.0.
APPENDIX B – IMPLEMENTING USER PROFILES
The following are typical user profile scenarios that you may encounter in the future or may have already encountered. Each of these scenarios includes a brief description of the situation, the current status of the profiles on the server, actions that you need to take to administer the profile properly, any required user action, references to sections of this guide that have more detailed information, and any applicable usage notes.

Existing Windows NT 3.
• Administrator action: Create a folder with the name myuser.pdm in the existing folder \\myserver\myshare, and then place the desired mandatory profile into the new folder.
• User action: None.
• Notes: Once this procedure is performed, the Windows NT 3.5x profile is still available to the user should he or she ever log on to a Windows NT 3.5x-based computer again. The Windows NT 4.0 User Profile is maintained separately. The administrator can remove the Windows NT 3.
the extension .man. For example, use \\myserver\myshare\myuser.man. Then manually create the myuser.man folder in the \\myserver\myshare directory. Place the mandatory profile for the user in this new folder.
• User action: None.
• For more information: See the section “Creating a New Mandatory User Profile for Windows NT 4.0.”

Updating and Changing a Roaming Profile to a Mandatory Profile
A domain user has an existing Windows NT 4.0 roaming User Profile that was not upgraded from Windows NT 3.
APPENDIX C – USAGE NOTES

Important Information for Administrators Regarding User Logons and User Logoffs
• Changes that you make to server-based profiles can be lost if you do not modify the last modification date/time stamp. When a locally cached version of a profile is compared with the server-based profile, only the time/date stamp of the NTuser.xxx file is compared. If the stamps are the same, the local copy is used.
Recent Updates to Policies Since Retail Release
The following changes have been made to System Policies support since the initial retail release of Windows NT 4.0.
• When a policy file was to be downloaded, if the validating domain controller name was 13 characters or longer, the policy would not be applied. This has been resolved in Service Pack 3.
• NoNetConnectDisconnect, NoTrayContextMenu, NoViewContextMenu, NoFileMenu, and DisableTaskMgr were added in Service Pack 2.
APPENDIX D – RELATED KNOWLEDGE BASE ARTICLES
The articles below can be referenced either on TechNet or by using the Microsoft Knowledge Base on Microsoft’s Web site: http://www.microsoft.com/kb/.

Profiles
Q141714 How to Use %LOGONSERVER% to Distribute User Profiles
Q154120 Debugging User Profiles and System Policies in Windows NT 4.
Q156432 Windows NT 4.