test

Solstice NFS Client 3.2 User's Guide for Microsoft Windows 95 and Windows NT

System Policies

The Windows NT or Windows 95 client computer can download and set Windows system policies from the authentication server. The authentication server is one that is running the pcnfsd daemon, which verifies that users are authorized to log in to the network.

System administrators can use system policies to manage clients by:

On Windows 95, you can download system policies for specific users, groups, specific computers, or for all users. On Windows NT, you can download system policies for specific users, specific computers, or for all users. But you cannot download group policies from an NFS server.

Creating System Policy Files

To create a system policy file on Windows NT, use the System Policy Editor on a computer running Windows NT Workstation or Windows NT Server. The System Policy Editor is available only on Windows NT server, but you can copy the editor from a Windows NT Server to a workstation and then run the editor on the workstation.

The system policy entries you set are stored in a binary file with the .POL extension. You should save this file with the name ntconfig.POL. The Windows NT Workstation software reads and interprets the ntconfig.POL policy file by overriding any conflicting information in that workstation's Registry.

To create a system policy file on Windows 95, use the Windows 95 System Policy Editor. The system policy entries you set are stored in a binary file with the .POL extension. You should save this file with the name config.POL on a server running the pcnfsd daemon. When the user logs in, Windows 95 overwrites the default USER.DAT and SYSTEM.DAT settings in the Registry with the policy settings in the config.POL file.

To apply system policies to a network that uses both Windows 95 and Windows NT, run the System Policy Editor once from each platform to produce two different system policy files.

How System Policies Work

When the user logs in to a client, the client passes the location of the system policy file to Microsoft Windows:

Microsoft Windows then downloads system policies for computers and users from the /opt/MSPolicy directory on the authentication server. Windows NT and Windows 95 follow these rules for updating user information with system policy files:

  1. If user profiles are enabled, Windows checks for a user policy file that matches the user name. If it finds one, it applies the user-specific policy. If it does not find a user policy file, it applies the default user policy file. On Windows NT, user profiles are always enabled.

  2. Group policies are not applied if there is a policy file for a specific user. If Windows support for group policies is installed on a client running Windows 95, Windows checks whether the user is registered as a member of any secondary UNIX groups. If so, group policies are downloaded, starting with the lowest priority group and ending with the highest priority group. Group policies are processed for all groups to which the user belongs. The group with the highest priority is processed last so the settings in that group's policy file supersede those in lower priority groups. The client on Windows NT does not download or process group policies.

  3. All settings are then copied into the USER.DAT portion of the Registry.

  4. Microsoft Windows checks for a computer policy file to match the computer name. If one exists, Microsoft Windows applies the computer-specific policies to the user's desktop environment. If a policy file for that computer name does not exist, Microsoft Windows applies the default computer policy.

  5. This data is then copied into the SYSTEM.DAT portion of the Registry.

How System Policies Differ From Mandatory User Profiles

System policies and mandatory user profiles differ in the following ways.

System Policies 

Mandatory User Profiles 

Settings can be user-specific or computer-specific. 

Settings can only be user-specific. 

You can selectively determine a subset of user settings to control. Users may control the remaining settings. 

You always control every user-specific setting. 

To Set Up System Policy Files

Set up system policy files on each authentication server on the network.

  1. Set up the authentication server.

    See the instructions in "To Set Up an Authentication Server".

  2. (Optional) On a client running Windows NT, create a Windows NT policy file and copy it to the /opt/MSPolicy directory on the authentication server.

    See the instructions in "To Create a System Policy File on Windows NT".

  3. (Optional) On a client running Microsoft Windows 95, create a Microsoft Windows 95 policy file and copy it to the /opt/MSPolicy directory on the authentication server.

    See the instructions in "To Create System Policies for Users or Computers on Windows 95".

To Create a System Policy File on Windows NT

The NT version of the System Policy Editor (poledit.exe) is included with the NT Server software, but not with the NT Workstation software. You can use the System Policy Editor on an NT workstation by copying the editor (poledit.exe) on an NT server to the \winnt\system32 folder on an NT workstation, and copying the files common.adm, windows.adm, and winnt.adm to the \winnt\inf folder on the NT Workstation.

For detailed information on installing the System Policy Editor and creating system policy files in Windows NT, refer to the Microsoft Windows NT Server Resource Kit, published by Microsoft Press.

  1. On an NT server, click Start, point to Programs, point to Administrative Tools (Common), and then select System Policy Editor.

    The System Policy Editor dialog box opens.

  2. Click File and then select New Policy.

  3. Depending on which policies you are creating:

    • Double-click the Default User icon to define the default settings for user-specific policies.

    • Double-click the Default Computer icon to define the settings for computer-specific policies.

  4. In the Policies tab, select the policies you want to put in place and then click OK.

  5. Click File and then select Save.

  6. Type ntconfig for the name of the policy and then click Save.

    The system policy file is saved with the .POL extension.

  7. Copy the system policy file you created from the workstation to the /opt/MSPolicy directory on an authentication server.

    You can use the Network Neighborhood to browse for the server, and then drag the system policy files from the workstation (usually in \winnt\system32\)to the /opt/MSPolicy directory on the authentication server.

To Install System Policy Editor on Windows 95

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Add/Remove Programs.

  3. Click the Windows Setup tab, and then click Have Disk.

  4. In the Install From Disk dialog box, click Browse and specify the admin\apptools\poledit folder on the Microsoft Windows 95 compact disk. Click OK, and then click OK again.

  5. Make sure System Policy Editor is checked.

  6. To use group policies, make sure Group Policies is checked.

    Windows 95 Setup will copy GROUP.DLL in the Microsoft Windows SYSTEM directory on the client computer and make the required Registry changes.

  7. Click Install.

To Create System Policies for Users or Computers on Windows 95

To use System Policy Editor, you must install the following files from the admin\apptools\poledit folder on the Windows 95 distribution media: admin.adm, poledit.exe, and poledit.inf. For instructions on installing System Policy Editor, see "To Install System Policy Editor on Windows 95".

  1. In System Policy Editor, click the File menu, and then click New File.

  2. Depending on which policies you are creating:

    • Double-click the Default User icon to define the default settings for user-specific policies.

    • Double-click the Default Computer icon to define the settings for computer-specific policies.

  3. Select the policies you want to put in place.

  4. Click File and then select Save.

  5. Type config for the name of the policy and then click Save.

    The system policy file is saved with the .POL extension.

  6. Copy the system policy file you created from the workstation to the /opt/MSPolicy directory on an authentication server. You can use the Network Neighborhood to browse for the server, and then drag the system policy files from the PC (usually in \WINDOWS\Profiles\username\Desktop\)to the /opt/MSPolicy directory on the server.

To Create Group Policies on Windows 95

  1. In System Policy Editor, click the Edit menu, and then click Add Group.

  2. Type the UNIX group ID number for the group you want to add, and click OK.

    For example, if the group named staff has the UNIX ID 10, then you must type 10 when asked for the name of the group.

  3. Click or clear policies by clicking the policy name.