
6.6 Picking the Right Policies

Which policies are appropriate for you? It depends on how your network's built, who uses it, and what they should--and shouldn't--be able to do. As you can tell from the preceding tables, the built-in policy templates offer a pretty wide range of capabilities, and you can roll your own templates to give you centralized control over almost anything whose behavior is controlled by Registry entries.

The following sections suggest which policies might be appropriate for various situations; you can pick and choose to build a set of policies that's right for you.

6.6.1 Policies for Anybody

Most administrators who use policies do so to prevent users from doing things they shouldn't. First on the list is probably preventing users from running unapproved applications, which you can do with the "Run only approved Windows applications" and "Remove Run command from Start menu" policies. In addition, you might want to consider using the floplock program from the Resource Kit to prevent user access to the floppy drives.

Most administrators hate to spend time fixing things like display resolution settings. Consequently, you may be interested in the Control Panel\Display policy category, since it allows you to prevent users from changing display settings.

6.6.2 Policies for a Lab Network

Many schools and universities have lab networks that students can use to do their classwork. Many companies have something similar: test labs, training classrooms, and so on. These environments share a central feature: a varying group of users have access to the machines, and they should probably be prevented from changing many of the things they might otherwise be able or tempted to modify.

In addition to restricting which applications may be run, most labs need to protect the desktop from changes. This prevents students from using their own wallpaper, changing the desktop colors to neon green with fuchsia accents, or otherwise leaving a mess for the next user. The "Control Panel\Display" and "Desktop" policies are great for this.

For labs that share a network segment with production machines, you may also find it useful to restrict what users can see over the network. The "Shell\Restrictions" category offers several ways to prevent casual network browsing, including hiding the Network Neighborhood altogether.

For performance reasons, you should use the options in "Windows NT User Profiles" to control how profiles get transferred and whether slow connections are automatically flagged as such.
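One way to confirm that a lab account actually carries the restrictions suggested in 6.6.1 and 6.6.2 is to audit a REGEDIT4 export of its policy keys. The script below is an added example, not code from the book; the value names (RestrictRun, NoRun, NoNetHood, NoDispCPL) are the ones the standard templates write and are not given on this page, and the sample export is constructed.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Lab baseline: (policy as described in the text, subkey, value name).
# Value names are assumptions taken from the standard templates, not this page.
LAB_BASELINE = [
    ("Run only approved Windows applications", "Explorer", "RestrictRun"),
    ("Remove Run command from Start menu", "Explorer", "NoRun"),
    ("Hide Network Neighborhood", "Explorer", "NoNetHood"),
    ("Deny access to display settings", "System", "NoDispCPL"),
]

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_lower: {value_lower: int}} (DWORD values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # new key header; registry names are case-insensitive
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return the baseline policies that are absent or set to 0 in the export."""
    keys = parse_reg(text)
    missing = []
    for name, subkey, value in LAB_BASELINE:
        data = keys.get(f"{POLICIES}\\{subkey}".lower(), {})
        if data.get(value.lower(), 0) != 1:
            missing.append(name)
    return missing

# Constructed sample: export of one lab account's policy keys.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"RestrictRun"=dword:00000000
"NoNetHood"=dword:00000001
'''

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("not enforced:", name)
```

A value that is present but set to 0 is reported the same way as a missing one, which catches accounts where a policy was applied and later switched off.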

6.6.3 Policies for an "Ordinary" Office

Anything goes! The policies you set for machines in an ordinary office environment vary by user, machine, and group; what's appropriate for HR may not be appropriate for engineering, and vice versa. In general, the most frequently used policy components in office networks tend to be those dealing with custom Start menu folders and security settings, such as those found in "Windows NT System\Logon."

In some cases, it may be necessary or desirable to restrict display and desktop changes too, especially on public machines.
