6.5 What's in the Standard Policy Templates

The three primary policy templates used with Win95 and NT installations define what policy settings are available to you when building policies. Each template file contains settings that apply to HKLM and HKCU; however, in the following sections these entries are separated depending on the root key they affect.

6.5.1 WINNT.ADM

The WINNT.ADM policy template defines policy settings that are specific to Windows 2000 and NT. Some entries in this template have counterparts in the Windows 95 template file. Table 6.1 shows the WINNT.ADM entries that apply to computer policies, while Table 6.2 shows the settings that apply to user and group policies.

6.5.2 COMMON.ADM

COMMON.ADM contains policy settings that are common to Windows 2000, NT, 95, and 98. Table 6.3 shows the entries that apply to computer policies, while Table 6.4 shows the settings that apply to user and group policies.

6.5.3 WINDOWS.ADM

The WINDOWS.ADM policy template defines policy settings that are specific to Windows 95/98. When you use System Policy Editor to edit policies for Win9x machines, this template is used to determine which policies and parts you may apply. Because the items in this policy are all Win9x-specific, I've elected not to cover them here.

Table 6.1. HKLM Entries in WINNT.ADM

| Category | Policy | Registry Key/Value | What It Does | Value |
| --- | --- | --- | --- | --- |
| Windows NT Network\Sharing | Create hidden drive shares (workstation) | System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks | Creates drive$ and ADMIN$ shares on workstation | Default on (shares are created) |
| | Create hidden drive shares (server) | System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer | Creates drive$ and ADMIN$ shares on server | Default on (shares are created) |
| Windows NT Printers | Disable browse thread on this computer | System\CurrentControlSet\Control\Print\DisableServerThread | Controls whether printer shares advertise themselves | Default off (shares are advertised) |
| | Scheduler priority | System\CurrentControlSet\Control\Print\SchedulerThreadPriority | Adjusts priority of printer scheduling thread up or down | Default 0 (leave at normal priority); +1 (raise priority); -1 (lower priority) |
| | Beep for error enabled | System\CurrentControlSet\Control\Print\BeepEnabled | Beeps every 10 seconds when a remote print job error occurs | Default off (keep quiet and don't beep); on (beep) |
| Windows NT Remote Access Service | Maximum number of unsuccessful authentication retries | System\CurrentControlSet\Services\RemoteAccess\Parameters\AuthenticateRetries | Sets the number of times a remote system can try to authenticate itself | 0-10; default 2 |
| | Maximum time limit for authentication | System\CurrentControlSet\Services\RemoteAccess\Parameters\AuthenticateTime | Sets the number of seconds allowed before an authentication times out | 20-600; default 120 |
| | Wait interval for callback | System\CurrentControlSet\Services\RemoteAccess\Parameters\CallbackTime | Sets the number of minutes to wait for a callback | 2-12; default 2 |
| | Auto disconnect | System\CurrentControlSet\Services\RemoteAccess\Parameters\AutoDisconnect | Disconnects after X minutes of inactivity | 0-65536; default 20 |
| Windows NT Shell | Custom shared Programs folder | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs | Sets the path to common Programs folder for all users on this machine | Any path; can use environment variables to point to path |
| | Custom shared desktop icons | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop | Sets the path to common desktop icons for all users on this machine | Any path; can use environment variables to point to path |
| | Custom shared Start menu | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu | Sets the path to common Start menu folder for all users on this machine | Any path; can use environment variables to point to path |
| | Custom shared Startup folder | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup | Sets the path to common startup items folder for all users on this machine | Any path; can use environment variables to point to path |
| Windows NT System\Logon | Logon banner | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText | Sets the text to display in logon dialog | Default "Do not attempt to log on unless you are an authorized user." |
| | Logon caption | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption | Sets the caption to display for logon banner message | Default "Important Notice:" |
| | Enable shutdown from Authentication dialog box | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon | Displays "Shutdown" button in logon dialog so you can shut down without logging in | On or off; default on for NTW and off for NTS |
| | Do not display last logged on username | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName | Hides name of previously logged in users | Off or on; default off |
| | Run logon scripts synchronously | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RunLogonScriptSync | Runs logon scripts before desktop and start menu appear | Off or on; default off |
| Windows NT System\File System | Do not create 8.3 filenames for long filenames | System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation | Suppresses creating 8.3 names | Off or on; default off (create names) |
| | Allow extended characters in 8.3 filenames | System\CurrentControlSet\Control\FileSystem\NtfsAllowExtendedCharacterIn8dot3Name | Allows extended characters to be used in short filenames, even though some machines may not display them properly | Off or on; default off (don't allow) |
| | Do not update last access time | System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate | Doesn't update NTFS "last access time" field on files that are read but not modified | Off or on; default off (do update it) |
| Windows NT User Profiles | Delete cached copies of roaming profiles | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache | Throws away cached profiles when users log out | Off or on; default off |
| | Automatically detect slow network connections | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SlowLinkDetectEnabled | Automatically times network links to see whether they're slow | Off or on; default on |
| | Slow network connection timeout | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SlowLinkTimeOut | Sets the number of milliseconds to wait before timing out on a slow link | 1-20000; default 2000 |
| | Timeout for dialog boxes | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ProfileDlgTimeOut | Sets the number of seconds to wait before canceling a dialog box | 0-600; default 30 |

Table 6.2. HKCU Entries in WINNT.ADM

| Category | Policy | Registry Key/Value | What It Does | Value |
| --- | --- | --- | --- | --- |
| Shell\Custom Folders | Custom Programs folder | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs | Specifies a custom "Programs" folder to be used in Explorer and the taskbar | Defaults to %userprofile%\Start Menu\Programs; may be any local or UNC path |
| | Custom Desktop folder | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop | Specifies a path to a custom set of desktop icons and items | Defaults to %userprofile%\Desktop; may be any local or UNC path |
| | Hide Start menu subfolders | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders | Hides the standard Start menu folders; should be set when you specify custom desktop or programs folders | By default, value doesn't exist; when it exists, 1 hides the folders and 0 leaves them alone |
| | Custom Startup folder | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup | Specifies location of custom Startup folder | Defaults to %userprofile%\Start Menu\Programs\Startup; can be any local or UNC path |
| | Custom Network Neighborhood | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\NetHood | Specifies location of custom items for Network Neighborhood | Defaults to %userprofile%\NetHood; can be any local or UNC path |
| Shell\Restrictions | Use approved shell extensions only | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnforceShellExtensionSecurity | Restricts which Explorer extensions may be loaded and run to those included in this list | Doesn't exist by default; you must manually add any shell extensions you want to approve |
| | Hide common program groups in Start menu | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups | Forces Explorer not to display any shared program groups | Doesn't exist by default; when value exists, 1 means hide groups, and 0 means show them |
| System | Parse autoexec.bat | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec | When on, NT parses autoexec.bat when the user logs on | REG_SZ; default value of 1 forces parse; 0 means don't parse |
| | Run logon scripts synchronously | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RunLogonScriptSync | When on, NT doesn't start the shell until the user's logon script has completed | REG_DWORD; when value is missing or set to 0, scripts are run in parallel with the shell startup; when value is 1, script executes before shell; identical to "Run logon scripts synchronously" under HKLM; that value overrides this one |

Table 6.3. HKLM Entries in COMMON.ADM

| Category | Policy | Registry Key/Value | What It Does | Value |
| --- | --- | --- | --- | --- |
| Network Update | Remote update mode | System\CurrentControlSet\Control\Update\UpdateMode | Controls whether system policies are automatically updated or not (see Section 6.4.2.1) | 0: (default) don't update; 1: update automatically from DC; 2: update manually from NetworkPath |
| | Path for manual update | System\CurrentControlSet\Control\Update\NetworkPath | Specifies UNC path from which to update policies at logon | Empty by default; may be any legal UNC path |
| | Display error messages | System\CurrentControlSet\Control\Update\Verbose | Toggles display of policy update error messages | When value exists, error messages are displayed |
| | Load balancing | System\CurrentControlSet\Control\Update\LoadBalance | Toggles load balancing of policy updates from multiple domain controllers | When value exists, load balancing occurs |
| System\SNMP | Communities | System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities | Displays a list of communities to which SNMP traps are sent | Empty by default; otherwise, list of communities as individual values |
| | Permitted managers | System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers | Displays a list of entities permitted to manage SNMP | Empty by default; otherwise, list of managing entities as individual values |
| | Traps for Public community | System\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\Public | Displays a list of traps that may be sent to Public community | Empty by default; otherwise, list of traps as individual values |
| System\Run | Run | Software\Microsoft\Windows\CurrentVersion\Run | Displays a list of items to run at startup | Defaults to systray.exe; otherwise, list of things to run after shell starts |

Table 6.4. HKCU Entries in COMMON.ADM

| Category | Policy | Registry Key/Value | What It Does | Value |
| --- | --- | --- | --- | --- |
| Control Panel\Display | Disable Display icon | Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCpl | Prevents user from opening Display control panel | REG_DWORD: 1 restricts control panel, 0 doesn't |
| | Hide Background tab | Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage | Hides Background tab of Display control panel | REG_DWORD: 1 hides Background tab, 0 doesn't |
| | Hide Screen Saver tab | Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage | Hides Screen Saver tab of Display control panel so users can't change screen savers | REG_DWORD: 1 hides Screen Saver tab, 0 doesn't |
| | Hide Appearance tab | Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage | Hides Appearance tab of Display control panel | REG_DWORD: 1 hides Appearance tab, 0 doesn't |
| | Hide Settings tab | Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettings | Hides Settings tab of Display control panel so users can't adjust display resolution or color depth | REG_DWORD: 1 hides Settings tab, 0 doesn't |
| Desktop\Wallpaper | Wallpaper Name | Control Panel\Desktop\Wallpaper | Controls background image used as wallpaper | REG_SZ; contains full path to specified wallpaper file |
| | Tile wallpaper | Control Panel\Desktop\TileWallpaper | Controls whether wallpaper is tiled or not | REG_DWORD: 0 means no tiling, 1 means tiling |
| Desktop\Color Scheme | Color scheme | Control Panel\Appearance\Current | Contains color settings for currently selected decor scheme | Depends on selected color scheme |
| Shell\Restrictions | Remove Run command from Start menu | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun | Hides Run command on Start menu so users can't run arbitrary programs | REG_DWORD: 1 hides the command, 0 doesn't |
| | Remove folders from Settings on Start menu | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders | Hides Settings folders on Start menu | REG_DWORD: 1 hides the folders, 0 doesn't |
| | Remove Taskbar from Settings on Start menu | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar | Only hides Taskbar setting folder on Start menu | REG_DWORD: 1 hides the Taskbar folder, 0 doesn't |
| | Remove Find command from Start menu | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind | Removes Find command from Start menu | REG_DWORD: 1 hides the command, 0 doesn't |
| | Hide drives in My Computer | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives | Hides some drives in My Computer | REG_DWORD bit mask; see Section 10.3.6 in Chapter 10 |
| | Hide Network Neighborhood | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood | Hides Network Neighborhood icon | REG_DWORD: 1 hides the 'hood, 0 doesn't |
| | No Entire Network in Network Neighborhood | Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoEntireNetwork | Leaves Network Neighborhood, but removes "Entire Network" icon | REG_DWORD: 1 hides the icon, 0 doesn't |
| | No workgroup contents in Network Neighborhood | Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoWorkgroupContents | Doesn't show contents of local workgroup in Network Neighborhood | REG_DWORD: 1 hides the workgroup, 0 doesn't |
| | Hide all items on desktop | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop | Blanks out the desktop | REG_DWORD: 1 hides the desktop, 0 doesn't |
| | Disable Shut Down command | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose | Stops users from shutting down their machines | REG_DWORD: 1 removes the Shut Down command, 0 doesn't |
| | Don't save settings at exit | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings | Forces the shell to ignore any environment changes the user makes | REG_DWORD: 0 allows changes to be saved, 1 doesn't |
| System\Restrictions | Disable Registry editing tools | Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools | Tells compliant Registry editors not to run | REG_DWORD: 1 specifies that editing should be disallowed, 0 allows it |
| | Run only allowed Windows applications | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun | Specifies list of which Windows applications may be executed | When RestrictRun exists, its values specify which applications may be run |