'; window.popUpWin.document.write(zhtm); window.popUpWin.document.close(); // Johnny Jackson 4/28/98 } //--> Windows 98 Professional Reference -- Ch 7 -- System Policies

Windows 98 Professional Reference

- 7 -
System Policies

Understanding System Policies
Implementing System Policies
Using the System Policy Editor
- Creating Specific User and Computer Policies
- Creating Group Policies
Understanding and Creating Policy
Templates
Base Policies in WINDOWS.ADM

In any business computing environment, you must have certain policies that help you manage the overall system. Information Systems (IS) policies are designed to do many things, including the following:

Ensure the security of data
Ensure the safety (against loss) of data
Minimize the cost to support IS systems
Minimize training requirements for users
Minimize hardware and software costs
Maximize IS efficiency (and, it is hoped, overall company efficiency)

Some of the policies that accomplish these objectives rely on users conscientiously following policies that have been communicated to them, whereas others can be enforced at

various points, such as at network servers, through occasional audits, and by controlling each user's desktop operating system and applications.

This chapter shows you how to use Windows 98's built-in capabilities to create, deploy, and enforce certain IS policies that relate to the desktop operating system. You'll learn how to do the following:

Use the System Policy Editor tool (Policy Editor) to set Windows 98 policies for your users.
Set up each system so that policies are automatically applied at logon.
Set up and maintain Group Policies on a network.
Create your own policies.

By learning and applying the information in this chapter, you can significantly ease the administrative burden of supporting many Windows 98 clients on a network.

Understanding System Policies

In Chapter 5, "Understanding Windows 98 Configuration," you learned a bit about how the Windows 98 Registry works and what it does (more detailed information is found in Chapter 10, "Mastering the Windows 98 Registry"). In order to understand System Policies in Windows 98, you first need to understand how the Registry works, so review the material related to the Registry in Chapter 5 before proceeding with this chapter.

System Policies are actually just forced Registry settings. When a user logs on to a Windows 98 computer, he automatically selects his User Profile during logon, which causes his own personal Registry settings to load. After his User Profile is selected and loaded, any System Policies are then applied on top of their personal Registry settings. In this way, System Policies override any settings that they changed during his last session. With the System Policies that come with Windows 98, you can accomplish many things, including the following:

Hide the Run command from the Start menu.
Hide the local hard disk drives.
Hide the Find command on the Start menu.
Disable File or Printer Sharing.
Force certain desktop settings, like wallpaper.
Enable user-level access control.
Disable password caching.
Set minimum Windows password lengths, and require alphanumeric Windows passwords.
Control various network-specific settings, such as supporting long filenames in different ways on Novell networks.
Hide various Control Panel objects.

NOTE: System Policies can only be used when User Profiles are active.

It is possible for a user to "countermand" any System Policy changes to their Registry after he logs on to Windows 98. However, you can solve this problem by using certain System Policies that deny access to various features in the Control Panel, effectively shutting the user out from making Registry-level changes to his own system. For example, you can remove the Run command from the Start menu, force the user to use a customized (and limited) Start menu, hide his local drive, and so forth, so that he cannot "get into trouble" with his system. Obviously, you must consider user needs and the culture of the company before setting draconian System Policies like these.

System Policies can be set in several ways:

Default settings made for every computer and user
User-specific System Policies
System-specific System Policies
Network group-based policies

Using these different types of System Policies, you have considerable flexibility in what capabilities you enable or disable for different computers, users, and groups of users.

When you use the System Policy Editor for Windows 98, you can choose from a number of standard policy settings. You can also create your own. Custom System Policies let you apply any Registry setting you want as part of the System Policies. You can use this feature to cause Registry-based application settings to remain a particular way, for example.

Implementing System Policies

There are several things you must do in order to begin using System Policies:

Enable User Profiles for Windows 98 at the desktop (usually done during the initial setup of the system).
If Group Policies are needed, install Windows 98 support for them.
Create the CONFIG.POL file with the Policy Editor.
Locate the CONFIG.POL file in the appropriate directory of the network logon server.

The following sections describe these actions.

Enabling User Profiles

System Policies can be used only when User Profiles are enabled on a given machine. User Profiles are, broadly speaking, user-specific settings on a Windows 98 computer, often retrieved from a network server at logon, but otherwise stored in special subdirectories in the \Windows directory. Not only are User Profiles required for System Policies to work at all, but they also enable you to create user-specific System Policy settings.

To enable User Profiles, open the Passwords Control Panel object and move to the User Profiles tab, shown in Figure 7.1. Make sure that the option button indicated in Figure 7.1 is selected, which enables User Profiles. You will then need to shut down and restart Windows 98.

Figure 7.1

Enable User Profiles before using System Policies.

NOTE: You can learn about User Profiles in detail in Chapter 8, "User Profiles."

Enabling Group System Policies

In order to use network group-specific policies, you must install that feature of Windows 98 if it is not already installed. To enable Group Policies, follow these steps:

1. Open the Add/Remove Programs Control Panel object.

2. Move to the Windows Setup tab.

3. Select the System Tools installation topic and click the Details button.

4. Select the Group Policies installation choice, as shown in Figure 7.2.

5. Click OK to close all the Add/Remove Programs dialog boxes. You may be prompted for a Windows 98 CD-ROM as part of this process.

Figure 7.2

Selecting group-based System Policy capabilities.

TIP: You should always install support for Group Policies when setting up new Windows 98 systems. Even if you never use the capability, at least you won't have to visit each desktop to make this change if you do decide to start using Group Policies. See Chapter 23, "Windows 98 in Windows NT Domains," for more information about group security in NT domains. Windows 98 also supports Group Policies in NetWare networks.

Creating the System Policy File

You use a tool called the System Policy Editor (POLEDIT.EXE) to create and maintain your System Policies. In the Policy Editor, you define users, computers, and groups, and then select the policies to apply to each of those categories. After doing this, you save the policy file to a particular directory on the user's logon server, from which location the policy file is automatically downloaded and applied when a user logs on.

In the Policy Editor, you first choose policy templates, which are collections of possible policies that you can use. You can choose to use only a few templates, or to use all of the templates included with Windows 98. Applications might also supply template files that you can use to enforce application-specific policies. You can also create your own policy templates.

WARNING: Keep in mind that System Policies directly modify the Registry of any user that logs on to the network. Creating your own policies should be done with great care, and you should implement them cautiously to avoid problems.

Installing the System Policy Editor

To install the System Policy Editor, locate the \Tools\Admin\Poledit directory on the Windows 98 CD-ROM. Copy the entire contents to a location from where you want to run the Policy Editor. It's a good idea to locate this destination directory on a network server where only Administrator-level accounts can access it.

After selecting which policy templates to use, you then create a new policy file and choose the default policies for users and computers. After doing this, you can create specific users, computers, and groups and assign them policies that are unique from the defaults. Finally, you save the CONFIG.POL file from the System Policy Editor.

Use the following steps to create a sample policy file using the Policy Editor:

1. Open the Policy Editor by running the POLEDIT.EXE program (double-click on it or start it in any other fashion).

2. Choose at least one policy template. Pull down the Options menu and choose Policy Template. You see the dialog box shown in Figure 7.3.

Figure 7.3

Selecting policy templates with the Policy Template Options dialog box.

3. Click the Add button. You see a standard file selection dialog box. Choose the file WINDOWS.ADM from the directory where you copied all of the Policy Editor files. Click OK to close the dialog boxes you opened and return to the Policy Editor.

4. Access the File menu and choose New Policy. A standard policy is then created based on the installed policy templates, with a default user and default computer initialized, as shown in Figure 7.4.

5. Double-click on the Default Computer icon, which shows you the Default Computer Properties dialog box (see Figure 7.5), which somewhat resembles the Windows 98 Registry Editor. Using the plus signs and subfolders, you select each policy in turn and set it as needed. Perform the same actions with the Default User Properties. (Computers and users have different possible policies from which you can choose).

Figure 7.4

Creating a New Policy file starts with a default user and computer.

NOTE: You learn details of using the System Policy Editor in a succeeding section of this chapter called "Using the System Policy Editor."

Figure 7.5

The Default Computer Properties dialog box with a sample policy selected.

After setting all of the policies in the Policy Editor, use its File, Save As command to save a file called CONFIG.POL. This is the policy file, which you apply to the network in the following section.

Applying the Policy File to the Network

The network clients included with Windows 98 for NetWare and Windows NT networks support automatic downloading of the CONFIG.POL file from the user's logon server. For NetWare servers, place the CONFIG.POL file in the SYS:PUBLIC directory of each user's preferred server (to which all users should already have read and file scan rights necessary for them to read the policy file). Also, NetWare 4.x servers must have Bindery Emulation Support turned on. For Windows NT networks, place the file in the \NETLOGON\ directory of the Primary Domain Controller.

Before doing this, however, there are a number of things you will need to consider and test:

As soon as you place the CONFIG.POL file in the necessary directory, any Default User or Default Computer Policies will automatically be applied to any user who logs on afterwards. You should first test your desired System Policies with a few computers and users. Consider deleting the Default User and Default Computer policy settings and instead creating some sample policies for a few specific users and specific computers. This will enable you to test how well your policies are working before deploying them widely.
You may want to test the CONFIG.POL file on the network after hours, when most users aren't present, using some test accounts to ensure that they are working correctly.

TIP: You should create a User account in the System Policy Editor with a username that matches your administrative logon name (such as Admin, Administrator, or Supervisor) that has no System Policy restrictions placed on it. This provides you with a "back door" in case you create System Policies that are too restrictive; your administrative account won't then be restricted.

On Windows NT networks the CONFIG.POL file is automatically downloaded only from the Primary Domain Controller (PDC). If you have a large network, the reading of this file can create logon bottlenecks. You can solve this by enabling a System Policy called Load Balancing. After enabling Load Balancing, you must manually copy the CONFIG.POL file to all of your Backup Domain Controllers (BDCs), and users will then get their CONFIG.POL from any controller they use to log on to the network. This does mean that you must manually keep all of the CONFIG.POL files on the PDC and BDCs in sync, so keep this in mind.
To turn on Load Balancing, make sure that WINDOWS.ADM is one of the selected policy templates. Open a computer policy, and then select the policy path \Windows 98 Network\Update\Remote Update. In the policy that appears, click the Load-Balance checkbox.
On NetWare networks, you must set the Preferred Server setting in the Network Client's properties (right-click on Network Neighborhood and choose Properties, then open the client's settings and set this). The CONFIG.POL file must be stored in each server's SYS:PUBLIC directory that a user has defined as a preferred server. (In other words, if you have three servers that different groups use as their preferred servers, you'll need to make sure that CONFIG.POL is in the SYS:PUBLIC directory for each of those three servers, and that you keep all copies in sync.)
Most important, you'll want to carefully evaluate the impact that your proposed policy settings have on a set of test users, and make sure that you haven't adversely affected their productivity with the policies you've set.

You can also configure System Policies to download from a manual location (a directory that you specify). You might need to do this, for instance, if you are using network client software that doesn't support automatic policy downloading at logon, such as computers using NetWare VLM drivers, or some other type of network client. Unfortunately, you must make this setting manually on each computer that will use System Policies in this scenario. To cause System Policies to be downloaded from a manual location, follow these steps:

1. Start the System Policy Editor on the computer that you want to set to a manual download location.

2. Ensure that the WINDOWS.ADM template is selected in Options, Policy Template.

3. From the File menu, choose Open Registry. This opens the local computer's Registry.

4. Open the Default Computer icon, and then open the /Windows 98 Network/Update/Remote Update/ policy. You'll see the policy setting shown in Figure 7.6.

5. Use the drop-down list to choose the Manual option, and then type the path where you will locate the system policy file (CONFIG.POL).

Figure 7.6

Setting a Manual Download Location.

6. Close the Default Computer properties dialog box and then choose Save from the Policy Editor's File menu. This saves your setting to the local Registry.

After completing the preceding steps on a particular computer, restart the system. The CONFIG.POL file will be read from the location you specified after the system has logged on using the network client it's set up to use.

NOTE: When using a manual download location, make sure to set the same manual download location in the CONFIG.POL file that each user accesses when he actually logs on, to continue to enforce this particular policy.

Using the System Policy Editor

You use the System Policy Editor (POLEDIT.EXE) to create and maintain System Policies. The Policy Editor can work with policies in a variety of ways, enabling you to create new policy (*.POL) files, open existing policy files, open the local computer's Registry for direct policy-based Registry modification, or even open a remote computer's Registry for direct modification.

Before using the Policy Editor, you first have to choose which policy templates you want to use. This is true no matter how you want to use the Policy Editor; policy templates "teach" the Policy Editor which policies to display and edit. Policy templates are files that define the possible choices you can make with the Policy Editor--in other words, the policies from which you can choose. The Policy Editor comes with a number of different template files (*.ADM files) that define policies in different areas, and you can also create your own. Policy template files are ASCII text files that describe each policy, the choices available, and the associated Registry settings that must be applied to enable the policy.

TIP: Applications designed to run in a corporate environment on Windows 9x or Windows NT often include their own policy template files that you can use to customize their behavior. Simply apply their .ADM files to the Policy Editor in the same way as with the templates that come with the Policy Editor.

To choose policy template files in the System Policy Editor, access the Policy Template command from the Editor's Options menu. Using the resulting dialog box, click the Add button to add new templates to the Policy Editor.

In the same directory that contains the Policy Editor you will find a number of policy template files from which you can choose:

CHAT.ADM offers policies that control Microsoft Chat (formerly Comic Chat), one of the tools that comes with Internet Explorer 4 and that is used for IRC chat sessions over the Internet.
COMMON.ADM is a blank policy template file that you can modify to contain your own policies.
CONF.ADM contains policies for Microsoft NetMeeting, an Internet-based group collaboration application.
INETRES.ADM holds policies that can restrict changes to Internet Explorer's settings through the Internet Control Panel.
INETSET.ADM holds policies that can restrict other (non-Control Panel) settings for Internet Explorer.
OE.ADM contains policies for Outlook Express.
PWS.ADM contains policies that can enable or disable running Personal Web Server under Windows 98.
SHELL.ADM has policies that control access to the Windows 98 shell, known as Explorer.
SUBS.ADM has policies that control Internet subscriptions through Internet Explorer 4.
WINDOWS.ADM contains the largest number of possible policies, and controls many fundamental aspects of how Windows 98 operates for users and which features they can access.

When you choose templates for the Policy Editor, you should choose only the templates that apply for your organization. For example, if you never install Microsoft NetMeeting on user desktops, there is no need to apply the CONF.ADM policy template file. While including all of the templates is possible (and in some cases necessary), remember that the CONFIG.POL file that you create will have all of the policies in it that are part of the chosen templates. Including templates that you don't need will slow the processing of the CONFIG.POL file unnecessarily.

TIP: By using the information in the later section "Understanding and Creating Policy Templates," you can remove individual policies from the policy template files that you don't want or need, which further speeds the processing of the CONFIG.POL file for your users.

There are four ways that you can use Policy Editor after you have selected the appropriate template files:

Create an entirely new set of policies, which results in a saved .POL file (typically CONFIG.POL).
Open an existing .POL file for editing.
Open the local computer's Registry, retrieving the current settings that correspond to the defined policies.
Open a remote computer's Registry to make direct changes to the settings that correspond to its defined policies.

To create a new set of policies, choose New Policy from the File menu. To open an existing set of policies, choose Open Policy from the File menu. To retrieve the current computer's Registry, choose Open Registry from the File menu.

If you want to open a remote computer's Registry, use the Connect command in Policy Editor's File menu. Any remote computer that you want to work with in this fashion must have Remote Registry Services installed and running, as does the computer from which you want to make the changes. You can acquire the Remote Registry Services as part of the Windows 98 Resource Kit utilities.

Figure 7.7 shows the Policy Editor open after choosing to create a new set of policies. (Policy Editor works the same way, using any of the four policy modification methods.) As you can see, a Default User and Default Computer are automatically created.

Figure 7.7

Creating new policies in Poliy Editor.

Different policies exist for both users and computers. Open either the Default User or Default Computer icon to view the policies possible. Figure 7.8 shows the Default User open, along with a policy selected.

Figure 7.8

The Default User Properties enables you to modify user-based System Policies.

There are three possible states for each policy:

A checked box means that the policy will be applied as being true (such as the Remove Folders from `Settings' on Start Menu Policy in Figure 7.8).
A grayed box means that the policy will be ignored; any user-chosen settings will not be changed when the policy is applied during logon (see the Remove `Run' Command Policy in Figure 7.8).
A clear box means that the policy will be cleared; if the user has set it himself, the policy will be unselected when he next logs on and the policy file is applied (see the Remove Taskbar from `Settings' on Start Menu Policy in Figure 7.8).

Some policies require only that you select one of the three possible states, while others require additional information. For example, Figure 7.9 shows the Restrict Display Control Panel policy with a number of checkboxes that also must be chosen in the Settings window. Some other policies--for instance ones that cause a particular BMP to load as desktop wallpaper--might require other information, such as a path and filename.

Creating Specific User and Computer Policies

You can create policies for specific users and computers with the Policy Editor. When a policy file is processed during logon, Windows 98 first checks to see if there is a policy for the user logging on; if so, that policy is applied. If there is no specific policy for the user, then the Default User Policy is applied.

To create a specific user policy, open the Edit menu and choose Add User. You see the Add User dialog box shown in Figure 7.10. Type the name of the user that he uses as his logon name (it must match exactly, but is not case-sensitive) and click OK to create the user. You can then open the user's policy settings by double-clicking on the User icon in Policy Editor and set the individual policies as needed.

Figure 7.9

Some policies require additional settings.

Figure 7.10

Using the Add User dialog box in Policy Editor.

You can also create policies for specific computers on the network. Similar to how users are processed, when a Windows 98 computer logs on to the network and processes the policy file, it checks to see if there is a policy defined for the specific computer; if not, the Default Computer Policy is applied. Windows 98 uses the computer name specified in Network Neighborhood's properties dialog box for this purpose. To set a computer's name (or see what it is set to), right-click on Network Neighborhood and choose Properties from the pop-up menu. Then move to the Identification tab as shown in Figure 7.11.

Figure 7.11

The Computer Name field on the Identification tab must match the computer name in Policy Editor.

To create a specific computer policy in Policy Editor, access the Edit menu and choose Add Computer. You see the Add Computer dialog box. Type the name of the computer as it appears on the Identification tab in Network Neighborhood's properties, or click the Browse button to choose from the computers logged on to the network (see Figure 7.12).

Figure 7.12

Use Add Computer to type a computer's name, or use the Browse dialog box to locate it on the network.

TIP: Here's a timesaver: If specific computers and users contain slight modifications of the policies in Default Computer and Default User, set the policies for Default Computer and Default User first. The policies contained in Default Computer and Default User are copied to new specific Computer and User Policies that you create.

Creating Group Policies

If you want to set different policies for different groups of users, and want to avoid having to maintain separate policies for individual users, you can use Group Policies. Group Policies let you set policies for network groups (either Windows NT or NetWare groups can be used). When you have installed support for Group Policies in Windows 98 (see the earlier section "Enabling Group System Policies"), then the processing of the policy file works like this at logon time:

Is there a user-specific policy defined? If so, it is processed and no other user- or group-type policies are processed.
Are there Group Policies defined for groups to which this user belongs? If so, all Group Policies that apply to the user are processed, in an order that you specify, and no other user- or group-type policies are processed.
If there is no user-specific policy and no Group Policies that apply for the user, then the Default User Policy is processed.

The first thing you do to use Group Policies is to create the groups in Policy Editor. From the Edit menu, choose Add Group. In the resulting Add Group dialog box, type the exact name of the group as it exists on the network. After creating all of the groups you want to use, you can then set the policies for each group, and then define their priority in Policy Editor.

You assign a processing priority to groups in Policy Editor. When a user logs on, the policies in each group to which they belong are processed, using the processing priority that you set. Higher-priority Group Policies overwrite lower-priority Group Policies, so the processing priorities that you set are vital to making sure that each group member ends up with the appropriate set of policies.

To set Group Policy processing priority, access the Options menu in Policy Editor and then choose Group Priority. You see the Group Priority dialog box shown in Figure 7.13. Select each group in turn and then use the Move Up and Move Down buttons to position the group relative to the others. Higher-priority groups are processed after lower-priority groups. Generally, less restrictive policy groups should be set to a higher priority than more restrictive policy groups. For example, you would set the policy group for Administrators to be higher than Users. Otherwise the Users Group Policy settings will override the Administrators settings when members of the Administrators group log on.

Figure 7.13

Use the Group Priority dialog box to set the processing priority for Group Policies.

Understanding and Creating Policy
Templates

Windows 98 comes with a number of policy templates that you can use. Often, however, you will need to create your own policies. You do this when you want to apply one or more Registry changes to users or computers as they log on to the network. For example, perhaps there is a particular application that you use on your network, and you want to prevent a particular configuration choice that often causes problems. Since the configuration choice is stored in the Registry, you must create a policy that forces the proper choice each time a user logs on. To do this, follow these steps:

1. Determine the Registry settings that are needed.

2. Create a new policy template that contains the proper Registry settings.

3. Apply the new policy template to the CONFIG.POL file with the Policy Template command.

4. Set the policy for each user, computer, or group that needs it.

Policy template files are in plain ASCII text and are easy to create and modify after you understand how they work (they're a bit like a Registry programming language). You can look at existing policy templates (.ADM files) in the Policy Editor directory for examples of how they work. Figure 7.14 shows a sample policy template file open in Notepad.

Figure 7.14

The WINDOWS.ADM file open in Notepad illustrates how policy templates work.

Policies defined in a template follow this structure:

CLASS class_type
    CATEGORY category_name
    KEYNAME Registry_key
        POLICY policy_name
            KEYNAME Registry_key
            PART part_name part_type
                KEYNAME key_name
                VALUENAME value_name
            END PART
        END POLICY

    END CATEGORY

The following sections detail each of these keywords and show you how they work.

CLASS

You precede all policies with the class type. There are two possible classes in a policy template: USER and MACHINE. The USER class automatically applies all policies following the keyword to HKEY_CURRENT_USER and contains user- and group-type policies. The MACHINE class applies all policies following the keyword to HKEY_LOCAL_MACHINE and contains Computer Policies. There are only two forms of the CLASS keyword, as follows:

CLASS USER
CLASS MACHINE

Simply place the CLASS keyword above all policies for that class. No class-ending keyword is used.

POLICY

The POLICY keyword specifies an actual policy. It is immediately followed by the policy name, which must be surrounded with quotes if it contains spaces. Within each POLICY, you can optionally specify any PARTS (which gather additional information about the policy). POLICY statements cannot be nested, although they can exist at any CATEGORY level.

Within each POLICY (and PART, if needed) you can specify KEYNAME and VALUENAME settings. Each KEYNAME corresponds to a Registry key, while each VALUENAME corresponds to a value setting within the preceding key. For example, here is a simple POLICY statement in pseudocode:

POLICY "My Policy"
    KEYNAME Registry_key_path
    VALUENAME Setting_name
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0

END POLICY

Each POLICY statement must have a corresponding END POLICY statement. Also, note that you can have multiple KEYNAME and VALUENAME statements for each policy (in other words, a single policy can modify as many Registry settings as needed).

PART

PART statements exist within POLICY statements. A PART is an extra choice or setting for the POLICY. For example, if you have a policy that requires a network pathname as an additional parameter if the policy is enabled, you would gather this additional information through the PART statement. Here is a pseudocode example:

POLICY "My Policy"
    PART "Path Name" EDITTEXT
        VALUENAME Setting_name
        MAXLEN 255
        DEFAULT "F:\PUBLIC\filename.ext"
    END PART

END POLICY

In the preceding example, Setting_name is the Registry value that will be filled with whatever is typed into the edit box of the Policy Editor for this policy. The following two statements, MAXLEN and DEFAULT modify the EDITTEXT control for the PART statement.

Each PART statement has a name and a type. The name can be anything you wish, and is used to describe the control. The type is the type of control that you can use. Possible part controls are as follows:

CHECKBOX
NUMERIC
EDITTEXT
COMBOBOX
TEXT
DROPDOWNLIST
LISTBOX

Each different part control type can have additional settings that you can use with it. Table 7.1 shows all of these modifiers.

Table 7.1 Part Control Modifiers

Part Type	Modifier	Description
CHECKBOX	DEFCHECKED	The checkbox is selected (on) by default.
	VALUEON	Overrides the default behavior when the checkbox is selected.
	VALUEOFF	Overrides the default behavior when the checkbox is unselected.
	ACTIONLISTON	Contains a list of actions (Registry changes) if the checkbox is selected.
	ACTIONLISTOFF	Contains a list of actions if the checkbox is unselected.
NUMERIC	DEFAULT x	Sets the default value.
	MIN x	Sets a minimum acceptable value.
	MAX x	Sets a maximum acceptable value.
	SPIN x	Creates a spin control for the numeric value, where x is the increment for each click of the spin control.
	REQUIRED	Causes Policy Editor to require a value.
	TXTCONVERT	Writes the entered or selected numeric value as a string instead of a number (for example, "101" instead of 101).
EDITTEXT	DEFAULT x	Sets the default string.
	MAXLEN x	Sets the maximum length of the entered string.
	REQUIRED	Causes Policy Editor to require a string value.
COMBOBOX	SUGGESTIONS	In addition to accepting all the modifiers of EDITTEXT, you can use the SUGGESTIONS keyword, which lets you build a list for the ComboBox. End the list of suggestions with an END SUGGESTIONS keyword. Also, any suggestions that contain spaces must be surrounded with quotes.
DROP-DOWNLIST	REQUIRED	Causes Policy Editor to require a selection.
	ITEMLIST	Builds a list of selections for the DropDownList box. Each item is specified with a NAME keyword and a VALUE keyword, which correspond to the visible name in the DropDownList box and to the value that will be chosen for each name. Optionally, you can specify an ACTIONLIST after each NAME/VALUE combination. End the list with the END ITEMLIST keyword.
LISTBOX	VALUEPREFIX x	Sets a prefix that will be prepended to each entered value.
	EXPLICITVALUE	Creates a two-column list box into which the user of Policy Editor enters both a value name and corresponding value.
	ADDITIVE	Values entered into the list box will be added to the values already present in the Registry.

Strings and Comments

You can define string substitution in a policy template file to make it easier to read and maintain the file. You define these substitutions by creating a section at the bottom of the file with the keyword [strings]. Within that section, each string is defined as StringName=Actual string value. For instance, the following defines two strings:

[strings]
NW4="Netware 4.x"

WNT="Windows NT Server"

After defining the string substitutions, you access them with the !! operator (two exclamation points) in front of a string name to automatically replace the string name with one defined at the bottom of the policy file. For example, you could use this statement:

CATEGORY !!NW4

In this example, the category will actually display as "NetWare 4.x" in the Policy Editor instead of NW4.

You can (and should) include comments in your policy template files. Simply precede a line with a semicolon (;) and that line will be ignored, such as in the following example:

; This line is a comment and will not be processed

Example Policy Template File

Using the information in the foregoing sections, examine the following policy template file, which is the OE.ADM file that comes with the Windows 98 Policy Editor and contains policies for Outlook Express. It illustrates most of the possible controls, and shows you how a complete policy template file should look after it is complete.

; oe.adm
;
;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS USER ;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;
CATEGORY !!OutlookExpress
    KEYNAME "Software\Microsoft\Outlook Express"
    POLICY !!Zones
        PART !!RestSite CHECKBOX
        VALUENAME "Security Zone"
        VALUEON NUMERIC 4
        VALUEOFF NUMERIC 3
        END PART
    END POLICY
    POLICY !!HTMLMail
        PART !!DisableHTMLinMail CHECKBOX
        KEYNAME "Software\Microsoft\Outlook Express\Mail"
        VALUENAME "Message Send HTML"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
        END PART
        PART !!DisablePlaininNews CHECKBOX
          KEYNAME "Software\Microsoft\Outlook Express\News"
        VALUENAME "Message Send HTML"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY
CATEGORY !!OENav
    KEYNAME "Software\Microsoft\Outlook Express\"
    POLICY !!Navigation
        PART !!OutlookBar CHECKBOX
        VALUENAME "OutBar"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
        END PART
        PART !!FolderView CHECKBOX
        VALUENAME "Tree"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
        END PART
        PART !!FolderBar CHECKBOX
        VALUENAME "FolderBar"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
        END PART
        PART !!TipofDay CHECKBOX
        VALUENAME " of the Day"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
        END PART
    END POLICY
END CATEGORY
[strings]
OutlookExpress="General Settings"
OENav="View Customization"
ServerSettings="Mail, news, and directory server settings"
Zones="Mail and news security zones"
RestSite="Put mail and news in the Restricted Sites zone (instead of the Internet �zone)"
HTMLMail="HTML mail and news composition settings"
DisableHTMLinMail="Mail: Make plain text message composition the default for mail �messages (instead of HTML mail)"
DisablePlaininNews="News: Make HTML message composition the default for news posts �(instead of plain text)"
Navigation="Folder and Message Navigational Elements"
OutlookBar="Turn on Outlook Bar"
FolderView="Turn off Folder List (tree view of folders)"
FolderBar="Turn on Folder Bar (horizontal line that displays the selected folder's �name)"
TipofDay="Turn off the  of the Day"
IEAK_Title=Outlook Express
IEAK_DescriptionTitle=Outlook Express Policy Settings and Restrictions
IEAK_Description1=Outlook Express provides system policies designed to reduce mail �and news support costs.
IEAK_Description2=Outlook Express uses Internet Explorer 4.0's security zones. �Normally, all user mail is placed in the Internet zone, where users are prompted �before potentially dangerous active content is run. However, you can place 
Outlook �Express mail and news in the Restricted Sites zone. The default settings for the �Restricted Sites zone prohibit running almost all active content (the user will be �protected from the content without any prompts).
IEAK_Description3=By default, Outlook Express composes mail messages in HTML and �news messages in plain text. You are strongly encouraged to retain these settings.
IEAK_Description4=Outlook Express allows you to customize your default view for �consistency with the configuration of other programs familiar to your users.
[IEAK]
Lock=1
Roles=011
NumOfDescLines=4

Base Policies in WINDOWS.ADM

Windows comes with a policy template called WINDOWS.ADM that contains most of the policies that you would ever want to use. Tables 7.2 and 7.3 list all of the policies available with WINDOWS.ADM for your review as you plan the policies you want to implement.

Table 7.2 WINDOWS.ADM Computer Policies

Policy
Windows 98 Network/Access Control
User-level Access Control	Enables user-level access control
Windows 98 Network/Logon
Logon Banner	Displays a custom logon banner
Require Validation from	Requires that the network server validate the user to access
Network for User Access	the local Windows 98 computer
Don't Show Last User at	Doesn't display the last username in the Logon dialog box
Logon
Windows 98 Network/Password
Hide Share Passwords with Asterisks	Hides shared file and printer passwords with asterisks
Disable Password Caching	Turns off password caching; passwords must be typed for each network resource accessed
Minimum Windows Password Length	Requires Windows passwords of a certain length
Preferred Server	Sets preferred server for NetWare networks
Windows 98 Network/Microsoft Client for NetWare Networks
Support Long Filenames	Specifies long filename support for NetWare networks
Disable Automatic NetWare	Disables default passwords for NetWare networks
Login
Preferred Tree	Sets preferred NDS tree for NetWare networks
Windows 98 Network/NetWare Directory Service
Default Name Context	Sets default name context for NetWare networks
Load NetWare DLLs at Startup	Loads NetWare-specific DLLs at startup
Disable Automatic Tree Login	Disables automatic NDS tree logon
Enable Login Confirmation	Causes NDS logons to be confirmed
Don't Show Advanced Login Button	Takes away the ability to choose different NetWare logon types, such as a bindery logon
Default Type of NetWare Login	Sets NetWare logon type to NDS or bindery
Don't Show Servers that aren't NDS Objects	Hides bindery-only servers
Don't Show Peer Workgroups	Hides any peer workgroup servers
Don't Show Server Objects	Hides servers
Don't Show Container Objects	Hides NDS containers
Don't Show Print Queue Objects	Hides print queues
Don't Show Volume Objects	Hides volumes
Windows 98 Network/Microsoft Client for Microsoft Networks
Log On to Windows NT	Forces a logon domain; also can disable password caching
Workgroup	Forces a Workgroup name
Alternate Workgroup	Forces an alternate Workgroup name
Windows 98 Network/File and Printer Sharing for NetWare Networks
Disable SAP Advertising	Disables advertising file and printer sharing from workstations
Windows 98 Network/File and Printer Sharing for Microsoft Networks
Disable File Sharing	Disables file sharing
Disable Print Sharing	Disables printer sharing
Windows 98 Network/Dial-Up Networking
Disable Dial-In	Disables dial-in to clients
Windows 98 Network/Update
Remote Update	Controls how System Policies updated for the client are computer
Windows 98 System/User Profiles
Enable User Profiles	Activates User Profiles
Windows 98 System/Network Paths
Network Path for Windows Setup	Path for the Windows 98 setup files
Network Path for WindowsTour	Path for the Windows 98 Tour files
Windows 98 System/SNMP
Communities	Defines SNMP communities to which the client belongs
Permitted Managers	Defines permitted SNMP managers by IP or IPX address
Traps for `Public' Community	Sets target addresses to which traps will be reported
Internet MIB	Specifies the contact name and location for the Internet SNMP MIB
Windows 98 System/Programs to Run
Run	Defines programs that will be when the user logs on run
Run Once	Lets you define a temporary program to run; you must
	change this policy after the program is run by the logged-on user
Run Services	Defines programs that will be when the system starts run
Windows 98 System/Install Device Drivers
Digital Signature Check	Forces a signature check of being installed; you can drivers choose to permit all drivers or only Microsoft drivers, or to warn when non-Microsoft drivers are installed

Table 7.3 WINDOWS.ADM User and Group Policies

Policy	Description
Windows 98 Network/Sharing
Disable File Sharing Controls	Prevents access to file-sharing controls
Disable Print Sharing Controls	Prevents access to printer-sharing controls
Windows 98 System/Shell/Custom Folders
Custom Program Folder	Defines a custom folder for the Programs folder in the Start menu
Custom Desktop Icons	Defines a path from which desktop icons will be loaded
Hide Start Menu Subfolders	folder is loaded, hides other Program subfolders that otherwise will appear
Custom Startup Folder	Defines a custom Startup folder
Custom Network Neighborhood	Defines a custom Network Neighborhood folder
Custom Start Menu	Defines a custom Start menu folder
Windows 98 System/Shell/Restrictions
Remove Run Command	Removes the Start menu's Run command
Remove Folders from Settings on Start Menu	Removes Settings subfolders
Remove Taskbar from Settings on Start Menu	Removes the Taskbar settings from the Settings folder
Remove Find Command	Removes the Find command from the Start menu
Hide Drives in My Computer	Hides all My Computer drives
Hide Network Neighborhood	Hides the Network Neighborhood object on the desktop
No Entire Network in	Hides the Entire Network entry in Network
Network Neighborhood	Neighborhood
No Workgroup Contents in	Hides any Workgroup-type entries in Network
Network Neighborhood	Neighborhood
Hide All Items on Desktop	Hides all desktop items
Disable Shutdown Command	Removes the Shutdown command from the Start menu
Don't Save Settings at Exit	Prevents any changed settings from being saved
Windows 98 System/Control Panel/Display
Restrict Display Control Panel	Prevents opening of the Control Panel
Windows 98 System/Control Panel/Network
Restrict Network Control Panel	Disables various features of the Network Control Panel (selectable within the policy)
Windows 98 System/Control Panel/Passwords
Restrict Passwords Control	Disables various features of the Passwords Control Panel
Panel	(selectable within the policy)
Windows 98 System/Control Panel/Printers
Restrict Printer Settings	Disables various features of workstation printer management (selectable within the policy)
Windows 98 System/Control Panel/System
Restrict System Control Panel	Disables various features of the System Control Panel (selectable within the policy)
Windows 98 System/Desktop Display
Wallpaper	Defines a specific wallpaper file
Color Scheme	Defines a specific color scheme
Windows 98 System/Restrictions
Disable Registry Editing Tools	Disables Registry Editor and Policy Editor from being run
Only Run Allowed Windows	Defines allowed applications within the policy
Applications
Disable MS-DOS Prompt	Prevents access to the MS-DOS prompt
Disable Single-Mode MS-DOS Applications	Prevents MS-DOS mode