Troubleshooting and Configuring the Windows NT/95 Registry
Chapter 31: Managing Domain Computers with System Policy Editor

It has never been easier to manage hundreds of computers. System Policy Editor allows you to configure settings for individual computers or for every computer in your entire network. System Policy Editor focuses primarily on performance and security. In this section, you will look at all of the possible settings in System Policy Editor in COMMON.ADM and WINNT.ADM. After that, you will look at the conflict between the settings of a named computer and those of the Default Computer. Then comes the best part: you will learn which settings you should use. The settings are listed with the category, policy, and part separated by forward slashes, like this: Network/System Policies Update/Remote Update.
For every item in System Policy Editor, there are three possible settings (see Figure 31.1): Ignore, Activate, and Deactivate. Figure 31.1. Three types of entries in System Policy Editor.
If the check box is checked, as the Permitted managers check box appears in Figure 31.1, the setting is activated: the necessary keys and/or values are added to the Registry if they are not already there. If the check box is cleared, as the Traps for Public community check box appears in Figure 31.1, the setting is deactivated regardless of the previous setting; keys and/or values may be written to force the setting to an off position. If the check box is grayed, the setting is ignored: nothing is written, and whatever is already in the Registry stays. Note that both Activate and Deactivate write to the Registry at every logon, so a value that an administrator sets by hand on one machine is overwritten at the next logon unless the policy that applies to that machine leaves the item at Ignore.
Computer Policies in COMMON.ADM

Computer-related policies in COMMON.ADM are relatively few because the underlying functions of Windows NT and Windows 95 are very different. Many more of the computer-related items are in the template files specific to NT and 95.

Network/System Policies Update/Remote Update

The ability to set a specific location and policy filename is critical in three different cases:
Windows NT looks in the NETLOGON share for NTCONFIG.POL. Windows 95, on the other hand, looks in NETLOGON for CONFIG.POL. If the policy file will have a different name or be in a different location, you can change the location where Windows NT looks and the filename for which it searches.
The Remote Update setting is a little deceptive, in that it says Manual in the Update mode. There is nothing manual about the update: the Registry is still updated automatically at logon. Manual only means that the policy file is fetched from the path you specify instead of from the NETLOGON share of the domain controller that validates the logon. Enter the path as shown in Figure 31.2. Because every computer that reads this file writes its contents into its own Registry, guard the share that holds it as carefully as a domain controller's NETLOGON share: give users read-only access and restrict write access to administrators. Figure 31.2. Setting a location for NTCONFIG.POL.
Figure 31.3. Enabling load balancing for better performance.
System/SNMP/Communities

SNMP (Simple Network Management Protocol) is used to get and set status information about a host on a TCP/IP network, including data about the user, the physical location of the host computer, and the services running on the host. (See Figure 31.4.) Figure 31.4. SNMP options in COMMON.ADM.
This setting lists the community names the SNMP agent on the computer will accept. You may list as many as you want. A community name is the only credential in SNMP version 1, and it crosses the network in clear text, so do not leave the well-known default public on a machine you need to protect, and treat any community name you do use as a password.

System/SNMP/Permitted Managers

You can list the management stations from which the SNMP agent will accept requests (both Get and Set); requests from any other host are dropped. Valid entries are IP addresses and host names. If the list is empty, the agent answers any host that presents a valid community name, so fill it in on every computer that runs the SNMP service.

System/SNMP/Traps for Public Community

A trap is a message the SNMP agent sends on its own, without a request, to report an event such as a service starting or an authentication failure (a request that arrived with a community name the agent does not accept). This setting lists the management stations that receive the traps the agent sends with the community name public. Add the IP addresses or host names of the stations that should receive them. An authentication-failure trap arriving at your management station is an early sign that someone is probing the host with guessed community names.

System/Run/Run

The Run function is used to set items to be run at startup. It's better to use the Run function than to use the Startup group because disabling a Run entry requires a Registry change, and most users are not able to make those changes, so the likelihood of the application running as intended is much higher. The value name (as shown in Figure 31.5) is only a label that identifies the entry; the value's data is the command line that actually runs. After the policy is in place, the Registry for that system is updated, as shown in Figure 31.6. Because anything listed here runs for every user who logs on to the computer, review the list in the policy file regularly, and make sure the programs it points to sit in directories ordinary users cannot write to.
Figure 31.5. Adding items to be run at startup. Figure 31.6. Items entered in the System Policy Editor Run function update the Registry.
Computer Policies in WINNT.ADM

The policies in WINNT.ADM are much more specific than those in COMMON.ADM. Some of the policies in WINNT.ADM are very similar to those in WINDOWS.ADM; the main difference between the two is the location of the Registry entry.

Windows NT Network/Sharing/Create Hidden Drive Shares (Workstation or Server)

By default, NT creates hidden shares (also called administrative shares) for the root of every fixed disk drive on every NT system, named after the drive letter with a dollar sign appended (C$, D$, and so on), plus ADMIN$ for the system root directory. (See Figure 31.7.) These shares do not appear in browse lists, and a connection to them is accepted only for a member of the Administrators group (on a server, the Backup Operators and Server Operators groups as well). A user who is not logged on with such an account can still reach them by supplying an administrator's account name and password in Map Network Drive (seen in Figure 31.8) and typing in the name of the share (\\SERVER1\C$, for instance). Figure 31.7. Changing administrative share status. Figure 31.8. Using an administrative share to gain access to a nonshared resource.
After the correct password is supplied, the root directory and all subdirectories and files are accessible even if they have not been shared in the normal way, subject only to the NTFS permissions on them. The default for NT is always to create these shares. This entry is used in System Policy Editor to disable their creation, which requires you to clear the check box; it sets AutoShareWks (on a workstation) or AutoShareServer (on a server) to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and the change takes effect the next time the Server service starts. Weigh the benefit before turning the shares off: many remote administration tools depend on ADMIN$ and the drive shares, and an attacker who already holds an administrator's password can simply create a share of his own. The IPC$ share is not affected by this setting.
Windows NT Printers/Disable Browse Thread on this Computer

By enabling this setting at a specific system, that computer's printer shares no longer appear in the browse list in Connect Network Printer. The printers may still be accessed, but the name of the printer must be entered in order to do so. This hides the printers from casual browsing; it is not access control, so set permissions on the printer shares as well. (See Figure 31.9.) Figure 31.9. Removing the printer name from other browse lists.
Windows NT Printers/Scheduler Priority

Set the priority of this computer's print spooler threads above or below normal with this setting. Spooler threads compete with foreground and background application threads for the processor, and the thread with the higher priority is scheduled first. Boosting the priority gets print jobs done faster, but application performance on that computer may suffer; set it above normal on a dedicated print server and leave it at normal, or set it below, on a workstation that someone works at. (See Figure 31.10.) Figure 31.10. Priority scheduling for print processes.
Windows NT Printers/Beep for Error Enabled

What an annoying thought: every time there is an error, even a simple timeout error, the system beeps at you. On a workstation you might not want the system to beep at you for print errors. On the other hand, if you are not sitting at the print server, you might not know there is a problem. Your user would wonder why the print job didn't work, and send another, and another, and another, assuming that he must have done something wrong in the way it was sent. Figure 31.11 shows the setting to turn the error beep on. Figure 31.11. Turn on the error beeping at an unmanned print server.
Windows NT Remote Access/Max Number of Unsuccessful Authentication Retries

This is one of the best ways to slow down an intruder who dials in and guesses passwords. If the caller does not type the password correctly within the specified number of tries, the line is dropped. This setting is made at the RAS server only. (See Figure 31.12.) Keep in mind that it limits guesses per call, not per account: a caller who has been disconnected can simply redial. Pair it with the account lockout settings in User Manager for Domains (Policies | Account), which count failed attempts across calls, and watch the Security log (with logon auditing turned on) for repeated failures against the same account. Figure 31.12. How many times will it take to get it right?
Windows NT Remote Access/Max Time Limit for Authentication

When set at the RAS server, this setting determines how long the caller has to enter a password and attempt a logon before the line is dropped. It can be a valuable security item because a user who knows his password is more likely to enter it quickly than one who is guessing. The default time is 20 (seconds), but don't set it below 7, or your user may not be able to respond in time. (See Figure 31.13.) Figure 31.13. Setting the maximum time for user input at logon.
Windows NT Remote Access/Wait Interval for Callback

One security option is to have the server call the client back. If the user is not at the expected number, he won't be able to connect, so a stolen password alone is not enough. Callback can be set up on a user-by-user basis in User Manager for Domains. This is set only on the RAS server, and the default setting of 2 (seconds) is usually sufficient except when the delay in resetting the modem after disconnection is too long. In that case, increase this number. (See Figure 31.14.) Callback is a security measure only when the number is preset by the administrator; if the caller is allowed to supply the number at connect time, it only shifts the cost of the call to the company. Figure 31.14. How long should I wait before calling back?

Windows NT Remote Access/Auto Disconnect

The autodisconnect is critical for freeing incoming telephone lines. If there is no activity across the line for 20 minutes, RAS hangs up. Change this value to increase or decrease this amount of time. In a high-demand environment, you may want to decrease it. (See Figure 31.15.) Figure 31.15. If there is no active traffic, end the connection.
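The settings above all end up as ordinary Registry values, so the quickest way to confirm that a policy file actually did its job on a given computer is to export the relevant keys with REGEDIT and check the export. The script below is an added example written for this chapter, not code from the book: it parses a REGEDIT4 export and flags the SNMP, hidden share, RAS retry, and Run settings discussed above. Both exports are constructed samples, not captures from a real machine; the key paths are the NT 4 locations these policies write to, and the two spellings of the community list (value name on NT 4 SP4 and later, string data before that) are my own summary, so compare them with a real export before relying on the checks.

```python
"""Audit a REGEDIT4 export for the policy-controlled settings discussed above."""
import re

# Constructed sample export (not captured from a real machine); the data is
# chosen so that every check below fires once.
WEAK_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"1"="public"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]
"AuthenticateRetries"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Inventory"="C:\\AGENT\\INVAGENT.EXE"
"Helper"="C:\\TEMP\\HELPER.EXE"
"""

# The same machine after the recommended policies have been applied (also constructed).
HARDENED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"1"="m0nit0r-ro"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"1"="10.0.0.5"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]
"AuthenticateRetries"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Inventory"="C:\\AGENT\\INVAGENT.EXE"
"""

SNMP = r"hkey_local_machine\system\currentcontrolset\services\snmp\parameters"
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
RAS = r"hkey_local_machine\system\currentcontrolset\services\remoteaccess\parameters"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the REGEDIT4 escapes for quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path_lowercase: {value_name: data}} for a REGEDIT4 export.
    String and dword data are decoded; other types are kept as the raw text."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # key paths are case-insensitive
            reg[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            reg[current][_unescape(m.group(1))] = data
    return reg


def _value(reg, key, name, default=None):
    """Case-insensitive value lookup; default when the key or value is absent."""
    for n, d in reg.get(key, {}).items():
        if n.lower() == name.lower():
            return d
    return default


def audit(reg, is_server=False):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Community names appear as value names (NT 4 SP4 and later, assumption) or
    # as string data (earlier builds); look at both.
    names = {str(x).lower() for n, d in reg.get(SNMP + r"\validcommunities", {}).items()
             for x in (n, d)}
    if "public" in names:
        findings.append("SNMP: well-known community 'public' is accepted")
    if not reg.get(SNMP + r"\permittedmanagers"):
        findings.append("SNMP: PermittedManagers is empty, so any host may query the agent")
    share_value = "AutoShareServer" if is_server else "AutoShareWks"
    if _value(reg, LANMAN, share_value, 1) != 0:   # absent means the default: create
        findings.append("Shares: administrative drive shares are created (%s != 0)" % share_value)
    retries = _value(reg, RAS, "AuthenticateRetries")
    if retries is not None and retries > 3:
        findings.append("RAS: AuthenticateRetries=%d allows many guesses per call" % retries)
    for name, cmd in reg.get(RUN, {}).items():
        if "\\temp\\" in str(cmd).lower():   # user-writable location: easy to replace
            findings.append("Run: '%s' starts %s from a TEMP directory" % (name, cmd))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, audit(parse_reg(text)))
```

Run it against a real export by reading the file into `parse_reg`; the threshold of three retries and the TEMP-directory rule are judgement calls for this example, not values from the book, so adjust them to your own standard.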
ADM File | Policy
--------- | ------
WINNT.ADM | Windows NT Network/Sharing/Create hidden drive shares
WINNT.ADM | Windows NT Printers/Disable browse thread on this computer
WINNT.ADM | Windows NT Remote Access/Max number of unsuccessful authentication retries
WINNT.ADM | Windows NT Remote Access/Max time limit for authentication
WINNT.ADM | Windows NT System/Logon/Enable shutdown from Authentication dialog box
WINNT.ADM | Windows NT System/Logon/Do not display last logged-on user name
WINNT.ADM | Windows NT System/File System/Do not create 8.3 filenames for long file names
ADM File | Policy
--------- | ------
WINNT.ADM | Windows NT Printers/Scheduler priority
WINNT.ADM | Windows NT System/Logon/Run logon scripts synchronously
WINNT.ADM | Windows NT System/File System/Do not create 8.3 filenames for long filenames
WINNT.ADM | Windows NT System/File System/Do not update last access time
WINNT.ADM | Windows NT User Profiles/Timeout for dialog boxes
System Policy Editor creates two policies by default: one for the Default Computer, and another for the Default User. (See Figure 31.31.)
Figure 31.31. System Policy Editor creates two default policies.
Setting system policies can be done either for all computers or for individual computers.
To name a specific computer and associate a policy with it, select Edit | Add Computer.
Type or browse for the NetBIOS name of the computer, and click OK. (See Figure 31.32.)
Figure 31.32. Choosing a computer for a specific policy.
If your computer isn't specifically named, you get the settings associated with the Default Computer. With a policy in place for the named computer, as shown in Figure 31.33, any policy specified will overwrite the Registry. Policy settings for the named computer cannot affect any other system, but the Default Computer policy may still affect the named one wherever the named computer's policy has no setting (that is, wherever it is left at Ignore).
Figure 31.33. WS2 can have specific policies associated with it.
When policies are written into the Registry, the active policies (whether the policy is activated or deactivated) from the Default Computer are written first. (See Figure 31.34.) Then, the active policies of the named computer are written on top of them.
Figure 31.34. Default Computer policies get written to the Registry first, followed by named computer policies.
This order is what matters when the two policies conflict with each other. If the policy of the named computer is set to activate or deactivate, it makes no difference what the setting is at the Default Computer, because the named computer's value is written last. As an example, in Figure 31.35, the computer named WS2 is set to create hidden drive shares. As shown in Figure 31.36, the Default Computer is set not to create them. The policy for WS2 is the one that takes effect.
Figure 31.35. WS2 policy.
Figure 31.36. Default Computer policy, which is overridden by the WS2 policy.
In another instance, the policy associated with WS2 is set to Ignore, and the policy associated with the Default Computer is implemented. In Figure 31.37, the policy for WS2 is set to ignore the NT Printer setting. As shown in Figure 31.38, the Default Computer has the policy set to disable the browse thread. Because the WS2 policy is set to leave whatever is already there, the Default Computer's value stays, and WS2 also disables the browse thread.
Figure 31.37. WS2 policy.
Figure 31.38. Default Computer policy, which is not overridden by the WS2 policy in this case.
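The write order described above (Default Computer first, then the named computer, with Ignore writing nothing) decides what a computer actually ends up with, and it is easy to predict wrongly when a policy file has many sheets. The following is an added example written for this chapter, not code from the book or from System Policy Editor itself: it models that order for the two policies in the WS2 example and lets you ask what any computer, named or not, will hold after the update. The Registry paths and value names in `POLICIES` are my own summary of what WINNT.ADM writes for these two policies, not taken from the page; confirm them against your copy of the template.

```python
"""Model of the order in which System Policy Editor settings reach a computer's
Registry: the Default Computer sheet is written first, then the named computer's
sheet, and every part is tri-state (Ignore, Activate, Deactivate)."""

IGNORE, ACTIVATE, DEACTIVATE = "ignore", "activate", "deactivate"

# Registry targets for the two policies in the chapter's WS2 example. Assumed
# from WINNT.ADM, not from the page; check them before relying on them.
POLICIES = {
    "Create hidden drive shares": {
        "key": r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
        "value": "AutoShareWks", "on": 1, "off": 0,
    },
    "Disable browse thread on this computer": {
        "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Print",
        "value": "DisableServerThread", "on": 1, "off": 0,
    },
}


def apply_sheet(registry, sheet):
    """Write one policy sheet into registry ({key: {value: data}}).
    Activate and Deactivate both write; Ignore leaves the existing data alone."""
    for policy, state in sheet.items():
        if state == IGNORE:
            continue
        spec = POLICIES[policy]
        data = spec["on"] if state == ACTIVATE else spec["off"]
        registry.setdefault(spec["key"], {})[spec["value"]] = data
    return registry


def apply_policy_file(registry, default_computer, named_computers, computer):
    """Default Computer first, then the sheet for this computer if one is named.
    NetBIOS names are case-insensitive, so they are matched that way."""
    apply_sheet(registry, default_computer)
    for name, sheet in named_computers.items():
        if name.upper() == computer.upper():
            apply_sheet(registry, sheet)
    return registry


def effective(registry, policy):
    """Data the policy's Registry value holds after the update, or None if unset."""
    spec = POLICIES[policy]
    return registry.get(spec["key"], {}).get(spec["value"])


# The chapter's example: the Default Computer deactivates hidden shares and
# activates the browse-thread policy; WS2 activates hidden shares and ignores
# the browse-thread policy.
DEFAULT_COMPUTER = {
    "Create hidden drive shares": DEACTIVATE,
    "Disable browse thread on this computer": ACTIVATE,
}
NAMED = {"WS2": {
    "Create hidden drive shares": ACTIVATE,
    "Disable browse thread on this computer": IGNORE,
}}


def outcome(computer, pre_existing=None):
    """Return {policy: effective data} for a computer that reads the policy file,
    starting from pre_existing (values already in its Registry), if given."""
    registry = {k: dict(v) for k, v in (pre_existing or {}).items()}
    apply_policy_file(registry, DEFAULT_COMPUTER, NAMED, computer)
    return {p: effective(registry, p) for p in POLICIES}


if __name__ == "__main__":
    print("WS2:", outcome("WS2"))   # hidden shares created, browse thread disabled
    print("WS3:", outcome("WS3"))   # Default Computer only: no hidden shares
```

The `pre_existing` argument is there to show the point made earlier in the chapter: a value an administrator sets by hand is kept only where every sheet that applies to the computer leaves the item at Ignore; a Deactivate in the Default Computer sheet reverts it at the next logon.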
You can set any or all of these settings for individual computers or for every computer in your network. By choosing to use these settings, you can manage the computers in your network from a single NT server, and the policies can affect any computer in the network.
©Copyright, Macmillan Computer Publishing. All rights reserved.