Windows NT 4.0 System Policy Capabilities

With Windows NT 4.0, administrators are able to develop some control of the desktop through careful planning and execution. For the most part this is limited to restricting the capabilities in the Windows NT 4.0 product. The current capabilities of a Windows NT 4.0 System Policy implementation include the ability to control the items that show up on the desktop and which applications are available to the user. Administrators are also able to have user-specific desktop configuration information follow users.

With Windows NT 4.0 and Service Pack 4 or later, administrators are able to control the size of the user profile. This capability adds some additional complexity to administration and the end user. If the user profile size is limited, the user is not able to log off until they reduce the size of the user profile to under the defined limit. This can be tricky and frustrating to the user.

If the user exceeds the user profile limit, an error icon appears on the system tray. If the user opens the error icon, it shows a list of files that are in the profile. This can be used by the end user to delete files that are in the profile so that they can reduce the size and then log off properly. The tricky part is that it only shows the files that are greater than 2KB in size. Files that are smaller than 2KB do not show up, and therefore, might be tricky to find. For example, when using Internet Explorer 4.0, the user can have many small files, the user might become frustrated if the profile file list shows no fields and they continue to receive a message saying the profile is too large for them to log off. These capabilities were implemented in a few basic ways. The administrator could implement mandatory profiles by creating a profile and requiring that this profile be implemented if the user logs into the domain. This type of implementation is employed in environments that require a consistent look and feel or strict control of the desktop to prevent unauthorized use of the system. An example of a mandatory profile implementation is a kiosk based on Windows NT 4.0.

Roaming profiles is another implementation of the capabilities enabled by Windows NT 4.0 profiles. Roaming profiles give the user the ability to keep their personal desktop from a variety of workstations. For example, if a user keeps their working documents on their desktop when they log off, the configuration information including the documents is saved to a network share. This becomes extremely valuable if the user works from a variety of machines or if a desktop machine has a critical malfunction.

A typical use of roaming profiles is to increase availability. With roaming profiles, if a desktop system becomes disabled, the user's profile can be recovered. With roaming profiles, a base desktop system is built; and when the user logs into the network, the profile information is applied to the new system. Business examples of this are a roaming supervisor, or any individual that travels from site to site or shares a PC with others.

Another example of using roaming profiles is in a student computer lab on a university campus. In this example, users do not have a workstation permanently assigned to them. They must use whatever machine is available.

Policies in Windows NT 4.0 also play a role with profiles in specifying which features of a desktop environment are enabled or disabled. Using the System Policy Editor, a Windows NT 4.0 administrator is able to specify exactly what applications and files a user can access. An administrator might want to eliminate whether a group of users has the ability to run applications using the Run selection from the Start menu. This can prevent use of unauthorized applications.

The typical experience with Windows NT 4.0 system policies and profiles is that it provides control of the desktop environment. There are tools available to help control the computing environment, but administrators were crying out for additional functionality that included enabling and managing the desktop rather than the more draconian desktop lockdown capabilities of the Windows NT 4.0 policies and profiles.

Windows 2000 group policies provide similar functionality to Windows NT 4.0's capabilities. In addition, Windows 2000 group policies provide the user with the ability to apply policies on more than a domain basis. With Active Directory, the administrator is able to apply group policies to sites, domains, and OUs. OUs can have multiple levels permitting additional levels to apply group policies.