JSI Tip 10040. How do I implement system policies for Windows XP, Windows 2000, and Windows Server 2003 client computers in non-Active Directory environments?

Microsoft Knowledge Base Article 910203 contains the following summary and introduction:


This article discusses how to implement system policies for Microsoft Windows XP-based, Microsoft Windows 2000-based, and Microsoft Windows Server 2003-based client computers in non-Active Directory directory service environments.


Before the implementation of Group Policy settings and Active Directory in Windows 2000, computer and user policy settings were implemented as Microsoft Windows NT "System Policies."

Windows NT System Policies had the following limitations that Active Directory Group Policy settings do not have:

The policies persist in a user's profile until the specified policy is reversed or until you change the applicable registry setting. This behavior is frequently referred to as "tattooing" the registry.
The policies are not secure.
The policies cannot be refreshed without a restart.

Group Policy includes the functionality of Windows NT 4.0 System Policies. Group Policy also provides additional policy settings for scripts, software installation and maintenance, security settings, Microsoft Internet Explorer maintenance, and folder redirection. The following table compares Group Policy and Windows NT 4.0 System Policy.

Comparison Group Policy Windows NT 4.0 System Policy
Tool used Microsoft Management Console (MMC) Group Policy snap-in System Policy Editor (Poledit.exe)

Number of settings More than 150 security-related settings and more than 620 registry-based settings 72 settings

Applied to Users or computers in a specified Active Directory container (site, domain, or OU) or local computers and users Domains or local computers and users

Security Secure Not secure

Extensible by MMC or .adm files .adm files

Persistence Does not leave settings in the user profiles when the effective policy is changed Persistent in user profiles until the specified policy is reversed or until you change the registry

Defined by User or computer membership in security groups User membership in security groups

Primary uses Implement registry-based settings to control the desktop and user. Configure many types of security settings. Apply logon, logoff, startup, and shutdown scripts. Implement IntelliMirror software installation and maintenance. Implement IntelliMirror data and settings management. Optimize and maintain Internet Explorer. Implement registry-based settings that govern the behavior of applications and operating system components, such as the Start menu.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.