Experienced Windows NT administrators are familiar with system policies. Windows NT provided a tool called the ’system policy editor’, or Poledit.exe, that let you define groups of registry settings to apply certain change control and security restrictions for Windows computers.

System Policy Editor, or Poledit.exe, let you create a policy file that you would distribute to clients, either locally or from a server (most commonly through the NETLOGON share), to control the user’s working environment. The settings were incorporated into the registry at logon, defining the working environment and the system restrictions for the computer and the user. User settings in the policy file were applied to the HKEY_CURRENT_USER branch of the registry, and computer settings were applied to the HKEY_LOCAL_MACHINE branch.

Windows NT System Policies also provided for group policies, which also defined registry settings that Windows NT incorporated into the HKEY_CURRENT_USER branch of the registry at logon. Windows NT group policies had priority numbers assigned to them, and they applied according to that priority.

By contrast, group policies in Windows Server 2003 provide a much broader scope of control over the user environment and restrictions, and they use a completely different mechanism for application. Rather than come from a policy file, the group policy objects are stored in Active Directory and apply to the user’s configuration at the startup, logon, logoff, and shutdown.

As you’ll see in the next installment of this article, Windows Server 2003 group policies offer considerably more control over the user and computer environment than Windows NT system policies did, and they provide much greater flexibility in terms of application, administration, and security.