Computer/User Node Policy Path Full Policy Name Supported on Help/Explain Text Registry Settings
MACHINE Administrative Templates\System Restrict potentially unsafe HTML Help functions to specified folders At least Internet Explorer 6 Service Pack 1 With this policy, you can restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders.  Alternatively, you can disable these commands on the entire system.  It is strongly recommended that only folders requiring administrative privileges be added to this policy.  The Shortcut command is used to add a link to a Help topic, and runs executables that are external to the Help file. The WinHelp command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file.  When this policy is disabled, or not configured, these commands are fully functional for all Help files.    When this policy is enabled, the commands will function only for .chm files in the specified folders and their subfolders.   To restrict the commands to one or more folders, enable the policy and enter the desired folders in the text box on the settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the following string to the edit box: %windir%\help;D:\somefolder.  To disallow the Shortcut and WinHelp commands on the entire local system, enable the policy and leave the text box on the settings tab of the Policy Properties dialog box blank.  Note: An environment variable may be used, (for example, %windir%), so long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows.  Note: Only folders on the local computer can be specified in this policy. You cannot use this policy to enable the Shortcut and WinHelp commands for .chm files that are stored on mapped drives or accessed using UNC paths.  For additional options, see the Restrict these programs from being launched from Help policy. HKLM\Software\Policies\Microsoft\Windows\System!HelpQualifiedRootDir
MACHINE Administrative Templates\System Do not display Manage Your Server page at logon At least Microsoft Windows Server 2003 Specifies whether to turn off the automatic display of the Manage Your Server page.   If the status is set to Enabled, the Manage Your Server page does not appear each time an administrator logs on to the server.   If the status is set to Disabled or Not Configured, the Manage Your Server page does appear each time an administrator logs on to the server. However, if the administrator has selected the “Don’t display this page at logon” check box at the bottom of the Manage Your Server page, the page will not appear.   Regardless of this setting's status, the Manage Your Server page is still available from the Start menu. HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS!DisableShowAtLogon
MACHINE Administrative Templates\System Display Shutdown Event Tracker At least Microsoft Windows XP Professional or Windows Server 2003 family The Shutdown Event Tracker can be displayed when you shut down a workstation or server.  This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer.  If you enable this setting and choose Always from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down.  If you enable this setting and choose Server Only from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down a Windows Server 2003 family computer.  If you enable this setting and choose Workstation Only from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down a Windows XP Professional workstation.  If you disable this setting, the Shutdown Event Tracker is not displayed when you shut down.  If you do not configure this setting, the default behavior for the Shutdown Event Tracker occurs.  Note: By default, the Shutdown Event Tracker is not displayed on Windows XP Professional and is displayed by default on the Windows Server 2003 family. HKLM\Software\Policies\Microsoft\Windows NT\Reliability!ShutdownReasonOn, HKLM\Software\Policies\Microsoft\Windows NT\Reliability!ShutdownReasonUI
MACHINE Administrative Templates\System Activate Shutdown Event Tracker System State Data feature At least Microsoft Windows Server 2003 Defines when the Shutdown Event Tracker System State Data feature is activated.  The system state data file contains information about the basic system state as well as the state of all running processes.  If you enable this setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned.  If you disable this setting, the System State Data feature is never activated.  If you do not configure this setting, the default behavior for the System State Data feature occurs.  Note: By default, the System State Data feature is always enabled on the Windows Server 2003 family. HKLM\Software\Policies\Microsoft\Windows NT\Reliability!SnapShot
MACHINE Administrative Templates\System Enable Persistent Time Stamp At least Microsoft Windows Server 2003 The Persistent System Timestamp allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.  If you enable this setting, the Persistent System Timestamp will be refreshed according to the Timestamp Interval.  If you disable this setting, the Persistent System Timestamp will be turned off and the timing of unexpected shutdowns will not be detected.  If you do not configure this setting, the default behavior will occur.  Note: By default, the Persistent System Timestamp is refreshed every 60 seconds on the Windows Server 2003 family.  This feature may interfere with power configuration settings that turn off hard disks after a period of inactivity.  These power settings may be accessed in the Power Options Control Panel. HKLM\Software\Policies\Microsoft\Windows NT\Reliability!TimeStampEnabled, HKLM\Software\Policies\Microsoft\Windows NT\Reliability!TimeStampInterval
MACHINE Administrative Templates\System Specify Windows installation file location At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate location for Windows installation files.  To enable this setting, and enter the fully qualified path to the new location in the Windows Setup file path box.  If you disable this setting or do not configure it, the Windows Setup source path will be the location used during the last time Windows Setup was run on the system.   HKLM\Software\Policies\Microsoft\Windows NT\Setup!SourcePath
MACHINE Administrative Templates\System Specify Windows Service Pack installation file location At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate location for Windows Service Pack installation files.  To enable this setting, enter the fully qualified path to the new location in the Windows Service Pack Setup file path box.  If you disable this setting or do not configure it, the Windows Service Pack Setup source path will be the location used during the last time Windows Service Pack Setup was run on the system.   HKLM\Software\Policies\Microsoft\Windows NT\Setup!ServicePackSourcePath
MACHINE Administrative Templates\System Remove Boot / Shutdown / Logon / Logoff status messages At least Microsoft Windows 2000 Suppresses system status messages.  If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStatusMessages
MACHINE Administrative Templates\System Verbose vs normal status messages At least Microsoft Windows 2000 Directs the system to display highly detailed status messages.  If you enable this setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system.  This setting is designed for sophisticated users that require this information.  Note: This setting is ignored if the Remove Boot / Shutdown / Logon / Logoff status messages setting is enabled. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!VerboseStatus
MACHINE Administrative Templates\System Restrict these programs from being launched from Help At least Microsoft Windows XP Professional or Windows Server 2003 family Allows you to restrict programs from being run from online Help.  If you enable this setting, you can prevent programs that you specify from being allowed to be run from Help. When you enable this setting, enter the list of the programs you want to restrict. Enter the file name of the executable for each application, separated by commas.  If you disable or do not configure this setting, users will be able to run applications from online Help.  Note: You can also restrict users from running applications by using the Software Restriction settings available in Computer Configuration\Security Settings.  Note: This setting is available under Computer Configuration and User Comfiguration. If both are set, the list of programs specified in each of these will be restricted. HKLM\Software\Policies\Microsoft\Windows\System!DisableInHelp
MACHINE Administrative Templates\System Turn off Autoplay At least Microsoft Windows 2000 Turns off the Autoplay feature.  Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.  By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.  If you enable this setting, you can also disable Autoplay on CD-ROM drives or disable Autoplay on all drives.  This setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.  Note: This setting appears in both the Computer Configuration and User Configuration folders. If the settings conflict, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Note: This setting does not prevent Autoplay for music CDs. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
MACHINE Administrative Templates\System Do not automatically encrypt files moved to encrypted folders At least Microsoft Windows 2000 Prevents Windows Explorer from encrypting files that are moved to an encrypted folder.  If you disable this setting or do not configure it, Windows Explorer automatically encrypts files that are moved to an encrypted folder.  This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, Windows Explorer encrypts those files automatically. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
MACHINE Administrative Templates\System Download missing COM components At least Microsoft Windows 2000 Directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.  Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM. These programs cannot perform all of their functions unless Windows has internally registered the required components.  If you enable this setting and a component registration is missing, the system searches for it in Active Directory and if it is found, downloads it. The resulting searches might make some programs start or run slowly.  If you disable this setting or do not configure it, the program continues without the registration. As a result, the program might not perform all of its functions, or it might stop.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in  User Configuration. HKLM\Software\Policies\Microsoft\Windows\App Management!COMClassStore
MACHINE Administrative Templates\System Allow Distributed Link Tracking clients to use domain resources At least Microsoft Windows Server 2003 Specifies that Distributed Link Tracking clients in this domain may use the Distributed LInk Tracking (DLT) server, which runs on domain controllers.  The DLT client enables programs to track linked  files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on  another computer.   The DLT client can more reliably track links when allowed to use the DLT server.  This policy should not be set unless the DLT server is running on all domain controllers in the domain. HKLM\Software\Policies\Microsoft\Windows\System!DLT_AllowDomainMode
MACHINE Administrative Templates\System Do not turn off system power after a Windows system shutdown has occurred. At least Microsoft Windows XP Professional with SP1 or Windows Server 2003 family This setting allows you to configure whether power is automatically turned off when Windows shutdown completes.  This setting does not effect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces.  Applications such as UPS software may rely on Windows shutdown behavior.  This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown().  If you enable this setting, the computer system will be safely shutdown, and remain in a powered state, ready for power to be safely removed. If you disable or do not configure this setting, the computer system will safely shutdown to a fully powered-off state. HKLM\Software\Policies\Microsoft\Windows NT!DontPowerOffAfterShutdown
MACHINE Administrative Templates\System\User Profiles Do not check for user ownership of Roaming Profile Folders At least Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP Professional Service Pack 1 or Microsoft Windows Server 2003 family This setting disables the more secure default setting for the user’s roaming user profile folder.  Once an administrator has configured a users' roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator.  For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions if the profile folder already exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct.  By configuring this setting, you can alter this behavior.  If you enable this setting Windows will not check the permissions for the folder in the case where the folder exists.  If you disable or do not configure this setting AND the roaming profile folder exists AND the user or administrators group not the owner of the folder, Windows will NOT copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user’s cached profile will be used, or a temporary profile issued if no cached profile exists.   Note: The setting must be configured on the client computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile at creation time.  Note: The behavior when this setting is enabled is exactly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional HKLM\Software\Policies\Microsoft\Windows\System!CompatibleRUPSecurity
MACHINE Administrative Templates\System\User Profiles Delete cached copies of roaming profiles At least Microsoft Windows 2000 Determines whether the system saves a copy of a user’s roaming profile on the local computer's hard drive when the user logs off.  This setting, and related settings in this folder, together describe a strategy for managing user profiles residing on remote servers. In particular, they tell the system how to respond when a remote profile is slow to load.  Roaming profiles reside on a network server. By default, when users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load.  If you enable this setting, any local copies of the user’s roaming profile are deleted when the user logs off. The roaming profile still remains on the network server that stores it.  Important: Do not enable this setting if you are using the slow link detection feature of Windows 2000 Professional and Windows XP Professional. To respond to a slow link, the system requires a local copy of the user’s roaming profile. HKLM\Software\Policies\Microsoft\Windows\System!DeleteRoamingCache
MACHINE Administrative Templates\System\User Profiles Do not detect slow network connections At least Microsoft Windows 2000 Disables the slow link detection feature.  Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related settings in this folder tell the system how to respond.  If you enable this setting, the system does not detect slow connections or recognize any connections as being slow. As a result, the system does not respond to slow connections to user profiles, and it ignores the settings that tell the system how to respond to a slow connection.  If you disable this setting or do not configure it, slow link detection is enabled. The system measures the speed of the connection between the user's computer and profile server. If the connection is slow (as defined by the Slow network connection timeout for user profiles setting), the system applies the other settings set in this folder to determine how to proceed. By default, when the connection is slow, the system loads the local copy of the user profile. HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDetectEnabled
MACHINE Administrative Templates\System\User Profiles Slow network connection timeout for user profiles At least Microsoft Windows 2000 Defines a slow connection for roaming user profiles.  If the server on which the user's roaming user profile resides takes longer to respond than the thresholds set by this setting allow, then the system considers the connection to the profile to be slow.  This setting and related settings in this folder together define the system's response when roaming user profiles are slow to load.  This setting establishes thresholds for two tests. For computers connected to IP networks, the system measures the rate at which the remote server returns data in response to an IP ping message. To set a threshold for this test, in the Connection speed box, type a decimal number between 0 and 4,294,967,200, representing the minimum acceptable transfer rate in kilobits per second. By default, if the server returns fewer than 500 kilobits of data per second, it is considered to be slow.  For non-IP computers, the system measures the responsiveness of the remote server's file system. To set a threshold for this test, in the Time box, type a decimal number between 0 and 20,000, representing the maximum acceptable delay, in milliseconds. By default, if the server's file system does not respond within 120 milliseconds, it is considered to be slow.  Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.  Important: If the Do not detect slow network connections setting is enabled, this setting is ignored. Also, if the Delete cached copies of roaming profiles setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. HKLM\Software\Policies\Microsoft\Windows\System!UserProfileMinTransferRate, HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkTimeOut
MACHINE Administrative Templates\System\User Profiles Wait for remote user profile At least Microsoft Windows 2000 Directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed.  This setting and related settings in this folder together define the system's response when roaming user profiles are slow to load.  If you disable this setting or do not configure it, then when a remote profile is slow to load, the system loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the Prompt user when slow link is detected setting), but does not respond in the time allowed (as set in the Timeout for dialog boxes setting).  Waiting for the remote profile is appropriate when users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logging on is a priority.  Important: If the Do not detect slow network connections setting is enabled, this setting is ignored. Also, if the Delete cached copies of roaming profiles setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkProfileDefault
MACHINE Administrative Templates\System\User Profiles Prompt user when slow link is detected At least Microsoft Windows 2000 Notifies users when their roaming profile is slow to load. The notice lets users decide whether to use a local copy or to wait for the roaming user profile.  If you disable this setting or do not configure it, when a roaming user profile is slow to load, the system does not consult the user. Instead, it loads the local copy of the profile. If you have enabled the Wait for remote user profile setting, the system loads the remote copy without consulting the user.  This setting and related settings in this folder together define the system's response when roaming user profiles are slow to load.  To adjust the time within which the user must respond to this notice, use the Timeout for dialog boxes setting.  Important: If the Do not detect slow network connections setting is enabled, this setting is ignored. Also, if the Delete cached copies of roaming profiles setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkUIEnabled
MACHINE Administrative Templates\System\User Profiles Timeout for dialog boxes At least Microsoft Windows 2000 Determines how long the system waits for a user response before it uses a default value.  The default value is applied when the user does not respond to messages explaining that any of the following events has occurred:  --  The system detects a slow connection between the user's computer and the server that stores users' roaming user profiles.  --  The system cannot access users' server-based profiles when users log on or off.  --  Users' local profiles are newer than their server-based profiles.  You can use this setting to override the system's default value of 30 seconds. To use this setting, type a decimal number between 0 and 600 for the length of the interval. HKLM\Software\Policies\Microsoft\Windows\System!ProfileDlgTimeOut
MACHINE Administrative Templates\System\User Profiles Log users off when roaming profile fails At least Microsoft Windows 2000 Logs a user off automatically when the system cannot load the user's roaming user profile.  This setting is used when the system cannot find the roaming user profile or the profile contains errors which prevent it from loading correctly.  If you disable this setting or do not configure it, when the roaming profile fails, the system loads a local copy of the roaming user profile, if one is available. Otherwise, the system loads the default user profile (stored in %Systemroot%\Documents and Settings\Default User).  Also, see the Delete cached copies of roaming profiles setting. HKLM\Software\Policies\Microsoft\Windows\System!ProfileErrorAction
MACHINE Administrative Templates\System\User Profiles Maximum retries to unload and update user profile At least Microsoft Windows 2000 Determines how many times the system tries to unload and update the registry portion of a user profile. When the number of trials specified by this setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match.  When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute).  If you enable this setting, you can adjust the number of times the system tries to unload and update the user's registry settings. (You cannot adjust the retry rate.)  If you disable this setting or do not configure it, the system repeats its attempt 60 times.  If you set the number of retries to 0, the system tries just once to unload and update the user's registry settings. It does not try again.  Note: This setting is particularly important to servers running Terminal Services. Because Terminal Services edits the users' registry settings when they log off, the system's first few attempts to unload the user settings are more likely to fail.  This setting does not affect the system's attempts to update the files in the user profile.  Tip: Consider increasing the number of retries specified in this setting if there are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile.  Also, check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update the files in a user profile. HKLM\Software\Policies\Microsoft\Windows\System!ProfileUnloadTimeout
MACHINE Administrative Templates\System\User Profiles Add the Administrators security group to roaming user profiles At least Microsoft Windows XP Professional or Windows Server 2003 family This setting adds the Administrator security group to the roaming user profile share.  Once an administrator has configured a users' roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator.  For the Windows 2000 Professional and Windows XP Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the administrators group.  By configuring this setting, you can alter this behavior.  If you enable this setting, the administrator group is also given full control to the user's profile folder.  If you disable or do not configure it, only the user is given full control of their user profile, and the administrators group has no file system access to this folder.  Note: If the setting is enabled after the profile is created, the setting has no effect.  Note: The setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.  Note: In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.  Note: The behavior when this setting is enabled is exactly the same behavior as in Windows NT 4.0. HKLM\Software\Policies\Microsoft\Windows\System!AddAdminGroupToRUP
MACHINE Administrative Templates\System\User Profiles Prevent Roaming Profile changes from propagating to the server At least Microsoft Windows XP Professional or Windows Server 2003 family This setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile.  By default, when a roaming profile user logs on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similiarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile.  Using the setting, you can prevent changes made to a roaming profile on a particular computer from being persisted.  If you enable this setting, the following occurs on the affected computer: At login, the user receives their roaming profile. But, any changes a user makes to their profile will not be merged to their roaming profile when they log off.  If this setting is disabled or not configured, the default behavior occurs, as indicated above.  Note: This setting only affects roaming profile users. HKLM\Software\Policies\Microsoft\Windows\System!ReadOnlyProfile
MACHINE Administrative Templates\System\User Profiles Only allow local user profiles At least Microsoft Windows XP Professional or Windows Server 2003 family This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile.  Using the setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer.  If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local  profile, rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile.   If you disable this setting or do not configure it, the default behavior occurs, as indicated above.  If you enable both the Prevent Roaming Profile changes from propagating to the server setting and the Only allow local user profiles setting, roaming profiles are disabled.  Note: This setting only affects roaming profile users. HKLM\Software\Policies\Microsoft\Windows\System!LocalProfile
MACHINE Administrative Templates\System\User Profiles Leave Windows Installer and Group Policy Software Installation Data At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Determines whether the system retains a roaming user’s Windows Installer and Group Policy based software installation data on their profile deletion.  By default User profile deletes all information related to a roaming user (which includes the user’s settings, data, Windows Installer related data etc.) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy to change this behavior.  If you enable this setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.  If you disable or do not configure this policy, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted.  Note: If this policy is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Poliy software installation data stored in the registry and file system of roaming users’ profiles on the machine. HKLM\Software\Policies\Microsoft\Windows\System!LeaveAppMgmtData
MACHINE Administrative Templates\System\Scripts Run logon scripts synchronously At least Microsoft Windows 2000 Directs the system to wait for the logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop.  If you enable this setting, Windows Explorer does not start until the logon scripts have finished running. This setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.  If you disable this setting or do not configure it, the logon scripts and Windows Explorer are not synchronized and can run simultaneously.  This setting appears in the Computer Configuration and User Configuration folders. The setting set in Computer Configuration takes precedence over the setting set in User Configuration. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
MACHINE Administrative Templates\System\Scripts Run startup scripts asynchronously At least Microsoft Windows 2000 Lets the system run startup scripts simultaneously.  Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script.  If you enable this setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously.  If you disable this setting or do not configure it, a startup cannot run until the previous script is complete. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunStartupScriptSync
MACHINE Administrative Templates\System\Scripts Run startup scripts visible At least Microsoft Windows 2000 Displays the instructions in startup scripts as they run.  Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.  If you enable this setting, the system displays each instruction in the startup script as it runs. The instructions appear in a command window. This setting is designed for advanced users.  If you disable this setting or do not configure it, the instructions are suppressed. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideStartupScripts
MACHINE Administrative Templates\System\Scripts Run shutdown scripts visible At least Microsoft Windows 2000 Displays the instructions in shutdown scripts as they run.  Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script.  If you enable this setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window.  If you disable this setting or do not configure it, the instructions are suppressed. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideShutdownScripts
MACHINE Administrative Templates\System\Scripts Maximum wait time for Group Policy scripts At least Microsoft Windows 2000 Determines how long the system waits for scripts applied by Group Policy to run.  This setting limits the total time allowed for all logon, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.  By default, the system lets the combined set of scripts run for up to 600 seconds (10 minutes), but you can use this setting to adjust this interval.  To use this setting, in the Seconds box, type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0.  This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the Run logon scripts synchronously setting to direct the system to wait for the logon scripts to complete before loading the desktop.  An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MaxGPOScriptWait
MACHINE Administrative Templates\System\Logon Don't display the Getting Started welcome screen at logon Only works on Microsoft Windows 2000 Supresses the welcome screen.  This setting hides the welcome screen that is displayed on Windows 2000 Professional and Windows XP Professional each time the user logs on.  Users can still display the welcome screen by selecting it on the Start menu or by typing Welcome in the Run dialog box.  This setting applies only to Windows 2000 Professional and Windows XP Professional. It does not affect the Configure Your Server on a Windows 2000 Server screen on Windows 2000 Server.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click Getting Started. To suppress the welcome screen without specifying a setting, clear the Show this screen at startup check box on the welcome screen. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
MACHINE Administrative Templates\System\Logon Always use classic logon At least Microsoft Windows XP Professional or Windows Server 2003 family This setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonType
MACHINE Administrative Templates\System\Logon Run these programs at user logon At least Microsoft Windows 2000 Specifies additional programs or documents that Windows starts automatically when a user logs on to the system.  To use this setting, click Show, click Add, and then, in the text box, type the name of the executable program (.exe) file or document file. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.  Also, see the Do not process the legacy run list and the Do not process the run once list settings. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run!{1,2,3,...}
MACHINE Administrative Templates\System\Logon Do not process the run once list At least Microsoft Windows 2000 Ignores customized run-once lists.  You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.  If you enable this setting, the system ignores the run-once list.  If you disable this setting or do not configure it, the system runs the programs in the run-once list.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.  Also, see the Do not process the legacy run list setting. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce
MACHINE Administrative Templates\System\Logon Do not process the legacy run list At least Microsoft Windows 2000 Ignores the customized run list.  You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows XP Professional, Windows 2000 Professional, Windows NT Workstation 4.0 and earlier. These programs are added to the standard run list of programs and services that the system starts.  If you enable this setting, the system ignores the run list for Windows NT Workstation 4.0, Windows 2000 Professional, and Windows XP Professional.  If you disable or do not configure this setting, Windows 2000 adds any customized run list configured for Windows NT 4.0 and earlier to its run list.  This setting appears in the Computer Configuration and User Configuration folders. If both policies are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Note: To create a customized run list by using a policy, use the Run these applications at startup setting.  The customized run lists for Windows NT 4.0 and earlier are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run. They can be configured by using the Run setting in System Policy Editor for Windows NT 4.0 and earlier.  Also, see the Do not process the run once list setting. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRun
MACHINE Administrative Templates\System\Logon Always wait for the network at computer startup and logon At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background once the network becomes available.  Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected.  If a user with a roaming profile, home directory, or user object logon script logs on to a computer, Windows XP always waits for the network to be initialized before logging the user on.  If a user has never logged on to this computer before, Windows XP always waits for the network to be initialized.  If you enable this setting, logons are performed in the same way as for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously.  If you disable or do not configure this setting, Windows does not wait for the network to be fully initialized and users are logged on with cached credentials. Group Policy is applied asynchronously in the background.  Note: If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this setting to ensure that Windows waits for the network to be available before applying policy.  Note: For servers, the startup and logon processing always behaves as if this policy setting is enabled. HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon!SyncForegroundPolicy
MACHINE Administrative Templates\System\Disk Quotas Enable disk quotas At least Microsoft Windows 2000 Enables and disables disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.  If you enable this setting, disk quota management is enabled, and users cannot disable it.  If you disable the setting, disk quota management is disabled, and users cannot enable it.  If this setting is not configured, disk quota management is disabled by default, but administrators can enable it.  To prevent users from changing the setting while a setting is in effect, the system disables the Enable quota management option on the Quota tab of NTFS volumes.  Note: This setting enables disk quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota limit, use the Default quota limit and warning level setting. Otherwise, the system uses the physical space on the volume as the quota limit.  Note: To enable or disable disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click the Enable quota management option. HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enable
MACHINE Administrative Templates\System\Disk Quotas Enforce disk quota limit At least Microsoft Windows 2000 Determines whether disk quota limits are enforced and prevents users from changing the setting.  If you enable this setting, disk quota limits are enforced. If you disable this setting, disk quota limits are not enforced. When you enable or disable the setting, the system disables the Deny disk space to users exceeding quota limit option on the Quota tab so administrators cannot make changes while the setting is in effect.  If the setting is not configured, the disk quota limit is not enforced by default, but administrators change the setting.  Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available.  Note: This setting overrides user settings that enable or disable quota enforcement on their volumes.  Note: To specify a disk quota limit, use the Default quota limit and warning level setting. Otherwise, the system uses the physical space on the volume as the quota limit. HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enforce
MACHINE Administrative Templates\System\Disk Quotas Default quota limit and warning level At least Microsoft Windows 2000 Specifies the default disk quota limit and warning level for new users of the volume.  This setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit.  This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the Select the default quota limit for new users of this volume section on the Quota tab.  This setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).  If you disable this setting or do not configure it, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level.  When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.  This setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Limit, HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LimitUnits, HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Threshold, HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!ThresholdUnits
MACHINE Administrative Templates\System\Disk Quotas Log event when quota limit exceeded At least Microsoft Windows 2000 Determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting.  If you enable this setting, the system records an event when the user reaches their limit. If you disable this setting, no event is recorded. Also, when you enable or disable this setting, the system disables the Log event when a user exceeds their quota limit option on the Quota tab, so administrators cannot change the setting while a setting is in effect.  If the setting is not configured, no events are recorded, but administrators can use the Quota tab option to change the setting.  This setting is independent of the enforcement settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit.  Also, this setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes.  Note: To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverLimit
MACHINE Administrative Templates\System\Disk Quotas Log event when quota warning level exceeded At least Microsoft Windows 2000 Determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume.  If you enable this setting, the system records an event. If you disable this setting, no event is recorded. When you enable or disable the setting, the system disables the corresponding Log event when a user exceeds their warning level option on the Quota tab, so that administrators cannot change logging while a setting is in effect.  If the setting is not configured, no event is recorded, but administrators can use the Quota tab option to change the logging setting.  This setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes.  Note: To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverThreshold
MACHINE Administrative Templates\System\Disk Quotas Apply policy to removable media At least Microsoft Windows 2000 Extends the disk quota policies in this folder to NTFS file system volumes on removable media.  If you disable this setting or do not configure it, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. Note: When this setting is applied, the computer will apply the disk quota to both fixed and removable media. HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!ApplyToRemovableMedia
MACHINE Administrative Templates\System\Net Logon Expected dial-up delay on logon At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network.  To specify the Expected dial-up delay at logon, click Enable, and then enter the desired value in seconds (for example, the value 60 is 1 minute).  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ExpectedDialupDelay
MACHINE Administrative Templates\System\Net Logon Site Name At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the Active Directory site to which computers belong.  An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.  To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteName
MACHINE Administrative Templates\System\Net Logon Negative DC Discovery Cache Setting At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.  The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.  Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NegativeCachePeriod
MACHINE Administrative Templates\System\Net Logon Initial DC Discovery Retry Setting for Background Callers At least Microsoft Windows XP Professional or Windows Server 2003 family When applications performing periodic searches for domain controllers (DC) are unable to find a DC, the value set in this setting determines the amount of time (in seconds) before the first retry.  The default value for this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x4294967). The minimum value for this setting is 0.  This setting is relevant only to those callers of DsGetDcName that have specified the DS_BACKGROUND_ONLY flag.  If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used.  Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryInitialPeriod
MACHINE Administrative Templates\System\Net Logon Maximum DC Discovery Retry Interval Setting for Background Callers At least Microsoft Windows XP Professional or Windows Server 2003 family When applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC, the value set in this setting determines the maximum retry interval allowed.  For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached.  The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x4294967). The minimum value for this setting is 0.  If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used.  Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC.  If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryMaximumPeriod
MACHINE Administrative Templates\System\Net Logon Final DC Discovery Retry Setting for Background Callers At least Microsoft Windows XP Professional or Windows Server 2003 family When applications performing periodic searches for domain controllers (DC) are unable to find a DC, the value set in this setting determines when retries are no longer allowed. For example, retires may be set to occur according to the Maximum DC Discovery Retry Interval Setting, but when the value set in this setting is reached, no more retries occur. If a value for this setting is smaller than the value in Maximum DC Discovery Retry Interval Setting, the value for Maximum DC Discovery Retry Interval Setting is used.  The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x4294967). The minimum value for this setting is 0.  Warning: If the value for this setting is too small, a client will stop trying to find a DC too soon. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryQuitTime
MACHINE Administrative Templates\System\Net Logon Positive Periodic DC Cache Refresh for Background Callers At least Microsoft Windows XP Professional or Windows Server 2003 family Determines when a successful DC cache entry is refreshed. This setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (4294967). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundSuccessfulRefreshPeriod
MACHINE Administrative Templates\System\Net Logon Positive Periodic DC Cache Refresh for Non-Background Callers At least Microsoft Windows XP Professional or Windows Server 2003 family Determines when a successful DC cache entry is refreshed. This setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag.  The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (4294967). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NonBackgroundSuccessfulRefreshPeriod
MACHINE Administrative Templates\System\Net Logon Scavenge Interval At least Microsoft Windows XP Professional or Windows Server 2003 family Determines the interval at which Netlogon performs the following scavenging operations:  - Checks if a password on a secure channel needs to be modified, and modifies it if necessary.  - On the domain controllers (DC), discovers a DC that has not been discovered.  - On the PDC, attempts to add the <DomainName>[1B] NetBIOS name if it hasn’t already been successfully added.  None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.  To enable the setting, click Enabled, and then specify the interval in seconds. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ScavengeInterval
MACHINE Administrative Templates\System\Net Logon Contact PDC on logon failure At least Microsoft Windows XP Professional or Windows Server 2003 family Defines whether a domain controller (DC) should attempt to verify with the PDC the password provided by a client if the DC failed to validate the password.  Contacting the PDC is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC is located over a slow WAN connection.  To enable this feature, click Enabled.  To disable this feature, click Disabled. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidPdcOnWan
MACHINE Administrative Templates\System\Net Logon Log File Debug Output Level At least Microsoft Windows Server 2003 Specifies the level of debug output for the Net Logon service.  The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged.  If you enable this setting and specify a non-zero value, debug information will be logged to the file.  Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting.  If you specify zero for this setting, the default behavior occurs as described above.  If you disable this setting or do not configure it, the default behavior occurs as described above. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!dbFlag
MACHINE Administrative Templates\System\Net Logon Maximum Log File Size At least Microsoft Windows Server 2003 Specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.  By default, the maximum size of the log file is 20MB. If this policy is enabled, the maximum size of the log file is set to the specified size.  Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.  If this policy is disabled or not configured, the default behavior occurs as indicated above. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!MaximumLogFileSize
MACHINE Administrative Templates\System\Net Logon Sysvol share compatibility At least Microsoft Windows Server 2003 This setting controls whether or not the Sysvol share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.  When this setting is enabled, the Sysvol share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.  When this setting is disabled or not configured, the Sysvol share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.  By default, the Sysvol share will grant shared read access to files on the share when exclusive access is requested.  Note: The Sysvol share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the Sysvol share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Sysvol share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Sysvol share on the domain will be decreased.  If this setting is enabled, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveSysvolShareAccess
MACHINE Administrative Templates\System\Net Logon Netlogon share compatibility At least Microsoft Windows Server 2003 This setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.  When this setting is enabled, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.  When this setting is disabled or not configured, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.  By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested.  Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased.  If this setting is enabled, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveScriptsShareAccess
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Dynamic Registration of the DC Locator DNS Records At least Microsoft Windows XP Professional or Windows Server 2003 family Determines if Dynamic Registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC.  If you enable this setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.  If you disable this setting, DCs will not register DC Locator DNS resource records.  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!UseDynamicDns
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records DC Locator DNS records not registered by the DCs At least Microsoft Windows XP Professional or Windows Server 2003 family Determines which Domain Controller (DC) Locator DNS records are not registered by the Netlogon service.  To enable this setting, select Enable and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.  Select the mnemonics from the following list:  Mnemonic         Type  DNS Record  LdapIpAddress    A     <DnsDomainName> Ldap             SRV   _ldap._tcp.<DnsDomainName> LdapAtSite       SRV   _ldap._tcp.<SiteName>._sites.<DnsDomainName> Pdc              SRV   _ldap._tcp.pdc._msdcs.<DnsDomainName> Gc               SRV   _ldap._tcp.gc._msdcs.<DnsForestName> GcAtSite         SRV   _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> DcByGuid         SRV   _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> GcIpAddress      A     _gc._msdcs.<DnsForestName> DsaCname         CNAME <DsaGuid>._msdcs.<DnsForestName> Kdc              SRV   _kerberos._tcp.dc._msdcs.<DnsDomainName> KdcAtSite        SRV    _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName> Dc               SRV   _ldap._tcp.dc._msdcs.<DnsDomainName> DcAtSite         SRV   _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> Rfc1510Kdc       SRV   _kerberos._tcp.<DnsDomainName> Rfc1510KdcAtSite SRV   _kerberos._tcp.<SiteName>._sites.<DnsDomainName> GenericGc        SRV   _gc._tcp.<DnsForestName> GenericGcAtSite  SRV   _gc._tcp.<SiteName>._sites.<DnsForestName> Rfc1510UdpKdc    SRV   _kerberos._udp.<DnsDomainName> Rfc1510Kpwd      SRV   _kpasswd._tcp.<DnsDomainName> Rfc1510UdpKpwd   SRV   _kpasswd._udp.<DnsDomainName>  If this setting is disabled, DCs configured to perform dynamic registration of DC Locator DNS records register all DC locator DNS resource records.  If this setting is not applied to DCs, DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsAvoidRegisterRecords
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Refresh Interval of the DC Locator DNS Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the Refresh Interval of the domain controller (DC) Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.  DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.  Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records.  To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes).  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsRefreshInterval
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Weight Set in the DC Locator DNS SRV Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.  The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.  To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is 0 to 65535.  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvWeight
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Priority Set in the DC Locator DNS SRV Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.  The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.  To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is 0 to 65535.  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvPriority
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records TTL Set in the DC Locator DNS Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the value for the Time-To-Live (TTL) field in Net Logon registered SRV resource records. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the domain controller (DC).  To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value 900 is 15 minutes).  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsTtl
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Automated Site Coverage by the DC Locator DNS SRV Records At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.  If this setting is enabled, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists.  If you disable this setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own.  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AutoSiteCoverage
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Sites Covered by the DC Locator DNS SRV Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.   The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.  To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format.  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteCoverage
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Sites Covered by the GC Locator DNS SRV Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.   The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.  To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format.  If this setting is not configured, it is not applied to any GCs, and GCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!GcSiteCoverage
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Sites Covered by the Application Directory Partition Locator DNS SRV Records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the sites for which the domain controllers (DC) housing application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.   The application directory partition locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.  To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format.  If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NdncSiteCoverage
MACHINE Administrative Templates\System\Net Logon\DC Locator DNS Records Location of the DCs hosting a domain with single label DNS name At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.  By default, when a computer (or the DC Locator running on a computer, to be more specific) needs to locate a domain controller hosting an Active Directory domain specified with a single-label name, the computer exclusively uses NetBIOS name resolution, but not the DNS name resolution, unless the computer is joined to an Active Directory forest in which at least one domain has a single-label DNS name.   If this setting is enabled, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution.  If this setting is disabled, computers to which this setting is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name only using NetBIOS name resolution, but not the DNS name resolution, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowSingleLabelDnsDomain
MACHINE Administrative Templates\System\Group Policy Turn off background refresh of Group Policy At least Microsoft Windows 2000 Prevents Group Policy from being updated while the computer is in use. This setting applies to Group Policy for computers, users, and domain controllers.  If you enable this setting, the system waits until the current user logs off the system before updating the computer and user settings.  If you disable this setting, updates can be applied while users are working. The frequency of updates is determined by the Group Policy refresh interval for computers and Group Policy refresh interval for users settings.  Note: If you make changes to this setting, you must restart your computer for it to take effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableBkGndGroupPolicy
MACHINE Administrative Templates\System\Group Policy Group Policy refresh interval for computers At least Microsoft Windows 2000 Specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder.  In addition to background updates, Group Policy for the computer is always updated when the system starts.  By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.  You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.  If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the Turn off background refresh of Group Policy policy.  The Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly.  This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the Group Policy refresh interval for users setting (located in User Configuration\Administrative Templates\System\Group Policy).  This setting is only used when the Turn off background refresh of Group Policy setting is not enabled.  Note: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime, HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeOffset
MACHINE Administrative Templates\System\Group Policy Group Policy refresh interval for domain controllers At least Microsoft Windows 2000 Specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts.  By default, Group Policy on the domain controllers is updated every five minutes.  You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.  If you disable this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the Turn off background refresh of Group Policy setting.  This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly.  Note: This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeDC, HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeOffsetDC
MACHINE Administrative Templates\System\Group Policy User Group Policy loopback processing mode At least Microsoft Windows 2000 Applies alternate user settings when a user logs on to a computer affected by this setting.  This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.  By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.  To use this setting, select one of the following modes from the Mode box:  --   Replace indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.  --   Merge indicates that the user settings defined in the computer's Group Policy \ HKLM\Software\Policies\Microsoft\Windows\System!UserPolicyMode
MACHINE Administrative Templates\System\Group Policy Allow Cross-Forest User Policy and Roaming User Profiles At least Microsoft Windows Server 2003 Allows User based policy processing, Roaming User Profiles and User Object logon scripts for cross forest interactive logons.  This setting affects all user accounts interactively logging on to a computer in a different forest when a Cross Forest or 2-Way Forest trust exists.  When this setting is Not Configured: - No user based policy settings are applied from the user's forest - User will not receive their roaming profiles, they will receive a local profile on the computer from the local forest. A warning message will be shown to the user, and an Event Log message (1529) will be posted. - Loopback Group Policy processing will be applied, using the Group Policy Objects scoped to the machine. - An Event Log message (1109) will be posted stating that Loopback was invoked in replace mode.  When this setting is Enabled, the behavior is exactly the same as with Windows 2000 Server Family, User policy is applied and a roaming user profile is allowed from the trusted  forest.  When this setting is Disabled, the behavior is the same as Not Configured. HKLM\Software\Policies\Microsoft\Windows\System!AllowX-ForestPolicy-and-RUP
MACHINE Administrative Templates\System\Group Policy Group Policy slow link detection At least Microsoft Windows 2000 Defines a slow connection for purposes of applying and updating Group Policy.  If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.  The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.  To use this setting, in the Connection speed box, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0), indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.  If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.  This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.  Also, see the Do not detect slow network connections and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate
MACHINE Administrative Templates\System\Group Policy Turn off Resultant Set of Policy logging At least Microsoft Windows XP Professional or Windows Server 2003 family This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer.  RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy objects (GPO) were applied, where they came from, and the client-side extension settings that were included.  If you enable this setting, RSoP logging is turned off.  If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on.  Note: To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). HKLM\Software\Policies\Microsoft\Windows\System!RSoPLogging
MACHINE Administrative Templates\System\Group Policy Remove users ability to invoke machine policy refresh At least Microsoft Windows XP Professional or Windows Server 2003 family This setting allows you to control a user's ability to invoke a computer policy refresh.  If you enable this setting, users may not invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs.  If you disable or do not configure this setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user.  Note: This setting only applies to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy is configured.  Also, see the Group Policy refresh interval for computers setting to change the policy refresh interval.  Note: If you make changes to this setting, you must restart your computer for it to take effect. HKLM\Software\Policies\Microsoft\Windows\System!DenyUsersFromMachGP
MACHINE Administrative Templates\System\Group Policy Disallow Interactive Users from generating Resultant Set of Policy data At least Microsoft Windows XP Professional or Windows Server 2003 family This setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.  By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data.  If this setting is enabled, interactive users cannot generate RSoP data.  If this setting is not configured or disabled, interactive Users can generate RSoP.  Note: This setting does not affect administrators. If this setting is enabled or disabled, by default, administrators can view RSoP data.  Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc  Note: This setting exists as both a User Configuration and Computer Configuration setting.  Also, see the Turn off Resultant set of Policy Logging setting in Computer Configuration\Administrative Templates\System\GroupPolicy. HKLM\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
MACHINE Administrative Templates\System\Group Policy Registry policy processing At least Microsoft Windows 2000 Determines when registry policies are updated.  This setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry.  It overrides customized settings that the program implementing a registry policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Internet Explorer Maintenance policy processing At least Microsoft Windows 2000 Determines when Internet Explorer Maintenance policies are updated.  This setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance.  It overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Software Installation policy processing At least Microsoft Windows 2000 Determines when software installation policies are updated.  This setting affects all policies that use the software installation component of Group Policy, such as policies in Software Settings\Software Installation. You can set software installation policy only for Group Policy objects stored in Active Directory, not for Group Policy objects on the local computer.  This policy overrides customized settings that the program implementing the software installation policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Folder Redirection policy processing At least Microsoft Windows 2000 Determines when folder redirection policies are updated.  This setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer.  This setting overrides customized settings that the program implementing the folder redirection policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080861}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080861}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Scripts policy processing At least Microsoft Windows 2000 Determines when policies that assign shared scripts are updated.  This setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts.  It overrides customized settings that the program implementing the scripts policy set when it was installed.  If you enable this policy, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Security policy processing At least Microsoft Windows 2000 Determines when security policies are updated.  This setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings.  It overrides customized settings that the program implementing the security policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy IP Security policy processing At least Microsoft Windows 2000 Determines when IP security policies are updated.  This setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine.  It overrides customized settings that the program implementing the IP security policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e27}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e27}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e27}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Wireless policy processing At least Microsoft Windows 2000 Determines when policies that assign wireless network settings are updated.  This setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies.  It overrides customized settings that the program implementing the wireless network set when it was installed.  If you enable this policy, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy EFS recovery policy processing At least Microsoft Windows 2000 Determines when encryption policies are updated.  This setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings.  It overrides customized settings that the program implementing the encryption policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Disk Quota policy processing At least Microsoft Windows 2000 Determines when disk quota policies are updated.  This setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas.  It overrides customized settings that the program implementing the disk quota policy set when it was installed.  If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system.  The Allow processing across a slow network connection option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.  The Do not apply during periodic background processing option prevents the system from updating affected policies in the background while the computer is in use. Background updates can disrupt the user, cause a program to stop or operate abnormally, and, in rare cases, damage data.  The Process even if the Group Policy objects have not changed option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}!NoGPOListChanges
MACHINE Administrative Templates\System\Group Policy Always use local ADM files for Group Policy Object Editor At least Microsoft Windows Server 2003 Always use local ADM files for the Group Policy snap-in.  By default, when you edit a Group Policy object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This enables you to use the same version of the ADM files that were used to create the GPO while editing this GPO.  This leads to the following behavior:  -  If you originally created the GPO with, for example, an English system, the GPO contains English ADM files.  -  If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO.  You can change this behavior by using this setting.  If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs.  This leads to the following behavior:  -  If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates.  If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO.  Note: If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. HKLM\Software\Policies\Microsoft\Windows\Group Policy!OnlyUseLocalAdminFiles
MACHINE Administrative Templates\System\Remote Assistance Solicited Remote Assistance At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether users can solicit another user’s assistance via Remote Assistance.  If you use Windows Firewall in your organization, depending on the kind of operating system installed on the computer, you might also need to configure certain firewall policies for Solicited Remote Assistance to work.  If you enable this policy setting, a user can create a Remote Assistance invitation that another person (the “expert”) can use at a different computer to connect to the user’s computer. If given permission, the expert can view the user’s screen, mouse, and keyboard activity in real time.  The Permit remote control of this computer setting specifies whether a user on a different computer can control this computer. If a user invites an expert to connect to the computer, and gives permission, the expert can take control of this computer. The expert can only make requests to take control during a Remote Assistance session. The user can stop remote control at any time.  The Maximum ticket time setting sets a limit on the amount of time that a Remote Assistance invitation can remain open.  The Select the method for sending e-mail invitations setting specifies which e-mail standard to use to send Remote Assistance invitations. Depending on your e-mail program, you can use either the Mailto (the invitation recipient connects through an Internet link) or SMAPI (Simple MAPI) standard (the invitation is attached to your e-mail message).  Note: The e-mail program must support the selected e-mail standard.  For all the computers in your organization using this policy setting, add the following entry to the Windows Firewall: Define program exceptions:  %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice  For the computers running the Windows 2003 Service Pack 1 (SP1) operating system, enable the policy setting “Windows Firewall: Allow Remote Desktop Exception”.  For the computers running the Windows XP Service Pack 2 (SP2) and Windows XP 64-bit Service Pack 1 (SP1) operating systems, add the following entry to the policy setting, “Windows Firewall: Define program exceptions”:  %WINDIR%\SYSTEM32\Sessmgr.exe:*: Enabled: Remote Assistance  Note: Enabling the “Allow Remote Desktop Exception” policy setting will work for computers running all versions of Windows on which this policy setting is supported, but it will leave port 3389 constantly open.  By configuring a program exception for Sessmgr.exe, port 3389 will be opened and closed dynamically on computers running the Windows Server XP SP2 and Windows XP 64-bit SP1 operating systems. However, the Sessmgr.exe exception will not work for the Windows Server 2003 SP1 operating system; instead, the “Allow Remote Desktop Exception” policy setting must be configured.  If you disable this policy setting, users cannot request Remote Assistance.  Note: An expert can connect to this computer only with the explicit permission of the user. If this policy setting is disabled or not configured and disabled in Control Panel, the “Offer Remote Assistance” policy setting will also be disabled.  If you do not configure this policy setting, users can enable or disable and configure Remote Assistance themselves in System properties in Control Panel. If this policy setting is not configured, the default maximum time a Remote Assistance invitation can stay open is determined by the Control Panel setting. HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowToGetHelp, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowFullControl, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!MaxTicketExpiry, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!MaxTicketExpiryUnits, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fUseMailto
MACHINE Administrative Templates\System\Remote Assistance Offer Remote Assistance At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether or not a support person or IT administrator (the expert) can offer remote assistance to this computer without a user explicitly requesting it first via a channel, e-mail, or Windows Messenger. If you use Windows Firewall in your organization, depending on the kind of operating system installed on the computer, you might also need to configure certain firewall policies for Offer Remote Assistance to work.  Using this policy setting, an expert can offer remote assistance to this computer.  The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user is still given a chance to accept or deny the connection (giving the expert view-only privileges to the user's desktop), and thereafter the user has to explicitly click a button to give the expert the ability to remotely control the desktop, if remote control is enabled.  If you enable this policy setting, Remote Assistance can be offered to users logged on to the computer. You have two options for how experts, or “helpers,” can provide Remote Assistance: Allow helpers to only view the computer or Allow helpers to remotely control the computer. In addition to making this selection, when you configure this policy setting you also specify the list of users or user groups that will be allowed to offer remote assistance. These are known as helpers.  To configure the list of helpers, click Show. This opens a new window where you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:  <Domain Name>\<User Name> or  <Domain Name>\<Group Name>  For all the computers in your organization, add the following entry to the policy setting “Windows Firewall: Define port exceptions”:  135:TCP:*:Enabled: Offer Remote Assistance  For all the computers, add the following entries to the policy setting “Windows Firewall: Define program exceptions”:  %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance  %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice  For the computers running the Windows Server 2003 Service Pack 1 (SP1) operating system in your organization, enable the policy setting “Windows Firewall: Allow Remote Desktop Exception”.  For computers running the Windows XP Service Pack 2 (SP2) and Windows XP 64-bit Service Pack 1 (SP1) operating systems, add the following entry to the policy setting, “Windows Firewall: Define program exceptions”:  %WINDIR%\SYSTEM32\Sessmgr.exe:*: Enabled: Remote Assistance  Note: Enabling the “Allow Remote Desktop Exception” policy setting will work for computers running all versions of Windows on which this policy setting is supported, but it will leave port 3389 constantly open. By configuring a program exception for Sessmgr.exe, port 3389 will be opened and closed dynamically on computers running the Windows Server XP SP2 and Windows XP 64-bit SP1 operating systems. However, the Sessmgr.exe exception will not work for the Windows Server 2003 SP1 operating system; instead, the “Allow Remote Desktop Exception” policy setting must be configured.  If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer. HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicitedFullControl
MACHINE Administrative Templates\System\System Restore Turn off System Restore Only works on Microsoft Windows XP Professional Determines whether System Restore is turned on or off.  System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is on.   If you enable this setting, System Restore is turned off, and the System Restore Wizard and Configuration Interface cannot be accessed.   If you disable this setting, System Restore is turned on and enforced. It cannot be turned off in the Configuration Interface, but, depending on the Turn off Configuration settings, it may still be configured. The feature is nonfunctional until the system is rebooted. To turn off the Configuration Interface, see the Turn off Configuration setting.   If you do not configure it, the system reverts to the default local setting.   Important: This setting only refreshes at boot time.   Note: This setting is only available in Windows XP Professional.  Also, see the Turn off Configuration setting. If the Turn off System Restore setting is disabled or not configured, the Turn off Configuration setting is used to determine whether the  Configuration Interface appears. HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableSR
MACHINE Administrative Templates\System\System Restore Turn off Configuration Only works on Microsoft Windows XP Professional Allows you to turn off the Configuration Interface for System Restore.  System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this setting depends on the Turn off System Restore setting.   If you enable this setting, the option to configure System Restore on the Configuration Interface disappears. If the Turn off Configuration setting is disabled, the Configuration Interface is still visible, but all System Restore configuration defaults are enforced.   If you do not configure it, the Configuration Interface for System Restore remains, and the user has the ability to configure System Restore.   Note: This setting is only available in the Home Edition and Professional versions of Windows.   Also, see the Turn off System Restore setting. If the Turn off System Restore setting is enabled, the Turn off Configuration setting is not active. If the Turn off System Restore setting is disabled, and Turn off Configuration is not configured, System Restore cannot be turned off locally, but it can be configured. If the Turn off System Restore setting is not configured, and Turn off Configuration is disabled, System Restore can be turned off locally but not configured. HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableConfig
MACHINE Administrative Templates\System\Error Reporting Display Error Notification At least Microsoft Windows XP Professional or Windows Server 2003 family Use this setting to control whether or not a user is given the choice to report an error.  When Display Error Notification is enabled, the user will be notified that an error has occurred and will be given access to details about the error.  If the Configure Error Reporting setting is also enabled, the user will also be given the choice of whether to report the error.  When Display Error Notification is not enabled, the user will not be given the choice of whether to report the error. If the Configure Error Reporting setting is enabled, the error will be automatically reported, but the user will not be notified that an error has occurred.  Disabling this setting is useful for server machines that do not have interactive users.  If you do not configure this setting, the user will be able to adjust the setting via the control panel, which is set to 'enable notification' by default on Windows XP Personal and Windows XP Professional machines and 'disable notification' on servers.  Also, see the Configure Error Reporting policy. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ShowUI, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWAllowHeadless, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWAllowHeadless
MACHINE Administrative Templates\System\Error Reporting Configure Error Reporting At least Microsoft Windows XP Professional or Windows Server 2003 family Configures how errors are reported and what information is sent when Error Reporting is enabled.  This Policy will not enable or disable Error Reporting, to do so use the Turn off Windows Error Reporting policy in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.  If this setting is enabled, it will override any settings made via the control panel for error reporting, and default values will be used for any error reporting policies that are not configured (even if settings were adjusted via the control panel).  If this setting is not configured, the user will be able to adjust the setting via the control panel, which is set to 'enable reporting' by default on Windows XP and to ‘report to Queue’ on Windows Server 2003.  If this setting is disabled, configuration settings will be set to the default (unchecked for check boxes and empty for text boxes).  - Do not display links to any Microsoft ‘More information’ Web sites:  Select this if you do not want error dialogs to display links to Microsoft Web sites.  - Do not collect additional files: Select this if you do not want additional files to be collected and included in the error reports.  - Do not collect additional machine data: Select this if you do not want additional information about the computer to be collected and included in the error reports.  - Force queue mode for application errors: Select this if you do not want users to report errors. When this is selected, the errors are placed in a queue directory, and the next administrator to log onto the machine will be able to report the error.  - Corporate file path: Type a UNC path to enable Corporate Error Reporting.  All errors will be stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the machine will be able to report the error.  - Replace instances of the word ‘Microsoft’ with:  Use this to customize error report dialogs.  The word Microsoft will be replaced with the specified text.  Also, see the Display Error Notification settings in this same folder and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.  Important: If Turn off Windows Error Reporting is not configured, then Control Panel settings will override these settings. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWNoExternalURL, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWNoFileCollection, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWNoSecondLevelCollection, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ForceQueueMode, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWFileTreeRoot, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWReporteeName
MACHINE Administrative Templates\System\Error Reporting\Advanced Error Reporting settings Default application reporting settings At least Microsoft Windows XP Professional or Windows Server 2003 family This setting controls whether or not errors in general applications are included when error reporting is enabled.  When this setting is enabled, The 'Default' dropdown list allows you to choose whether or not to report all application errors or no application errors by default.  When the 'Report all errors in Microsoft applications' checkbox is checked, all errors in Microsoft applications will be reported, regardless of the setting in the 'Default' dropdown list.  When the 'Report all errors in Windows components' checkbox is checked, all errors in Windows applications will be reported, regardless of the setting in the 'Default' dropdown list.  If this setting is disabled, or not configured, the user will be able to adjust this setting via the control panel, which is set to 'upload all applications' by default.  This setting is ignored if the 'Configure Error Reporting' setting is disabled or not configured.  Also see the 'Configure Error Reporting' and 'Report Operating System Errors' policies. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!AllOrNone, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeMicrosoftApps, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeWindowsApps
MACHINE Administrative Templates\System\Error Reporting\Advanced Error Reporting settings List of applications to always report errors for At least Microsoft Windows XP Professional or Windows Server 2003 family This setting specifies the applications that are always included in error reporting.  When this setting is enabled, You can create a list of applications that are always included in error reporting: click the 'Show' button, and edit the list of application file names. The file names must include the .exe file name extension (for example, 'notepad.exe'). Errors generated by applications on this list will be reported, even if the Default dropdown in the Default Application Reporting setting is set to report no application errors.  If the 'Report all errors in Microsoft applications' or 'Report all errors in Windows components' checkbox in the Default Application Reporting setting is checked, error reporting will report errors as though all applications in these categories were added to this list. (Note: The 'Microsoft applications' category includes the 'Windows components' category.  When this setting is disabled or not configured, no list of explicitly included files will be used, though the two checkboxes mentioned above will still be honored.  Also see the Default Application Reporting and Application Exclusion List policies.  This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
MACHINE Administrative Templates\System\Error Reporting\Advanced Error Reporting settings List of applications to never report errors for At least Microsoft Windows XP Professional or Windows Server 2003 family This setting controls error reporting for errors in general applications when error reporting is enabled.  The Default dropdown list allows you to choose whether or not to report all application errors or no application errors by default.  To create a list of applications that error reporting will report for, click the Show button next to Report errors for applications on this list and edit the list of application filenames (example: notepad.exe).  Errors generated by applications in this list will be reported, even if Default is set to report no application errors.  You may use the Report all errors in Microsoft applications and Report all errors in Windows components checkboxes to implicitly add applications in these categories to the include list.  Note that the Microsoft applications category includes the Windows components category.  To create a list of applications that error reporting will exclude from reporting, click the Show button next to Exclude errors for applications on this list.  Errors generated by applications in this list will never be reported, even if the default is set to report all application errors.  The exclude list has priority, so if an application is listed in the include list and exclude list the application will be excluded.  You may also use the exclude list to exclude specific Microsoft applications or Windows components if you implicitly included these categories in the include list via the two checkboxes.  If you disable this setting or do not configure it, the user will be able to adjust this setting via the control panel, which is set to 'upload all applications' by default. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
MACHINE Administrative Templates\System\Error Reporting\Advanced Error Reporting settings Report operating system errors At least Microsoft Windows XP Professional or Windows Server 2003 family This setting controls whether or not errors in the operating system are included when error reporting is enabled.  When this setting is enabled, error reporting will include operating system errors.  When this setting is disabled, operating system errors will not be included in error reporting.  If you do not configure this setting, the user will be able to adjust this setting via the control panel, which is set to 'upload operating system errors' by default  Also see the 'Configure Error Reporting' setting. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeKernelFaults
MACHINE Administrative Templates\System\Error Reporting\Advanced Error Reporting settings Report unplanned shutdown events At least Microsoft Windows Server 2003 This setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled.  When this setting is enabled, error reporting will include unplanned shutdown events.  When this setting is disabled, unplanned shutdown events will not be included in error reporting.  If you do not configure this setting, the user will be able to adjust this setting via the control panel, which is set to 'upload unplanned shutdown events' by default.  Also see the 'Configure Error Reporting' setting. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeShutdownErrs
MACHINE Administrative Templates\System\Windows File Protection Set Windows File Protection scanning At least Microsoft Windows XP Professional or Windows Server 2003 family Determines when Windows File Protection scans protected files. This setting directs Windows File Protection to enumerate and scan all system files for changes.  You can use this setting to direct Windows File Protection to scan files more often. By default, files are scanned only during setup.  To use this setting, enable the setting, and then select a rate from the Scanning Frequency box.  --  Do not scan during startup, the default, scans files only during setup.  --  Scan during startup also scans files each time you start Windows XP. This setting delays each startup.  Note: This setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides. HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcScan
MACHINE Administrative Templates\System\Windows File Protection Hide the file scan progress window At least Microsoft Windows XP Professional or Windows Server 2003 family Hides the file scan progress window.  This window provides status information to sophisticated users, but it might confuse novices.  If you enable this setting, the file scan window does not appear during file scanning.  If you disable this setting or do not configure it, the file scan progress window appears. HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcShowProgress
MACHINE Administrative Templates\System\Windows File Protection Limit Windows File Protection cache size At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the maximum amount of disk space that can be used for the Windows File Protection file cache.  Windows File Protection adds protected files to the cache until the cache content reaches the quota. If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota.  To enable this setting, enter the maximum amount of disk space to be used (in MB). To indicate that the cache size is unlimited, select 4294967295 as the maximum amount of disk space.  If you disable this setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003. HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcQuota
MACHINE Administrative Templates\System\Windows File Protection Specify Windows File Protection cache location At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate location for the Windows File Protection cache.  To enable this setting, enter the fully qualified local path to the new location in the Cache file path box.  If you disable this setting or do not configure it, the Windows File Protection cache is located in the %Systemroot%\System32\Dllcache directory.  Note: Do not put the cache on a network shared directory. HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SFCDllCacheDir
MACHINE Administrative Templates\System\Remote Procedure Call RPC Troubleshooting State Information At least Microsoft Windows XP Professional or Windows Server 2003 family   Determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems.  If you enable this setting, you can use the drop-down box to determine which systems maintain RPC state information. If the setting is disabled or not configured, RPC uses the Auto2 setting.  -- None indicates that the system does not maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations.  --  Auto1 directs RPC to maintain basic state information only if the computer has at least 64 MB of memory.  --  Auto2 directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server.   --  Server directs RPC to maintain basic state information on the computer, regardless of its capacity.  -- Full directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this setting can degrade performance, it is recommended for use only while you are investigating an RPC problem.  Note: To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. HKLM\Software\Policies\Microsoft\Windows NT\Rpc!StateInformation
MACHINE Administrative Templates\System\Remote Procedure Call Propagation of extended error information At least Microsoft Windows XP Professional or Windows Server 2003 family Directs the RPC Runtime to generate extended error information when an error occurs.  Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred or was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs).  If you disable this setting or do not configure it, the RPC Runtime only generates a status code to indicate an error condition.  To use this setting, enable the setting, and then select an error response type in the drop-down box.  --  Off disables all extended error information for all processes. RPC only generates an error code.  --  On with Exceptions enables extended error information but lets you disable it for selected processes. To disable extended error information for a process while this setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.  -- Off with Exceptions disables extended error information but lets you enable it for selected processes. To enable extended error information for a process while this setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.  --  On enables extended error information for all processes.  Note: For information about the Extended Error Information Exception field, see the Windows 2000 Platform Software Development Kit (SDK).  Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information.  Note: The default setting, Off, is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. HKLM\Software\Policies\Microsoft\Windows NT\Rpc!ExtErrorInformation, HKLM\Software\Policies\Microsoft\Windows NT\Rpc!ExtErrorInfoExceptions
MACHINE Administrative Templates\System\Remote Procedure Call Ignore Delegation Failure At least Microsoft Windows Server 2003 Directs the RPC Runtime to ignore delegation failures if delegation was asked for.  Windows Server 2003 family includes a new delegation model - constrained delegation. In this model the security system does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation.  If you disable this setting, do not configure it or set it to Off, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. If you configure this setting to On, the RPC Runtime will accept security contexts that do not support delegation as well as security contexts that do support delegation.  --  Off directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation.  -- On directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. HKLM\Software\Policies\Microsoft\Windows NT\Rpc\IgnoreDelegationFailure!IgnoreDelegationFailure
MACHINE Administrative Templates\System\Remote Procedure Call Minimum Idle Connection Timeout for RPC/HTTP connections At least Microsoft Windows XP Professional with SP1 or Windows Server 2003 family Directs the RPC Runtime to assume the specified timeout as the idle connection timeout even if the IIS server running the RPC HTTP proxy is configured with a higher timeout. If the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. The timeout is given in seconds.  This setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC HTTP proxy. In such cases RPC over HTTP clients may encounter errors because connections will be timed out faster than expected. Using this setting you can force the RPC Runtime and the RPC Proxy to use a lower connection timeout.  This setting is only applicable when the RPC Client, the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows, this setting will be ignored.  The minimum allowed value for this setting is 90 seconds. The maximum is 7200 (2 hours).  If you disable this setting or do not configure it, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout!MinimumConnectionTimeout
MACHINE Administrative Templates\System\Remote Procedure Call Restrictions for Unauthenticated RPC clients At least Microsoft Windows XP Professional with SP2 If you enable this setting, it directs the RPC Runtime on an RPC server to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy.  If you disable this setting or do not configure it, the value of Authenticated will be used for Windows XP and the value of None will be used for Server SKUs that support this policy setting. If you enable it, the following values are available:  --  None allows all RPC clients to connect to RPC Servers running on the machine on which the policy is applied.  --  Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy is applied. Interfaces that have asked to be exempt from this restriction will be granted an exemption.  -- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy is applied. No exceptions are allowed. HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout!RestrictRemoteClients
MACHINE Administrative Templates\System\Remote Procedure Call RPC Endpoint Mapper Client Authentication At least Microsoft Windows XP Professional with SP2 Enabling this setting directs RPC Clients that need to communicate with the Endpoint Mapper Service to authenticate as long as the RPC call for which the endpoint needs to be resolved has authentication information.  Disabling this setting will cause RPC Clients that need to communicate with the Endpoint Mapper Service to not authenticate. The Endpoint Mapper Service on machines running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This means that enabling this setting on a client machine will prevent that client from communicating with a Windows NT4 server using RPC if endpoint resolution is needed.  By default, RPC Clients will not use authentication to communicate with the RPC Server Endpoint Mapper Service when asking for the endpoint of a server. HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout!EnableAuthEpResolution
MACHINE Administrative Templates\System\Windows Time Service Global Configuration Settings At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies a set of parameters for all time providers installed on your system. There are two sets of parameters: clock discipline parameters, which control how the Windows Time Service processes the time samples it receives from providers, and general parameters. The general parameters allow you to configure the following: whether the time service is discoverable through DsGetDcName, the verbosity of event logging, the reliability of the local CMOS clock, and the minimum and maximum suggested polling intervals for time providers. HKLM\Software\Policies\Microsoft\W32Time\Config!FrequencyCorrectRate, HKLM\Software\Policies\Microsoft\W32Time\Config!HoldPeriod, HKLM\Software\Policies\Microsoft\W32Time\Config!LargePhaseOffset, HKLM\Software\Policies\Microsoft\W32Time\Config!MaxAllowedPhaseOffset, HKLM\Software\Policies\Microsoft\W32Time\Config!MaxNegPhaseCorrection, HKLM\Software\Policies\Microsoft\W32Time\Config!MaxPosPhaseCorrection, HKLM\Software\Policies\Microsoft\W32Time\Config!PhaseCorrectRate, HKLM\Software\Policies\Microsoft\W32Time\Config!PollAdjustFactor, HKLM\Software\Policies\Microsoft\W32Time\Config!SpikeWatchPeriod, HKLM\Software\Policies\Microsoft\W32Time\Config!UpdateInterval, HKLM\Software\Policies\Microsoft\W32Time\Config!AnnounceFlags, HKLM\Software\Policies\Microsoft\W32Time\Config!EventLogFlags, HKLM\Software\Policies\Microsoft\W32Time\Config!LocalClockDispersion, HKLM\Software\Policies\Microsoft\W32Time\Config!MaxPollInterval, HKLM\Software\Policies\Microsoft\W32Time\Config!MinPollInterval
MACHINE Administrative Templates\System\Windows Time Service\Time Providers Enable Windows NTP Client At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You may want to disable this service if you decide to use a third-party time provider. HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!Enabled
MACHINE Administrative Templates\System\Windows Time Service\Time Providers Configure Windows NTP Client At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the Windows NTP Client synchronizes time from the domain hierarchy or a manually configured NTP server. Specifies whether the client can synchronize time from a source outside its site, how long the Windows NTP Client waits before attempting to re-resolve an unsuccessfully resolved NTP server name, and the verbosity of the NTP Client's event logging. HKLM\Software\Policies\Microsoft\W32time\Parameters!NtpServer, HKLM\Software\Policies\Microsoft\W32time\Parameters!Type, HKLM\Software\Policies\Microsoft\W32time\Parameters!CrossSiteSyncFlags, HKLM\Software\Policies\Microsoft\W32time\Parameters!ResolvePeerBackoffMinutes, HKLM\Software\Policies\Microsoft\W32time\Parameters!ResolvePeerBackoffMaxTimes, HKLM\Software\Policies\Microsoft\W32time\Parameters!SpecialPollInterval, HKLM\Software\Policies\Microsoft\W32time\Parameters!EventLogFlags
MACHINE Administrative Templates\System\Windows Time Service\Time Providers Enable Windows NTP Server At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the Windows NTP Server is enabled. Enabling the Windows NTP Server allows your computer to service NTP requests from other machines. HKLM\Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer!Enabled
MACHINE Administrative Templates\System\Internet Communication Management Restrict Internet communication At least Microsoft Windows XP Professional with SP2 Specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.  If this setting is enabled, all of the the policy settings listed in the Internet Communication settings section will be set to enabled.  If this setting is disabled, all of the the policy settings listed in the 'Internet Communication settings' section will be set to disabled.  If this setting is not configured, all of the the policy settings in the 'Internet Communication settings' section will be set to not configured. HKLM\Software\Policies\Microsoft\InternetManagement!RestrictCommunication, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard, HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP, HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!Headlines, HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!MicrosoftKBSearch, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith, HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW, HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks, HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate, HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration, HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates, HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting, HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload, HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWindowsUpdateAccess, HKLM\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload, HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp, HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard, HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP, HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!Headlines, HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!MicrosoftKBSearch, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoUpdate, HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW, HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks, HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate, HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration, HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates, HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting, HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload, HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWindowsUpdateAccess, HKLM\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload, HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp, HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off the Publish to Web task for files and folders At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web, are available from File and Folder Tasks in Windows folders.  The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the Web.  If you enable this setting, these tasks are removed from the File and Folder tasks in Windows folders.  If you disable or do not configure this setting, the tasks will be shown. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Internet download for Web publishing and online ordering wizards At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether Windows should download a list of providers for the Web publishing and online ordering wizards.  These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing.  By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry.  If you enable this setting, Windows will not download providers and only the service providers that are cached in the local registry will be displayed.  If you disable or do not configure this setting, a list of providers will be downloaded when the user uses the Web publishing or online ordering wizards.  See the documentation for the Web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off the Order Prints picture task At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders.  The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.  If you enable this setting, the task Order Prints Online is removed from Picture Tasks in Windows Explorer folders.  If you disable or do not configure this setting, the task is displayed. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off the Windows Messenger Customer Experience Improvement Program At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used.  With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used.  This information is used to improve the product in future releases.  If you enable this setting, Windows Messenger will not collect usage information and the user settings to enable the collection of usage information will not be shown.  If you disable this setting, Windows Messenger will collect anonymous usage information and the setting will not be shown.  If you do not configure this setting, users will have the choice to opt-in and allow information to be collected. HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Help and Support Center Did you know? content At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether to show the Did you know? section of Help and Support Center.  This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer.  If you enable this setting, the Help and Support Center will no longer retrieve nor display Did you know? content.  If you disable or do not configure this setting, the Help and Support Center will retrieve and display Did you know? content.  You might want to enable this setting for users who do not have Internet access, because the content in the Did you know? section will remain static indefinitely without an Internet connection. HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!Headlines
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Help and Support Center Microsoft Knowledge Base search At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center.  The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products and is searched as part of all Help and Support Center searches with the default search options.  If you enable this setting, it will remove the Knowledge Base section from the Help and Support Center Set search options page and only help content on the local computer will be searched.   If you disable this setting or do not configure it, the Knowledge Base will be searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!MicrosoftKBSearch
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Error Reporting At least Microsoft Windows XP Professional or Windows Server 2003 family Controls whether or not errors are reported to Microsoft.  Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.  If you enable this setting, users will not be given the option to report errors.  If you disable or do not configure this setting, the errors may be reported to Microsoft via the Internet or to a corporate file share.  This setting overrides any user setting made from the Control Panel for error reporting.  Also see Configure Error Reporting and Display Error Notification settings in Computer Configuration/Administrative Templates/System/Error Reporting. HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Internet File Association service At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association.  When a user opens a file that has an extension that is not associated with any applications on the machine, the user is given the choice to choose a local application or use the Web service to find an application.  If you enable this setting, the link and the dialog for using the Web service to open an unhandled file association are removed.  If you disable or do not configure this setting, the user will be allowed to use the Web service. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs).  If you enable this setting, the Choose a list of Internet Service Providers path in the Internet Connection Wizard will cause the wizard to exit.  This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.  If you disable or do not configure this setting, users will be able to connect to Microsoft to download a list of ISPs for their area. HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Event Viewer Events.asp links At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether Events.asp hyperlinks are available for events within the Event Viewer application.  The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, More Information is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred.  If you enable this setting, event description URL links are not activated and the text More Information is not displayed at the end of the description.  If you disable or do not configure this setting, the user can click the hyperlink which prompts the user and then sends information about the event over the internet to Microsoft.  Also, see Events.asp URL, Events.asp program, and Events.asp Program Command Line Parameters settings in Administrative Templates/Windows Components/Event Viewer. HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Automatic Root Certificates Update At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether to automatically update root certificates using the Windows Update Web site.   Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.  If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities.  If you disable or do not configure this setting, your computer will contact the Windows Update Web site. HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Registration if URL connection is referring to Microsoft.com At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.  If you enable this setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online.  If you disable or do not configure this setting, users can connect to Microsoft.com to complete the online Windows Registration.  Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Search Companion content file updates At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether Search Companion should automatically download content updates during local and Internet searches.  When the user searches the local machine or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results.  If you enable this setting, Search Companion will not download content updates during searches.  If you disable or do not configure this setting, Search Companion will download content updates unless the user is using Classic Search.  Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider.  Choosing Classic Search will turn off the Search Companion feature completely. HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off printing over HTTP At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether to allow printing over HTTP from this client.  Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.  Note: This setting affects the client side of Internet printing only. It does not prevent this machine from acting as an Internet Printing server and making its shared printers available via HTTP.  If you enable this setting, it prevents this client from printing to Internet printers over HTTP.  If you disable or do not configure this setting, users will be able to choose to print to Internet printers over HTTP.  Also see the Web-based Printing setting in Computer Configuration/Administrative Templates/Printers. HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off downloading of print drivers over HTTP At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Specifies whether to allow this client to download print driver packages over HTTP.  To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.  Note: This setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP.  It only prohibits downloading drivers that are not already installed locally.  If you enable this setting, print drivers will not be downloaded over HTTP.  If you disable this setting or do not configure it, users will be able to download print drivers over HTTP. HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Update device driver searching At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 This policy specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present.  If you enable this setting, Windows Update will not be searched when a new device is installed.  If you disable this setting, Windows Update will always be searched for drivers when no local drivers are present.  If you do not configure this setting, searching Windows Update will be optional when installing a device.  Also see Turn off Windows Update device driver search prompt in Administrative Templates/System which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off access to all Windows Update features At least Microsoft Windows 2000 Service Pack 3, Microsoft Windows XP Professional Service Pack 1 or Microsoft Windows Server 2003 family This setting allows you to remove access to Windows Update.  If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.  If you disable or do not configure this setting, users will be able to access the Windows Update Web site and enable automatic updating to receive notifications and critical updates from Windows Update. HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWindowsUpdateAccess
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Movie Maker automatic codec downloads At least Microsoft Windows XP Professional with SP2 Specifies whether Windows Movie Maker automatically downloads codecs.  Windows Movie Maker can be configured so that codecs are downloaded automatically if the required codecs are not installed on the computer.  If you enable this setting, Windows Movie Maker will not attempt to download missing codecs for imported audio and video files.  If you disable or do not configure this setting, Windows Movie Maker might attempt to download missing codecs for imported audio and video files. HKLM\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Movie Maker online Web links At least Microsoft Windows XP Professional with SP2 Specifies whether links to Web sites are available in Windows Movie Maker. These links include the Windows Movie Maker on the Web and Privacy Statement commands that appear on the Help menu, as well as the Learn more about video filters hyperlink in the Options dialog box and the sign up now hyperlink in the The Web saving option in the Save Movie Wizard.  The Windows Movie Maker on the Web command lets users go directly to the Windows Movie Maker Web site to get more information, and the Privacy Statement command lets users view information about privacy issues in respect to Windows Movie Maker. The Learn more about video filters hyperlink lets users learn more about video filters and their role in saving movies process in Windows Movie Maker.  The sign up now hyperlink lets users sign up with a video hosting provider on the Web.  If you enable this setting, the previously mentioned links to Web sites from Windows Movie Maker are disabled and cannot be selected.  If you disable or do not configure this setting, the previously mentioned links to Web sites from Windows Movie Maker are enabled and can be selected. HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp
MACHINE Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Movie Maker saving to online video hosting provider At least Microsoft Windows XP Professional with SP2 Specifies whether users can send a final movie to a video hosting provider on the Web by choosing The Web saving option in the Save Movie Wizard of Windows Movie Maker.  When users create a movie in Windows Movie Maker, they can choose to share it in a variety of ways through the Save Movie Wizard. The Web saving option lets users send their movies to a video hosting provider.  If you enable this setting, users cannot choose The Web saving option in the Save Movie Wizard of Windows Movie Maker and cannot send a movie to a video hosting provider on the Web.  If you disable or do not configure this setting, users can choose The Web saving option in the Save Movie Wizard of Windows Movie Maker and can send a movie to a video hosting provider on the Web. HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish
MACHINE Administrative Templates\System Turn off Windows Update device driver search prompt At least Microsoft Windows XP Professional with SP2 Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet.  Note: This setting only has effect if Turn off Windows Update device driver searching in Administrative Templates/System/Internet Communication Management/Internet Communication settings is disabled or not configured.  If this setting is enabled, administrators will not be prompted to search Windows Update.  If this setting is disabled or not configured and Turn off Windows Update device driver searching is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to search for device drivers. HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
MACHINE Administrative Templates\System\Distributed COM\Application Compatibility Settings Allow local activation security check exemptions At least Microsoft Windows XP Professional with SP2 Allows you to specify that local computer administrators can supplement the Define Activation Security Check exemptions list.  If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the Define Activation Security Check exemptions policy (if enabled), DCOM will look for an entry in the locally configured list.  If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list.  If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the Define Activation Security Check exemptions policy is not configured.  HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!AllowLocalActivationSecurityCheckExemptionList
MACHINE Administrative Templates\System\Distributed COM\Application Compatibility Settings Define Activation Security Check exemptions At least Microsoft Windows XP Professional with SP2 Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check.  DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators.  DCOM ignores the second list when this policy setting is configured, unless the Allow local activation security check exemptions policy is enabled.  DCOM server appids added to this policy must be listed in curly-brace format.  For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}.  If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors.  If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server.   If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings.  If you disable this policy setting, the appid exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.  If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used.  Notes:  The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.   This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults.  If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.   The proper action in this situation is to re-configure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid.  DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.  Also note, exemptions for DCOM Server Appids added to this list will apply to both 32-bit and 64-bit versions of the server if present. HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!ListBox_Support_ActivationSecurityCheckExemptionList
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services Turn off Microsoft Peer-to-Peer Networking Services At least Microsoft Windows XP Professional with SP2 Allows configuration of components of the operating system used by a client computer to connect to a network. This includes DNS settings and Offline Files. HKLM\Software\policies\Microsoft\Peernet!Disabled
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds Set the Seed Server At least Microsoft Windows XP Professional with SP2 The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SeedServer, HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!DontIncludeMicrosoftSeedServer
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds Turn off Multicast Bootstrap At least Microsoft Windows XP Professional with SP2 HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!DisableMulticastBootstrap
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds Set the Seed Server At least Microsoft Windows XP Professional with SP2 HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SeedServer
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds Turn off Multicast Bootstrap At least Microsoft Windows XP Professional with SP2 HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!DisableMulticastBootstrap
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds Set the Seed Server At least Microsoft Windows XP Professional with SP2 HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SeedServer
MACHINE Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds Turn off Multicast Bootstrap At least Microsoft Windows XP Professional with SP2 HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!DisableMulticastBootstrap
MACHINE Administrative Templates\Network\DNS Client Primary DNS Suffix At least Microsoft Windows 2000 Specifies the primary Domain Name System (DNS) suffix for all affected computers. The primary DNS suffix is used in DNS name registration and DNS name resolution.  This setting lets you specify a primary DNS suffix for a group of computers and prevents users, including administrators, from changing it.  If you disable this setting or do not configure it, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. However, administrators can use System in Control Panel to change the primary DNS suffix of a computer.  To use this setting, in the text box provided, type the entire primary DNS suffix you want to assign. For example, microsoft.com.  This setting does not disable the DNS Suffix and NetBIOS Computer Name dialog box that administrators use to change the primary DNS suffix of a computer. However, if administrators enter a suffix, that suffix is ignored while this setting is enabled.  Important: To make changes to this setting effective, you must restart Windows on all computers affected by the setting.  Note: To change the primary DNS suffix of a computer without setting a setting, click System in Control Panel, click the Network Identification tab, click Properties, click More, and then enter a suffix in the Primary DNS suffix of this computer box.  For more information about DNS, see Domain Name System (DNS) in Help. HKLM\Software\Policies\Microsoft\System\DNSClient!NV PrimaryDnsSuffix
MACHINE Administrative Templates\Network\DNS Client Dynamic Update At least Microsoft Windows XP Professional or Windows Server 2003 family Determines if dynamic update is enabled.  Computers configured for dynamic update automatically register and update their DNS resource records with a DNS server.  If you enable this setting, the computers to which this setting is applied may use dynamic DNS registration on each of their network connections, depending on the configuration of each individual network connection. For a dynamic DNS registration to be enabled on a specific network connection, it is necessary and sufficient that both computer-specific and connection-specific configurations allow dynamic DNS registration. This setting controls the computer-specific property controlling dynamic DNS registration. If you enable this setting, you allow dynamic update to be set individually for each of the network connections.  If you disable this setting, the computers to which this setting is applied may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationEnabled
MACHINE Administrative Templates\Network\DNS Client DNS Suffix Search List At least Microsoft Windows XP Professional or Windows Server 2003 family Determines the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.  An unqualified single-label name contains no dots, such as example. This is different from a fully qualified domain name, such as example.microsoft.com..  With this setting enabled, when a user submits a query for a single-label name, such as example, a local DNS client attaches a suffix, such as microsoft.com, resulting in the query example.microsoft.com, before sending the query to a DNS server.  If you enable this setting, you can specify the DNS suffixes to attach before submission of a query for an unqualified single-label name. The values of the DNS suffixes in this setting may be set using comma-separated strings, such as microsoft.com,serverua.microsoft.com,office.microsoft.com. One DNS suffix is attached for each submission of a query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and preceding to the right.  If you enable this setting, you must specify at least one suffix.  If you disable this setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!SearchList
MACHINE Administrative Templates\Network\DNS Client Primary DNS Suffix Devolution At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process.  When a user submits a query for a single-label name, such as example, a local DNS client attaches a suffix, such as microsoft.com, resulting in the query example.microsoft.com, before sending the query to a DNS server.  If a DNS Suffix Search List is not specified, the DNS client attaches the Primary DNS Suffix to a single-label name, and, if this query fails, the Connection-Specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the Primary DNS Suffix of the computer (drops the leftmost label of the Primary DNS Suffix), attaches this devolved Primary DNS suffix to the single-label name, and submits this new query to a DNS server.  For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name example, and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label), and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further and the query example.microsoft.com is submitted. If this query fails, devolution continues and the query example.microsoft.com is submitted. The primary DNS suffix would not be devolved further because the DNS suffix has two labels, microsoft.com. The primary DNS suffix cannot be devolved to less than two labels.  If this setting is enabled, DNS clients on the computers to which this setting is applied attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved Primary DNS Suffix.  If this setting is disabled, DNS clients on the computers to which this setting is applied donot attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved Primary DNS Suffix.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UseDomainNameDevolution
MACHINE Administrative Templates\Network\DNS Client Register PTR Records At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied.  By default, DNS clients configured to perform dynamic DNS registration attempt PTR resource record registration only if they successfully registered the corresponding A resource record. A resource records map a host DNS name to the host IP address, and PTR resource records map the host IP address to the host DNS name.  To enable this setting, click Enable, and then select one of the following values:  Do not register - computers never attempt PTR resource records registration.  Register - computers attempt PTR resource records registration regardless of the success of the A records registration.  Register only if A record registration succeeds – computers attempt PTR resource records registration only if they successfully registered the corresponding A resource records.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterReverseLookup
MACHINE Administrative Templates\Network\DNS Client Registration Refresh Interval At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the Registration Refresh Interval of A and PTR resource records for computers to which this setting is applied. This setting may be applied to computers using dynamic update only.  Computers running Windows 2000 Professional and Windows XP Professional, and configured to perform dynamic DNS registration of A and PTR resource records, periodically reregister their records with DNS servers, even if their records’ data has not changed. This reregistration is required to indicate to DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.  Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Registration Refresh Interval to longer than the Refresh Interval of the DNS zones might result in the undesired deletion of A and PTR resource records.  To specify the Registration Refresh Interval, click Enable, and then enter a value larger than 1800. Remember, this value specifies the Registration Refresh Interval in seconds, for example, 1800 seconds is 30 minutes.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationRefreshInterval
MACHINE Administrative Templates\Network\DNS Client Replace Addresses In Conflicts Only works on Microsoft Windows XP Professional Determines whether a DNS client that attempts to register its A resource record should overwrite an existing A resource record or records containing conflicting IP addresses.  This setting is designed for computers that register A resource records in DNS zones that do not support Secure Dynamic Update. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.  During dynamic update of a zone that does not use Secure Dynamic Update, a DNS client may discover that an existing A resource record associates the client’s host DNS name with an IP address of a different computer. According to the default configuration, the DNS client attempts to replace the existing A resource record with an A resource record associating the DNS name with the client’s IP address.  If you enable this setting, DNS clients attempt to replace conflicting A resource records during dynamic update.  If you disable this setting, the DNS client still performs the dynamic update of A resource records, but if the DNS client attempts to update A resource records containing conflicts, this attempt fails and an error is recorded in the Event Viewer log.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationOverwritesInConflict
MACHINE Administrative Templates\Network\DNS Client DNS Servers Only works on Microsoft Windows XP Professional Defines the DNS servers to which a computer sends queries when it attempts to resolve names.  Warning: The list of the DNS servers defined in this setting supersedes DNS servers configured locally and those configured using DHCP. The list of DNS servers is applied to all network connections of multihomed computers to which this setting is applied.  To use this setting, click Enable, and then enter a space-delimited list of IP addresses (in dotted decimal format) in the available field. If you enable this setting, you must enter at least one IP address.  If this setting is not configured, it is not applied to any computers, and computers use their local or DHCP-configured parameters. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!NameServer
MACHINE Administrative Templates\Network\DNS Client Connection-Specific DNS Suffix Only works on Microsoft Windows XP Professional Specifies a connection-specific DNS suffix. This setting supersedes the connection-specific DNS suffixes set on the computers to which this setting is applied, those configured locally and those configured using DHCP.  Warning: A connection-specific DNS suffix specified in this setting is applied to all the network connections used by multihomed computers to which this setting is applied.  To use this setting, click Enable, and then enter a string value representing the DNS suffix in the available field.  If this setting is not configured, it is not applied to any computers, and computers use their local or DHCP-configuration parameters. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AdapterDomainName
MACHINE Administrative Templates\Network\DNS Client Register DNS records with connection-specific DNS suffix At least Microsoft Windows XP Professional or Windows Server 2003 family Determines if a computer performing dynamic registration may register A and PTR resource records with a concatenation of its Computer Name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its Computer Name and the Primary DNS suffix.  Warning: Enabling of this group setting is applied to all the network connections of multihomed computers to which this setting is applied.  By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its Computer Name and the primary DNS suffix. For example, a concatenation of a Computer Name, such as mycomputer, and the primary DNS suffix, such as microsoft.com, would result in mycomputer.microsoft.com.  If this setting were enabled, a computer would register A and PTR resource records with its connection-specific DNS suffix in addition to registering A and PTR resource records with the primary DNS suffix. For example, a concatenation of a Computer Name mycomputer and the connection specific DNS suffix VPNconnection would be used when registering A and PTR resource records, resulting in mycomputer.VPNconnection. Notice that if dynamic DNS registration is disabled on a computer to which this setting is applied, then, regardless of this setting’s settings, a computer does not attempt dynamic DNS registration of A and PTR records containing a concatenation of its Computer Name and a connection-specific DNS suffix. If dynamic DNS registration is disabled on a specific network connection of a computer to which this setting is applied, then, regardless of this setting’s settings, a computer does not attempt dynamic DNS registration of A and PTR records containing a concatenation of its Computer Name and a connection-specific DNS suffix on that network connection.  If this setting is disabled, a DNS client does not register A and PTR resource records with its connection-specific DNS suffix.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterAdapterName
MACHINE Administrative Templates\Network\DNS Client TTL Set in the A and PTR records At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered by the computers to which this setting is applied.  To specify the TTL, click Enable, and then enter a value in seconds (for example, the value 900 is 15 minutes).  If this setting is not configured, it is not applied to any computer. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationTtl
MACHINE Administrative Templates\Network\DNS Client Update Security Level At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update for registration of DNS records.  To enable this setting, click Enable, and then choose one of the following values.  Unsecure followed by secure - if this option is chosen, computers send secure dynamic updates only when nonsecure dynamic updates are refused.  Only Unsecure - if this option is chosen, computers send only nonsecure dynamic updates.  Only Secure - if this option is chosen, computers send only secure dynamic updates.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateSecurityLevel
MACHINE Administrative Templates\Network\DNS Client Update Top Level Domain Zones At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the computers to which this setting is applied may send dynamic updates to the zones named with a single label name, also known as top-level domain zones, for example, com.  By default, a DNS client configured to perform dynamic DNS update sends dynamic updates to the DNS zone that is authoritative for its DNS resource records, unless the authoritative zone is a top-level domain and root zone.  If this setting is enabled, computers to which this policy is applied send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.  If this setting is disabled, computers to which this policy is applied do not send dynamic updates to the root and/or top-level domain zones that are authoritative for the resource records that the computer needs to update.  If this setting is not configured, it is not applied to any computers, and computers use their local configuration. HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateTopLevelDomainZones
MACHINE Administrative Templates\Network\DNS Client HKLM\
MACHINE Administrative Templates\Network\Offline Files Allow or Disallow use of the Offline Files feature At least Microsoft Windows 2000 Determines whether the Offline Files feature is enabled.  This setting also disables the Enable Offline Files option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network.  If you enable this setting, Offline Files is enabled and users cannot disable it.  If you disable this setting, Offline Files is disabled and users cannot enable it.  By default, Offline Files is enabled on Windows 2000 Professional and Windows XP Professional and is disabled on Windows 2000 Server and also Windows Server 2003 family.  Tip: To enable Offline Files without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Enable Offline Files.  Note: To make changes to this setting effective, you must restart Windows. HKLM\Software\Policies\Microsoft\Windows\NetCache!Enabled
MACHINE Administrative Templates\Network\Offline Files Prohibit user configuration of Offline Files At least Microsoft Windows 2000 Prevents users from enabling, disabling, or changing the configuration of Offline Files.  This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box.  This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. HKLM\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
MACHINE Administrative Templates\Network\Offline Files Synchronize all offline files when logging on At least Microsoft Windows 2000 Determines whether offline files are fully synchronized when users log on.  This setting also disables the Synchronize all offline files before logging on option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager.  If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current.  If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the Synchronize all offline files before logging on option. HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
MACHINE Administrative Templates\Network\Offline Files Synchronize all offline files before logging off At least Microsoft Windows 2000 Determines whether offline files are fully synchronized when users log off.  This setting also disables the Synchronize all offline files before logging off option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current.  If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current.  If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the Synchronize all offline files before logging off option. HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
MACHINE Administrative Templates\Network\Offline Files Synchronize offline files before suspend At least Microsoft Windows 2000 Determines whether offline files are synchonized before a computer is suspended.  If you enable this setting, offline files will be synchronized whenever the computer is suspended. Setting the synchronization action to Quick ensures only that all files in the cache are complete. Setting the synchronization action to Full ensures that all cached files and folders are up to date with the most current version.  If you disable or do not configuring this setting, a synchronization will not occur when the computer is suspended.  Note: If the computer is suspended by closing the display on a portable computer, a synchronization is not performed. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
MACHINE Administrative Templates\Network\Offline Files Default cache size At least Microsoft Windows 2000 Limits the percentage of the computer's disk space that can be used to store automatically cached offline files.  This setting also disables the Amount of disk space to use for temporary offline files option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  Automatic caching can be set on any network share. When a user opens a file on the share, the system automatically stores a copy of the file on the user's computer.  This setting does not limit the disk space available for files that user's make available offline manually.  If you enable this setting, you can specify an automatic-cache disk space limit.  If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the system drive.  If you do not configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it.  Tip: To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the Amount of disk space to use for temporary offline files option. HKLM\Software\Policies\Microsoft\Windows\NetCache!DefCacheSize
MACHINE Administrative Templates\Network\Offline Files Action on server disconnect At least Microsoft Windows 2000 Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.  This setting also disables the When a network connection is lost option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  If you enable this setting, you can use the Action box to specify how computers in the group respond.  --  Work offline indicates that the computer can use local copies of network files while the server is inaccessible.  --  Never go offline indicates that network files are not available while the server is inaccessible.  If you disable this setting or select the Work offline option, users can work offline if disconnected.  If you do not configure this setting, users can work offline by default, but they can change this option.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer  Configuration takes precedence over the setting in User Configuration.  Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the When a network connection is lost section.  Also, see the Non-default server disconnect actions setting. HKLM\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
MACHINE Administrative Templates\Network\Offline Files Non-default server disconnect actions At least Microsoft Windows 2000 Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the Action on server disconnect setting.  To use this setting, click Show, and then click Add. In the Type the name of the item to be added box, type the server's computer name. Then, in the Type the value of the item to be added box, type 0 if users can work offline when they are disconnected from this server, or type 1 if they cannot.  This setting appears in the Computer Configuration and User Configuration folders.  If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Both Computer and User configuration take precedence over a user's setting.  This setting does not prevent users from setting custom actions through the Offline Files tab.  However, users are unable to change any custom actions established via this setting.  Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the Exception list section. HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
MACHINE Administrative Templates\Network\Offline Files Remove 'Make Available Offline' At least Microsoft Windows 2000 Prevents users from making network files and folders available offline.  This setting removes the Make Available Offline option from the File menu and from all context menus in Windows Explorer. As a result, users cannot designate files to be saved on their computer for offline use.  However, this setting does not prevent the system from saving local copies of files that reside on network shares designated for automatic caching.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions!NoMakeAvailableOffline
MACHINE Administrative Templates\Network\Offline Files Prevent use of Offline Files folder At least Microsoft Windows 2000 Disables the Offline Files folder.  This setting disables the View Files button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location.  This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click View Files. HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions!NoCacheViewer
MACHINE Administrative Templates\Network\Offline Files Files not cached At least Microsoft Windows 2000 Lists types of files that cannot be used offline.  This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: Files of this type cannot be made available offline.  This setting is designed to protect files that cannot be separated, such as database components.  To use this setting, type the file name extension in the Extensions box. To type more than one extension, separate the extensions with a semicolon (;).  Note: To make changes to this setting effective, you must log off and log on again. HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions!ExcludeExtensions
MACHINE Administrative Templates\Network\Offline Files Administratively assigned offline files At least Microsoft Windows 2000 This policy setting lists network files and folders that are always available for offline use. This ensures that the the specified files and folders are available offline to users of the computer.  If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show, and then click Add. In the Type the name of the item to be added box, type the fully qualified UNC path to the file or folder. Leave the Enter the value of the item to be added field blank.  If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made always available for offline use.  If you do not configure this policy setting, no files or folders are made always available for offline use.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the settings will be combined and all specified files will be available for offline use. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
MACHINE Administrative Templates\Network\Offline Files Turn off reminder balloons At least Microsoft Windows 2000 Hides or displays reminder balloons, and prevents users from changing the setting.  Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.  If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.  If you disable the setting, the system displays the reminder balloons and prevents users from hiding them.  If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting.  To prevent users from changing the setting while a setting is in effect, the system disables the Enable reminders option on the Offline Files tab  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the Enable reminders check box. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!NoReminders
MACHINE Administrative Templates\Network\Offline Files Reminder balloon frequency At least Microsoft Windows 2000 Determines how often reminder balloon updates appear.  If you enable this setting, you can select how often reminder balloons updates apppear and also prevent users from changing this setting.  Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the Display reminder balloons every ... minutes option. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!ReminderFreqMinutes
MACHINE Administrative Templates\Network\Offline Files Initial reminder balloon lifetime At least Microsoft Windows 2000 Determines how long the first reminder balloon for a network status change is displayed.  Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!InitialBalloonTimeoutSeconds
MACHINE Administrative Templates\Network\Offline Files Reminder balloon lifetime At least Microsoft Windows 2000 Determines how long updated reminder balloons are displayed.  Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!ReminderBalloonTimeoutSeconds
MACHINE Administrative Templates\Network\Offline Files At logoff, delete local copy of user’s offline files At least Microsoft Windows 2000 Deletes local copies of the user's offline files when the user logs off.  This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files.  If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use.  Caution: Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!PurgeAtLogoff, HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!PurgeOnlyAutoCacheAtLogoff
MACHINE Administrative Templates\Network\Offline Files Event logging level At least Microsoft Windows 2000 Determines which events the Offline Files feature records in the event log.  Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record.  To use this setting, in the Enter box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels.  0 records an error when the offline storage cache is corrupted.  1 also records an event when the server hosting the offline file is disconnected from the network.  2 also records events when the local computer is connected and disconnected from the network.  3 also records an event when the server hosting the offline file is reconnected to the network.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!EventLoggingLevel
MACHINE Administrative Templates\Network\Offline Files Subfolders always available offline At least Microsoft Windows 2000 Makes subfolders available offline whenever their parent folder is made available offline.  This setting automatically extends the make available offline setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders.  If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized.  If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!AlwaysPinSubFolders
MACHINE Administrative Templates\Network\Offline Files Encrypt the Offline Files cache At least Microsoft Windows 2000 Service Pack 5, Microsoft Windows XP Professional Service Pack 2 or Microsoft Windows Server 2003 family Service Pack 1 This setting determines whether offline files are encrypted.  Offline files reside on a user's hard drive, not the network, and they are stored in a local cache on the computer. Encrypting this cache enhances security on a local computer. If the cache on the local computer is not encrypted, any encrypted files cached from the network will not be encrypted on the local computer. This may pose a security risk in some environments.  If you enable this setting, all files in the Offline Files cache are encrypted.  This includes existing files as well as files added later. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface.  If you disable this setting, all files in the Offline Files cache are unencrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot encrypt Offline Files through the user interface.  If you do not configure this setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache.  Note: By default, this cache is protected on NTFS partitions by ACLs. HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!EncryptCache
MACHINE Administrative Templates\Network\Offline Files Prohibit 'Make Available Offline' for these file and folders At least Microsoft Windows XP Professional or Windows Server 2003 family This policy setting allows you to manage a list of files or folders for which you wish to prohibit the 'Make Available Offline' option.  If you enable this policy setting, the 'Make Available Offline' option is not available for the files or folders you list. To specify these files or folders, click Show, and then click Add. In the 'Type the name of the item to be added' box, type the fully qualified UNC path to the file or folder. Leave the 'Enter the value of the item to be added' field blank.  If you disable this policy setting, the list of files or folders for which the 'Make Available Offline' option is removed (including those inherited from lower precedence GPOs) is deleted.  If you do not configure this policy setting, the 'Make Available Offline' option is available for all files or folders.  Notes:  This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the 'Make Available Offline' option will be unavailable  for all specified files and folders.  This policy setting does not prevent files from being automatically cached if the network share is configured for 'Automatic Caching'. It only affects the availability of the 'Make Available Offline' menu option in the user interface.  If the 'Disable Make Available Offline' policy setting is enabled, this setting has no effect. HKLM\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
MACHINE Administrative Templates\Network\Offline Files Configure Slow link speed At least Microsoft Windows XP Professional or Windows Server 2003 family Configures the threshold value at which Offline Files considers a network connection to be slow. Any network speed below this value is considered to be slow.  When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected.  If you enable this setting, you can configure the threshold value that will be used to determine a slow network connection.  If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow.  Note: Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. HKLM\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList!SlowLinkSpeed
MACHINE Administrative Templates\Network\Network Connections Prohibit use of Internet Connection Sharing on your DNS domain network At least Microsoft Windows 2000 Service Pack 1 Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.  Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.  ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network.  If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled.  If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)  By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS.  Note: Internet Connection Sharing is only available when two or more network connections are present.  Note: When the Prohibit access to properties of a LAN connection, Ability to change properties of an all user remote access connection, or Prohibit changing properties of a private remote access connection settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.  Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_ShowSharedAccessUI
MACHINE Administrative Templates\Network\Network Connections Prohibit use of Internet Connection Firewall on your DNS domain network At least Microsoft Windows XP Professional or Windows Server 2003 family Prohibits use of Internet Connection Firewall on your DNS domain network.  Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer.  Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.  The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats.  If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.  Note: If you enable the Windows Firewall: Protect all network connections policy setting, the Prohibit use of Internet Connection Firewall on your DNS domain network policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2.  If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_PersonalFirewallConfig
MACHINE Administrative Templates\Network\Network Connections Prohibit installation and configuration of Network Bridge on your DNS domain network At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether a user can install and configure the Network Bridge.  Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.  The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.  If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA
MACHINE Administrative Templates\Network\Network Connections IEEE 802.1x Certificate Authority for Machine Authentication At least Microsoft Windows XP Professional or Windows Server 2003 family If you want to use IEEE 802.1x machine authentication, configure this setting.  If you enable this setting, it configures the Certificate Authority to be used on the client for authentication.  To allow successful authentication, enable this setting and indicate the thumbprint or hash for your Certificate Authority.  If you disable or do not configure this setting, the Certificate Authority for IEEE 802.1x machine authentication will not be configured on your client. This might cause machine authentication to fail.  Note: The Certificate Authority that is configured by this setting only applies to machine authentication, and not to user authentication. HKLM\Software\Policies\Microsoft\Windows\Network Connections\8021X!8021XCARootHash
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Protect all network connections At least Microsoft Windows XP Professional with SP2 Turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP Service Pack 2.  If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting.  If you disable this policy setting, Windows Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot start it.  If you do not configure this policy setting, administrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off, unless the Prohibit use of Internet Connection Firewall on your DNS domain network policy setting overrides. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Do not allow exceptions At least Microsoft Windows XP Professional with SP2 Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages.  If you enable this policy setting, in the Windows Firewall component of Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. You should also enable the Windows Firewall: Protect all network connections policy setting; otherwise, administrators who log on locally can work around the Windows Firewall: Do not allow exceptions policy setting by turning off the firewall.  If you disable this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the Don't allow exceptions check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the Don't allow exceptions check box is cleared by default, but administrators can change it. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DoNotAllowExceptions
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Define program exceptions At least Microsoft Windows XP Professional with SP2 Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.  If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the Windows Firewall: Define port exceptions policy setting. To view the program list, enable the policy setting and then click the Show button. To add a program, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a program, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the Windows Firewall: Allow local program exceptions policy setting.  If you disable this policy setting, the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local program exceptions policy setting.  If you do not configure this policy setting, Windows Firewall uses only the local program exceptions list that administrators define by using the Windows Firewall component in Control Panel.  Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multiple entries.  Note: If you set the Status parameter of a definition string to disabled, Windows Firewall ignores port requests made by that program and ignores other definitions that set the Status of that program to enabled. Therefore, if you set the Status to disabled, you prevent administrators from allowing the program to ask Windows Firewall to open additional ports. However, even if the Status is disabled, the program can still receive unsolicited incoming messages through a port if another policy setting opens that port.  Note: Windows Firewall opens ports for the program only when the program is running and listening for incoming messages. If the program is not running, or is running but not listening for those messages, Windows Firewall does not open its ports. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Enabled
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow local program exceptions At least Microsoft Windows XP Professional with SP2 Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Windows Firewall uses two program exceptions lists; the other is defined by the Windows Firewall: Define program exceptions policy setting.  If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local program exceptions list.  If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local program exceptions list.  If you do not configure this policy setting, the ability of administrators to define a local program exceptions list depends on the configuration of the Windows Firewall: Define program exceptions policy setting. If that setting is not configured, administrators can define a local program exceptions list. If it is enabled or disabled, administrators cannot define a local program exceptions list. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!AllowUserPrefMerge
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow remote administration exception At least Microsoft Windows XP Professional with SP2 Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.  If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.  If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the Windows Firewall: Allow file and printer sharing exception policy setting.  Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow file and printer sharing exception At least Microsoft Windows XP Professional with SP2 Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.  If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the File and Printer Sharing check box is selected and administrators cannot clear it.  If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the File and Printer Sharing check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, the File and Printer Sharing check box is cleared. Administrators can change this check box.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow ICMP exceptions At least Microsoft Windows XP Professional with SP2 Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you do not enable the Allow inbound echo request message type, Windows Firewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages sent by Ping running on this computer.  If you enable this policy setting, you must specify which ICMP message types Windows Firewall allows this computer to send or receive.  If you disable this policy setting, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from this computer. Administrators cannot use the Windows Firewall component in Control Panel to enable any message types. If you enable this policy setting and allow certain message types, then later disable this policy setting, Windows Firewall deletes the list of message types that you had enabled.  If you do not configure this policy setting, Windows Firewall behaves as if you had disabled it, except that administrators can use the Windows Firewall component in Control Panel to enable or disable message types.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.  Note: Other Windows Firewall policy settings affect only incoming messages, but several of the options of the Windows Firewall: Allow ICMP exceptions policy setting affect outgoing communication. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundDestinationUnreachable, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundSourceQuench, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowRedirect, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundEchoRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundRouterRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundTimeExceeded, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundParameterProblem, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundTimestampRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundMaskRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundPacketTooBig
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow Remote Desktop exception At least Microsoft Windows XP Professional with SP2 Allows this computer to receive Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389.   If you enable this policy setting, Windows Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the Remote Desktop check box is selected and administrators cannot clear it.   If you disable this policy setting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the Remote Desktop check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of Control Panel, the Remote Desktop check box is cleared. Administrators can change this check box. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow UPnP framework exception At least Microsoft Windows XP Professional with SP2 Allows this computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900.   If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the UPnP framework check box is selected and administrators cannot clear it.   If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall component of Control Panel, the UPnP framework check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel, the UPnP framework check box is cleared. Administrators can change this check box. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Prohibit notifications At least Microsoft Windows XP Professional with SP2 Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list.  If you enable this policy setting, Windows Firewall prevents the display of these notifications.  If you disable this policy setting, Windows Firewall allows the display of these notifications. In the Windows Firewall component of Control Panel, the Display a notification when Windows Firewall blocks a program check box is selected and administrators cannot clear it.  If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that in the Windows Firewall component of Control Panel, the Display a notification when Windows Firewall blocks a program check box is selected by default, and administrators can change it. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!DisableNotifications
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow logging At least Microsoft Windows XP Professional with SP2 Allows Windows Firewall to record information about the unsolicited incoming messages that it receives.  If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages.  If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the Security Logging settings are cleared and administrators cannot select them.  If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the Security Logging settings. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogDroppedPackets, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogSuccessfulConnections, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogDroppedPackets, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogSuccessfulConnections, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogFilePath, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogFileSize
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Prohibit unicast response to multicast or broadcast requests At least Microsoft Windows XP Professional with SP2 Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.  If you enable this policy setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers.  If you disable or do not configure this policy setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses.  Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!DisableUnicastResponsesToMulticastBroadcast
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Define port exceptions At least Microsoft Windows XP Professional with SP2 Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.  If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a port, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the Windows Firewall: Allow local port exceptions policy setting.  If you disable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting.  If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to open or block ports.  Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values, any definition with the Status set to disabled overrides all definitions with the Status set to enabled, and the port does not receive messages. Therefore, if you set the Status of a port to disabled, you can prevent administrators from using the Windows Firewall component in Control Panel to enable the port.  Note: The only effect of setting the Status value to disabled is that Windows Firewall ignores other definitions for that port that set the Status to enabled. If another policy setting opens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!Enabled
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile Windows Firewall: Allow local port exceptions At least Microsoft Windows XP Professional with SP2 Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall uses two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting.  If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list.  If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local port exceptions list.  If you do not configure this policy setting, the ability of administrators to define a local port exceptions list depends on the configuration of the Windows Firewall: Define port exceptions policy setting. If that setting is not configured, administrators can define a local port exceptions list. If it is enabled or disabled, administrators cannot define a local port exceptions list. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUserPrefMerge
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Protect all network connections At least Microsoft Windows XP Professional with SP2 Turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP Service Pack 2.  If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting.  If you disable this policy setting, Windows Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot start it.  If you do not configure this policy setting, administrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off, unless the Prohibit use of Internet Connection Firewall on your DNS domain network policy setting overrides. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!EnableFirewall
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Do not allow exceptions At least Microsoft Windows XP Professional with SP2 Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages.  If you enable this policy setting, in the Windows Firewall component of Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. You should also enable the Windows Firewall: Protect all network connections policy setting; otherwise, administrators who log on locally can work around the Windows Firewall: Do not allow exceptions policy setting by turning off the firewall.  If you disable this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the Don't allow exceptions check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the Don't allow exceptions check box is cleared by default, but administrators can change it. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DoNotAllowExceptions
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Define program exceptions At least Microsoft Windows XP Professional with SP2 Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.  If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the Windows Firewall: Define port exceptions policy setting. To view the program list, enable the policy setting and then click the Show button. To add a program, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a program, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the Windows Firewall: Allow local program exceptions policy setting.  If you disable this policy setting, the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local program exceptions policy setting.  If you do not configure this policy setting, Windows Firewall uses only the local program exceptions list that administrators define by using the Windows Firewall component in Control Panel.  Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multiple entries.  Note: If you set the Status parameter of a definition string to disabled, Windows Firewall ignores port requests made by that program and ignores other definitions that set the Status of that program to enabled. Therefore, if you set the Status to disabled, you prevent administrators from allowing the program to ask Windows Firewall to open additional ports. However, even if the Status is disabled, the program can still receive unsolicited incoming messages through a port if another policy setting opens that port.  Note: Windows Firewall opens ports for the program only when the program is running and listening for incoming messages. If the program is not running, or is running but not listening for those messages, Windows Firewall does not open its ports. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!Enabled
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow local program exceptions At least Microsoft Windows XP Professional with SP2 Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Windows Firewall uses two program exceptions lists; the other is defined by the Windows Firewall: Define program exceptions policy setting.  If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local program exceptions list.  If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local program exceptions list.  If you do not configure this policy setting, the ability of administrators to define a local program exceptions list depends on the configuration of the Windows Firewall: Define program exceptions policy setting. If that setting is not configured, administrators can define a local program exceptions list. If it is enabled or disabled, administrators cannot define a local program exceptions list. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!AllowUserPrefMerge
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow remote administration exception At least Microsoft Windows XP Professional with SP2 Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.  If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.  If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the Windows Firewall: Allow file and printer sharing exception policy setting.  Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow file and printer sharing exception At least Microsoft Windows XP Professional with SP2 Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.  If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the File and Printer Sharing check box is selected and administrators cannot clear it.  If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the File and Printer Sharing check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, the File and Printer Sharing check box is cleared. Administrators can change this check box.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow ICMP exceptions At least Microsoft Windows XP Professional with SP2 Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you do not enable the Allow inbound echo request message type, Windows Firewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages sent by Ping running on this computer.  If you enable this policy setting, you must specify which ICMP message types Windows Firewall allows this computer to send or receive.  If you disable this policy setting, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from this computer. Administrators cannot use the Windows Firewall component in Control Panel to enable any message types. If you enable this policy setting and allow certain message types, then later disable this policy setting, Windows Firewall deletes the list of message types that you had enabled.  If you do not configure this policy setting, Windows Firewall behaves as if you had disabled it, except that administrators can use the Windows Firewall component in Control Panel to enable or disable message types.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.  Note: Other Windows Firewall policy settings affect only incoming messages, but several of the options of the Windows Firewall: Allow ICMP exceptions policy setting affect outgoing communication. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundDestinationUnreachable, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundSourceQuench, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowRedirect, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundEchoRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundRouterRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundTimeExceeded, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundParameterProblem, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundTimestampRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundMaskRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundPacketTooBig
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow Remote Desktop exception At least Microsoft Windows XP Professional with SP2 Allows this computer to receive Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389.   If you enable this policy setting, Windows Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the Remote Desktop check box is selected and administrators cannot clear it.   If you disable this policy setting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the Remote Desktop check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of Control Panel, the Remote Desktop check box is cleared. Administrators can change this check box. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow UPnP framework exception At least Microsoft Windows XP Professional with SP2 Allows this computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900.   If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the UPnP framework check box is selected and administrators cannot clear it.   If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall component of Control Panel, the UPnP framework check box is cleared and administrators cannot select it.  If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel, the UPnP framework check box is cleared. Administrators can change this check box. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!RemoteAddresses
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Prohibit notifications At least Microsoft Windows XP Professional with SP2 Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list.  If you enable this policy setting, Windows Firewall prevents the display of these notifications.  If you disable this policy setting, Windows Firewall allows the display of these notifications. In the Windows Firewall component of Control Panel, the Display a notification when Windows Firewall blocks a program check box is selected and administrators cannot clear it.  If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that in the Windows Firewall component of Control Panel, the Display a notification when Windows Firewall blocks a program check box is selected by default, and administrators can change it. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!DisableNotifications
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow logging At least Microsoft Windows XP Professional with SP2 Allows Windows Firewall to record information about the unsolicited incoming messages that it receives.  If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages.  If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the Security Logging settings are cleared and administrators cannot select them.  If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the Security Logging settings. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogDroppedPackets, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogSuccessfulConnections, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogDroppedPackets, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogSuccessfulConnections, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogFilePath, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogFileSize
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Prohibit unicast response to multicast or broadcast requests At least Microsoft Windows XP Professional with SP2 Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.  If you enable this policy setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers.  If you disable or do not configure this policy setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses.  Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!DisableUnicastResponsesToMulticastBroadcast
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Define port exceptions At least Microsoft Windows XP Professional with SP2 Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.  If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a port, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the Windows Firewall: Allow local port exceptions policy setting.  If you disable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting.  If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to open or block ports.  Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values, any definition with the Status set to disabled overrides all definitions with the Status set to enabled, and the port does not receive messages. Therefore, if you set the Status of a port to disabled, you can prevent administrators from using the Windows Firewall component in Control Panel to enable the port.  Note: The only effect of setting the Status value to disabled is that Windows Firewall ignores other definitions for that port that set the Status to enabled. If another policy setting opens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port.  Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!Enabled
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile Windows Firewall: Allow local port exceptions At least Microsoft Windows XP Professional with SP2 Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall uses two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting.  If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list.  If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local port exceptions list.  If you do not configure this policy setting, the ability of administrators to define a local port exceptions list depends on the configuration of the Windows Firewall: Define port exceptions policy setting. If that setting is not configured, administrators can define a local port exceptions list. If it is enabled or disabled, administrators cannot define a local port exceptions list. HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUserPrefMerge
MACHINE Administrative Templates\Network\Network Connections\Windows Firewall Windows Firewall: Allow authenticated IPSec bypass At least Microsoft Windows XP Professional with SP2 Allows unsolicited incoming messages from specified systems that authenticate using the IPSec transport.  If you enable this policy setting, you must type a security descriptor containing a list of computers or groups of computers. If a computer on that list authenticates using IPSec, Windows Firewall does not block its unsolicited messages. This policy setting overrides other policy settings that would block those messages.  If you disable or do not configure this policy setting, Windows Firewall makes no exception for messages sent by computers that authenticate using IPSec. If you enable this policy setting and add systems to the list, upon disabling this policy, Windows Firewall deletes the list.  Note: You define entries in this list by using Security Descriptor Definition Language (SDDL) strings. For more information about the SDDL format, see the Windows Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=25131). HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\ICFv4!BypassFirewall
MACHINE Administrative Templates\Network\QoS Packet Scheduler Limit reservable bandwidth At least Microsoft Windows XP Professional or Windows Server 2003 family Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system.  By default, the Packet Scheduler limits the system to 20 percent of the bandwidth of a connection, but you can use this setting to override the default.  If you enable this setting, you can use the Bandwidth limit box to adjust the amount of bandwidth the system can reserve.  If you disable this setting or do not configure it, the system uses the default value of 20 percent of the connection.  Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched!NonBestEffortLimit
MACHINE Administrative Templates\Network\QoS Packet Scheduler Limit outstanding packets At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit.  Outstanding packets are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent.  If you enable this setting, you can limit the number of outstanding packets.  If you disable this setting or do not configure it, then the setting has no effect on the system.  Important: If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched!MaxOutstandingSends
MACHINE Administrative Templates\Network\QoS Packet Scheduler Set timer resolution At least Microsoft Windows XP Professional or Windows Server 2003 family Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry.  If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds.  If you disable this setting or do not configure it, the setting has no effect on the system.  Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched!TimerResolution
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Best effort service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeBestEffort
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Controlled load service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type.  If you disable this setting, the system uses the default DSCP value of 24 (0x18).  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeControlledLoad
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Guaranteed service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type.  If you disable this setting, the system uses the default DSCP value of 40 (0x28).  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeGuaranteed
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Network control service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Network Control service type.  If you disable this setting, the system uses the default DSCP value of 48 (0x30).  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeNetworkControl
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Qualitative service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Qualitative service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeQualitative
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Best effort service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that do not conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTypeBestEffort
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Controlled load service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that do not conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTypeControlledLoad
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Guaranteed service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that do not conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTypeGuaranteed
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Network control service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that do not conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Network Control service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTypeNetworkControl
MACHINE Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Qualitative service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.  This setting applies only to packets that do not conform to the flow specification.  If you enable this setting, you can change the default DSCP value associated with the Qualitative service type.  If you disable this setting, the system uses the default DSCP value of 0.  Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTypeQualitative
MACHINE Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Non-conforming packets At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.  If you enable this setting, you can change the default priority value associated with nonconforming packets.  If you disable this setting, the system uses the default priority value of 1.  Important: If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNonConforming
MACHINE Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Best effort service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.  If you enable this setting, you can change the default priority value associated with the Best Effort service type.  If you disable this setting, the system uses the default priority value of 0.  Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeBestEffort
MACHINE Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Controlled load service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.  If you enable this setting, you can change the default priority value associated with the Controlled Load service type.  If you disable this setting, the system uses the default priority value of 4.  Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeControlledLoad
MACHINE Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Guaranteed service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.  If you enable this setting, you can change the default priority value associated with the Guaranteed service type.  If you disable this setting, the system uses the default priority value of 5.  Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeGuaranteed
MACHINE Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Network control service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.  If you enable this setting, you can change the default priority value associated with the Network Control service type.  If you disable this setting, the system uses the default priority value of 7.  Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNetworkControl
MACHINE Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Qualitative service type At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.  If you enable this setting, you can change the default priority value associated with the Qualitative service type.  If you disable this setting, the system uses the default priority value of 0.  Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeQualitative
MACHINE Administrative Templates\Network\SNMP Communities At least Microsoft Windows XP Professional or Windows Server 2003 family Configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service.  SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events.  A valid community is a community recognized by the SNMP service, while a community is a group of hosts (servers, workstations, hubs, and routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets from the network.  If you enable this setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community.  If you disable or do not configure this setting, the SNMP service takes the Valid Communities configured on the local computer instead.  Best Practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control.  Note: It is good practice to use a cryptic community name.  Note: This setting has no effect if the SNMP agent is not installed on the client computer.  Also, see the other two SNMP settings: Permitted Managers and Trap Configuration. HKLM\Software\Policies\SNMP\Parameters\ValidCommunities!{1,2,3,...}
MACHINE Administrative Templates\Network\SNMP Permitted Managers At least Microsoft Windows XP Professional or Windows Server 2003 family This setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.  Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events.  The manager is located on the host computer on the network. The manager's role is to poll the agents for certain requested information.  If you enable this setting, the SNMP agent only accepts requests from the list of Permitted Managers that you configure using this setting.  If you disable or do not configure this setting, SNMP service takes the Permitted Managers configured on the local computer instead.  Best Practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control.  Note: This setting has no effect if the SNMP agent is not installed on the client computer.  Also, see the other two SNMP settings: Trap Configuration and Community Name. HKLM\Software\Policies\SNMP\Parameters\PermittedManagers!{1,2,3,...}
MACHINE Administrative Templates\Network\SNMP Traps for public community At least Microsoft Windows XP Professional or Windows Server 2003 family This setting allows Trap configuration for the Simple Network Management Protocol (SNMP) agent.  Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events.  This setting allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchronously.  If you enable this setting, the SNMP service sends trap messages to the hosts within the public community.  If you disable or do not configure this setting, the SNMP service takes the Trap Configuration configured on the local computer instead.  Note: This setting has no effect if the SNMP agent is not installed on the client computer.  Also, see the other two SNMP settings: Permitted Managers and Community Name. HKLM\Software\Policies\SNMP\Parameters\TrapConfiguration\public!{1,2,3,...}
MACHINE Administrative Templates\Network\Background Intelligent Transfer Service Maximum network bandwidth that BITS uses Windows XP SP2 or Windows Server 2003 SP1, or computers with BITS 2.0 installed. Limits the network bandwidth that BITS uses for background transfers (this policy does not affect foreground transfers).  Specify a limit to use during a specific time interval and a limit to use at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8AM to 5PM, and use all available unused bandwidth the rest of the time.  Specify the limit in kilobits per second (Kbps). Base the limit on the size of the network link, not the computer’s network interface card (NIC). BITS uses approximately two kilobits if you specify a value less than two kilobits.  To prevent BITS transfers from occurring, specify a limit of 0.   If you disable or do not configure this policy, BITS uses all available unused bandwidth.  Typically, you use this policy to prevent BITS transfers from competing for network bandwidth when the client has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). HKLM\Software\Policies\Microsoft\Windows\BITS!EnableBITSMaxBandwidth, HKLM\Software\Policies\Microsoft\Windows\BITS!MaxTransferRateOnSchedule, HKLM\Software\Policies\Microsoft\Windows\BITS!MaxBandwidthValidFrom, HKLM\Software\Policies\Microsoft\Windows\BITS!MaxBandwidthValidTo, HKLM\Software\Policies\Microsoft\Windows\BITS!UseSystemMaximum, HKLM\Software\Policies\Microsoft\Windows\BITS!MaxTransferRateOffSchedule
MACHINE Administrative Templates\Network\Background Intelligent Transfer Service Timeout (days) for inactive jobs Windows XP or Windows Server 2003, or computers with BITS 1.5 installed. The number of days a pending BITS job can remain inactive before being considered abandoned by the requestor.  Once a job is determined to be abandoned, it is removed by the system and any downloaded files pertaining to the job are deleted from the disk. Any property changes for the job or any successful download action resets this timer.  If the computer remains offline for a long period of time, no activity for the job will be recorded.  You might want to increase this value if computers tend to stay offline for a longer period of time and still have pending jobs. You might want to decrease this value if you are concerned about orphaned jobs occupying disk space.  If you enable this setting, you can configure the inactive job time-out to specified number of days. If you disable or do not configure this setting, the default value of 90 (days) will be used for the inactive job time-out. HKLM\Software\Policies\Microsoft\Windows\BITS!JobInactivityTimeout
MACHINE Administrative Templates\Network Sets how often a DFS Client discovers DC's At least Microsoft Windows XP Professional or Windows Server 2003 family Allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on their network.  By default, a DFS client attempts to discover domain controllers every 15 minutes.  If you enable this setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes.  If you disable this setting or do not configure it, the default value of 15 minutes applies.  Note: The minimum value you can select is 15 minutes. If you try to set this setting to a value less then 15 minutes, the default value of 15 minutes is applied. HKLM\Software\Policies\Microsoft\System\DFSClient!DfsDcNameDelay
MACHINE Administrative Templates\Printers Allow printers to be published At least Microsoft Windows 2000 Determines whether the computer's shared printers can be published in Active Directory.  If you enable this setting or do not configure it, users can use the List in directory option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.  If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the List in directory option is not available.  Note: This settings takes priority over the setting Automatically publish new printers in the Active Directory. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PublishPrinters
MACHINE Administrative Templates\Printers Allow pruning of published printers At least Microsoft Windows 2000 Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer.  By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects.  If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond.  If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network.  Note: You can use the Directory Pruning Interval and Directory Pruning Retry settings to adjust the contact interval and number of contact attempts. HKLM\Software\Policies\Microsoft\Windows NT\Printers!Immortal
MACHINE Administrative Templates\Printers Automatically publish new printers in Active Directory At least Microsoft Windows 2000 Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory.  If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers.  If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually.  The default behavior is to automatically publish shared printers in Active Directory.   Note: This setting is ignored if the Allow printers to be published setting is disabled. HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Auto Publishing
MACHINE Administrative Templates\Printers Check published state At least Microsoft Windows 2000 Directs the system to periodically verify that the printers published by this computer still appear in Active Directory.  This setting also specifies how often the system repeats the verification.  By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating.  To enable this additional verification, enable this setting, and then select a verification interval.  To disable verification, disable this setting, or enable this setting and select Never for the verification interval.   HKLM\Software\Policies\Microsoft\Windows NT\Printers!VerifyPublishedState
MACHINE Administrative Templates\Printers Computer location At least Microsoft Windows 2000 Specifies the default location criteria used when searching for printers.  This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the Pre-populate printer search location text setting.  When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here overrides the actual location of the computer conducting the search.  Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use.  If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocation
MACHINE Administrative Templates\Printers Custom support URL in the Printers folder's left pane At least Microsoft Windows 2000 Adds a customized Web page link to the Printers folder.  By default, the Printers folder includes a link to the Microsoft Support Web page called Get help with printing. It can also include a link to a Web page supplied by the vendor of the currently selected printer.  You can use this setting to replace the Get help with printing default link with a link to a Web page customized for your enterprise.  If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder.  Note: Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click Enable Web content in folders.)  Also, see the Web-based printing setting in this setting folder and the Browse a common web site to find printers setting in User Configuration\Administrative Templates\Control Panel\Printers.  Web view is affected by the Turn on Classic Shell and Remove the Folder Options menu item from the Tools menu settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the Enable Active Desktop setting in User Configuration\Administrative Templates\Desktop\Active Desktop. HKLM\Software\Policies\Microsoft\Windows NT\Printers!SupportLink
MACHINE Administrative Templates\Printers Directory pruning interval At least Microsoft Windows 2000 Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational.  The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service prunes (deletes from Active Directory) printer objects the computer has published.  By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory.  If you enable this setting, you can change the interval between contact attempts.  If you do not configure or disable this setting the default values will be used.  Note: This setting is used only on domain controllers. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningInterval
MACHINE Administrative Templates\Printers Directory pruning priority At least Microsoft Windows 2000 Sets the priority of the pruning thread.  The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current.  The thread priority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads.  By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service.  Note: This setting is used only on domain controllers. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningPriority
MACHINE Administrative Templates\Printers Directory pruning retry At least Microsoft Windows 2000 Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers.  The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service prunes (deletes from Active Directory) printer objects the computer has published.  By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries.  If you enable this setting, you can change the interval between attempts.  If you do not configure or disable this setting, the default values are used.  Note: This setting is used only on domain controllers. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetries
MACHINE Administrative Templates\Printers Disallow installation of printers using kernel-mode drivers At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether printers using kernel-mode drivers may be installed on the local computer.  Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors.  If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional.  If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked.  If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed.  Note: By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. HKLM\Software\Policies\Microsoft\Windows NT\Printers!KMPrintersAreBlocked
MACHINE Administrative Templates\Printers Log directory pruning retry events At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers.  The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The Directory pruning retry setting determines the number of times the attempt is retried; the default value is two retries. The Directory Pruning Interval setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory.  If the Log directory pruning retry events setting is enabled, the contact events are recorded in the event log. If this setting is not configured or is disabled, the contact events are not recorded in the event log.  Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged.  Note: This setting is used only on domain controllers. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetryLog
MACHINE Administrative Templates\Printers Pre-populate printer search location text At least Microsoft Windows 2000 Enables the physical Location Tracking support feature of Windows printers.  Location tracking lets you design a location scheme for your enterprise and assign computers and printers to locations in your scheme. Location tracking overrides the standard method of locating and associating users and printers, which uses the IP address and subnet mask of a computer to estimate its physical location and proximity to other computers.  If you enable Location Tracking, a Browse button appears beside the Location field in the Find Printers dialog box. (To go to the Browse button, click Start, click Search, and click For printers.) The Browse button also appears on the General tab of the Properties dialog box for a printer. It lets users browse for printers by location without their having to know the precise location (or location naming scheme). Also, if you enable the Computer location setting, the default location you type appears in the Location field.  If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated based on IP address and subnet mask. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocationSupport
MACHINE Administrative Templates\Printers Printer browsing At least Microsoft Windows 2000 Announces the presence of shared printers to print browse master servers for the domain.  On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.  If you enable this setting, the print spooler announces shared printers to the print browse master servers. As a result, shared printers appear in the domain list in the Browse for Printer dialog box in the Add Printer Wizard.  If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available.  If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available.  Note: A client license is used each time a client computer announces a printer to a print browse master on the domain. HKLM\Software\Policies\Microsoft\Windows NT\Printers!ServerThread
MACHINE Administrative Templates\Printers Prune printers that are not automatically republished At least Microsoft Windows 2000 Determines whether the system prunes (deletes from Active Directory) printers that are not automatically republished. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest.  The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default the system never prunes their printer objects.  You can enable this setting to change the default behavior. To use this setting, select one of the following options from the Prune non-republishing printers box:  --  Never specifies that printer objects that are not automatically republished are never pruned. Never is the default.  --  Only if Print Server is found prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable.  --  Whenever printer is not found prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers.  Note: This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel.  Tip: If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruneDownlevel
MACHINE Administrative Templates\Printers Allow Print Spooler to accept client connections At least Microsoft Windows Server 2003 This policy controls whether the print spooler will accept client connections.    When the policy is unconfigured, the spooler will not accept client connections until a user shares out a local printer or opens the print queue on a printer connection, at which point spooler will begin accepting client connections automatically.   When the policy is enabled, the spooler will always accept client connections.  When the policy is disabled, the spooler will not accept client connections nor allow users to share printers.  All printers currently shared will continue to be shared.  The spooler must be restarted for changes to this policy to take effect. HKLM\Software\Policies\Microsoft\Windows NT\Printers!RegisterSpoolerRemoteRpcEndPoint
MACHINE Administrative Templates\Printers Web-based printing Windows 2000 or later, running IIS. Not supported on Windows Server 2003 Determines whether Internet printing is activated on this server.  Internet printing lets you display printers on Web pages so the printers can be viewed, managed, and used across the Internet or an intranet.  Internet printing is an extension of the Internet Information Server.  IIS must be installed and the printing support must be enabled in order to use Internet Printing as well as this policy.  Note: This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet.  Also, see the Custom support URL in the Printers folder's left pane setting in this folder and the Browse a common web site to find printers setting in User Configuration\Administrative Templates\Control Panel\Printers. HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPrinting
MACHINE Administrative Templates\Windows Components\Application Compatibility Turn Off Application Compatibility Engine At least Microsoft Windows Server 2003  This policy controls the state of the application compatibility engine in the system.  The engine is part of the loader and looks through a compatibility database every time an application is started on the system.  If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem.  Turning off the application compatibility engine will boost system performance.  However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing.  (For Instance: This may result in a blue screen if an old anti-virus application is installed.)  This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using.  It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine
MACHINE Administrative Templates\Windows Components\Application Compatibility Turn Off Program Compatibility Wizard At least Microsoft Windows Server 2003 This policy controls the state of the Program Compatibility Wizard.  When enabled, this policy disables the start page of the wizard in the Help and Support Center, and in the Start Menu.  These entry points will still exist but the first page of the Help and Support Center wizard will let the user know that this option has been disabled. HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableWizard
MACHINE Administrative Templates\Windows Components\Application Compatibility Remove Program Compatibility Property Page At least Microsoft Windows Server 2003 This policy controls the visibility of the Program Compatibility property page shell extension.  This shell extension is visible on the property context-menu of any program shortcut or executable file.  The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications.  Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage
MACHINE Administrative Templates\Windows Components\Application Compatibility Turn On Application Help Log Events At least Microsoft Windows Server 2003 The Application Help features blocks known incompatible applications and displays a dialog to the end-user regarding the problem.  This dialog may include links to the web for downloading updates for the application, manual steps to work around an issue, or basic incompatibility information.  Enabling this option turns on logging of Application Help events to the Application log. HKLM\Software\Policies\Microsoft\Windows\AppCompat!LogAppHelpEvents
MACHINE Administrative Templates\Windows Components\Application Compatibility Prevent access to 16-bit applications At least Microsoft Windows Server 2003 Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users on this computer.  You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased.  If the status is set to Enabled, ntvdm.exe is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run.  If the status is set to Disabled, the default setting applies and the MS-DOS subsystem runs for all users on this computer.  If the status is set to Not Configured, the default applies and ntvdm.exe runs for all users. However, if an administrator sets the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault to 1, the default changes to prevent all 16-bit applications from running.  Note:  This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKLM\Software\Policies\Microsoft\Windows\AppCompat!VDMDisallowed
MACHINE Administrative Templates\Windows Components\Event Viewer Events.asp URL At least Microsoft Windows XP Professional with SP2 This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to use a different Web server to handle event information requests. HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionURL
MACHINE Administrative Templates\Windows Components\Event Viewer Events.asp program At least Microsoft Windows XP Professional with SP2 This is the program that will be invoked when the user clicks the events.asp link. HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgram
MACHINE Administrative Templates\Windows Components\Event Viewer Events.asp program command line parameters At least Microsoft Windows XP Professional with SP2 This specifies the command line parameters that will be passed to the events.asp program HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgramCommandLineParameters
MACHINE Administrative Templates\Windows Components\Internet Information Services Prevent IIS installation At least Microsoft Windows Server 2003 When you enable this setting, it will prevent Internet Information Services (IIS) from being installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS may not receive a warning that IIS cannot be installed because of this Group Policy. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. HKLM\Software\Policies\Microsoft\Windows NT\IIS!PreventIISInstall
MACHINE Administrative Templates\Windows Components\Security Center Turn on Security Center (Domain PCs only) At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether the Security Center is turned on or off on users' computers that are joined to an Active Directory domain.  When the Security Center is turned on, it monitors essential security settings (firewall, antivirus, and  Automatic Updates), and notifies users when their computers might be at risk.  The Security Center Control Panel category view also contains a status section, where users can get recommendations for helping to increase their computer's security.  When the Security Center is turned off, neither the notifications nor the Security Center status section are displayed.  Note that the Security Center cannot be turned off for computers that are NOT joined to a Windows domain, and this policy setting will have no effect in that case.  If this setting is Not Configured, the Security Center is turned off for domain members.  When this policy setting is Enabled, the Security Center is turned on for all users.  Note that the Security Center will not become available following a change to this policy setting until after a computer is restarted.  When this policy is Disabled, the Security Center is turned off for domain members. HKLM\Software\Policies\Microsoft\Windows NT\Security Center!SecurityCenterInDomain
MACHINE Administrative Templates\Windows Components\Task Scheduler Hide Property Pages At least Microsoft Windows 2000 Prevents users from viewing and changing the properties of an existing task.  This setting removes the Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, users cannot change any properties of a task. They can only see the properties that appear in Detail view and in the task preview.  This setting prevents users from viewing and changing characteristics such as the program the task runs, its schedule details, idle time and power management settings, and its security context.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created tasks, use the Remove Advanced Menu setting. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
MACHINE Administrative Templates\Windows Components\Task Scheduler Prevent Task Run or End At least Microsoft Windows 2000 Prevents users from starting and stopping tasks manually.  This setting removes the Run and End Task items from the context menu that appears when you right-click a task. As a result, users cannot start tasks manually or force tasks to end before they are finished.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
MACHINE Administrative Templates\Windows Components\Task Scheduler Prohibit Drag-and-Drop At least Microsoft Windows 2000 Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder.  This setting disables the Cut, Copy, Paste, and Paste shortcut items on the context menu and the Edit menu in Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.  As a result, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into the Scheduled tasks folder.  This setting does not prevent users from using other methods to create new tasks, and it does not prevent users from deleting tasks.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
MACHINE Administrative Templates\Windows Components\Task Scheduler Prohibit New Task Creation At least Microsoft Windows 2000 Prevents users from creating new tasks.  This setting removes the Add Scheduled Task item that starts the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Scheduled Tasks folder.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Important: This setting does not prevent administrators of a computer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
MACHINE Administrative Templates\Windows Components\Task Scheduler Prohibit Task Deletion At least Microsoft Windows 2000 Prevents users from deleting tasks from the Scheduled Tasks folder.  This setting removes the Delete command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also, the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
MACHINE Administrative Templates\Windows Components\Task Scheduler Hide Advanced Properties Checkbox in Add Scheduled Task Wizard At least Microsoft Windows 2000 This setting removes the Open advanced properties for this task when I click Finish checkbox from the last page of the Scheduled Task Wizard.  This policy is only designed to simplify task creation for beginning users.  The checkbox, when checked, instructs Task Scheduler to automatically open the newly created task's property sheet upon completion of the Add Scheduled Task wizard.  The task's property sheet allows users to change task characteristics such as: the program the task runs, details of its schedule, idle time and power management settings, and its security context.  Beginning users will often not be interested or confused by having the property sheet displayed automatically.  Note that the checkbox is not checked by default even if this setting is Disabled or Not Configured.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
MACHINE Administrative Templates\Windows Components\Task Scheduler Prohibit Browse At least Microsoft Windows 2000 Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the scheduled program for existing tasks.  This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properties dialog box for a task. Also, users cannot edit the Run box or the Start in box that determine the program and path for a task.  As a result, when users create a task, they must select a program from the list in the Scheduled Task Wizard, which displays only the tasks that appear on the Start menu and its submenus. Once a task is created, users cannot change the program a task runs.  Important: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To prevent this action, use the Prohibit Drag-and-Drop setting.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
MACHINE Administrative Templates\Windows Components\Terminal Services Keep-Alive Connections At least Microsoft Windows XP Terminal Services Specifies whether persistent connections are allowed.   After a terminal server client loses the connection to a terminal server, the session on the terminal server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the terminal server. If the client logs on to the same terminal server again, a new session might be established (if Terminal Services is configured to allow multiple sessions), and the original session might still be active.   You can use this setting to enable keep-alive connections and ensure that the session state is consistent with the client state. By default, keep-alive connections are disabled.   To configure keep-alive connections, enable the setting and set the Keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state.   If the status is set to Enabled, keep-alive connections are enabled.   If the status is set to Disabled, the default behavior is enforced.   If the status is set to Not Configured, keep-alive connections remain disabled by default. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!KeepAliveEnable, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!KeepAliveInterval
MACHINE Administrative Templates\Windows Components\Terminal Services Automatic reconnection At least Microsoft Windows XP Terminal Services Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to Terminal Services sessions if their network link is temporarily lost. By default, a maximum  of twenty reconnection attempts are made at five second intervals.   If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost.   If the status is set to Disabled, automatic reconnection of clients is prohibited.   If the status is set to Not Configured, automatic reconnection is not specified at the  Group Policy level. However, users can configure automatic reconnection using the Reconnect if connection is dropped checkbox on the Experience tab in Remote Desktop Connection.  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAutoReconnect
MACHINE Administrative Templates\Windows Components\Terminal Services Restrict Terminal Services users to a single remote session At least Microsoft Windows XP Terminal Services Specifies whether to restrict users to a single remote Terminal Services session.   If the status is set to Enabled, users who log on remotely via Terminal Services will be restricted to a single session on that server (either active or disconnected). If the user leaves the session in a disconnected state, the user automatically reconnects to that session at next logon.   If the status is set to Disabled, users are allowed to make unlimited simultaneous remote connections.   If the status is set to Not Configured, behavior is determined by the setting in the Terminal Services Configuration tool (the default is for users to be limited to one remote session). HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fSingleSessionPerUser
MACHINE Administrative Templates\Windows Components\Terminal Services Enforce Removal of Remote Desktop Wallpaper At least Microsoft Windows XP Terminal Services Specifies whether desktop wallpaper is displayed to remote clients connecting via Terminal Services.   You can use this setting to enforce the removal of wallpaper during a remote session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 do not display wallpaper by default to remote sessions.   If the status is set to Enabled, wallpaper never appears to a Terminal Services client.   If the status is set to Disabled, wallpaper might appear to a Terminal Services client, depending on the client configuration.   If the status is set to Not Configured, the default behavior applies. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoRemoteDesktopWallpaper
MACHINE Administrative Templates\Windows Components\Terminal Services Deny log off of an administrator logged in to the console session At least Microsoft Windows Server 2003 Specifies whether to allow an administrator attempting to connect to the console of a server to log off an administrator currently logged on to the console. The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.   If the status is set to Enabled, logging off the connected administrator is not allowed. If the status is set to Disabled, logging off the connected administrator is allowed. If the status is set to Not Configured, logging off the connected administrator is allowed but can be changed at the local computer policy level.  This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost.  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Allow Time Zone Redirection At least Microsoft Windows XP Terminal Services Specifies whether to allow the client computer to redirect its time zone settings to the Terminal Services session.  By default, the session time zone is the same as the server time zone, and the client computer cannot redirect its time zone information.  If the status is set to Enabled, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). Currently, Remote Desktop Connection and Windows CE 5.1 are the only clients capable of time zone redirection.  Session 0 (the console session) always has the server time zone and settings. To change the system time and time zone, connect to session 0.  If the status is set to Disabled, time zone redirection is not possible.  If the status is set to Not Configured, time zone redirection is not specified at the Group Policy level and the default behavior is for time zone redirection to be turned off.  When an administrator changes this setting, only new connections display the behavior specified by the new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting. Microsoft recommends that all users log off the server after this setting is changed.  Note: Time zone redirection is only possible when connecting to a Windows Server 2003 family terminal server. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableTimeZoneRedirection
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not allow clipboard redirection At least Microsoft Windows XP Terminal Services Specifies whether to prevent the sharing of clipboard contents (clipboard redirection) between a remote computer and a client computer during a Terminal Services session.   You can use this setting to prevent users from redirecting clipboard data to and from the remote computer and the local computer. By default, Terminal Services allows this clipboard redirection.   If the status is set to Enabled, users cannot redirect clipboard data.   If the status is set to Disabled, Terminal Services always allows clipboard redirection.   If the status is set to Not Configured, clipboard redirection is not specified at the Group Policy level. However, an administrator can still disable clipboard redirection using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableClip
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not allow smart card device redirection At least Microsoft Windows XP Terminal Services Specifies whether to prevent the mapping of smart card devices (smart card device redirection) in a Terminal Services session. The client computer must be running Windows 2000 server, Windows XP Professional, or Windows Server 2003 family.   By default, Terminal Services automatically maps smart card devices on connection.   If the status is set to Enabled, Terminal Services users cannot use a smart card to log on to a Terminal Services session.   If the status is set to Disabled, smart card device redirection is always allowed.   If the status is set to Not Configured, smart card device redirection is not specified at the Group Policy level. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableSmartCard
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Allow audio redirection At least Microsoft Windows XP Terminal Services Specifies whether users can choose where to play the remote computer's audio output during a Terminal Services session (audio redirection).   Users can use the Remote computer sound option on the Local Resources tab of Remote Desktop Connection to choose whether to play the remote audio on the remote computer or on the local computer. Users can also choose to disable the audio.   By default, users cannot apply audio redirection when connecting via Terminal Services to a server running Windows Server 2003. Users connecting to a computer running Windows XP Professional can apply audio redirection by default.   If the status is set to Enabled, users can apply audio redirection.   If the status is set to Disabled, users cannot apply audio redirection.   If the status is set to Not Configured, audio redirection is not specified at the Group Policy level. However, an administrator can still enable or disable audio redirection by using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCam
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not allow COM port redirection At least Microsoft Windows XP Terminal Services Specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Terminal Services session.   You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Terminal Services session. By default, Terminal Services allows this COM port redirection.   If the status is set to Enabled, users cannot redirect server data to the local COM port.   If the status is set to Disabled, Terminal Services always allows COM port redirection.   If the status is set to Not Configured, COM port redirection is not specified at the Group Policy level. However, an administrator can still disable COM port redirection using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCcm
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not allow client printer redirection At least Microsoft Windows XP Terminal Services Specifies whether to prevent the mapping of client printers in Terminal Services sessions.   You can use this setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Terminal Services allows this client printer mapping.   If the status is set to Enabled, users cannot redirect print jobs from the remote computer to a local client printer in Terminal Services sessions.   If the status is set to Disabled, users can redirect print jobs with client printer mapping.   If the status is set to Not Configured, client printer mapping is not specified at the Group Policy level. However, an administrator can still disable client printer mapping using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCpm
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not allow LPT port redirection At least Microsoft Windows XP Terminal Services Specifies whether to prevent the redirection of data to client LPT ports during a Terminal Services session.   You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Terminal Services allows this LPT port redirection.   If the status is set to Enabled, users in a Terminal Services session cannot redirect server data to the local LPT port.   If the status is set to Disabled, LPT port redirection is always allowed.   If the status is set to Not Configured, LPT port redirection is not specified at the Group Policy level. However, an administrator can still disable local LPT port redirection using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableLPT
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not allow drive redirection At least Microsoft Windows XP Terminal Services Specifies whether to prevent the mapping of client drives in a Terminal Services session (drive redirection).   By default, Terminal Services maps client drives automatically upon connection. Mapped drives appear in the session folder tree in Windows Explorer or My Computer in the format <driveletter> on <computername>. You can use this setting to override this behavior.   If the status is set to Enabled, client drive redirection is not allowed in Terminal Services sessions.   If the status is set to Disabled, client drive redirection is always allowed.   If the status is set to Not Configured, client drive redirection is not specified at the Group Policy level. However, an administrator can still disable client drive redirection by using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Do not set default client printer to be default printer in a session At least Microsoft Windows XP Terminal Services Specifies whether the client default printer is automatically set as the default printer in a Terminal Services session.   By default, Terminal Services automatically designates the client default printer as the default printer in a Terminal Services session. You can use this setting to override this behavior.   If the status is set to Enabled, the default printer is the printer specified on the remote computer.   If the status is set to Disabled, the terminal server automatically maps the client default printer and sets it as the default printer upon connection.   If the status is set to Not Configured, the default printer is not specified at the Group Policy level. However, an administrator can configure the default printer for client sessions by using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fForceClientLptDef
MACHINE Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection Terminal Server Fallback Printer Driver Behavior At least Microsoft Windows Server 2003 with SP1 Specifies the Terminal Server fallback printer driver behavior.  By default, Terminal Server fallback printer driver is disabled. If the Terminal Server does not have a printer driver that matches the client's printer, no printer will be available for the terminal server session.  If this setting is set to enabled, the Fallback Printer Driver is enabled and the default behavior is for the Terminal Server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are:  Do nothing if one is not found - In the event of a printer driver mismatch, the server will attempt to find a suitable driver, If one is not found, the client's printer is not available. This is the default behavior.  Default to PCL if one is not found - If no suitable printer driver can be found, default to the PCL fallback printer driver.  Default to PS if one is not found - If no suitable printer driver can be found, default to the PS fallback printer driver.  Show both PCL and PS if one is not found - In the event that no suitable driver can be found, show both PS and PCL based fallback printer drivers.  If this setting is set to disabled, the Terminal Server fallback driver is disabled and the Terminal Server will not attempt to use the Fallback driver.   If this setting is Not configured, the fallback printer driver behavior is off by default.  Note: If the Do not allow client printer redirection setting is enabled, this setting is ignored and the fallback driver is disabled.   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPolicyFallbackPrintDriver, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!FallbackPrintDriverType
MACHINE Administrative Templates\Windows Components\Terminal Services\Encryption and Security Always prompt client for password upon connection At least Microsoft Windows XP Terminal Services Specifies whether Terminal Services always prompts the client for a password upon connection.   You can use this setting to enforce a password prompt for users logging on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client.   By default, Terminal Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.   If the status is set to Enabled, users cannot automatically log on to Terminal Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.   If the status is set to Disabled, users can always log on to Terminal Services automatically by supplying their passwords in the Remote Desktop Connection client.   If the status is set to Not Configured, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword
MACHINE Administrative Templates\Windows Components\Terminal Services\Encryption and Security Set client connection encryption level At least Microsoft Windows XP Terminal Services Specifies whether to enforce an encryption level for all data sent between the client and the server during the Terminal Services session.   If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. The following encryption levels are available.   High: All data sent between the client and the server is protected by encryption based on the server’s maximum key strength. Clients that do not support this level of encryption cannot connect.   Client compatible: All data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client.   Low: All data sent from the client to the server is protected by encryption based on the maximum key strength supported by the client.   If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
MACHINE Administrative Templates\Windows Components\Terminal Services\Encryption and Security\RPC Security Policy Secure Server (Require Security) At least Microsoft Windows Server 2003 Specifies whether a Terminal Server requires secure RPC communication with all clients or allows unsecured communication.  You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.  If the status is set to Enabled, the Terminal Server accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.  If the status is set to Disabled, the Terminal Server always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.  If the status is set to Not Configured, unsecured communication is allowed.  Note: The RPC interface is used for administering and configuring Terminal Services. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEncryptRPCTraffic
MACHINE Administrative Templates\Windows Components\Terminal Services Limit number of connections At least Microsoft Windows XP Terminal Services Specifies whether Terminal Services limits the number of simultaneous connections to the server.   You can use this setting to restrict the number of remote sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, terminal servers allow an unlimited number of remote sessions, and Remote Desktop for Administration allows two remote sessions.   To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999.   If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Terminal Services running on the server.   If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level.   Note: This setting is designed to be used on terminal servers (that is, on servers running Windows with Terminal Server installed). HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxInstanceCount
MACHINE Administrative Templates\Windows Components\Terminal Services Limit maximum color depth At least Microsoft Windows XP Terminal Services Specifies the maximum color resolution (color depth) for Terminal Services connections.  You can use this setting to set a limit on the color depth of any connection to a terminal server or Remote Desktop. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load.  To use this setting, select the setting from the Color Depth list. To specify that all connections should be at the highest color depth supported by the client, select Client Compatible. The current maximum color depth for Terminal Server and Remote Desktop connections is 24 bit. The default maximum color depth is set to 16 bit for Terminal Server and Remote Desktop on Windows XP Professional.  If the status is set to Enabled, the specified color depth is the maximum depth for a user's Terminal Services connection. The actual color depth for the connection is determined by the color support available on the client computer.  If the status is set to Disabled or Not Configured, the color depth for connections is the default value for the Terminal Services mode/Windows version running on the computer, unless a lower level is specified by the user at the time of connection. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ColorDepth
MACHINE Administrative Templates\Windows Components\Terminal Services Allow users to connect remotely using Terminal Services At least Microsoft Windows XP Terminal Services Specifies whether to allow users to connect remotely using Terminal Services.   You can use this setting to configure Terminal Services remote access for the target computers.   If the status is set to Enabled, users can connect to the target computers remotely using Terminal Services. You can limit the number of users who can connect simultaneously by configuring the Limit number of connections setting or the Maximum Connections option on the Network Adapter tab in the Terminal Services Configuration tool.   If the status is set to Disabled, the target computers maintain current connections, but will not accept any new incoming connections.   If the status is set to Not Configured, Terminal Services uses the Allow users to connect remotely to your computer option on the target computer to determine whether remote connection is allowed. This option is found on the Remote tab in System Properties. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections
MACHINE Administrative Templates\Windows Components\Terminal Services Do not allow local administrators to customize permissions At least Microsoft Windows XP Terminal Services Specifies whether to disable the administrator rights to customize security permissions in the Terminal Services Configuration tool (tscc.msc).   You can use this setting to prevent administrators from making changes to the security descriptors for user groups in the TSCC Permissions tab. By default, administrators are able to make such changes.   If the status is set to Enabled, the TSCC Permissions tab cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors are Read Only.   If the status is set to Disabled or Not Configured, server administrators have full Read/Write privileges to the user security descriptors in the TSCC Permissions tab.   Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fWritableTSCCPermTab
MACHINE Administrative Templates\Windows Components\Terminal Services Remove Windows Security item from Start menu At least Microsoft Windows 2000 Terminal Services Specifies whether to remove the Windows Security item from the Settings menu on Terminal Services clients. You can use this setting to prevent inexperienced users from logging off from Terminal Services inadvertently.   If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer.   If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNTSecurity
MACHINE Administrative Templates\Windows Components\Terminal Services Remove Disconnect option from Shut Down dialog At least Microsoft Windows 2000 Terminal Services Specifies whether to remove the Disconnect option from the Shut Down Windows dialog box on Terminal Services clients.   You can use this setting to prevent users from using this familiar method to disconnect their client from a terminal server.   If the status is set to Enabled, Disconnect does not appear as an option in the drop-down list in the Shut Down Windows dialog box.   If the status is set to Disabled, Disconnect always appears as an option in the drop-down list.   If the status is set to Not Configured, the appearance of the Disconnect option is not specified at the Group Policy level.   Note: This setting affects the Shut Down Windows dialog box only. It does not prevent users from using other methods of disconnecting from a Terminal Services session. This setting also does not prevent disconnected sessions at the server. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDisconnect
MACHINE Administrative Templates\Windows Components\Terminal Services Always show desktop on connection At least Microsoft Windows Server 2003 with SP1 This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Terminal Services Client, or through Group Policy.  If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings.  If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer.  Note: If this policy setting is enabled, then the Start a program on connection policy setting is ignored. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!fTurnOffSingleAppMode
MACHINE Administrative Templates\Windows Components\Terminal Services\Licensing License Server Security Group At least Microsoft Windows XP Terminal Services Specifies the terminal servers and license servers to which a Terminal Server License Server offers licenses.  You can use this setting to control which servers are issued licenses. By default, a Terminal Server License Server issues a license to any computer that requests one.  If the status is set to Enabled, a local group called Terminal Services Computers is created. The Terminal Server License Server grants licenses only to computers whose computer accounts are placed in this group. When the target computer is a domain controller, this group is a domain local group.  If the status is set to Disabled, the Terminal Server License Server issues a license to any computer that requests one. The Terminal Services Computers group is not deleted or changed in any way. This is the default behavior.  If the status is set to Not Configured, the Terminal Server License Server issues a license to any computer that requests one. The Terminal Services Computers group is not deleted or changed in any way. This is the default behavior.  Notes: 1. The Terminal Services Computers group is empty by default. The Terminal Server License Server does not grant licenses to any computers unless you explicitly populate this group. 2. The most efficient way to manage Terminal Server computer accounts is to create a global group containing the accounts of all terminal servers and license servers that must receive licenses. Then, place this global group into the local (or domain local) Terminal Services Computers group. This method allows a domain administrator to manage a single list of computer accounts. 3. To add a computer account to a group, open the Computer Management snap-in, navigate to the Properties page of the group, and click Add.  On the Select Users, Computers, or Groups dialog box, click Object Types and then check Computers. HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fSecureLicensing
MACHINE Administrative Templates\Windows Components\Terminal Services\Licensing Prevent License Upgrade At least Microsoft Windows XP Terminal Services Specifies how a License Server distributes license upgrades to terminal servers running Windows 2000.   A License Server attempts to provide the most appropriate Client Access License (CAL) for a connection. For example, a License Server provides a Windows 2000 Terminal Services (TS) CAL token for clients connecting to a terminal server running Windows 2000 operating system, and a Windows Server 2003 family TS CAL token for a connection to a terminal server running Windows Server 2003.   By default, this per-computer setting allows a License Server to supply a Windows Server 2003 family TS CAL token, if available, to a terminal server running Windows 2000 operating system if there is no Windows 2000 server TS CAL token available.   If the status is set to Enabled, when a terminal server running Windows 2000 server requests a license, but no Windows 2000 server TS CAL token is available, a temporary CAL is issued if the client has not already been issued a temporary CAL. Otherwise, no CAL is issued and the client is refused connection, unless the terminal server is within its grace period.   If the status is set to Disabled, the default behavior is enforced.   If the status is set to Not Configured, the License Server exhibits the default behavior. HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fPreventLicenseUpgrade
MACHINE Administrative Templates\Windows Components\Terminal Services\Temporary folders Do not use temp folders per session At least Microsoft Windows XP Terminal Services Specifies whether to prevent Terminal Services from creating session-specific temporary folders.   You can use this setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Terminal Services creates a separate temporary folder for each active session that a user maintains on a remote computer. Unless otherwise specified, these temporary folders are in %USERPROFILE%\Local Settings\Temp\<sessionID>.   If the status is set to Enabled, per-session temporary folders are not created. Instead, users' temporary files are stored in a common Temp directory for each user on the server (by default, %USERPROFILE%\Local Settings\Temp).   If the status is set to Disabled, per-session temporary folders are always created, even if the administrator specifies otherwise in the Terminal Services Configuration tool.   If the status is set to Not Configured, per-session temporary folders are created unless otherwise specified by the server administrator. HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!PerSessionTempDir
MACHINE Administrative Templates\Windows Components\Terminal Services\Temporary folders Do not delete temp folder upon exit At least Microsoft Windows XP Terminal Services Specifies whether Terminal Services retains a user's per-session temporary folders at logoff.   You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Terminal Services deletes a user's temporary folders when the user logs off.   If the status is set to Enabled, users' per-session temporary folders are retained when the user logs off from a session.   If the status is set to Disabled, temporary folders are deleted when a user logs off, even if the administrator specifies otherwise in the Terminal Services Configuration tool.   If the status is set to Not Configured, Terminal Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator.   Note: This setting only takes effect if per-session temporary folders are in use on the server. That is, if you enable the Do not use temporary folders per session setting, this setting has no effect. HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!DeleteTempDirsOnExit
MACHINE Administrative Templates\Windows Components\Terminal Services\Client Do not allow passwords to be saved At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Controls whether passwords can be saved on this computer from Terminal Services clients.  If you enable this setting the password saving checkbox in Terminal Services clients will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using the Terminal Services client and saves his settings, any password that previously existed in the RDP file will be deleted.  If you disable this setting or leave it not configured, the user will be able to save passwords using the Terminal Services client. HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
MACHINE Administrative Templates\Windows Components\Terminal Services\Session Directory Terminal Server IP Address Redirection Microsoft Windows Server 2003, Enterprise Edition Specifies how client devices are directed when reconnecting to an existing terminal server session.   If the status is set to Enabled, client devices attempt to reconnect to disconnected sessions using the internal IP addresses of the terminal servers in the Session Directory. Enable this setting if clients can directly connect to an individual terminal server via that terminal server's IP address.   If the status is set to Disabled, client devices are redirected to disconnected sessions using the virtual IP address of the cluster. To direct the request to the proper terminal server, terminal server clients and the load balancing hardware must both support the use of routing tokens. This requires configuration and software support in the load balancing device specifically for terminal servers and routing tokens. Disable this setting if the clients only have visibility to the virtual IP address for the terminal server cluster, and cannot connect to an individual terminal server's IP address.  If the status is set to Not Configured, the IP address redirection setting in the Terminal Services Configuration tool is used. The default for this setting in the Terminal Services Configuration tool is enabled. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryExposeServerIP
MACHINE Administrative Templates\Windows Components\Terminal Services\Session Directory Join Session Directory Microsoft Windows Server 2003, Enterprise Edition Specifies whether Terminal Services uses a Session Directory for tracking user sessions, allowing a group of terminal servers to locate and connect a user back to an existing session.   If the status is set to Enabled, Terminal Services stores user session information in a Session Directory on the server specified in the Session Directory Server setting.   If the status is set to Disabled, session tracking is not performed, and cannot be enabled using either the Terminal Services Configuration tool or the Terminal Services WMI provider.   If the status is set to Not Configured, session tracking is not specified at the Group Policy level. However, an administrator can configure servers to participate in a Session Directory with the Terminal Services Configuration tool or via the Terminal Services WMI provider.   Note: If you enable this setting, you must enable the Session Directory Server and Session Directory Cluster Name settings. The Session Directory service can only be used when the Terminal Server component is installed on the server. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryActive
MACHINE Administrative Templates\Windows Components\Terminal Services\Session Directory Session Directory Server Microsoft Windows Server 2003, Enterprise Edition Specifies whether to configure a server as a Session Directory Server for Terminal Services sessions on your network.   A Session Directory Server directs incoming Terminal Services connections for a terminal server cluster.   If the status is set to Enabled, you can specify a server and its DNS name, IP address, or fully qualified domain name to act as the Session Directory Server. Terminal Services Session Directory must be running on the specified server for this setting to be effective. If the name specified for the Session Directory Server is not valid, an error is logged in Event Viewer on the target computer indicating that the specified location could not be found.  If status is set to Disabled or Not Configured, the Session Directory Server is not specified at the Group Policy level, and can be adjusted using the Terminal Services Configuration tool or the Terminal Services WMI provider.  Note: This setting must be used in combination with the Join Session Directory setting. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryLocation
MACHINE Administrative Templates\Windows Components\Terminal Services\Session Directory Session Directory Cluster Name Microsoft Windows Server 2003, Enterprise Edition Specifies the Cluster Name for the terminal server, associating it with other servers in the same logical group.  If the status is set to Enabled, you can specify the name of the terminal server cluster. If the name is invalid, an error is logged in the event log stating that the specified cluster could not be found.  If the status is set to Disabled or Not Configured, Cluster Name is not specified at the Group Policy level, and may be adjusted using the Terminal Services Configuration tool or the Terminal Services WMI provider.  Note: Use this setting in combination with Join Session Directory and Session Directory Server settings. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryClusterName
MACHINE Administrative Templates\Windows Components\Terminal Services\Sessions Set time limit for disconnected sessions At least Microsoft Windows XP Terminal Services Specifies a time limit for disconnected Terminal Services sessions.   You can use this setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session.   When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.   If the status is set to Enabled, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never.   If the status is set to Disabled or Not Configured, time limits for disconnected sessions are not specified at the Group Policy level.   Note: This setting does not apply to console sessions such as Remote Desktop sessions with computers running Windows XP Professional. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime VALUE 0, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
MACHINE Administrative Templates\Windows Components\Terminal Services\Sessions Sets a time limit for active Terminal Services sessions At least Microsoft Windows XP Terminal Services Specifies a time limit for active Terminal Services sessions.   You can use this setting to specify the maximum amount of time a Terminal Services session can be active before it is automatically disconnected.  To use this setting, select Enabled, and then select the desired limit in the Active session limit drop-down list. By default, Terminal Services allows sessions to remain active for an unlimited time.   If the status is set to Enabled, Terminal Services ends active sessions after the specified amount of time. The user receives a two-minute warning before the Terminal Services session ends, which allows the user to save open files and close programs.   If the status is set to Disabled or Not Configured, time limits for active sessions are not specified at the Group Policy level. However, an administrator can specify time limits for active sessions in the Terminal Services Configuration tool.   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. Active session limits do not apply to the console session. To specify user sessions to be terminated at time-out, enable the Terminate session when time limits are reached setting. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
MACHINE Administrative Templates\Windows Components\Terminal Services\Sessions Sets a time limit for active but idle Terminal Services sessions At least Microsoft Windows XP Terminal Services Specifies a time limit for active but idle Terminal Services sessions.   You can use this setting to specify the maximum amount of time that an active session can be idle (that is, no user input) before it is automatically disconnected. By default, Terminal Services allows active sessions to remain idle for an unlimited time.   To use this setting, select Enabled, and then select the desired time limit in the Idle session limit drop-down list.   If the status is set to Enabled, active but idle sessions are automatically disconnected after the specified amount of time. The user receives a two-minute warning before the session ends, which allows the user to press a key or move the mouse to keep the session active.   If the status is set to Disabled or Not Configured, the time limit for active but idle sessions is not specified at the Group Policy level. However, an administrator can specify time limits for idle sessions in the Terminal Services Configuration tool.   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. Idle session limits do not apply to the console session. To specify that user sessions are terminated at time-out, enable the  Terminate session when time limits are reached setting. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
MACHINE Administrative Templates\Windows Components\Terminal Services\Sessions Allow reconnection from original client only At least Microsoft Windows XP Terminal Services Specifies whether to allow users to reconnect to a disconnected Terminal Services session using a computer other than the original client computer.   You can use this setting to prevent Terminal Services users from reconnecting to the disconnected session using a computer other than the client computer from which they originally created the session. By default, Terminal Services allows users to reconnect to disconnected sessions from any client computer.   If the status is set to Enabled, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead.   If the status is set to Disabled, users can always connect to the disconnected session from any computer.   If the status is set to Not Configured, session reconnection from the original client computer is not specified at the Group Policy level.   Important: This option is only supported for Citrix ICA clients that provide a serial number when connecting; this setting is ignored if the user is connecting with a Windows client. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fReconnectSame
MACHINE Administrative Templates\Windows Components\Terminal Services\Sessions Terminate session when time limits are reached Specifies whether to terminate a timed-out Terminal Services session instead of disconnecting it.   You can use this setting to direct Terminal Services to terminate a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Terminal Services disconnects sessions that reach their time limits.   Time limits are set locally by the server administrator or in Group Policy. See the Sets a time limit for active Terminal Services sessions and Sets a time limit for active but idle Terminal Services sessions settings.   If the status is set to Enabled, Terminal Services terminates any session that reaches its time-out limit.   If the status is set to Disabled, Terminal Services always disconnects a timed-out session, even if specified otherwise by the server administrator.   If the status is set to Not Configured, Terminal Services disconnects a timed-out session, unless specified otherwise in local settings.   Note: This setting only applies to time-out limits that are deliberately set (in the Terminal Services Configuration tool or Group Policy Object Editor), not to time-out events that occur due to connectivity or network conditions. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
MACHINE Administrative Templates\Windows Components\Terminal Services Set path for TS Roaming Profiles At least Microsoft Windows XP Terminal Services Specifies whether Terminal Services uses the specified network path for roaming user profiles.   You can use this setting to specify a network share where the profiles are stored, allowing users to access the same profile for sessions on all terminal servers in the same organizational unit. By default, Terminal Services stores all user profiles locally on the terminal server.   To use this setting, type the path to the network share in the form \\Computername\Sharename. Do not specify a placeholder for user alias, because Terminal Services automatically appends this at logon. If the specified network share does not exist, Terminal Services displays an error message at the server and stores the user profiles locally.   If the status is set to Enabled, Terminal Services uses the specified path as the root directory for all user profiles. The profiles themselves are contained in subdirectories named for the alias of each user.   If the status is set to Disabled or Not Configured, user profiles are stored locally on the server, unless specified otherwise by the server administrator.   Note: The roaming profiles specified with this setting apply to Terminal Services connections only; a user might also have a Windows roaming profile, in which case the Terminal Services roaming profile always takes precedence in a Terminal Services session. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFProfilePath
MACHINE Administrative Templates\Windows Components\Terminal Services Use the specified Terminal Server license servers At least Microsoft Windows Server 2003 with SP1 Determines whether terminal servers must first attempt to locate Terminal Server license servers that are specified in this setting before attempting to locate other license servers.  During the automatic discovery process, terminal servers attempt to contact license servers in the following order:  1. Enterprise license servers or domain license servers that are specified in the LicenseServers registry key. 2. Enterprise license servers that are specified in Active Directory. 3. Domain license servers.  If you enable this setting, terminal servers attempt to locate license servers that are specified in this setting, before following the automatic license server discovery process.  If you disable or do not configure this setting, terminal servers follow the automatic license server discovery process.   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicenseServers
MACHINE Administrative Templates\Windows Components\Terminal Services Set the Terminal Server licensing mode At least Microsoft Windows Server 2003 with SP1 Determines the type of Terminal Server client access license (CAL) a device or user requires to connect to this Terminal Server.  Per User licensing mode: Each user connecting to this terminal server requires a Per User Terminal Server CAL.  Per Device licensing mode: Each device connecting to this terminal server requires a Per Device Terminal Server CAL.  If you enable this setting, the licensing mode that you specify in this setting overrides the licensing mode that is specified during Setup or in Terminal Services Configuration (TSCC.msc).  If you disable or do not configure this setting, the licensing mode that is specified during Setup or in Terminal Services Configuration is used. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicensingMode
MACHINE Administrative Templates\Windows Components\Terminal Services Show Tooltips for Licensing problems on Terminal Server At least Microsoft Windows Server 2003 with SP1 Displays tooltips to the Administrator upon login if there are any licensing issues with the Terminal Server.  Not configured: If this setting is not configured, the display of these tooltips will be governed by registry settings defined for this purpose.  Enabled: If you enable this setting, tooltips will be shown to the administrator upon login if any Licensing related problems persist with this computer.  Disabled: If you disable this policy for any computer that this policy is applied to, then tooltips will not be shown if any Licensing related problems persist with this computer. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableTerminalServerTooltip, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableTerminalServerTooltip
MACHINE Administrative Templates\Windows Components\Terminal Services TS User Home Directory At least Microsoft Windows XP Terminal Services Specifies whether Terminal Services uses the specified network share or local directory path as the root of the user's home directory for a Terminal Services session.   To use this setting, select the location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter to which you want the network share to be mapped.   If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form Drive:\Path (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Terminal Services automatically appends this at logon.   Note: The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Terminal Services places user home directories in the network location.   If the status is set to Enabled, Terminal Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias.   If the status is set to Disabled or Not Configured, the user's home directory is as specified at the server. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirUNC, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDir, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirDrive
MACHINE Administrative Templates\Windows Components\Terminal Services Sets rules for remote control of Terminal Services user sessions At least Microsoft Windows XP Terminal Services Specifies the level of remote control permitted in a Terminal Services session. Remote control can be established with or without the session user's permission.   You can use this setting to select one of two levels of remote control: View Session permits the remote control user to watch a session, Full Control permits the remote control user to interact with the session.   If the status is set to Enabled, administrators can remotely interact with a user's Terminal Services session according to the specified rules. To set these rules, select the desired level of control and permission in the Options list. To disable remote control, select No remote control allowed.   If the status is set to Disabled or Not Configured, remote control rules are determined by the server administrator using the Terminal Services Configuration tool (tscc.msc). By default, remote control users can have full control with the session user's permission.   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
MACHINE Administrative Templates\Windows Components\Terminal Services Start a program on connection At least Microsoft Windows XP Terminal Services Configures Terminal Services to run a specified program automatically upon connection.  You can use this setting to specify a program to run automatically when a user logs on to a remote computer.  By default, Terminal Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the Start Program settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off.  To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the terminal server connection fails with an error message.   If the status is set to Enabled, Terminal Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program.   If the status is set to Disabled or Not Configured, Terminal Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See Computer Config\Administrative templates\Windows Components\System\Logon\Run these programs at user logon setting.)   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!InitialProgram, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WorkDirectory
MACHINE Administrative Templates\Windows Components\Windows Explorer Turn off shell protocol protected mode At least Microsoft Windows XP Professional with SP2 This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.  If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.  If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.  If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavior
MACHINE Administrative Templates\Windows Components\Windows Installer Disable Windows Installer At least Microsoft Windows 2000 Disables or restricts the use of Windows Installer.  This setting can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator.  If you enable this setting, you can use the options in the Disable Windows Installer box to establish an installation setting.  --   The Never option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional and Windows XP Professional when the policy is not configured.  --   The For non-managed apps only option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured.  --   The Always option indicates that Windows Installer is disabled.  This setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. HKLM\Software\Policies\Microsoft\Windows\Installer!DisableMSI
MACHINE Administrative Templates\Windows Components\Windows Installer Always install with elevated privileges At least Microsoft Windows 2000 Directs Windows Installer to use system permissions when it installs any program on the system.  This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.  If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.  Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.  Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. HKLM\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
MACHINE Administrative Templates\Windows Components\Windows Installer Prohibit rollback At least Microsoft Windows 2000 Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.  This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.  This setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this setting unless it is essential.  This setting appears in the Computer Configuration and User Configuration folders. If the setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. HKLM\Software\Policies\Microsoft\Windows\Installer!DisableRollback
MACHINE Administrative Templates\Windows Components\Windows Installer Remove browse dialog box for new source At least Microsoft Windows 2000 Prevents users from searching for installation files when they add features or components to an installed program.  This setting disables the Browse button beside the Use feature from list in the Windows Installer dialog box. As a result, users must select an installation file source from the Use features from list that the system administrator configures.  This setting applies even when the installation is running in the user's security context.  If you disable this setting or do not configure it, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.  This setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as Windows Explorer or My Network Places, to search for installation files.  Also, see the Enable user to browse for source while elevated setting. HKLM\Software\Policies\Microsoft\Windows\Installer!DisableBrowse
MACHINE Administrative Templates\Windows Components\Windows Installer Prohibit patching At least Microsoft Windows 2000 Prevents users from using Windows Installer to install patches.  Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use.  Note: This setting applies only to installations that run in the user's security context. By default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs.  Also, see the Enable user to patch elevated products setting. HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatch
MACHINE Administrative Templates\Windows Components\Windows Installer Disable IE security prompt for Windows Installer scripts At least Microsoft Windows 2000 Allows Web-based programs to install software on the computer without notifying the user.  By default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. This setting suppresses the warning and allows the installation to proceed.  This setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this setting can pose a security risk, it should be applied cautiously. HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting
MACHINE Administrative Templates\Windows Components\Windows Installer Enable user control over installs At least Microsoft Windows 2000 Permits users to change installation options that typically are available only to system administrators.  This setting bypasses some of the security features of Windows Installer. It permits installations to complete that otherwise would be halted due to a security violation.  The security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.  This setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl
MACHINE Administrative Templates\Windows Components\Windows Installer Enable user to browse for source while elevated At least Microsoft Windows 2000 Allows users to search for installation files during privileged installations.  This setting enables the Browse button in the Use feature from dialog box. As a result, users can search for installation files, even when the installation program is running with elevated system privileges. By default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.  Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow.  This setting does not affect installations that run in the user's security context. Also, see the Remove browse dialog box for new source setting. HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownBrowse
MACHINE Administrative Templates\Windows Components\Windows Installer Enable user to use media source while elevated At least Microsoft Windows 2000 Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during privileged installations.  This setting permits all users to install programs from removable media, even when the installation program is running with elevated system privileges. By default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.  This setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.  Also, see the Prevent removable media source for any install setting in User Configuration\Administrative Templates\Windows Components\Windows Installer. HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownMedia
MACHINE Administrative Templates\Windows Components\Windows Installer Enable user to patch elevated products At least Microsoft Windows 2000 Allows users to upgrade programs during privileged installations.  This setting permits all users to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.  By default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.  This setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the Prohibit patching setting. HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownPatch
MACHINE Administrative Templates\Windows Components\Windows Installer Allow admin to install from Terminal Services session At least Microsoft Windows 2000 Allows Terminal Services administrators to install and configure programs remotely.  By default, system administrators can install programs only when system administrators are logged on to the computer on which the program is being installed. This setting creates a special exception for computers running Terminal Services.  This setting affects system administrators only. Other users cannot install programs remotely. HKLM\Software\Policies\Microsoft\Windows\Installer!EnableAdminTSRemote
MACHINE Administrative Templates\Windows Components\Windows Installer Cache transforms in secure location on workstation At least Microsoft Windows 2000 Saves copies of transform files in a secure location on the local computer.  Transform files consist of instructions to modify or customize a program during installation.  If you enable this setting, the transform file is saved in a secure location on the user's computer. Because Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. This is the default behavior on Windows Server 2003 family when the policy is not configured.  This setting is designed for enterprises to prevent unauthorized or malicious editing of transform files.  If you disable this setting, Windows Installer stores transform files in the Application Data directory in the user's profile. When a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. This is the default behavior on Windows 2000 Professional and Windows XP Professional when the policy is not configured. HKLM\Software\Policies\Microsoft\Windows\Installer!TransformsSecure
MACHINE Administrative Templates\Windows Components\Windows Installer Logging At least Microsoft Windows 2000 Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume.  When you enable this setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want.  To disable logging, delete all of the letters from the box.  If you disable this setting or do not configure it, Windows Installer logs the default event types, represented by the letters iweap. HKLM\Software\Policies\Microsoft\Windows\Installer!Logging
MACHINE Administrative Templates\Windows Components\Windows Installer Prohibit User Installs Microsoft Windows XP or Windows 2000 with Windows Installer v2.0 This setting allows you to configure user installs. To configure this setting, set it to enabled and use the drop-down list to select the behavior you want.  If this setting is not configured, or if the setting is enabled and Allow User Installs is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.  If this setting is enabled and Hide User Installs is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.  If this setting is enabled and Prohibit User Installs is selected, the installer prevents applications from being installed per user, and it ignores previously installed per-user applications. An attempt to perform a per-user installation causes the installer to display an error message and stop the installation. This setting is useful in environments where the administrator only wants per-computer applications installed, such as on a kiosk or a Windows Terminal Server. HKLM\Software\Policies\Microsoft\Windows\Installer!DisableUserInstalls
MACHINE Administrative Templates\Windows Components\Windows Installer Turn off creation of System Restore Checkpoints Only works on Microsoft Windows XP Professional System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.  If you enable this setting, the windows Installer does not generate System Restore checkpoints when installing applications.  If you disable this setting or do not configure it, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed.  Note: This setting only applies to Windows XP Professional. HKLM\Software\Policies\Microsoft\Windows\Installer!LimitSystemRestoreCheckpointing
MACHINE Administrative Templates\Windows Components\Windows Installer Prohibit removal of updates Windows Installer v3.0 This setting controls the ability for users or administrators to remove Windows Installer based updates.   This setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators.  If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.  If you disable this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether Disable Windows Installer and Always install with elevated privileges policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context. HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatchUninstall
MACHINE Administrative Templates\Windows Components\Windows Installer Enforce upgrade component rules Windows Installer v3.0 This setting causes the Windows Installer to enforce strict rules for component upgrades - setting this may cause some updates to fail.  If you enable this policy setting strict upgrade rules will be enforced by the Windows Installer. Upgrades can fail if they attempt to do one of the following:  (1) Remove a component from a feature. This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component.  (2) Add a new feature to the top or middle of an existing feature tree. The new feature must be added as a new leaf feature to an existing feature tree.  If you disable this policy setting, the Windows Installer will use less restrictive rules for component upgrades. HKLM\Software\Policies\Microsoft\Windows\Installer!EnforceUpgradeComponentRules
MACHINE Administrative Templates\Windows Components\Windows Installer Prohibit non-administrators from applying vendor signed updates Windows Installer v3.0 This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.  Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users.  If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based application.   If you disable this policy setting, users without administrative privileges will be able to install non-administrator updates. HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching
MACHINE Administrative Templates\Windows Components\Windows Installer Baseline file cache maximum size Windows Installer v3.0 This policy controls the percentage of disk space available to the Windows Installer baseline file cache.  The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied.  If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache.  If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed.  If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache.  If you disable this policy setting or if it is not configured the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. HKLM\Software\Policies\Microsoft\Windows\Installer!MaxPatchCacheSize
MACHINE Administrative Templates\Windows Components\Windows Messenger Do not allow Windows Messenger to be run At least Microsoft Windows XP Professional or Windows Server 2003 family Allows you to disable Windows Messenger.  If you enable this setting, Windows Messenger will not run.  If you disable or do not configure this setting, Windows Messenger can be used.  Note: If you enable this setting, Remote Assistance also cannot use Windows Messenger.  Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence. HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun
MACHINE Administrative Templates\Windows Components\Windows Messenger Do not automatically start Windows Messenger initially At least Microsoft Windows XP Professional or Windows Server 2003 family Windows Messenger is automatically loaded and running when a user logs on to a Windows XP computer. You can use this setting to stop Windows Messenger from automatically being run at logon.  If you enable this setting, Windows Messenger will not be loaded automatically when a user logs on.  If you disable or do not configure this setting, the Windows Messenger will be loaded automatically at logon.  Note: This setting simply prevents Windows Messenger from running intially. If the user invokes and uses Windows Messenger from that point on, Windows Messenger will be loaded.  The user can also configure this behavior on the Preferences tab on the Tools menu in the Windows Messenger user interface.  Note: If you do not want users to use Windows Messenger, enable the Do not allow Windows Messenger to run setting.  Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence. HKLM\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
MACHINE Administrative Templates\Windows Components\Windows Media Digital Rights Management Prevent Windows Media DRM Internet Access At least Microsoft Windows Server 2003 Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).  When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.  When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses.  Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario.  When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license restoration. HKLM\Software\Policies\Microsoft\WMDRM!DisableOnline
MACHINE Administrative Templates\Windows Components\Windows Movie Maker Do not allow Windows Movie Maker to run At least Microsoft Windows XP Professional with SP2 Specifies whether Windows Movie Maker can run.  Windows Movie Maker is a feature of the Windows XP operating system that can be used to capture, edit, and then save video as a movie to share with others.  If you enable this setting, Windows Movie Maker will not run.  If you disable or do not configure this setting, Windows Movie Maker can be run. HKLM\Software\Policies\Microsoft\WindowsMovieMaker!MovieMaker
MACHINE Administrative Templates\Windows Components\Windows Update Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box.  If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.  If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu. HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
MACHINE Administrative Templates\Windows Components\Windows Update Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog.  If you enable this policy setting, the user's last shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.  If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu.  Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled. HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
USER Administrative Templates\Start Menu and Taskbar Remove user's folders from the Start Menu At least Microsoft Windows 2000 Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden.  This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders.  Note that this setting hides all user-specific folders, not just those associated with redirected folders.  If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu.  If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuSubFolders
USER Administrative Templates\Start Menu and Taskbar Remove links and access to Windows Update At least Microsoft Windows 2000 Prevents users from connecting to the Windows Update Web site.  This setting blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.  Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download.  Also, see the Hide the Add programs from Microsoft option setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWindowsUpdate
USER Administrative Templates\Start Menu and Taskbar Remove common program groups from Start Menu At least Microsoft Windows 2000 Removes items in the All Users profile from the Programs menu on the Start menu.  By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu.  Tip: To see the Program menu items in the All Users profile, on the system drive, go to Documents and Settings\All Users\Start Menu\Programs. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCommonGroups
USER Administrative Templates\Start Menu and Taskbar Remove My Documents icon from Start Menu At least Microsoft Windows 2000 Removes the My Documents icon from the Start menu and its submenus.  This setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the My Documents folder.  Note: To make changes to this setting effective, you must log off and then log on.  Also, see the Remove My Documents icon on the desktop setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyDocs
USER Administrative Templates\Start Menu and Taskbar Remove Documents menu from Start Menu At least Microsoft Windows 2000 Removes the Documents menu from the Start menu.  The Documents menu contains links to the nonprogram files that users have most recently opened. It appears so that users can easily reopen their documents.  If you enable this setting, the system saves document shortcuts but does not display them in the Documents menu. If you later disable it or set it to Not Configured, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Documents menu.  Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the Do not keep history of recently opened documents setting.  Also, see the Do not keep history of recently opened documents and Clear history of recenTly opened documents on exit policies in this folder.  This setting also does not hide document shortcuts displayed in the Open dialog box. See the Hide the dropdown list of recent files setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsMenu
USER Administrative Templates\Start Menu and Taskbar Remove programs on Settings menu At least Microsoft Windows 2000 Prevents Control Panel, Printers, and Network Connections from running.  This setting removes the Control Panel, Printers, and Network and Connection folders from Settings on the Start menu, and from My Computer and Windows Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running.  However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking My Computer to start System.  Also, see the Disable Control Panel, Disable Display in Control Panel, and Remove Network Connections from Start Menu settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetFolders
USER Administrative Templates\Start Menu and Taskbar Remove Network Connections from Start Menu At least Microsoft Windows 2000 Prevents users from running Network Connections.  This setting prevents the Network Connections folder from opening. This setting also removes Network Connections from Settings on the Start menu.  Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears explaining that a setting prevents the action.  Also, see the Disable programs on Settings menu and Disable Control Panel settings and the settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetworkConnections
USER Administrative Templates\Start Menu and Taskbar Remove Favorites menu from Start Menu At least Microsoft Windows 2000 Prevents users from adding the Favorites menu to the Start menu or classic Start menu.  If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box.  If you disable or do not configure this setting, the Display Favorite item is available.  Note:The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize.  If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options.  Note:The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group.  Note:This setting only affects the Start menu. The Favorites item still appears in Windows Explorer and in Internet Explorer. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFavoritesMenu
USER Administrative Templates\Start Menu and Taskbar Remove Search menu from Start Menu At least Microsoft Windows 2000 Removes the Search item from the Start menu, and disables some Windows Explorer search elements.  This setting removes the Search item from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F.  In Windows Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder.  This setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search.  Also, see the Remove Search button from Windows Explorer setting in User Configuration\Administrative Templates\Windows Components\Windows Explorer.  Note:  This setting also prevents the user from using the F3 key. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFind
USER Administrative Templates\Start Menu and Taskbar Remove Help menu from Start Menu At least Microsoft Windows 2000 Removes the Help command from the Start menu.  This setting only affects the Start menu. It does not remove the Help menu from Windows Explorer and does not prevent users from running Help. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMHelp
USER Administrative Templates\Start Menu and Taskbar Remove Run menu from Start Menu At least Microsoft Windows 2000 Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.  If you enable this setting, the following changes occur:  (1) The Run command is removed from the Start menu.  (2) The New Task (Run) command is removed from Task Manager.  (3) The user will be blocked from entering the following into the Internet Explorer Address Bar:  --- A UNC path: \\<server>\<share>   ---Accessing local drives:  e.g., C:  --- Accessing local folders: e.g., \temp>  Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R.  If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar.    Note:This setting affects the specified interface only. It does not prevent users from using other methods to run programs.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRun
USER Administrative Templates\Start Menu and Taskbar Remove My Pictures icon from Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family Removes the My Pictures icon from the Start Menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyPictures
USER Administrative Templates\Start Menu and Taskbar Remove My Music icon from Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family Removes the My Music icon from the Start Menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyMusic
USER Administrative Templates\Start Menu and Taskbar Remove My Network Places icon from Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family Removes the My Network Places icon from the Start Menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuNetworkPlaces
USER Administrative Templates\Start Menu and Taskbar Add Logoff to the Start Menu At least Microsoft Windows 2000 Adds the Log Off <username> item to the Start menu and prevents users from removing it.  If you enable this setting, the Log Off <username> item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off <username> item from the Start Menu.  If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item.  This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del.  Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff.  Also, see Remove Logoff in User Configuration\Administrative Templates\System\Logon/Logoff. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceStartMenuLogOff
USER Administrative Templates\Start Menu and Taskbar Remove Logoff on the Start Menu At least Microsoft Windows 2000 Removes the Log Off <username> item from the Start menu and prevents users from restoring it.  If you enable this setting, the Log Off <username> item does not appear in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off <username> item to the Start Menu.  If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item.  This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off.  Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff.  See also: Remove Logoff in User Configuration\Administrative Templates\System\Logon/Logoff. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!StartMenuLogOff
USER Administrative Templates\Start Menu and Taskbar Remove and prevent access to the Shut Down command At least Microsoft Windows 2000 Prevents users from shutting down or restarting Windows.  This setting removes the Shut Down option from the Start menu and disables the Shut Down button on the Windows Security dialog box, which appears when you press CTRL+ALT+DEL.  This setting prevents users from using the Windows user interface to shut down the system, although it does not prevent them from running programs that shut down Windows.   If you disable this setting or do not configure it, the Shut Down menu option appears, and the Shut Down button is enabled.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoClose
USER Administrative Templates\Start Menu and Taskbar Remove Drag-and-drop context menus on the Start Menu At least Microsoft Windows 2000 Prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. Also, it removes context menus from the Start menu.  If you disable this setting or do not configure it, users can remove or reorder Start menu items by dragging and dropping the item. They can display context menus by right-clicking a Start menu item.  This setting does not prevent users from using other methods of customizing the Start menu or performing the tasks available from the context menus.  Also, see the Prevent changes to Taskbar and Start Menu Settings and the Remove access to the context menus for taskbar settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeStartMenu
USER Administrative Templates\Start Menu and Taskbar Prevent changes to Taskbar and Start Menu Settings At least Microsoft Windows 2000 Removes the Taskbar and Start Menu item from Settings on the Start menu. This setting also prevents the user from opening the Taskbar Properties dialog box.  If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetTaskbar
USER Administrative Templates\Start Menu and Taskbar Remove access to the context menus for the taskbar At least Microsoft Windows 2000 Hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons.  This setting does not prevent users from using other methods to issue the commands that appear on these menus. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayContextMenu
USER Administrative Templates\Start Menu and Taskbar Do not keep history of recently opened documents At least Microsoft Windows 2000 Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.  If you enable this setting, the system and Windows programs do not create shortcuts to documents opened while the setting is in effect. Also, they retain but do not display existing document shortcuts. The system empties the Documents menu on the Start menu, and Windows programs do not display shortcuts at the bottom of the File menu.  If you disable this setting, the system defaults are enforced. Disabling this setting has no effect on the system.  Note: The system saves document shortcuts in the user profile in the System-drive\Documents and Settings\User-name\Recent folder.  Also, see the Remove Documents menu from Start Menu and Clear history of recently opened documents on exit policies in this folder.  If you enable this setting but do not enable the Remove Documents menu from Start Menu setting, the Documents menu appears on the Start menu, but it is empty.  If you enable this setting, but then later disable it or set it to Not Configured, the document shortcuts saved before the setting was enabled reappear in the Documents menu and program File menus.  This setting does not hide document shortcuts displayed in the Open dialog box. See the Hide the dropdown list of recent files setting.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsHistory
USER Administrative Templates\Start Menu and Taskbar Clear history of recently opened documents on exit At least Microsoft Windows 2000 Clear history of recently opened documents on exit.  If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Documents menu on the Start menu is always empty when the user logs on.  If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on the Documents menu appears just as it did when the user logged off.  Note: The system saves document shortcuts in the user profile in the System-drive\Documents and Settings\User-name\Recent folder.  Also, see the Remove Documents menu from Start Menu and Do not keep history of recently opened documents policies in this folder. The system only uses this setting when neither of these related settings are selected.  This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the Do not keep history of recently opened documents setting.  This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the Hide the dropdown list of recent files setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentDocsOnExit
USER Administrative Templates\Start Menu and Taskbar Turn off personalized menus At least Microsoft Windows 2000 Disables personalized menus.  Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu.  If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the Use Personalized Menus option so users do not try to change the setting while a setting is in effect.  Note: Personalized menus require user tracking. If you enable the Turn off user tracking setting, the system disables user tracking and personalized menus and ignores this setting.  Tip: To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the Use Personalized Menus option. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!Intellimenus
USER Administrative Templates\Start Menu and Taskbar Turn off user tracking At least Microsoft Windows 2000 Disables user tracking.  This setting prevents the system from tracking the programs users run, the paths they navigate, and the documents they open. The system uses this information to customize Windows features, such as personalized menus.  If you enable this setting, the system does not track these user actions. The system disables customized features that require user tracking information, including personalized menus.  Also, see the Turn off personalized menus setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInstrumentation
USER Administrative Templates\Start Menu and Taskbar Add Run in Separate Memory Space check box to Run dialog box At least Microsoft Windows 2000 Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process.  All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously.  Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MemCheckBoxInRunDlg
USER Administrative Templates\Start Menu and Taskbar Do not use the search-based method when resolving shell shortcuts At least Microsoft Windows 2000 Prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut.  By default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file.  If you enable this setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found.  Note: This setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability.  Also, see the Do not track Shell shortcuts during roaming and the Do not use the tracking-based method when resolving shell shortcuts settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveSearch
USER Administrative Templates\Start Menu and Taskbar Do not use the tracking-based method when resolving shell shortcuts At least Microsoft Windows 2000 Prevents the system from using NTFS tracking features to resolve a shortcut.  By default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file.  If you enable this setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path.  Note: This setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability.  Also, see the Do not track Shell shortcuts during roaming and the Do not use the search-based method when resolving shell shortcuts settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveTrack
USER Administrative Templates\Start Menu and Taskbar Gray unavailable Windows Installer programs Start Menu shortcuts At least Microsoft Windows 2000 Displays Start menu shortcuts to partially installed programs in gray text.  This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed.  Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use.  If you disable this setting or do not configure it, all Start menu shortcuts appear as black text.  Note: Enabling this setting can make the Start menu slow to open. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!GreyMSIAds
USER Administrative Templates\Start Menu and Taskbar Prevent grouping of taskbar items At least Microsoft Windows XP Professional or Windows Server 2003 family This setting effects the taskbar buttons used to switch between running programs.  Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full.  If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled.  If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTaskGrouping
USER Administrative Templates\Start Menu and Taskbar Turn off notification area cleanup At least Microsoft Windows XP Professional or Windows Server 2003 family This setting effects the notification area, also called the system tray.  The notification area is located in the task bar, generally at the bottom of the screen, and itincludes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the notification chevron.  If you enable this setting, the system notification area expands to show all of the notifications that use this area.  If you disable this setting, the system notification area will always collapse notifications.  If you do not configure it, the user can choose if they want notifications collapsed. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoTrayNotify
USER Administrative Templates\Start Menu and Taskbar Lock the Taskbar At least Microsoft Windows XP Professional or Windows Server 2003 family This setting effects the taskbar, which is used to switch between running applications.  The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized.  If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties.  If you disable this setting or do not configure it, the user can configure the taskbar position.  Note: Enabling this setting also locks the quicklaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LockTaskbar
USER Administrative Templates\Start Menu and Taskbar Force classic Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family This setting effects the presentation of the Start menu.  The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: My Documents, My Pictures, My Music, My Computer, and My Network Places. The new Start menu starts them directly.  If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.  If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page.  If you do not configure this setting, the default is the new style, and the user can change the view. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSimpleStartMenu
USER Administrative Templates\Start Menu and Taskbar Remove Balloon Tips on Start Menu items At least Microsoft Windows XP Professional or Windows Server 2003 family Hides pop-up text on the Start menu and in the notification area.  When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object.  If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes Click here to begin on the Start button, Where have all my programs gone on the Start menu, and Where have my icons gone in the notification area.  If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMBalloonTip
USER Administrative Templates\Start Menu and Taskbar Remove pinned programs list from the Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family If you enable this setting, the Pinned Programs list is removed from the Start menu, and the Internet and Email checkboxes are removed from the simple Start menu customization CPL.  If you disable this setting or do not configure it, the Pinned Programs list remains on the simple Start menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuPinnedList
USER Administrative Templates\Start Menu and Taskbar Remove frequent programs list from the Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family If you enable this setting, the frequently used programs list is removed from the Start menu.  If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMFUprogramsList
USER Administrative Templates\Start Menu and Taskbar Remove All Programs list from the Start menu At least Microsoft Windows XP Professional or Windows Server 2003 family If you enable this setting, the All Programs item is removed from the simple Start menu.  If you disable this setting or do not configure it, the All Programs item remains on the simple Start menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMorePrograms
USER Administrative Templates\Start Menu and Taskbar Remove the Undock PC button from the Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family If you enable this setting, the Undock PC button is removed from the simple Start Menu, and your PC cannot be undocked.  If you disable this setting or do not configure it, the Undock PC button remains on the simple Start menu, and your PC can be undocked. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuEjectPC
USER Administrative Templates\Start Menu and Taskbar Remove user name from Start Menu At least Microsoft Windows XP Professional or Windows Server 2003 family Remove user name from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserNameInStartMenu
USER Administrative Templates\Start Menu and Taskbar Remove Clock from the system notification area At least Microsoft Windows XP Professional or Windows Server 2003 family Prevents the clock in the system notification area from being displayed.  If you enable this setting, the clock will not be displayed in the system notification area.  If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideClock
USER Administrative Templates\Start Menu and Taskbar Hide the notification area At least Microsoft Windows XP Professional or Windows Server 2003 family This setting affects the notification area (previously called the system tray) on the taskbar.  Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock.  If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock.  If this setting is disabled or is not configured, the notification area is shown in the user's taskbar.  Note: Enabling this setting overrides the Turn off notification area cleanup setting, because if the notification area is hidden, there is no need to clean up the icons. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayItemsDisplay
USER Administrative Templates\Start Menu and Taskbar Do not display any custom toolbars in the taskbar At least Microsoft Windows XP Professional or Windows Server 2003 family This setting affects the taskbar.  The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application.  If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the Toolbars menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock.  If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the Toolbars command appears in the context menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarsOnTaskbar
USER Administrative Templates\Start Menu and Taskbar Remove Set Program Access and Defaults from Start menu At least Microsoft Windows 2000 Service Pack 3 or Microsoft Windows XP Professional Service Pack 1 Removes the Set Program Access and Defaults icon from the Start menu.  Clicking the Set Program Access and Defaults icon from the Start menu opens Add or Remove Programs and provides adminstrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.  Note: This setting does not prevent the Set Program Access and Defaults button from appearing in Add or Remove Programs.  See the Hide the Set Program Access and Defaults page setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMConfigurePrograms
USER Administrative Templates\Desktop Hide and disable all items on the desktop At least Microsoft Windows 2000 Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, My Computer, and My Network Places.  Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent.  Also, see Items displayed in Places Bar in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktop
USER Administrative Templates\Desktop Remove My Documents icon on the desktop At least Microsoft Windows 2000 Removes most occurrences of the My Documents icon.  This setting removes the My Documents icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box.  This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder.  This setting does not remove the My Documents icon from the Start menu. To do so, use the Remove My Documents icon from Start Menu setting.  Note: To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{450D8FBA-AD25-11D0-98A8-0800361B1103}
USER Administrative Templates\Desktop Remove My Computer icon on the desktop At least Microsoft Windows XP Professional or Windows Server 2003 family This setting hides My Computer from the desktop and from the new Start menu. It also hides links to My Computer in the Web view of all Explorer windows, and it hides My Computer in the Explorer folder tree pane. If the user navigates into My Computer via the Up button while this setting is enabled, they view an empty My Computer folder. This setting allows administrators to restrict their users from seeing My Computer in the shell namespace, allowing them to present their users with a simpler desktop environment.  If you enable this setting, My Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to My Computer, the folder will be empty.  If you disable this setting, My Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.  If you do not configure this setting, the default is to display My Computer as usual.  Note: Hiding My Computer and its contents does not hide the contents of the child folders of My Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{20D04FE0-3AEA-1069-A2D8-08002B30309D}
USER Administrative Templates\Desktop Remove Recycle Bin icon from desktop At least Microsoft Windows XP Professional or Windows Server 2003 family Removes most occurrences of the Recycle Bin icon.  This setting removes the Recycle Bin icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box.  This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.  Note: To make changes to this setting effective, you must log off and then log back on. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{645FF040-5081-101B-9F08-00AA002F954E}
USER Administrative Templates\Desktop Remove Properties from the My Documents context menu At least Microsoft Windows 2000 Service Pack 3 This setting hides Properties for the context menu on My Documents.  If you enable this setting, the Properties option will not be present when the user right-clicks My Documents or clicks My Documents and then goes to the File menu.  Likewise, Alt-Enter does nothing when My Documents is selected.  If you disable or do not configure this setting, the Properties option is displayed as usual. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyDocuments
USER Administrative Templates\Desktop Remove Properties from the My Computer context menu At least Microsoft Windows 2000 Service Pack 3 This setting hides Properties on the context menu for My Computer.  If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks My Computer and then goes to the File menu.  Likewise, Alt-Enter does nothing when My Computer is selected.  If you disable or do not configure this setting, the Properties option is displayed as usual. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyComputer
USER Administrative Templates\Desktop Remove Properties from the Recycle Bin context menu At least Microsoft Windows XP Professional or Windows Server 2003 family Removes the Properties option from the Recycle Bin context menu.  If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected.  If you disable or do not configure this setting, the Properties option is displayed as usual. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesRecycleBin
USER Administrative Templates\Desktop Hide My Network Places icon on desktop At least Microsoft Windows 2000 Removes the My Network Places icon from the desktop.  This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetHood
USER Administrative Templates\Desktop Hide Internet Explorer icon on desktop At least Microsoft Windows 2000 Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar.  This setting does not prevent the user from starting Internet Explorer by using other methods. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetIcon
USER Administrative Templates\Desktop Do not add shares of recently opened documents to My Network Places At least Microsoft Windows 2000 Remote shared folders are not added to My Network Places whenever you open a document in the shared folder.  If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to My Network Places.  If you enable this setting, shared folders are not added to My Network Places automatically when you open a document in the shared folder. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsNetHood
USER Administrative Templates\Desktop Prohibit user from changing My Documents path At least Microsoft Windows 2000 Prevents users from changing the path to the My Documents folder.  By default, a user can change the location of the My Documents folder by typing a new path in the Target box of the My Documents Properties dialog box.  If you enable this setting, users are unable to type a new location in the Target box. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisablePersonalDirChange
USER Administrative Templates\Desktop Prevent adding, dragging, dropping and closing the Taskbar's toolbars At least Microsoft Windows 2000 Prevents users from manipulating desktop toolbars.  If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.  Note: If users have added or removed toolbars, this setting prevents them from restoring the default configuration.  Tip: To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to Toolbars.  Also, see the Prohibit adjusting desktop toolbars setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCloseDragDropBands
USER Administrative Templates\Desktop Prohibit adjusting desktop toolbars At least Microsoft Windows 2000 Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars.  This setting does not prevent users from adding or removing toolbars on the desktop.  Note: If users have adjusted their toolbars, this setting prevents them from restoring the default configuration.  Also, see the Prevent adding, dragging, dropping and closing the Taskbar's toolbars setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMovingBands
USER Administrative Templates\Desktop Don't save settings at exit At least Microsoft Windows 2000 Prevents users from saving certain changes to the desktop.  If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSaveSettings
USER Administrative Templates\Desktop Remove the Desktop Cleanup Wizard At least Microsoft Windows XP Professional or Windows Server 2003 family Prevents users from using the Desktop Cleanup Wizard.  If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard.  If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs.  Note: When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktopCleanupWizard
USER Administrative Templates\Desktop\Active Desktop Enable Active Desktop At least Microsoft Windows 2000 Enables Active Desktop and prevents users from disabling it.  This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.  If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.  Note: If both the Enable Active Desktop setting and the Disable Active Desktop setting are enabled, the Disable Active Desktop setting is ignored.  If the Turn on Classic Shell setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceActiveDesktopOn
USER Administrative Templates\Desktop\Active Desktop Disable Active Desktop At least Microsoft Windows 2000 Disables Active Desktop and prevents users from enabling it.  This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.  If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.  Note: If both the Enable Active Desktop setting and the Disable Active Desktop setting are enabled, the Disable Active Desktop setting is ignored. If the Turn on Classic Shell setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktop
USER Administrative Templates\Desktop\Active Desktop Disable all items At least Microsoft Windows 2000 Removes Active Desktop content and prevents users from adding Active Desktop content.   This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or  pictures from the Internet or an intranet to the desktop.  Note: This setting does not disable Active Desktop. Users can  still use image formats, such as JPEG and GIF, for their desktop wallpaper. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoComponents
USER Administrative Templates\Desktop\Active Desktop Prohibit changes At least Microsoft Windows 2000 Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration.  This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktopChanges
USER Administrative Templates\Desktop\Active Desktop Prohibit adding items At least Microsoft Windows 2000 Prevents users from adding Web content to their Active Desktop.  This setting removes the New button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.  Also, see the Disable all items setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoAddingComponents
USER Administrative Templates\Desktop\Active Desktop Prohibit deleting items At least Microsoft Windows 2000 Prevents users from deleting Web content from their Active Desktop.  This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop.  This setting does not prevent users from adding Web content to their Active Desktop.  Also, see the Prohibit closing items and Disable all items settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDeletingComponents
USER Administrative Templates\Desktop\Active Desktop Prohibit editing items At least Microsoft Windows 2000 Prevents users from changing the properties of Web content items on their Active Desktop.  This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoEditingComponents
USER Administrative Templates\Desktop\Active Desktop Prohibit closing items At least Microsoft Windows 2000 Prevents users from removing Web content from their Active Desktop.  In Active Desktop, you can add items to the desktop but close them so they are not displayed.  If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.  Note: This setting does not prevent users from deleting items from their Active Desktop. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoClosingComponents
USER Administrative Templates\Desktop\Active Desktop Add/Delete items At least Microsoft Windows 2000 Adds and deletes specified Web content items.  You can use the Add box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed.  You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed.  Note: Removing an item from the Add list for this setting is not the same as deleting it. Items that are removed from the Add list are not removed from the desktop. They are simply not added again.  Note: For this setting to take affect, you must log off and log on to the system. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent!Add, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent!Delete
USER Administrative Templates\Desktop\Active Desktop Active Desktop Wallpaper At least Microsoft Windows 2000 Specifies the desktop background (wallpaper) displayed on all users' desktops.  This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp), JPEG (*.jpg), or HTML (*.htm, *.html) file.  To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.  If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.  Also, see the Allow only bitmapped wallpaper in the same location, and the Prevent changing wallpaper setting in User Configuration\Administrative Templates\Control Panel.  Note: You need to enable the Active Desktop to use this setting.  Note: This setting does not apply to Terminal Server sessions. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Wallpaper, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!WallpaperStyle
USER Administrative Templates\Desktop\Active Desktop Allow only bitmapped wallpaper At least Microsoft Windows 2000 Permits only bitmap images for wallpaper. This setting limits the desktop background (wallpaper) to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting Set as Wallpaper.  Also, see the Active Desktop Wallpaper and the Prevent changing wallpaper (in User Configuration\Administrative Templates\Control Panel\Display) settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoHTMLWallPaper
USER Administrative Templates\Desktop\Active Directory Maximum size of Active Directory searches At least Microsoft Windows 2000 Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.  If you enable this setting, you can use the Number of objects returned box to limit returns from an Active Directory search.  If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space.  This setting is designed to protect the network and the domain controller from the effect of expansive searches. HKCU\Software\Policies\Microsoft\Windows\Directory UI!QueryLimit
USER Administrative Templates\Desktop\Active Directory Enable filter in Find dialog box At least Microsoft Windows 2000 Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.  If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.  If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting Filter on the View menu.  To see the filter bar, open My Network Places, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as  Administrator. If the filter bar does not appear above the resulting display, on the View menu, click Filter. HKCU\Software\Policies\Microsoft\Windows\Directory UI!EnableFilter
USER Administrative Templates\Desktop\Active Directory Hide Active Directory folder Only works on Microsoft Windows 2000 Hides the Active Directory folder in My Network Places.  The Active Directory folder displays Active Directory objects in a browse window.  If you enable this setting, the Active Directory folder does not appear in the My Network Places folder.  If you disable this setting or do not configure it, the Active Directory folder appears in the My Network Places folder.  This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. HKCU\Software\Policies\Microsoft\Windows\Directory UI!HideDirectoryFolder
USER Administrative Templates\Control Panel Prohibit access to the Control Panel At least Microsoft Windows 2000 Disables all Control Panel programs.  This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.  This setting also removes Control Panel from the Start menu. (To open Control Panel, click Start, point to Settings, and then click Control Panel.) This setting also removes the Control Panel folder from Windows Explorer.  If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action.  Also, see the Remove Display in Control Panel and Remove programs on Settings menu settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoControlPanel
USER Administrative Templates\Control Panel Hide specified Control Panel applets At least Microsoft Windows 2000 Hides specified Control Panel items and folders.  This setting removes Control Panel items (such as Display) and folders (such as Fonts) from the Control Panel window and the Start menu. It can remove Control Panel items you have added to your system, as well as Control Panel items included in Windows 2000 Professional and Windows XP Professional.  To hide a Control Panel item, type the file name of the item, such as Ncpa.cpl (for Network). To hide a folder, type the folder name, such as Fonts.  This setting affects the Start menu and Control Panel window only. It does not prevent users from running Control Panel items.  Also, see the Remove Display in Control Panel setting in User Configuration\Administrative Templates\Control Panel\Display.  If both the Hide specified Control Panel applets setting and the Show only specified Control Panel applets setting are enabled, and the same item appears in both lists, the Show only specified Control Panel applets setting is ignored.  Note: To find the file name of a Control Panel item, search for files with the .cpl file name extension in the %Systemroot%\System32 directory. Note: To create a list of disallowed Control Panel applets, click Show, click Add, and then enter the Control Panel file name (ends with .cpl) or the name displayed under that item in the Control Panel. (e.g., desk.cpl, powercfg.cpl, Printers and Faxes)  Note: This setting does not affect the Categories that are displayed in the new Control Panel Category view in Windows XP. If you want to control which items are displayed in Control Panel, enable the Force classic Control Panel Style setting to remove the Category view, and then use this setting to control which .cpls are not displayed. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowCpl, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl!{1,2,3,...}
USER Administrative Templates\Control Panel Show only specified Control Panel applets At least Microsoft Windows 2000 Hides all Control Panel items and folders except those specified in this setting.  This setting removes all Control Panel items (such as Network) and folders (such as Fonts) from the Control Panel window and the Start menu. It removes Control Panel items you have added to your system, as well the Control Panel items included in Windows 2000 and Windows XP Professional. The only items displayed in Control Panel are those you specify in this setting.  To display a Control Panel item, type the file name of the item, such as Ncpa.cpl (for Network). To display a folder, type the folder name, such as Fonts.  This setting affects the Start menu and Control Panel window only. It does not prevent users from running any Control Panel items.  Also, see the Remove Display in Control Panel setting in User Configuration\Administrative Templates\Control Panel\Display.  If both the Hide specified Control Panel applets setting and the Show only specified Control Panel applets setting are enabled, the Show only specified Control Panel applets setting is ignored.  Tip: To find the file name of a Control Panel item, search for files with the .cpl file name extension in the %Systemroot%\System32 directory. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictCpl, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl!{1,2,3,...}
USER Administrative Templates\Control Panel Force classic Control Panel Style At least Microsoft Windows XP Professional or Windows Server 2003 family This setting affects the visual style and presentation of the Control Panel.  It allows you to disable the new style of Control Panel, which is task-based, and use the Windows 2000 style, referred to as the classic Control Panel. The new Control Panel, referred to as the simple Control Panel, simplifies how users interact with settings by providing easy-to-understand tasks that help users get their work done quickly. The Control Panel allows the users to configure their computer, add or remove programs, and change settings.  If you enable this setting, Control Panel sets the classic Control Panel. The user cannot switch to the new simple style.  If you disable this setting, Control Panel is set to the task-based style. The user cannot switch to the classic Control Panel style.  If you do not configure it, the default is the task-based style, which the user can change. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl!ForceClassicControlPanel
USER Administrative Templates\Control Panel\Add or Remove Programs Remove Add or Remove Programs At least Microsoft Windows 2000 Prevents users from using Add or Remove Programs.  This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus.  Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.  If you disable this setting or do not configure it, Add or Remove Programs is available to all users.  When enabled, this setting takes precedence over the other settings in this folder.  This setting does not prevent users from using other tools and methods to install or uninstall programs. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddRemovePrograms
USER Administrative Templates\Control Panel\Add or Remove Programs Hide Change or Remove Programs page At least Microsoft Windows 2000 Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page.  The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.  If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users.  This setting does not prevent users from using other tools and methods to delete or uninstall programs. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoRemovePage
USER Administrative Templates\Control Panel\Add or Remove Programs Hide Add New Programs page At least Microsoft Windows 2000 Removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page.  The Add New Programs button lets users install programs published or assigned by a system administrator.  If you disable this setting or do not configure it, the Add New Programs button is available to all users.  This setting does not prevent users from using other tools and methods to install programs. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddPage
USER Administrative Templates\Control Panel\Add or Remove Programs Hide Add/Remove Windows Components page At least Microsoft Windows 2000 Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page.  The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.  If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users.  This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoWindowsSetupPage
USER Administrative Templates\Control Panel\Add or Remove Programs Hide the Set Program Access and Defaults page At least Microsoft Windows 2000 Service Pack 3 or Microsoft Windows XP Professional Service Pack 1 Removes the Set Program Access and Defaults button from the Add or Remove Programs bar.  As a result, users cannot view or change the associated page.  The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.  If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users.  This setting does not prevent users from using other tools and methods to change program access or defaults.  This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu.  See the Remove Set Program Access and Defaults from Start menu setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoChooseProgramsPage
USER Administrative Templates\Control Panel\Add or Remove Programs Hide the Add a program from CD-ROM or floppy disk option At least Microsoft Windows 2000 Removes the Add a program from CD-ROM or floppy disk section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.  If you disable this setting or do not configure it, the Add a program from CD-ROM or floppy disk option is available to all users.  This setting does not prevent users from using other tools and methods to add or remove program components.  Note: If the Hide Add New Programs page setting is enabled, this setting is ignored. Also, if the Prevent removable media source for any install setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromCDorFloppy
USER Administrative Templates\Control Panel\Add or Remove Programs Hide the Add programs from Microsoft option At least Microsoft Windows 2000 Removes the Add programs from Microsoft section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.  If you disable this setting or do not configure it, Add programs from Microsoft is available to all users.  This setting does not prevent users from using other tools and methods to connect to Windows Update.  Note: If the Hide Add New Programs page setting is enabled, this setting is ignored. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromInternet
USER Administrative Templates\Control Panel\Add or Remove Programs Hide the Add programs from your network option At least Microsoft Windows 2000 Prevents users from viewing or installing published programs.  This setting removes the Add programs from your network section from the Add New Programs page. The Add programs from your network section lists published programs and provides an easy way to install them.  Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files.  If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu.  If you disable this setting or do not configure it, Add programs from your network is available to all users.  Note: If the Hide Add New Programs page setting is enabled, this setting is ignored. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromNetwork
USER Administrative Templates\Control Panel\Add or Remove Programs Go directly to Components Wizard At least Microsoft Windows 2000 Prevents users from using Add or Remove Programs to configure installed services.  This setting removes the Set up services section of the Add/Remove Windows Components page. The Set up services section lists system services that have not been configured and offers users easy access to the configuration tools.  If you disable this setting or do not configure it, Set up services appears only when there are unconfigured system services. If you enable this setting, Set up services never appears.  This setting does not prevent users from using other methods to configure services.  Note: When Set up services does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed.  To remove Set up services and prevent the Windows Component Wizard from starting, enable the Hide Add/Remove Windows Components page setting. If the Hide Add/Remove Windows Components page setting is enabled, this setting is ignored. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoServices
USER Administrative Templates\Control Panel\Add or Remove Programs Remove Support Information At least Microsoft Windows 2000 Removes links to the Support Info dialog box from programs on the Change or Remove Programs page.  Programs listed on the Change or Remove Programs page can include a Click here for support information hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.  If you disable this setting or do not configure it, the Support Info hyperlink appears.  Note: Not all programs provide a support information hyperlink. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoSupportInfo
USER Administrative Templates\Control Panel\Add or Remove Programs Specify default category for Add New Programs At least Microsoft Windows 2000 Specifies the category of programs that appears when users open the Add New Programs page.  If you enable this setting, only the programs in the category you specify are displayed when the Add New Programs page opens. Users can use the Category box on the Add New Programs page to display programs in other categories.  To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation.  If you disable this setting or do not configure it, all programs (Category: All) are displayed when the Add New Programs page opens.  You can use this setting to direct users to the programs they are most likely to need.  Note: This setting is ignored if either the Remove Add or Remove Programs setting or the Hide Add New Programs page setting is enabled. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!DefaultCategory
USER Administrative Templates\Control Panel\Display Remove Display in Control Panel At least Microsoft Windows 2000 Disables Display in Control Panel.  If you enable this setting, Display in Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.  Also, see the Prohibit access to the Control Panel (User Configuration\Administrative Templates\Control Panel) and Remove programs on Settings menu (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispCPL
USER Administrative Templates\Control Panel\Display Hide Desktop tab At least Microsoft Windows 2000 Removes the Desktop tab from Display in Control Panel.  This setting prevents users from using Control Panel to change the pattern and wallpaper on the desktop.  Enabling this setting also prevents the user from customizing the desktop by changing icons or adding new Web content through Control Panel. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispBackgroundPage
USER Administrative Templates\Control Panel\Display Prevent changing wallpaper At least Microsoft Windows 2000 Prevents users from adding or changing the background design of the desktop.  By default, users can use the Desktop tab of Display in Control Panel to add a background design (wallpaper) to their desktop.  If you enable this setting, the Desktop tab still appears, but all options on the tab are disabled.  To remove the Desktop tab, use the Hide Desktop tab setting.  To specify wallpaper for a group, use the Active Desktop Wallpaper setting.  Also, see the Allow only bitmapped wallpaper setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoChangingWallPaper
USER Administrative Templates\Control Panel\Display Hide Appearance and Themes tab At least Microsoft Windows 2000 Removes the Appearance and Themes tabs from Display in Control Panel.  When this setting is enabled, it removes the desktop color selection option from the Desktop tab.  This setting prevents users from using Control Panel to change the colors or color scheme of the desktop and windows.  If this setting is disabled or not configured, the Appearance and Themes tabs are available in Display in Control Panel. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDispAppearancePage
USER Administrative Templates\Control Panel\Display Hide Settings tab At least Microsoft Windows 2000 Removes the Settings tab from Display in Control Panel.  This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDispSettingsPage
USER Administrative Templates\Control Panel\Display Hide Screen Saver tab At least Microsoft Windows 2000 Removes the Screen Saver tab from Display in Control Panel.  This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDispScrSavPage
USER Administrative Templates\Control Panel\Display Screen Saver At least Microsoft Windows 2000 Service Pack 1 Enables desktop screen savers.  If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver tab in Display in Control Panel. As a result, users cannot change the screen saver options.  If you do not configure it, this setting has no effect on the system.  If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screensaver on the client is specified through the Screensaver executable name setting or through Control Panel on the client computer. Second, the screensaver timeout is set to a nonzero value through the setting or Control Panel.  Also, see the Hide Screen Saver tab setting. HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive
USER Administrative Templates\Control Panel\Display Screen Saver executable name At least Microsoft Windows 2000 Service Pack 1 Specifies the screen saver for the user's desktop.  If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers on the Screen Saver tab in Display in Control Panel, which prevents users from changing the screen saver.  If you disable this setting or do not configure it, users can select any screen saver.  If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.  If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.  Note: This setting can be superseded by the Screen Saver setting.  If  the Screen Saver setting is disabled, this setting is ignored, and screen savers do not run. HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!SCRNSAVE.EXE
USER Administrative Templates\Control Panel\Display Password protect the screen saver At least Microsoft Windows 2000 Service Pack 1 Determines whether screen savers used on the computer are password protected.  If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.  This setting also disables the Password protected check box on the Screen Saver tab in Display in Control Panel, preventing users from changing the password protection setting.  If you do not configure this setting, users can choose whether or not to set password protection on each screen saver.  To ensure that a computer will be password protected, also enable the Screen Saver setting and specify a timeout via the Screen Saver timeout setting.  Note: To remove the Screen Saver tab, use the Hide Screen Saver tab setting. HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure
USER Administrative Templates\Control Panel\Display Screen Saver timeout At least Microsoft Windows 2000 Service Pack 1 Specifies how much user idle time must elapse before the screen saver is launched.  When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.  This setting has no effect under any of the following circumstances:      - The setting is disabled or not configured.      - The wait time is set to zero.      - The No screen saver setting is enabled.      - Neither the Screen saver executable name setting nor the Screen Saver tab of the client computer's Display Properties dialog box specifies a valid existing screensaver program on the client.  When not configured, whatever wait time is set on the client through the Screen Saver tab of the Display Properties dialog box is used. The default is 15 minutes. HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveTimeOut
USER Administrative Templates\Control Panel\Display\Desktop Themes Remove Theme option At least Microsoft Windows XP Professional or Windows Server 2003 family This setting effects the Themes tab that controls the overall appearance of windows.  It is accessed through the Display icon in Control Panel.  Using the options under the Themes tab, users can configure the theme for their desktop.  If you enable this setting, it removes the Themes tab.  If you disable or do not configure this setting, there is no effect.  Note: If you enable this setting but do not set a theme, the theme defaults to whatever the user previously set. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThemesTab
USER Administrative Templates\Control Panel\Display\Desktop Themes Prevent selection of windows and buttons styles At least Microsoft Windows XP Professional or Windows Server 2003 family Prevents users from changing the visual style of the windows and buttons displayed on their screens. When enabled, this setting disables the Windows and buttons drop-down list on the Appearance tab in Display Properties. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoVisualStyleChoice
USER Administrative Templates\Control Panel\Display\Desktop Themes Prohibit selection of font size At least Microsoft Windows XP Professional or Windows Server 2003 family Prevents users from changing the size of the font in the windows and buttons displayed on their screens.  If this setting is enabled, the Font size drop-down list on the Appearance tab in Display Properties is disabled.   If you disable or do not configure this setting, a user may change the font size using the Font size drop-down list on the Appearance tab. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoSizeChoice
USER Administrative Templates\Control Panel\Display\Desktop Themes Prohibit Theme color selection At least Microsoft Windows XP Professional or Windows Server 2003 family This setting forces the theme color to be the default color scheme.  If you enable this setting, a user cannot change the color scheme of the current desktop theme.  If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoColorChoice
USER Administrative Templates\Control Panel\Display\Desktop Themes Load a specific visual style file or force Windows Classic At least Microsoft Windows XP Professional or Windows Server 2003 family This setting allows you to load a specific visual style file by entering the path (location) of the visual style file.  This can be a local computer visual style (Luna.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\luna.msstyles).  If you enable this setting, the visual style file that you specify will be used. Also, a user may not choose to use a different visual style.  If you disable or do not configure this setting, the users can select the visual style that they want to use for their desktop.  Note: If this setting is enabled and the file is not available at user logon, the default visual style is loaded.  Note: When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles  Note: To select the Windows Classic visual style, leave the box blank beside Path to Visual Style: and enable this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!SetVisualStyle
USER Administrative Templates\Control Panel\Printers Browse a common web site to find printers At least Microsoft Windows 2000 Adds a link to an Internet or intranet Web page to the Add Printer Wizard.  You can use this setting to direct users to a Web page from which they can install printers.  If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the Specify a Printer page in the Add Printer Wizard. The Browse button appears beside the Connect to a printer on the Internet or on a home or office network option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers.  This setting makes it easy for users to find the printers you want them to add.  Also, see the Custom support URL in the Printers folder's left pane and Web-based printing settings in Computer Configuration\Administrative Templates\Printers. HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Printers Page URL
USER Administrative Templates\Control Panel\Printers Browse the network to find printers At least Microsoft Windows 2000 Allows users to use the Add Printer Wizard to search the network for shared printers.  If you enable this setting or do not configure it, when users choose to add a network printer by selecting the A network printer, or a printer attached to another computer radio button on Add Printer Wizard's page 2, and also check the Connect to this printer (or to browse for a printer, select this option and click Next) radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent Name edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list.  If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name.  Note: This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Downlevel Browse
USER Administrative Templates\Control Panel\Printers Default Active Directory path when searching for printers At least Microsoft Windows 2000 Specifies the Active Directory location where searches for printers begin.  The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. If you enable this setting, these searches begin at the location you specify in the Default Active Directory path box. Otherwise, searches begin at the root of Active Directory.  This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Default Search Scope
USER Administrative Templates\Control Panel\Printers Point and Print Restrictions At least Microsoft Windows XP Professional with SP1 or Windows Server 2003 family This policy setting restricts the servers that a client can connect to for point and print. The policy setting applies only to non Print Administrators clients, and only to machines that are members of a domain.  When the policy setting is enabled, the client can be restricted to only point and print to a server within its own forest, and/or to a list of explicitly trusted servers.  When the policy setting is not-configured, it defaults to allowing point and print only within the client’s forest.  When the policy setting is disabled, client machines can point and print to any server. HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted, HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!InForest, HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!TrustedServers, HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!ServerList
USER Administrative Templates\Control Panel\Printers Prevent addition of printers At least Microsoft Windows 2000 Prevents users from using familiar methods to add local and network printers.  This setting removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel.  Also, users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears explaining that the setting prevents the action.  However, this setting does not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add printers.  This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print.  Note: You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Properties, and then click the Security tab. HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!NoAddPrinter
USER Administrative Templates\Control Panel\Printers Prevent deletion of printers At least Microsoft Windows 2000 Prevents users from deleting local and network printers.  If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action.  This setting does not prevent users from running other programs to delete a printer. HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!NoDeletePrinter
USER Administrative Templates\Control Panel\Regional and Language Options Restrict selection of Windows menus and dialogs language At least Microsoft Windows 2000 This setting restricts users to the specified language by disabling the menus and dialog box controls in the Regional and Language Options Control Panel. If the specified language is not installed on the target computer, the language selection defaults to English. HKCU\Software\Policies\Microsoft\Control Panel\Desktop!MultiUILanguageID
USER Administrative Templates\Shared Folders Allow shared folders to be published At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether the user can publish shared folders in Active Directory.  If you enable this setting or do not configure it, users can use the Publish in Active Directory option in the Shared Folders snap-in to publish shared folders in Active Directory.  If you disable this setting, the user cannot publish shared folders in Active Directory, and the Publish in Active Directory option is disabled. Note: The default is to allow shared folders to be published when this setting is not configured HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishSharedFolders
USER Administrative Templates\Shared Folders Allow DFS roots to be published At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether the user can publish DFS roots in Active Directory.  If you enable this setting or do not configure it, users can use the Publish in Active Directory option to publish DFS roots as shared folders in Active Directory.  If you disable this setting, the user cannot publish DFS roots in Active Directory, and the Publish in Active Directory option is disabled. Note: The default is to allow shared folders to be published when this setting is not configured. HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishDfsRoots
USER Administrative Templates\Network\Offline Files Prohibit user configuration of Offline Files At least Microsoft Windows 2000 Prevents users from enabling, disabling, or changing the configuration of Offline Files.  This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box.  This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. HKCU\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
USER Administrative Templates\Network\Offline Files Synchronize all offline files when logging on At least Microsoft Windows 2000 Determines whether offline files are fully synchronized when users log on.  This setting also disables the Synchronize all offline files before logging on option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager.  If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current.  If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the Synchronize all offline files before logging on option. HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
USER Administrative Templates\Network\Offline Files Synchronize all offline files before logging off At least Microsoft Windows 2000 Determines whether offline files are fully synchronized when users log off.  This setting also disables the Synchronize all offline files before logging off option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current.  If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current.  If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the Synchronize all offline files before logging off option. HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
USER Administrative Templates\Network\Offline Files Synchronize offline files before suspend At least Microsoft Windows 2000 Determines whether offline files are synchonized before a computer is suspended.  If you enable this setting, offline files will be synchronized whenever the computer is suspended. Setting the synchronization action to Quick ensures only that all files in the cache are complete. Setting the synchronization action to Full ensures that all cached files and folders are up to date with the most current version.  If you disable or do not configuring this setting, a synchronization will not occur when the computer is suspended.  Note: If the computer is suspended by closing the display on a portable computer, a synchronization is not performed. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
USER Administrative Templates\Network\Offline Files Action on server disconnect At least Microsoft Windows 2000 Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.  This setting also disables the When a network connection is lost option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.  If you enable this setting, you can use the Action box to specify how computers in the group respond.  --  Work offline indicates that the computer can use local copies of network files while the server is inaccessible.  --  Never go offline indicates that network files are not available while the server is inaccessible.  If you disable this setting or select the Work offline option, users can work offline if disconnected.  If you do not configure this setting, users can work offline by default, but they can change this option.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer  Configuration takes precedence over the setting in User Configuration.  Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the When a network connection is lost section.  Also, see the Non-default server disconnect actions setting. HKCU\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
USER Administrative Templates\Network\Offline Files Non-default server disconnect actions At least Microsoft Windows 2000 Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the Action on server disconnect setting.  To use this setting, click Show, and then click Add. In the Type the name of the item to be added box, type the server's computer name. Then, in the Type the value of the item to be added box, type 0 if users can work offline when they are disconnected from this server, or type 1 if they cannot.  This setting appears in the Computer Configuration and User Configuration folders.  If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Both Computer and User configuration take precedence over a user's setting.  This setting does not prevent users from setting custom actions through the Offline Files tab.  However, users are unable to change any custom actions established via this setting.  Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the Exception list section. HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
USER Administrative Templates\Network\Offline Files Remove 'Make Available Offline' At least Microsoft Windows 2000 Prevents users from making network files and folders available offline.  This setting removes the Make Available Offline option from the File menu and from all context menus in Windows Explorer. As a result, users cannot designate files to be saved on their computer for offline use.  However, this setting does not prevent the system from saving local copies of files that reside on network shares designated for automatic caching.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions!NoMakeAvailableOffline
USER Administrative Templates\Network\Offline Files Prevent use of Offline Files folder At least Microsoft Windows 2000 Disables the Offline Files folder.  This setting disables the View Files button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location.  This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click View Files. HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions!NoCacheViewer
USER Administrative Templates\Network\Offline Files Administratively assigned offline files At least Microsoft Windows 2000 This policy setting lists network files and folders that are always available for offline use. This ensures that the the specified files and folders are available offline to users of the computer.  If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show, and then click Add. In the Type the name of the item to be added box, type the fully qualified UNC path to the file or folder. Leave the Enter the value of the item to be added field blank.  If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made always available for offline use.  If you do not configure this policy setting, no files or folders are made always available for offline use.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the settings will be combined and all specified files will be available for offline use. HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
USER Administrative Templates\Network\Offline Files Turn off reminder balloons At least Microsoft Windows 2000 Hides or displays reminder balloons, and prevents users from changing the setting.  Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.  If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.  If you disable the setting, the system displays the reminder balloons and prevents users from hiding them.  If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting.  To prevent users from changing the setting while a setting is in effect, the system disables the Enable reminders option on the Offline Files tab  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the Enable reminders check box. HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!NoReminders
USER Administrative Templates\Network\Offline Files Reminder balloon frequency At least Microsoft Windows 2000 Determines how often reminder balloon updates appear.  If you enable this setting, you can select how often reminder balloons updates apppear and also prevent users from changing this setting.  Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the Display reminder balloons every ... minutes option. HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!ReminderFreqMinutes
USER Administrative Templates\Network\Offline Files Initial reminder balloon lifetime At least Microsoft Windows 2000 Determines how long the first reminder balloon for a network status change is displayed.  Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!InitialBalloonTimeoutSeconds
USER Administrative Templates\Network\Offline Files Reminder balloon lifetime At least Microsoft Windows 2000 Determines how long updated reminder balloons are displayed.  Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!ReminderBalloonTimeoutSeconds
USER Administrative Templates\Network\Offline Files Event logging level At least Microsoft Windows 2000 Determines which events the Offline Files feature records in the event log.  Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record.  To use this setting, in the Enter box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels.  0 records an error when the offline storage cache is corrupted.  1 also records an event when the server hosting the offline file is disconnected from the network.  2 also records events when the local computer is connected and disconnected from the network.  3 also records an event when the server hosting the offline file is reconnected to the network.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders!EventLoggingLevel
USER Administrative Templates\Network\Offline Files Prohibit 'Make Available Offline' for these file and folders At least Microsoft Windows XP Professional or Windows Server 2003 family This policy setting allows you to manage a list of files or folders for which you wish to prohibit the 'Make Available Offline' option.  If you enable this policy setting, the 'Make Available Offline' option is not available for the files or folders you list. To specify these files or folders, click Show, and then click Add. In the 'Type the name of the item to be added' box, type the fully qualified UNC path to the file or folder. Leave the 'Enter the value of the item to be added' field blank.  If you disable this policy setting, the list of files or folders for which the 'Make Available Offline' option is removed (including those inherited from lower precedence GPOs) is deleted.  If you do not configure this policy setting, the 'Make Available Offline' option is available for all files or folders.  Notes:  This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the 'Make Available Offline' option will be unavailable  for all specified files and folders.  This policy setting does not prevent files from being automatically cached if the network share is configured for 'Automatic Caching'. It only affects the availability of the 'Make Available Offline' menu option in the user interface.  If the 'Disable Make Available Offline' policy setting is enabled, this setting has no effect. HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
USER Administrative Templates\Network\Offline Files Do not automatically make redirected folders available offline At least Microsoft Windows XP Professional or Windows Server 2003 family All redirected shell folders, such as My Documents, Desktop, Start Menu, and Application Data, are available offline by default. This setting allows you to change this behavior so that redirected shell folders are not automatically available for offline use. However, users can still choose to make files and folders available offline themselves.  If you enable this setting, the users must manually select the files they wish to be made available offline.  If you disable this setting or do not configure it, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline.  Note: This setting does not prevent files from being automatically cached if the network share is configured for Automatic Caching, nor does it affect the availability of the Make Available Offline menu option in the user interface.  Note: Do not enable this setting unless you are certain that users will not need access to all of their redirected files in the event that the network or server holding the redirected files becomes unavailable. HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList!DisableFRAdminPin
USER Administrative Templates\Network\Network Connections Ability to rename LAN connections or remote access connections available to all users At least Microsoft Windows 2000 Service Pack 1 Determines whether users can rename LAN or all user remote access connections.  If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu.  If you disable this setting (and enable the Enable Network Connections settings for Administrators setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators).  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections.  Note: When configured, this setting always takes precedence over the Ability to rename LAN connections and Ability to rename all user remote access connections settings.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameConnection
USER Administrative Templates\Network\Network Connections Prohibit access to properties of components of a LAN connection At least Microsoft Windows 2000 Service Pack 1 Determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection.  This setting determines whether the Properties button for components of a LAN connection is enabled.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the Enable Network Connections settings for Administrators setting.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators.  The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list.  Note: Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.  Note: When the Prohibit access to properties of a LAN connection setting is enabled, users are blocked from accessing the Properties button for LAN connection components.  Note: Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users.  Note: Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanChangeProperties
USER Administrative Templates\Network\Network Connections Prohibit access to properties of components of a remote access connection At least Microsoft Windows 2000 Service Pack 1 Determines whether users can view and change the properties of components used by a private or all-user remote access connection.  This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties button is disabled for all users (including administrators).  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Properties button is enabled for all users.  The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list.  Note: Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.  Note: When the Ability to change properties of an all user remote access connection or Prohibit changing properties of a private remote access connection settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasChangeProperties
USER Administrative Templates\Network\Network Connections Prohibit TCP/IP advanced configuration At least Microsoft Windows 2000 Service Pack 1 Determines whether users can configure advanced TCP/IP settings.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box.  Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration.  Note: Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting.  Tip: To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab.  In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button.  Note: Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowAdvancedTCPIPConfig
USER Administrative Templates\Network\Network Connections Prohibit access to the Advanced Settings item on the Advanced menu At least Microsoft Windows 2000 Service Pack 1 Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators.  The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Advanced Settings item is disabled for administrators.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators.  Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AdvancedSettings
USER Administrative Templates\Network\Network Connections Prohibit adding and removing components for a LAN or remote access connection At least Microsoft Windows 2000 Service Pack 1 Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard.  The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button).  The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections.  Note: When the Prohibit access to properties of a LAN connection, Ability to change properties of an all user remote access connection, or Prohibit changing properties of a private remote access connection settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked.  Note: Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AddRemoveComponents
USER Administrative Templates\Network\Network Connections Prohibit access to properties of a LAN connection At least Microsoft Windows 2000 Service Pack 1 Determines whether users can change the properties of a LAN connection.  This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu.  Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users.  Note: Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanProperties
USER Administrative Templates\Network\Network Connections Prohibit Enabling/Disabling components of a LAN connection At least Microsoft Windows 2000 Service Pack 1 Determines whether administrators can enable and disable the components used by LAN connections.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component.  Note: When the Prohibit access to properties of a LAN connection setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection.  Note: Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_ChangeBindState
USER Administrative Templates\Network\Network Connections Ability to change properties of an all user remote access connection At least Microsoft Windows 2000 Service Pack 1 Determines whether a user can view and change the properties of remote access connections that are available to all users of the computer.  To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the For all users option.  This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users.  If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu.  If you disable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections.  Note: This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasAllUserProperties
USER Administrative Templates\Network\Network Connections Prohibit changing properties of a private remote access connection At least Microsoft Windows 2000 Service Pack 1 Determines whether users can view and change the properties of their private remote access connections.  Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the Only for myself option.  This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu.  Note: This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasMyProperties
USER Administrative Templates\Network\Network Connections Prohibit deletion of remote access connections At least Microsoft Windows 2000 Service Pack 1 Determines whether users can delete remote access connections.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder.  Important:  If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the Ability to delete all user remote access connections setting.)  Important: When enabled, this setting takes precedence over the Ability to delete all user remote access connections setting. Users cannot delete any remote access connections, and the Ability to delete all user remote access connections setting is ignored.  Note: LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteConnection
USER Administrative Templates\Network\Network Connections Ability to delete all user remote access connections At least Microsoft Windows 2000 Service Pack 1 Determines whether users can delete all user remote access connections.  To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the For all users option.  If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection.  If you disable this setting (and enable the Enable Network Connections settings for Administrators setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the Prohibit deletion of remote access connections setting.)  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections.  Important: When enabled, the Prohibit deletion of remote access connections setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored.  Note: LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteAllUserConnection
USER Administrative Templates\Network\Network Connections Prohibit connecting and disconnecting a remote access connection At least Microsoft Windows 2000 Service Pack 1 Determines whether users can connect and disconnect remote access connections.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators).  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasConnect
USER Administrative Templates\Network\Network Connections Ability to Enable/Disable a LAN connection At least Microsoft Windows 2000 Service Pack 1 Determines whether users can enable/disable LAN connections.  If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu.  If you disable this setting (and enable the Enable Network Connections settings for Administrators setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators).  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections.  Note: Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanConnect
USER Administrative Templates\Network\Network Connections Prohibit access to the New Connection Wizard At least Microsoft Windows 2000 Service Pack 1 Determines whether users can use the New Connection Wizard, which creates new network connections.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard.  Note: Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_NewConnectionWizard
USER Administrative Templates\Network\Network Connections Ability to rename LAN connections At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether nonadministrators can rename a LAN connection.  If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu.  If you disable this setting, the Rename option is disabled for nonadministrators only.  If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections  Note: This setting does not apply to Administrators.  Note: When the Ability to rename LAN connections or remote access connections available to all users setting is configured (set to either enabled or disabled), this setting does not apply. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameLanConnection
USER Administrative Templates\Network\Network Connections Ability to rename all user remote access connections At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether nonadministrators can rename all-user remote access connections.  To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the For all users option.  If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu.  If you disable this setting, the Rename option is disabled for nonadministrators only.  If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections.  Note: This setting does not apply to Administrators  Note: When the Ability to rename LAN connections or remote access connections available to all users setting is configured (set to either Enabled or Disabled), this setting does not apply.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameAllUserRasConnection
USER Administrative Templates\Network\Network Connections Prohibit renaming private remote access connections At least Microsoft Windows 2000 Service Pack 1 Determines whether users can rename their private remote access connections.  Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the Only for myself option.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Rename option is disabled for all users (including administrators).  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu.  Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameMyRasConnection
USER Administrative Templates\Network\Network Connections Prohibit access to the Remote Access Preferences item on the Advanced menu At least Microsoft Windows 2000 Service Pack 1 Determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled.  The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features.  If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Remote Access Preferences item is disabled for all users (including administrators).  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DialupPrefs
USER Administrative Templates\Network\Network Connections Prohibit viewing of status for an active connection At least Microsoft Windows 2000 Service Pack 1 Determines whether users can view the status for an active connection.  Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection.  If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box.  Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.  If you disable this setting or do not configure it, the connection status taskbar icon and  Status dialog box are available to all users. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_Statistics
USER Administrative Templates\Network\Network Connections Enable Windows 2000 Network Connections settings for Administrators At least Microsoft Windows XP Professional or Windows Server 2003 family Determines whether settings that existed in Windows 2000 Server family will apply to Administrators.  The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators.  By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators.  If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are Ability to rename LAN connections or remote access connections available to all users, Prohibit access to properties of components of a LAN connection, Prohibit access to properties of components of a remote access connection, Ability to access TCP/IP advanced configuration, Prohibit access to the Advanced Settings Item on the Advanced Menu, Prohibit adding and removing components for a LAN or remote access connection, Prohibit access to properties of a LAN connection, Prohibit Enabling/Disabling components of a LAN connection, Ability to change properties of an all user remote access connection, Prohibit changing properties of a private remote access connection, Prohibit deletion of remote access connections, Ability to delete all user remote access connections, Prohibit connecting and disconnecting a remote access connection, Ability to Enable/Disable a LAN connection, Prohibit access to the New Connection Wizard, Prohibit renaming private remote access connections, Prohibit access to the Remote Access Preferences item on the Advanced menu, Prohibit viewing of status for an active connection. When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators.  If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators.  Note: This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_EnableAdminProhibits
USER Administrative Templates\Network\Network Connections Turn off notifications when a connection has only limited or no connectivity At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address”(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved.  If you enable this policy setting, this condition will not be reported as an error to the user.  If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_IpStateChecking
USER Administrative Templates\System Don't display the Getting Started welcome screen at logon Only works on Microsoft Windows 2000 Supresses the welcome screen.  This setting hides the welcome screen that is displayed on Windows 2000 Professional and Windows XP Professional each time the user logs on.  Users can still display the welcome screen by selecting it on the Start menu or by typing Welcome in the Run dialog box.  This setting applies only to Windows 2000 Professional and Windows XP Professional. It does not affect the Configure Your Server on a Windows 2000 Server screen on Windows 2000 Server.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click Getting Started. To suppress the welcome screen without specifying a setting, clear the Show this screen at startup check box on the welcome screen. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
USER Administrative Templates\System Century interpretation for Year 2000 At least Microsoft Windows 2000 Determines how programs interpret two-digit years.  This setting specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19.  For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999.  This setting only affects the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. HKCU\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax!1
USER Administrative Templates\System Configure driver search locations At least Microsoft Windows XP Professional or Windows Server 2003 family This setting configures the location that Windows searches for drivers when a new piece of hardware is found.  By default, Windows searches the following places for drivers: local installation, floppy drives, CD-ROM drives, Windows Update.  Using this setting, you may remove the floppy and CD-ROM drives from the search algorithm.  If you enable this setting, you can remove the locations by selecting the associated check box beside the location name.  If you disable or do not configure this setting, Windows searches the installation location, floppy drives, and CD-ROM drives.  Note: To prevent searching Windows Update for drivers also see Turn off Windows Update device driver searching in Administrative Templates/System/Internet Communication Management/Internet Communication settings. HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchFloppies, HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchCD, HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
USER Administrative Templates\System Code signing for device drivers At least Microsoft Windows 2000 Determines how the system responds when a user tries to install device driver files that are not digitally signed.  This setting establishes the least secure response permitted on the systems of users in the group. Users can use System in Control Panel to select a more secure setting, but when this setting is enabled, the system does not implement any setting less secure than the one the setting established.  When you enable this setting, use the drop-down box to specify the desired response.  --   Ignore directs the system to proceed with the installation even if it includes unsigned files.  --   Warn notifies the user that files are not digitally signed and lets the user decide whether to stop or to proceed with the installation and whether to permit unsigned files to be installed. Warn is the default.  --   Block directs the system to refuse to install unsigned files. As a result, the installation stops, and none of the files in the driver package are installed.  To change driver file security without specifying a setting, use System in Control Panel. Right-click My Computer, click Properties, click the Hardware tab, and then click the Driver Signing button. HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing!BehaviorOnFailedVerify
USER Administrative Templates\System Custom user interface At least Microsoft Windows 2000 Specifies an alternate user interface for Windows 2000.  The Explorer program (%systemdrive%\program files\internet explorer\iExplorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Explorer.exe.  To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.  If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface.  Tip: To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Shell
USER Administrative Templates\System Prevent access to the command prompt At least Microsoft Windows 2000 Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.  If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.  Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services. HKCU\Software\Policies\Microsoft\Windows\System!DisableCMD
USER Administrative Templates\System Prevent access to registry editing tools At least Microsoft Windows 2000 Disables the Windows registry editor Regedit.exe.  If this setting is enabled and the user tries to start a registry editor, a message appears explaining that a setting prevents the action.  To prevent users from using other administrative tools, use the Run only allowed Windows applications setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableRegistryTools
USER Administrative Templates\System Run only allowed Windows applications At least Microsoft Windows 2000 Limits the Windows programs that users have permission to run on the computer.  If you enable this setting, users can only run programs that you add to the List of Allowed Applications.  This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. Note: To create a list of allowed applications, click Show, click Add, and then enter the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictRun, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun!{1,2,3,...}
USER Administrative Templates\System Don't run specified Windows applications At least Microsoft Windows 2000 Prevents Windows from running the programs you specify in this setting.  If you enable this setting, users cannot run programs that you add to the list of disallowed applications.  This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs, such as Task Manager, that are started by the system process or by other processes. Also, if you permit users to gain access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer. Note: To create a list of disallowed applications, click Show, click Add, and then enter the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowRun, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun!{1,2,3,...}
USER Administrative Templates\System Turn off Autoplay At least Microsoft Windows 2000 Turns off the Autoplay feature.  Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.  By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.  If you enable this setting, you can also disable Autoplay on CD-ROM drives or disable Autoplay on all drives.  This setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.  Note: This setting appears in both the Computer Configuration and User Configuration folders. If the settings conflict, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Note: This setting does not prevent Autoplay for music CDs. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
USER Administrative Templates\System Restrict these programs from being launched from Help At least Microsoft Windows XP Professional or Windows Server 2003 family Allows you to restrict programs from being run from online Help.  If you enable this setting, you can prevent programs that you specify from being allowed to be run from Help. When you enable this setting, enter the list of the programs you want to restrict. Enter the file name of the executable for each application, separated by commas.  If you disable or do not configure this setting, users will be able to run applications from online Help.  Note: You can also restrict users from running applications by using the Software Restriction settings available in Computer Configuration\Security Settings.  Note: This setting is available under Computer Configuration and User Comfiguration. If both are set, the list of programs specified in each of these will be restricted. HKCU\Software\Policies\Microsoft\Windows\System!DisableInHelp
USER Administrative Templates\System Download missing COM components At least Microsoft Windows 2000 Directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.  Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM. These programs cannot perform all of their functions unless Windows has internally registered the required components.  If you enable this setting and a component registration is missing, the system searches for it in Active Directory and if it is found, downloads it. The resulting searches might make some programs start or run slowly.  If you disable this setting or do not configure it, the program continues without the registration. As a result, the program might not perform all of its functions, or it might stop.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in  User Configuration. HKCU\Software\Policies\Microsoft\Windows\App Management!COMClassStore
USER Administrative Templates\System Windows Automatic Updates Only works on Microsoft Windows XP Professional This setting controls automatic updates to a user's computer.  Whenever a user connects to the Internet, Windows searches for updates available for the software and hardware on their computer and automatically downloads them. This happens in the background, and the user is prompted when downloaded components are ready to be installed, or prior to downloading, depending on their configuration.  If you enable this setting, it prohibits Windows from searching for updates.  If you disable or do not configure it, Windows searches for updates and automatically downloads them.  Note: Windows Update is an online catalog customized for your computer that consists of items such as drivers, critical updates, Help files, and Internet products that you can download to keep your computer up to date.  Also, see the Remove links and access to Windows Update setting. If the Remove links and access to Windows Update setting is enabled, the links to Windows Update on the Start menu are also removed.  Note: If you have installed Windows XP Service Pack 1 or the update to Automatic Updates that was released after Windows XP was originally shipped, then you should use the new Automatic Updates settings located at: 'Computer Configuration / Administrative Templates / Windows Update' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoUpdate
USER Administrative Templates\System\User Profiles Connect home directory to root of the share At least Microsoft Windows 2000 Restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier.  If you enable this setting, the system uses the Windows NT 4.0 definitions. If you disable this setting or do not configure it, the system uses the new definitions designed for the Windows 2000 operating system.  Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote directory.  By default, in Windows 2000 Server Family, %HOMESHARE% stores the fully qualified path to the home directory (such as \\server\share\dir1\dir2\homedir). Users can access the home directory and any of its subdirectories from the home drive letter, but they cannot see or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems.  On Windows NT 4.0 and earlier, %HOMESHARE% stores only the network share (such as \\server\share). %HOMEPATH% stores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result, users can access any directory on the home share by using the home directory drive letter.  Tip: To specify a home directory in Windows 2000 Server Family, in Active Directory Users and Computers or Local Users and Groups, right-click the name of a user account, click Properties, click the Profile tab, and in the Home folder section, select the Connect option and select a drive letter and home directory.  Example: Drive Z is mapped to \\server\share\dir1\dir2\homedir.  If this setting is disabled or not configured (Windows 2000 Server Family behavior):  --  %HOMEDRIVE%  = Z: (mapped to \\server\share\dir1\dir2\homedir)  --  %HOMESHARE% = \\server\share\dir1\dir2\homedir  --  %HOMEPATH% = \  If the setting is enabled (Windows NT 4.0 behavior):  --  %HOMEDRIVE% = Z: (mapped to \\server\share)  --  %HOMESHARE% = \\server\share  --  %HOMEPATH% = \dir1\dir2\homedir HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ConnectHomeDirToRoot
USER Administrative Templates\System\User Profiles Limit profile size At least Microsoft Windows 2000 Sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size.  If you disable this setting or do not configure it, the system does not limit the size of user profiles.  If you enable this setting, you can do the following:  --  Set a maximum permitted user profile size;  --  Determine whether the registry files are included in the calculation of the profile size;  --  Determine whether users are notified when the profile exceeds the permitted maximum size;  --  Specify a customized message notifying users of the oversized profile;  --  Determine how often the customized message is displayed.  Note: This setting affects both local and roaming profiles. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableProfileQuota, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ProfileQuotaMessage, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!MaxProfileSize, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!IncludeRegInProQuota, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!WarnUser, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!WarnUserTimeout
USER Administrative Templates\System\User Profiles Exclude directories in roaming profile At least Microsoft Windows 2000 Lets you add to the list of folders excluded from the user's roaming profile.  This setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers.  By default, the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile.  If you enable this setting, you can exclude additional folders.  If you disable this setting or do not configure it, only the default folders are excluded.  Note: You cannot use this setting to include the default folders in a roaming user profile. HKCU\Software\Policies\Microsoft\Windows\System!ExcludeProfileDirs
USER Administrative Templates\System\Scripts Run logon scripts synchronously At least Microsoft Windows 2000 Directs the system to wait for the logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop.  If you enable this setting, Windows Explorer does not start until the logon scripts have finished running. This setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.  If you disable this setting or do not configure it, the logon scripts and Windows Explorer are not synchronized and can run simultaneously.  This setting appears in the Computer Configuration and User Configuration folders. The setting set in Computer Configuration takes precedence over the setting set in User Configuration. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
USER Administrative Templates\System\Scripts Run legacy logon scripts hidden At least Microsoft Windows 2000 Hides the instructions in logon scripts written for Windows NT 4.0 and earlier.  Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000.  If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier.  Also, see the Run Logon Scripts Visible setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLegacyLogonScripts
USER Administrative Templates\System\Scripts Run logon scripts visible At least Microsoft Windows 2000 Displays the instructions in logon scripts as they run.  Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in the logon script.  If you enable this setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This setting is designed for advanced users.  If you disable this setting or do not configure it, the instructions are suppressed. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogonScripts
USER Administrative Templates\System\Scripts Run logoff scripts visible At least Microsoft Windows 2000 Displays the instructions in logoff scripts as they run.  Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script.  If you enable this setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This setting is designed for advanced users.  If you disable this setting or do not configure it, the instructions are suppressed. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogoffScripts
USER Administrative Templates\System\Ctrl+Alt+Del Options Remove Task Manager At least Microsoft Windows 2000 Prevents users from starting Task Manager (Taskmgr.exe).  If this setting is enabled and users try to start Task Manager, a message appears explaining that a policy prevents the action.  Task Manager lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
USER Administrative Templates\System\Ctrl+Alt+Del Options Remove Lock Computer At least Microsoft Windows 2000 Prevents users from locking the system.  While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it.  Tip:To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock Computer. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
USER Administrative Templates\System\Ctrl+Alt+Del Options Remove Change Password At least Microsoft Windows 2000 Prevents users from changing their Windows password on demand.  This setting disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del).  However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword
USER Administrative Templates\System\Ctrl+Alt+Del Options Remove Logoff At least Microsoft Windows 2000 Prevents the user from logging off.  This setting does not let the user log off the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off the system.  Also, see the Remove Logoff on the Start Menu setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoLogoff
USER Administrative Templates\System\Logon Run these programs at user logon At least Microsoft Windows 2000 Specifies additional programs or documents that Windows starts automatically when a user logs on to the system.  To use this setting, click Show, click Add, and then, in the text box, type the name of the executable program (.exe) file or document file. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.  Also, see the Do not process the legacy run list and the Do not process the run once list settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run!{1,2,3,...}
USER Administrative Templates\System\Logon Do not process the run once list At least Microsoft Windows 2000 Ignores customized run-once lists.  You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.  If you enable this setting, the system ignores the run-once list.  If you disable this setting or do not configure it, the system runs the programs in the run-once list.  This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.  Also, see the Do not process the legacy run list setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRunOnce
USER Administrative Templates\System\Logon Do not process the legacy run list At least Microsoft Windows 2000 Ignores the customized run list.  You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows XP Professional, Windows 2000 Professional, Windows NT Workstation 4.0 and earlier. These programs are added to the standard run list of programs and services that the system starts.  If you enable this setting, the system ignores the run list for Windows NT Workstation 4.0, Windows 2000 Professional, and Windows XP Professional.  If you disable or do not configure this setting, Windows 2000 adds any customized run list configured for Windows NT 4.0 and earlier to its run list.  This setting appears in the Computer Configuration and User Configuration folders. If both policies are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Note: To create a customized run list by using a policy, use the Run these applications at startup setting.  The customized run lists for Windows NT 4.0 and earlier are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run. They can be configured by using the Run setting in System Policy Editor for Windows NT 4.0 and earlier.  Also, see the Do not process the run once list setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRun
USER Administrative Templates\System\Group Policy Group Policy refresh interval for users At least Microsoft Windows 2000 Specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder.  In addition to background updates, Group Policy for users is always updated when users log on.  By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.  You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.  If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the Turn off background refresh of Group Policy setting.  This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly.  Important: If the Turn off background refresh of Group Policy setting is enabled, this setting is ignored.  Note: This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the Group Policy refresh interval for computers setting (located in Computer Configuration\Administrative Templates\System\Group Policy).  Tip: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime, HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeOffset
USER Administrative Templates\System\Group Policy Group Policy slow link detection At least Microsoft Windows 2000 Defines a slow connection for purposes of applying and updating Group Policy.  If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.  The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.  To use this setting, in the Connection speed box, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0), indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.  If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.  This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.  Also, see the Do not detect slow network connections and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate
USER Administrative Templates\System\Group Policy Group Policy domain controller selection At least Microsoft Windows 2000 Determines which domain controller the Group Policy Object Editor snap-in uses.  --  Use the Primary Domain Controller indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain.  --  Inherit from Active Directory Snap-ins indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use.  --  Use any available domain controller indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller.  If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.  Note: To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click Operations Masters. HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DCOption
USER Administrative Templates\System\Group Policy Create new Group Policy object links disabled by default At least Microsoft Windows 2000 Creates new Group Policy object links in the disabled state.  This setting creates all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as  Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system.  If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!NewGPOLinksDisabled
USER Administrative Templates\System\Group Policy Default name for new Group Policy objects At least Microsoft Windows 2000 Sets the default display name for new Group Policy objects.  This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser.  The display name may contain environment variables and can be a maximum of 255 characters long.  If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!GPODisplayName
USER Administrative Templates\System\Group Policy Enforce Show Policies Only At least Microsoft Windows 2000 Prevents administrators from viewing or using Group Policy preferences.  A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys.  If you enable this setting, the Show Policies Only command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear.  If you disable this setting or do not configure it, the Show Policies Only command is turned on by default, but administrators can view preferences by turning off the Show Policies Only command.  Note: To find the Show Policies Only command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to View.  In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!ShowPoliciesOnly
USER Administrative Templates\System\Group Policy Turn off automatic update of ADM files At least Microsoft Windows 2000 Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor.  Administrators may want to use this if they are concerned about the amount of space used on the system volume of a DC.  By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO.  If the local files are newer, they are copied into the GPO.  Changing the status of this setting to Enabled will keep any source files from copying to the GPO.  Changing the status of this setting to Disabled will enforce the default behavior.  Files will always be copied to the GPO if they have a later timestamp.  NOTE: If the Computer Configuration policy setting, Always use local ADM files for the Group Policy Object Editor is enabled, the state of this setting is ignored and always treated as Enabled. HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DisableAutoADMUpdate
USER Administrative Templates\System\Group Policy Disallow Interactive Users from generating Resultant Set of Policy data At least Microsoft Windows XP Professional or Windows Server 2003 family This setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.  By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data.  If this setting is enabled, interactive users cannot generate RSoP data.  If this setting is not configured or disabled, interactive Users can generate RSoP.  Note: This setting does not affect administrators. If this setting is enabled or disabled, by default, administrators can view RSoP data.  Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc  Note: This setting exists as both a User Configuration and Computer Configuration setting.  Also, see the Turn off Resultant set of Policy Logging setting in Computer Configuration\Administrative Templates\System\GroupPolicy. HKCU\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
USER Administrative Templates\System\Power Management Prompt for password on resume from hibernate / suspend At least Microsoft Windows XP Professional or Windows Server 2003 family This settings allows you to configure client computers to always lock when resuming from a hibernate or suspend.  If you enable this setting, the client computer is locked when it is resumed from a suspend or hibernate state.  If you disable or do not configure this setting, users can decide if their computer is automatically locked or not after performing a resume operation. HKCU\Software\Policies\Microsoft\Windows\System\Power!PromptPasswordOnResume
USER Administrative Templates\System\Internet Communication Management Restrict Internet communication At least Microsoft Windows XP Professional with SP2 Specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.  If this setting is enabled, all of the the policy settings listed in the Internet Communication settings section will be set to enabled.  If this setting is disabled, all of the the policy settings listed in the 'Internet Communication settings' section will be set to disabled.  If this setting is not configured, all of the the policy settings in the 'Internet Communication settings' section will be set to not configured. HKCU\Software\Policies\Microsoft\InternetManagement!RestrictCommunication, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard, HKCU\Software\Policies\Microsoft\Messenger\Client!CEIP, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith, HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting, HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload, HKCU\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload, HKCU\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp, HKCU\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard, HKCU\Software\Policies\Microsoft\Messenger\Client!CEIP, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith, HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting, HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload, HKCU\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload, HKCU\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp, HKCU\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off the Publish to Web task for files and folders At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web, are available from File and Folder Tasks in Windows folders.  The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the Web.  If you enable this setting, these tasks are removed from the File and Folder tasks in Windows folders.  If you disable or do not configure this setting, the tasks will be shown. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Internet download for Web publishing and online ordering wizards At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether Windows should download a list of providers for the Web publishing and online ordering wizards.  These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing.  By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry.  If you enable this setting, Windows will not download providers and only the service providers that are cached in the local registry will be displayed.  If you disable or do not configure this setting, a list of providers will be downloaded when the user uses the Web publishing or online ordering wizards.  See the documentation for the Web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off the Order Prints picture task At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders.  The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.  If you enable this setting, the task Order Prints Online is removed from Picture Tasks in Windows Explorer folders.  If you disable or do not configure this setting, the task is displayed. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off the Windows Messenger Customer Experience Improvement Program At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family Specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used.  With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used.  This information is used to improve the product in future releases.  If you enable this setting, Windows Messenger will not collect usage information and the user settings to enable the collection of usage information will not be shown.  If you disable this setting, Windows Messenger will collect anonymous usage information and the setting will not be shown.  If you do not configure this setting, users will have the choice to opt-in and allow information to be collected. HKCU\Software\Policies\Microsoft\Messenger\Client!CEIP
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Internet File Association service At least Microsoft Windows XP Professional or Windows Server 2003 family Specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association.  When a user opens a file that has an extension that is not associated with any applications on the machine, the user is given the choice to choose a local application or use the Web service to find an application.  If you enable this setting, the link and the dialog for using the Web service to open an unhandled file association are removed.  If you disable or do not configure this setting, the user will be allowed to use the Web service. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off printing over HTTP At least Microsoft Windows XP Professional with SP2 Specifies whether to allow printing over HTTP from this client.  Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.  Note: This setting affects the client side of Internet printing only. It does not prevent this machine from acting as an Internet Printing server and making its shared printers available via HTTP.  If you enable this setting, it prevents this client from printing to Internet printers over HTTP.  If you disable or do not configure this setting, users will be able to choose to print to Internet printers over HTTP.  Also see the Web-based Printing setting in Computer Configuration/Administrative Templates/Printers. HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off downloading of print drivers over HTTP At least Microsoft Windows XP Professional with SP2 Specifies whether to allow this client to download print driver packages over HTTP.  To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.  Note: This setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP.  It only prohibits downloading drivers that are not already installed locally.  If you enable this setting, print drivers will not be downloaded over HTTP.  If you disable this setting or do not configure it, users will be able to download print drivers over HTTP. HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Movie Maker automatic codec downloads At least Microsoft Windows XP Professional with SP2 Specifies whether Windows Movie Maker automatically downloads codecs.  Windows Movie Maker can be configured so that codecs are downloaded automatically if the required codecs are not installed on the computer.  If you enable this setting, Windows Movie Maker will not attempt to download missing codecs for imported audio and video files.  If you disable or do not configure this setting, Windows Movie Maker might attempt to download missing codecs for imported audio and video files. HKCU\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Movie Maker online Web links At least Microsoft Windows XP Professional with SP2 Specifies whether links to Web sites are available in Windows Movie Maker. These links include the Windows Movie Maker on the Web and Privacy Statement commands that appear on the Help menu, as well as the Learn more about video filters hyperlink in the Options dialog box and the sign up now hyperlink in the The Web saving option in the Save Movie Wizard.  The Windows Movie Maker on the Web command lets users go directly to the Windows Movie Maker Web site to get more information, and the Privacy Statement command lets users view information about privacy issues in respect to Windows Movie Maker. The Learn more about video filters hyperlink lets users learn more about video filters and their role in saving movies process in Windows Movie Maker.  The sign up now hyperlink lets users sign up with a video hosting provider on the Web.  If you enable this setting, the previously mentioned links to Web sites from Windows Movie Maker are disabled and cannot be selected.  If you disable or do not configure this setting, the previously mentioned links to Web sites from Windows Movie Maker are enabled and can be selected. HKCU\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp
USER Administrative Templates\System\Internet Communication Management\Internet Communication settings Turn off Windows Movie Maker saving to online video hosting provider At least Microsoft Windows XP Professional with SP2 Specifies whether users can send a final movie to a video hosting provider on the Web by choosing The Web saving option in the Save Movie Wizard of Windows Movie Maker.  When users create a movie in Windows Movie Maker, they can choose to share it in a variety of ways through the Save Movie Wizard. The Web saving option lets users send their movies to a video hosting provider.  If you enable this setting, users cannot choose The Web saving option in the Save Movie Wizard of Windows Movie Maker and cannot send a movie to a video hosting provider on the Web.  If you disable or do not configure this setting, users can choose The Web saving option in the Save Movie Wizard of Windows Movie Maker and can send a movie to a video hosting provider on the Web. HKCU\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish
USER Administrative Templates\System Turn off Windows Update device driver search prompt At least Microsoft Windows XP Professional with SP2 Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet.  Note: This setting only has effect if Turn off Windows Update device driver searching in Administrative Templates/System/Internet Communication Management/Internet Communication settings is disabled or not configured.  If this setting is enabled, administrators will not be prompted to search Windows Update.  If this setting is disabled or not configured and Turn off Windows Update device driver searching is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to search for device drivers. HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
USER Administrative Templates\Windows Components\Application Compatibility Prevent access to 16-bit applications At least Microsoft Windows XP Professional with SP1 or Windows Server 2003 family Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running for all users. This setting affects the launching of 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users.  You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the process is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased.  If the status is set to Enabled, ntvdm.exe is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run.  If the status is set to Disabled, the default setting applies and the MS-DOS subsystem runs for all users.  If the status is set to Not Configured, the default applies and ntvdm.exe runs for all users. However, if an administrator sets the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault to 1, the default changes to prevent all 16-bit applications from running.  Note:  This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKCU\Software\Policies\Microsoft\Windows\AppCompat!VDMDisallowed
USER Administrative Templates\Windows Components\Attachment Manager Default risk level for file attachments At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments.  High Risk – If the attachment is in the list of high risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.  Moderate Risk - If the attachment is in the list of moderate risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.  Low Risk - If the attachment is in the list of low risk file types, Windows will not prompt the user before accessing the file, regardless of the file’s zone information.  If you enable this policy setting you can specify the default risk level for file types.  If you disable this policy setting Windows sets the default risk level to moderate.  If you do not configure this policy setting Windows sets the default risk level to moderate. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!DefaultFileTypeRisk
USER Administrative Templates\Windows Components\Attachment Manager Inclusion list for high risk file types At least Microsoft Windows XP Professional with SP2 This policy setting allows you to configure the list of high risk file types. If the file attachment is in the list of high risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the Medium and Low risk inclusion lists (where an extension is listed in more than one inclusion list.)  If you enable this policy setting you can create a custom list of high risk file types.  If you disable this policy setting Windows uses its built in list of file types that pose a high risk.  If you do not configure this policy setting Windows uses its built in list of high risk file types. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!HighRiskFileTypes
USER Administrative Templates\Windows Components\Attachment Manager Inclusion list for moderate risk file types At least Microsoft Windows XP Professional with SP2 This policy setting allows you to configure the list of moderate risk file types. If the attachment is in the list of moderate risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high risk file types built into Windows and it takes precedence over the Low risk inclusion list but has a lower precedence than the High risk inclusion list (where an extension is listed in more than one inclusion list.)  If you enable this policy setting you can specify file types which pose a moderate risk.  If you disable this policy setting Windows uses its default trust logic.  If you do not configure this policy setting Windows uses its default trust logic. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!ModRiskFileTypes
USER Administrative Templates\Windows Components\Attachment Manager Inclusion list for low file types At least Microsoft Windows XP Professional with SP2 This policy setting allows you to configure the list of low risk file types. If the attachment is in the list of low risk file types, Windows will not prompt the user before accessing the file, regardless of the file’s zone information. This inclusion list overrides the list of high risk file types built into Windows and has a lower precedence than the High or Medium risk inclusion lists (where an extension is listed in more than one inclusion list.)  If you enable this policy setting you can specify file types which pose a low risk.  If you disable this policy setting Windows uses its default trust logic.  If you do not configure this policy setting Windows uses its default trust logic. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!LowRiskFileTypes
USER Administrative Templates\Windows Components\Attachment Manager Trust logic for file attachments At least Microsoft Windows XP Professional with SP2 This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.  Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don’t trust .txt files.  Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler.  Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options.  If you enable this policy setting you can choose the order in which Windows processes risk assessment data.  If you disable this policy Windows uses its default trust logic which prefers the file handler over the file type.  If you do not configure this policy setting Windows uses its default trust logic which prefers the file handler over the file type. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!UseTrustedHandlers
USER Administrative Templates\Windows Components\Attachment Manager Do not preserve zone information in file attachments At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (i.e. restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information Windows cannot make proper risk assessments.  If you enable this policy setting Windows does not mark file attachments with their zone information.  If you disable this policy setting Windows marks file attachments with their zone information.  If you do not configure this policy setting Windows marks file attachments with their zone information. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!SaveZoneInformation
USER Administrative Templates\Windows Components\Attachment Manager Hide mechanisms to remove zone information At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file’s property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.  If you enable this policy setting Windows hides the checkbox and Unblock button.  If you disable this policy setting Windows shows the checkbox and Unblock button.  If you do not configure this policy setting Windows shows the checkbox and Unblock button. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!HideZoneInfoOnProperties
USER Administrative Templates\Windows Components\Attachment Manager Notify antivirus programs when opening attachments At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer’s e-mail server because further calls would be redundant.   If you enable this policy Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.  If you disable this policy Windows does not call the registered antivirus programs when file attachments are opened.  If you do not configure this policy Windows does not call the registered antivirus programs when file attachments are opened. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!ScanWithAntiVirus
USER Administrative Templates\Windows Components\Windows Explorer Turn on Classic Shell At least Microsoft Windows 2000 This setting allows you to remove the Active Desktop and Web view features. If you enable this setting, it will disable the Active Desktop and Web view. Also, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features.  Note: This setting takes precedence over the Enable Active Desktop setting. If both policies are enabled, Active Desktop is disabled.  Also, see the Disable Active Desktop setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the Remove the Folder Options menu item from the Tools menu setting in User Configuration\Administrative Templates\Windows Components\Windows Explorer. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClassicShell
USER Administrative Templates\Windows Components\Windows Explorer Removes the Folder Options menu item from the Tools menu At least Microsoft Windows 2000 Removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box.  The Folder Options dialog box lets users set many properties of Windows Explorer, such as Active Desktop, Web view, Offline Files, hidden system files, and file types.  Also, see the Enable Active Desktop setting in User Configuration\AdministrativeTemplates\Desktop\Active Desktop and the Prohibit user configuration of Offline Files setting in User Configuration\Administrative Templates\Network\Offline Files. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFolderOptions
USER Administrative Templates\Windows Components\Windows Explorer Remove File menu from Windows Explorer At least Microsoft Windows 2000 Removes the File menu from My Computer and Windows Explorer.  This setting does not prevent users from using other methods to perform tasks available on the File menu. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFileMenu
USER Administrative Templates\Windows Components\Windows Explorer Remove Map Network Drive and Disconnect Network Drive At least Microsoft Windows 2000 Prevents users from using Windows Explorer or My Network Places to map or disconnect network drives.  If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in Windows Explorer and My Network Places and from menus that appear when you right-click the Windows Explorer or My Network Places icons. It also removes the Add Network Place option from My Network Places.  This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box.  Note:  This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetConnectDisconnect
USER Administrative Templates\Windows Components\Windows Explorer Remove Search button from Windows Explorer At least Microsoft Windows 2000 Removes the Search button from the Windows Explorer toolbar.  This setting removes the Search button from the Standard Buttons toolbar that appears in Windows Explorer and other programs that use the Windows Explorer window, such as My Computer and My Network Places.  It does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window.  This setting does not affect the Search items on the Windows Explorer context menu or on the Start menu. To remove Search from the Start menu, use the Remove Search menu from Start menu setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the Remove Windows Explorer's default context menu setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoShellSearchButton
USER Administrative Templates\Windows Components\Windows Explorer Remove Windows Explorer's default context menu At least Microsoft Windows 2000 Removes shortcut menus from the desktop and Windows Explorer. Shortcut menus appear when you right-click an item.  If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in Windows Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewContextMenu
USER Administrative Templates\Windows Components\Windows Explorer Hides the Manage item on the Windows Explorer context menu At least Microsoft Windows 2000 Removes the Manage item from the Windows Explorer context menu. This context menu appears when you right-click Windows Explorer or My Computer.  The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools.  This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management.  Tip: To hide all context menus, use the Remove Windows Explorer's default context menu setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoManageMyComputerVerb
USER Administrative Templates\Windows Components\Windows Explorer Allow only per user or approved shell extensions At least Microsoft Windows 2000 This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine.  A shell extension only runs if there is an entry in at least one of the following locations in registry.  For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.  For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!EnforceShellExtensionSecurity
USER Administrative Templates\Windows Components\Windows Explorer Do not track Shell shortcuts during roaming At least Microsoft Windows 2000 Determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system.  Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server.  If you enable this setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LinkResolveIgnoreLinkInfo
USER Administrative Templates\Windows Components\Windows Explorer Hide these specified drives in My Computer At least Microsoft Windows 2000 Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.  To use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the Do not restrict drives option in the drop-down list.  Note: This setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window.  Also, this setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.  Also, see the Prevent access to drives from My Computer setting.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDrives
USER Administrative Templates\Windows Components\Windows Explorer Prevent access to drives from My Computer At least Microsoft Windows 2000 Prevents users from using My Computer to gain access to the content of selected drives.  If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.  To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the Do not restrict drives option from the drop-down list.  Note: The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action.   Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.  Also, see the Hide these specified drives in My Computer setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewOnDrive
USER Administrative Templates\Windows Components\Windows Explorer Remove Hardware tab At least Microsoft Windows 2000 Removes the Hardware tab.  This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoHardwareTab
USER Administrative Templates\Windows Components\Windows Explorer Remove DFS tab At least Microsoft Windows 2000 Removes the DFS tab from Windows Explorer.  This setting removes the DFS tab from Windows Explorer and from other programs that use the Windows Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the Distributed File System (DFS) shares available from their computer.  This setting does not prevent users from using other methods to configure DFS. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDFSTab
USER Administrative Templates\Windows Components\Windows Explorer Remove Security tab At least Microsoft Windows XP Professional or Windows Server 2003 family Removes the Security tab from Windows Explorer.  If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question.  If you disable or do not configure this setting, users will be able to access the security tab. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSecurityTab
USER Administrative Templates\Windows Components\Windows Explorer Remove UI to change menu animation setting At least Microsoft Windows 2000 Prevents users from selecting the option to animate the movement of windows, menus, and lists.  If you enable this setting, the Use transition effects for menus and tooltips option in Display in Control Panel is disabled.  Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeAnimation
USER Administrative Templates\Windows Components\Windows Explorer Remove UI to change keyboard navigation indicator setting At least Microsoft Windows 2000 Disables the Hide keyboard navigation indicators until I use the ALT key option in Display in Control Panel.  When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT.  Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeKeyboardNavigationIndicators
USER Administrative Templates\Windows Components\Windows Explorer No Computers Near Me in My Network Places At least Microsoft Windows 2000 Removes computers in the user's workgroup and domain from lists of network resources in Windows Explorer and My Network Places.  If you enable this setting, the system removes the Computers Near Me option and the icons representing nearby computers from My Network Places. This setting also removes these icons from the Map Network Drive browser.  This setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box.  To remove network computers from lists of network resources, use the No Entire Network in My Network Places setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoComputersNearMe
USER Administrative Templates\Windows Components\Windows Explorer No Entire Network in My Network Places At least Microsoft Windows 2000 Removes all computers outside of the user's workgroup or local domain from lists of network resources in Windows Explorer and My Network Places.  If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from My Network Places and from the browser associated with the Map Network Drive option.  This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.  To remove computers in the user's workgroup or domain from lists of network resources, use the No Computers Near Me in My Network Places setting.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoEntireNetwork
USER Administrative Templates\Windows Components\Windows Explorer Maximum number of recent documents At least Microsoft Windows 2000 Determines how many shortcuts the system can display in the Documents menu on the Start menu.  The Documents menu contains shortcuts to the nonprogram files the user has most recently opened. By default, the system displays shortcuts to the 10 most recently opened documents. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!MaxRecentDocs
USER Administrative Templates\Windows Components\Windows Explorer Do not request alternate credentials At least Microsoft Windows 2000 Prevents users from submitting alternate logon credentials to install a program.  This setting suppresses the Install Program As Other User dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.  Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.  If you disable this setting or do not configure it, the Install Program As Other User dialog box appears whenever users install programs locally on the computer.  By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the Request credentials for network installations setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoRunasInstallPrompt
USER Administrative Templates\Windows Components\Windows Explorer Request credentials for network installations At least Microsoft Windows 2000 Prompts users for alternate logon credentials during network-based installations.  This setting displays the Install Program As Other User dialog box even when a program is being installed from files on a network computer across a local area network connection.  If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media.  The Install Program as Other User dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.  If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.  Note: If it is enabled, the Do not request alternate credentials setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!PromptRunasInstallNetPath
USER Administrative Templates\Windows Components\Windows Explorer Remove CD Burning features At least Microsoft Windows XP Professional or Windows Server 2003 family Windows Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC.  If you enable this setting, all features in the Windows Explorer that allow you to use your CD writer are removed.  If you disable or do not configure this setting, users are able to use the Windows Explorer CD burning features.  Note: This setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoCDBurning
USER Administrative Templates\Windows Components\Windows Explorer Do not move deleted files to the Recycle Bin At least Microsoft Windows XP Professional or Windows Server 2003 family When a file or folder is deleted in Windows Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior.  If you enable this setting, files and folders that are deleted using Windows Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted.  If you disable or do not configure this setting, files and folders deleted using Windows Explorer will be placed in the Recyele Bin. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoRecycleFiles
USER Administrative Templates\Windows Components\Windows Explorer Display confirmation dialog when deleting files At least Microsoft Windows XP Professional or Windows Server 2003 family Allows you to have Windows Explorer display a confirmation dialog  whenever a file is deleted or moved to the Recycle Bin.  If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user.  If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!ConfirmFileDelete
USER Administrative Templates\Windows Components\Windows Explorer Maximum allowed Recycle Bin size At least Microsoft Windows XP Professional or Windows Server 2003 family Limits the percentage of a volume's disk space that can be used to store deleted files.  If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation.  If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin.  Note: This setting is applied to all volumes. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!RecycleBinSize
USER Administrative Templates\Windows Components\Windows Explorer Remove Shared Documents from My Computer Only works on Microsoft Windows XP Professional Removes the Shared Documents folder from My Computer.  When a Windows client in is a workgroup, a Shared Documents icon appears in the Windows Explorer Web view under Other Places and also under Files Stored on This Computer in My Computer.  Using this policy setting, you can choose not to have these items displayed.  If you enable this setting, the Shared Documents folder is not displayed in the Web view or in My Computer.  If you disable or do not configure this setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup.  Note:  The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoSharedDocuments
USER Administrative Templates\Windows Components\Windows Explorer Turn off caching of thumbnail pictures At least Microsoft Windows XP Professional or Windows Server 2003 family This settings controls whether the thumbnail views are cached.  If you enable this setting, thumbnail views are not cached.  If you disable or do not configure this setting, thumbnail views are cached.  Note: For shared corporate workstations or computers where security is a top concern, you should enable this setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoThumbnailCache
USER Administrative Templates\Windows Components\Windows Explorer Turn off Windows+X hotkeys At least Microsoft Windows Server 2003 Turn off Windows+X hotkeys.  Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts Windows Explorer. By using this setting, you can disable these Windows+X shortcut keys.  If you enable this setting, the Windows+X shortcut keys are unavailable.  If you disable or do not configure this setting, the Windows+X shortcut keys are available. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoWinKeys
USER Administrative Templates\Windows Components\Windows Explorer Turn off shell protocol protected mode At least Microsoft Windows XP Professional with SP2 This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.  If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.  If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.  If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavior
USER Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Items displayed in Places Bar At least Microsoft Windows XP Professional or Windows Server 2003 family Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar.  The valid items you may display in the Places Bar are:  1) Shortcuts to a local folders -- (ex. C:\Windows)  2) Shortcuts to remote folders -- (\\server\share)  3) Common Shell folders.  The list of Common Shell Folders that may be specified:  CommonDocuments, CommonMusic, CommonPictures, Desktop, MyComputer, MyDocuments, MyFavorites, MyMusic, MyNetworkPlaces, MyPictures, Printers, ProgramFiles, Recent.  If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place0, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place1, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place2, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place3, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place4
USER Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Hide the common dialog places bar At least Microsoft Windows 2000 Removes the shortcut bar from the Open dialog box.  This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs.  To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!NoPlacesBar
USER Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Hide the common dialog back button At least Microsoft Windows 2000 Removes the Back button from the Open dialog box.  This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs.  To see an example of the standard Open dialog box, run Notepad and, on the File menu, click Open.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!NoBackButton
USER Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Hide the dropdown list of recent files At least Microsoft Windows 2000 Removes the list of most recently used files from the Open dialog box.  If you disable this setting or do not configure it, the File name field includes a drop-down list of recently used files. If you enable this setting, the File name field is a simple text box. Users must browse directories to find a file or type a file name in the text box.  This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs.  To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open.  Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!NoFileMru
USER Administrative Templates\Windows Components\Microsoft Management Console Restrict the user from entering author mode At least Microsoft Windows 2000 Prevents users from entering author mode.  This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default.  As a result, users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain.  This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt.  If you disable this setting or do not configure it, users can enter author mode and open author-mode console files. HKCU\Software\Policies\Microsoft\MMC!RestrictAuthorMode
USER Administrative Templates\Windows Components\Microsoft Management Console Restrict users to the explicitly permitted list of snap-ins At least Microsoft Windows 2000 Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.  --  If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins.      To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited.  --  If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins.      To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.  Note: If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins. HKCU\Software\Policies\Microsoft\MMC!RestrictToPermittedSnapins
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Active Directory Users and Computers At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Active Directory Domains and Trusts At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Active Directory Sites and Services At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins ADSI Edit At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins ActiveX Control At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Certificates At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{53D6AB1D-2488-11D1-A28C-00C04FB94F17}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Certification Authority At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Certificate Templates At least Microsoft Windows Server 2003 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{A994E107-6854-4F3D-917C-E6F01670F6D3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Wireless Monitor At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{23DC5869-BD9F-46fd-AADD-1F869BA64FC3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Component Services At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Computer Management At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Device Manager At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Disk Management At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Disk Defragmenter At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{43668E21-2636-11D1-A1CE-0080C88593A5}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Distributed File System At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Event Viewer At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins FAX Service At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{753EDB4D-2E1B-11D1-9064-00A0C90AB504}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins FrontPage Server Extensions At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Indexing Service At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{95AD72F0-44CE-11D0-AE29-00AA004B9986}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins .Net Framework Configuration At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{18BA7139-D98B-43c2-94DA-2604E34E175D}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Internet Authentication Service (IAS) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Internet Information Services At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins IP Security Policy Management At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins IP Security Monitor At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{57C596D0-9370-40C0-BA0D-AB491B63255D}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Link to Web Address At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C96401D1-0E17-11D3-885B-00C04F72C717}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Local Users and Groups At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Performance Logs and Alerts At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins QoS Admission Control At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{FD57D297-4FD9-11D1-854E-00C04FC31FD3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Remote Desktops At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{3D5D035E-7721-4B83-A645-6C07A3D403B7}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Removable Storage Management At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{3CB6973D-3E6F-11D0-95DB-00A024D77700}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Routing and Remote Access At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Security Configuration and Analysis At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Security Templates At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Services At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Shared Folders At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{58221C65-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins System Information At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{45ac8c63-23e2-11d1-a696-00c04fd58bc3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Telephony At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Terminal Services Configuration At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{B91B6008-32D2-11D2-9888-00A0C925F917}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins WMI Control At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins AppleTalk Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Authorization Manager At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{1F5EEC01-1214-4D94-80C5-4BDCD2014DDD}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Certification Authority Policy Settings At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{3F276EB4-70EE-11D1-8A0F-00C04FB93753}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Connection Sharing (NAT) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins DCOM Configuration Extension At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{9EC88934-C774-11d1-87F4-00C04FC2C17B}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Device Manager At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins DHCP Relay Management At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Event Viewer At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Extended View (Web View) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{B708457E-DB61-4C55-A92F-0D4B5E9B1224}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IAS Logging At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{2E19B602-48EB-11d2-83CA-00104BCA42CF}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IGMP Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C2FE4508-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IP Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C2FE4500-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IPX RIP Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{90810502-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IPX Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{90810500-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IPX SAP Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{90810504-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Logical and Mapped Drives At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{6E8E0081-19CD-11D1-AD91-00AA00B8E05A}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins OSPF Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C2FE4506-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Public Key Policies At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins RAS Dialin - User Node At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Remote Access At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Removable Storage At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{243E20B0-48ED-11D2-97DA-00A024D77700}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins RIP Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{C2FE4504-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Routing At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{DAB1A262-4FD7-11D1-842C-00C04FB6C218}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Shared Folders Ext At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{58221C69-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Send Console Message At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Service Dependencies At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins SMTP Protocol At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{03f1f940-a0f2-11d0-bb77-00aa00a1eab7}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins SNMP At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{7AF60DD3-4979-11D1-8A6C-00C04FC33566}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins System Properties At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Group Policy Management At least Microsoft Windows XP Professional with SP1 or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Group Policy Object Editor At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Group Policy tab for Active Directory Tools At least Microsoft Windows 2000 Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins.  If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit diplayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this tab is displayed.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users will not have access to the Group Policy tab.      To explicitly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Group Policy tab is inaccessible.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users will have access to the Group Policy tab.      To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting is not configured (or enabled), the Group Policy tab is accessible.  When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets. HKCU\Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Resultant Set of Policy snap-in At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Administrative Templates (Computers) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Administrative Templates (Users) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Folder Redirection At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Internet Explorer Maintenance At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Remote Installation Services At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Scripts (Logon/Logoff) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Scripts (Startup/Shutdown) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Security Settings At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Software Installation (Computers) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Software Installation (Users) At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Wireless Network (IEEE 802.11) Policies At least Microsoft Windows 2000 Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Administrative Templates (Computers) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Administrative Templates (Users) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Folder Redirection At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Internet Explorer Maintenance At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Scripts (Logon/Logoff) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Scripts (Startup/Shutdown) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Security Settings At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Software Installation (Computers) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62}!Restrict_Run
USER Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Software Installation (Users) At least Microsoft Windows XP Professional or Windows Server 2003 family Permits or prohibits use of this snap-in.  If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.  If this setting is not configured, the setting of the Restrict users to the explicitly permitted list of snap-ins setting determines whether this snap-in is permitted or prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is enabled, users cannot use any snap-in except those explicitly permitted.      To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.  --  If Restrict users to the explicitly permitted list of snap-ins is disabled or not configured, users can use any snap-in except those explicitly prohibited.      To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.  When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. HKCU\Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}!Restrict_Run
USER Administrative Templates\Windows Components\Task Scheduler Hide Property Pages At least Microsoft Windows 2000 Prevents users from viewing and changing the properties of an existing task.  This setting removes the Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, users cannot change any properties of a task. They can only see the properties that appear in Detail view and in the task preview.  This setting prevents users from viewing and changing characteristics such as the program the task runs, its schedule details, idle time and power management settings, and its security context.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created tasks, use the Remove Advanced Menu setting. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
USER Administrative Templates\Windows Components\Task Scheduler Prevent Task Run or End At least Microsoft Windows 2000 Prevents users from starting and stopping tasks manually.  This setting removes the Run and End Task items from the context menu that appears when you right-click a task. As a result, users cannot start tasks manually or force tasks to end before they are finished.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
USER Administrative Templates\Windows Components\Task Scheduler Prohibit Drag-and-Drop At least Microsoft Windows 2000 Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder.  This setting disables the Cut, Copy, Paste, and Paste shortcut items on the context menu and the Edit menu in Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.  As a result, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into the Scheduled tasks folder.  This setting does not prevent users from using other methods to create new tasks, and it does not prevent users from deleting tasks.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
USER Administrative Templates\Windows Components\Task Scheduler Prohibit New Task Creation At least Microsoft Windows 2000 Prevents users from creating new tasks.  This setting removes the Add Scheduled Task item that starts the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Scheduled Tasks folder.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Important: This setting does not prevent administrators of a computer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
USER Administrative Templates\Windows Components\Task Scheduler Prohibit Task Deletion At least Microsoft Windows 2000 Prevents users from deleting tasks from the Scheduled Tasks folder.  This setting removes the Delete command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also, the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.  Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
USER Administrative Templates\Windows Components\Task Scheduler Hide Advanced Properties Checkbox in Add Scheduled Task Wizard At least Microsoft Windows 2000 This setting removes the Open advanced properties for this task when I click Finish checkbox from the last page of the Scheduled Task Wizard.  This policy is only designed to simplify task creation for beginning users.  The checkbox, when checked, instructs Task Scheduler to automatically open the newly created task's property sheet upon completion of the Add Scheduled Task wizard.  The task's property sheet allows users to change task characteristics such as: the program the task runs, details of its schedule, idle time and power management settings, and its security context.  Beginning users will often not be interested or confused by having the property sheet displayed automatically.  Note that the checkbox is not checked by default even if this setting is Disabled or Not Configured.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
USER Administrative Templates\Windows Components\Task Scheduler Prohibit Browse At least Microsoft Windows 2000 Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the scheduled program for existing tasks.  This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properties dialog box for a task. Also, users cannot edit the Run box or the Start in box that determine the program and path for a task.  As a result, when users create a task, they must select a program from the list in the Scheduled Task Wizard, which displays only the tasks that appear on the Start menu and its submenus. Once a task is created, users cannot change the program a task runs.  Important: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To prevent this action, use the Prohibit Drag-and-Drop setting.  Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
USER Administrative Templates\Windows Components\Terminal Services Start a program on connection At least Microsoft Windows XP Terminal Services Configures Terminal Services to run a specified program automatically upon connection.  You can use this setting to specify a program to run automatically when a user logs on to a remote computer.  By default, Terminal Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the Start Program settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off.  To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the terminal server connection fails with an error message.   If the status is set to Enabled, Terminal Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program.   If the status is set to Disabled or Not Configured, Terminal Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See Computer Config\Administrative templates\Windows Components\System\Logon\Run these programs at user logon setting.)   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!InitialProgram, HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WorkDirectory, HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fInheritInitialProgram
USER Administrative Templates\Windows Components\Terminal Services\Client Do not allow passwords to be saved At least Microsoft Windows XP Professional with SP2 or Windows Server 2003 family with SP1 Controls whether a user can save passwords using a Terminal Services client.  If you enable this setting the password saving checkbox in Terminal Services clients will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using the Terminal Services client and saves his settings, any password that previously existed in the RDP file will be deleted.  If you disable this setting or leave it not configured, the user will be able to save passwords using the Terminal Services client. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
USER Administrative Templates\Windows Components\Terminal Services\Sessions Set time limit for disconnected sessions At least Microsoft Windows XP Terminal Services Specifies a time limit for disconnected Terminal Services sessions.   You can use this setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session.   When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.   If the status is set to Enabled, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never.   If the status is set to Disabled or Not Configured, time limits for disconnected sessions are not specified at the Group Policy level.   Note: This setting does not apply to console sessions such as Remote Desktop sessions with computers running Windows XP Professional. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime VALUE 0, HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
USER Administrative Templates\Windows Components\Terminal Services\Sessions Sets a time limit for active Terminal Services sessions At least Microsoft Windows XP Terminal Services Specifies a time limit for active Terminal Services sessions.   You can use this setting to specify the maximum amount of time a Terminal Services session can be active before it is automatically disconnected.  To use this setting, select Enabled, and then select the desired limit in the Active session limit drop-down list. By default, Terminal Services allows sessions to remain active for an unlimited time.   If the status is set to Enabled, Terminal Services ends active sessions after the specified amount of time. The user receives a two-minute warning before the Terminal Services session ends, which allows the user to save open files and close programs.   If the status is set to Disabled or Not Configured, time limits for active sessions are not specified at the Group Policy level. However, an administrator can specify time limits for active sessions in the Terminal Services Configuration tool.   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. Active session limits do not apply to the console session. To specify user sessions to be terminated at time-out, enable the Terminate session when time limits are reached setting. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
USER Administrative Templates\Windows Components\Terminal Services\Sessions Sets a time limit for active but idle Terminal Services sessions At least Microsoft Windows XP Terminal Services Specifies a time limit for active but idle Terminal Services sessions.   You can use this setting to specify the maximum amount of time that an active session can be idle (that is, no user input) before it is automatically disconnected. By default, Terminal Services allows active sessions to remain idle for an unlimited time.   To use this setting, select Enabled, and then select the desired time limit in the Idle session limit drop-down list.   If the status is set to Enabled, active but idle sessions are automatically disconnected after the specified amount of time. The user receives a two-minute warning before the session ends, which allows the user to press a key or move the mouse to keep the session active.   If the status is set to Disabled or Not Configured, the time limit for active but idle sessions is not specified at the Group Policy level. However, an administrator can specify time limits for idle sessions in the Terminal Services Configuration tool.   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. Idle session limits do not apply to the console session. To specify that user sessions are terminated at time-out, enable the  Terminate session when time limits are reached setting. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
USER Administrative Templates\Windows Components\Terminal Services\Sessions Allow reconnection from original client only At least Microsoft Windows XP Terminal Services Specifies whether to allow users to reconnect to a disconnected Terminal Services session using a computer other than the original client computer.   You can use this setting to prevent Terminal Services users from reconnecting to the disconnected session using a computer other than the client computer from which they originally created the session. By default, Terminal Services allows users to reconnect to disconnected sessions from any client computer.   If the status is set to Enabled, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead.   If the status is set to Disabled, users can always connect to the disconnected session from any computer.   If the status is set to Not Configured, session reconnection from the original client computer is not specified at the Group Policy level.   Important: This option is only supported for Citrix ICA clients that provide a serial number when connecting; this setting is ignored if the user is connecting with a Windows client. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fReconnectSame
USER Administrative Templates\Windows Components\Terminal Services\Sessions Terminate session when time limits are reached At least Microsoft Windows XP Terminal Services Specifies whether to terminate a timed-out Terminal Services session instead of disconnecting it.   You can use this setting to direct Terminal Services to terminate a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Terminal Services disconnects sessions that reach their time limits.   Time limits are set locally by the server administrator or in Group Policy. See the Sets a time limit for active Terminal Services sessions and Sets a time limit for active but idle Terminal Services sessions settings.   If the status is set to Enabled, Terminal Services terminates any session that reaches its time-out limit.   If the status is set to Disabled, Terminal Services always disconnects a timed-out session, even if specified otherwise by the server administrator.   If the status is set to Not Configured, Terminal Services disconnects a timed-out session, unless specified otherwise in local settings.   Note: This setting only applies to time-out limits that are deliberately set (in the Terminal Services Configuration tool or Group Policy Object Editor), not to time-out events that occur due to connectivity or network conditions. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
USER Administrative Templates\Windows Components\Terminal Services Sets rules for remote control of Terminal Services user sessions At least Microsoft Windows XP Terminal Services Specifies the level of remote control permitted in a Terminal Services session. Remote control can be established with or without the session user's permission.   You can use this setting to select one of two levels of remote control: View Session permits the remote control user to watch a session, Full Control permits the remote control user to interact with the session.   If the status is set to Enabled, administrators can remotely interact with a user's Terminal Services session according to the specified rules. To set these rules, select the desired level of control and permission in the Options list. To disable remote control, select No remote control allowed.   If the status is set to Disabled or Not Configured, remote control rules are determined by the server administrator using the Terminal Services Configuration tool (tscc.msc). By default, remote control users can have full control with the session user's permission.   Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
USER Administrative Templates\Windows Components\Windows Installer Always install with elevated privileges At least Microsoft Windows 2000 Directs Windows Installer to use system permissions when it installs any program on the system.  This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.  If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.  Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.  Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. HKCU\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
USER Administrative Templates\Windows Components\Windows Installer Search order At least Microsoft Windows 2000 Specifies the order in which Windows Installer searches for installation files.  By default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).  To change the search order, enable the setting, and then type the letters representing each file source in the order that you want Windows Installer to search.:  --   n represents the network;  --   m represents media;  --   u represents URL, or the Internet.  To exclude a file source, omit or delete the letter representing that source type. HKCU\Software\Policies\Microsoft\Windows\Installer!SearchOrder
USER Administrative Templates\Windows Components\Windows Installer Prohibit rollback At least Microsoft Windows 2000 Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.  This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.  This setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this setting unless it is essential.  This setting appears in the Computer Configuration and User Configuration folders. If the setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. HKCU\Software\Policies\Microsoft\Windows\Installer!DisableRollback
USER Administrative Templates\Windows Components\Windows Installer Prevent removable media source for any install At least Microsoft Windows 2000 Prevents users from installing programs from removable media.  If a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears, stating that the feature cannot be found.  This setting applies even when the installation is running in the user's security context.  If you disable this setting or do not configure it, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.  Also, see the Enable user to use media source while elevated setting in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.  Also, see the Hide the 'Add a program from CD-ROM or floppy disk' option setting in User Configuration\Administrative Templates\Control Panel\Add or Remove Programs. HKCU\Software\Policies\Microsoft\Windows\Installer!DisableMedia
USER Administrative Templates\Windows Components\Windows Messenger Do not allow Windows Messenger to be run At least Microsoft Windows XP Professional or Windows Server 2003 family Allows you to disable Windows Messenger.  If you enable this setting, Windows Messenger will not run.  If you disable or do not configure this setting, Windows Messenger can be used.  Note: If you enable this setting, Remote Assistance also cannot use Windows Messenger.  Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence. HKCU\Software\Policies\Microsoft\Messenger\Client!PreventRun
USER Administrative Templates\Windows Components\Windows Messenger Do not automatically start Windows Messenger initially At least Microsoft Windows XP Professional or Windows Server 2003 family Windows Messenger is automatically loaded and running when a user logs on to a Windows XP computer. You can use this setting to stop Windows Messenger from automatically being run at logon.  If you enable this setting, Windows Messenger will not be loaded automatically when a user logs on.  If you disable or do not configure this setting, the Windows Messenger will be loaded automatically at logon.  Note: This setting simply prevents Windows Messenger from running intially. If the user invokes and uses Windows Messenger from that point on, Windows Messenger will be loaded.  The user can also configure this behavior on the Preferences tab on the Tools menu in the Windows Messenger user interface.  Note: If you do not want users to use Windows Messenger, enable the Do not allow Windows Messenger to run setting.  Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence. HKCU\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
USER Administrative Templates\Windows Components\Windows Update Remove access to use all Windows Update features At least Microsoft Windows XP Professional or Windows Server 2003 family This setting allows you to remove access to Windows Update.  If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate!DisableWindowsUpdateAccess
USER Administrative Templates\Windows Components\Windows Update Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box.  If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.  If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu. HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
USER Administrative Templates\Windows Components\Windows Update Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box At least Microsoft Windows XP Professional with SP2 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog.  If you enable this policy setting, the user's last shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.  If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu.  Note that this policy setting has no impact if the User Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled. HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
USER Administrative Templates\Windows Components\Windows Movie Maker Do not allow Windows Movie Maker to run At least Microsoft Windows XP Professional with SP2 Specifies whether Windows Movie Maker can run.  Windows Movie Maker is a feature of the Windows XP operating system that can be used to capture, edit, and then save video as a movie to share with others.  If you enable this setting, Windows Movie Maker will not run.  If you disable or do not configure this setting, Windows Movie Maker can be run. HKCU\Software\Policies\Microsoft\WindowsMovieMaker!MovieMaker