In this lesson, you will examine the effect of Windows NT and Windows 2000 policies in a mixed migrated environment.
After this lesson, you will be able to
Estimated lesson time: 40 minutes
In their own environments, both Windows NT and Windows 2000 policies offer tremendous benefits in locking down (preventing users from changing) and maintaining a user's environment. However, in a migration environment, you might experience inconsistencies and your users or your help desk will need to know how to handle them.
One aspect of Windows NT system policies is that no "Undo" feature exists. Once a policy has been applied, it's difficult to reverse its effects without prior knowledge of every workstation whose registry settings were affected by the policy change. Because registry changes made by Windows NT policies are permanent, this behavior is known as tattooing.
Windows 2000 policies can be removed from Windows 2000 client systems simply by removing the relevant GPOs from the containers. Their policy settings are saved in two new special areas of the registry that don't exist in Windows NT.
Computer settings are maintained in these two registry keys:
User settings are maintained in these two registry keys:
Because Windows NT uses tattooing, if a Windows 2000 client is validated by a Windows NT server, the policies in the Ntconfig.pol file are also tattooed on the Windows 2000 client. Windows 2000 can replicate this behavior by changing the following setting found in the domain GPO policy.
Object: Domain GPO Policy
Location: Computer Configuration/Administrative Templates/System/Group Policy
Valuename: Disable System Policy
Value: 1 (default) or 0 (to enable Windows NT, Ntconfig.pol-like system policies for Windows 2000 client systems)
If you have any Ntconfig.pol-style files, they will also be applied to Windows 2000 systems, which can make troubleshooting very difficult, so use this setting sparingly.
Tattooing is an excellent feature when you want to make certain registry settings permanent. For example, you might want a logon banner to appear even when a user is validated by his or her local machine instead of by the domain. Tattooing is also useful when you want to ensure consistency between Windows NT and Windows 2000 client systems. However, tattooing is disadvantageous when you need to undo settings or change settings regularly.
How policies from Windows NT will migrate to Windows 2000 must be considered when planning the migration, because you might not want Windows NT policies to tattoo the registries of Windows 2000 clients. Consider the following five scenarios.
As shown in Figure 7.5, when a Windows NT client is authenticated by an upgraded Windows 2000 domain controller, it isn't affected by any GPOs. Instead, the settings in any migrated Ntconfig.pol files held on the upgraded Windows 2000 domain controller are applied.
Ntconfig.pol and, indeed, all the aforementioned logon scripts and any other resident files are copied from the %Systemroot%\System32\Repl\Import\Scripts folder into the new Netlogon folder, which is now the %Systemroot%\Sysvol\%Userdnsdomain%\Scripts folder (assuming you've accepted the default values for the system volume). In contrast, a Windows 2000 client will receive its settings from any GPOs set for the user and computer objects in the Active Directory of the Windows 2000 domain controller.
Figure 7.5 Policy processing for Windows NT and Windows 2000 clients when the user names are held on a Windows 2000 domain
TIP
You can find the values of %Systemroot% and %Userdnsdomain% by typing set at a command prompt.
As shown in Figure 7.6, Windows NT clients and Windows 2000 clients that log on to Windows NT domain controllers will receive their settings from the Ntconfig.pol file on the Windows NT domain controller. If an upgraded Windows 2000 domain controller is in the domain, the Windows 2000 client will try to be authenticated by the Windows 2000 domain controller and hence get its user and computer settings from the GPO mechanism instead of from the Ntconfig.pol file.
Figure 7.6 Policy processing for Windows NT and 2000 clients when the user names are held on a Windows NT domain controller
However, if for any reason the Windows 2000 client can't be authenticated by a Windows 2000 domain controller, and it was authenticated by a Windows NT domain controller, the Ntconfig.pol file settings will be permanently tattooed into the Windows 2000 client's registry. In other words, the setting from the Ntconfig.pol file will remain in the Windows 2000 registry even if a GPO is assigned that changes the effective setting. Once the GPO is removed, the setting from the Ntconfig.pol file will return because it is held in a different registry key.
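The sequence just described (an Ntconfig.pol setting that a GPO appears to override and that comes back when the GPO is removed) is easiest to understand as two different registry locations. The following is an added example, not code from the training kit: a dictionary model of those locations. The key names used are the real Windows locations for the logon banner (Windows NT system policy writes the Winlogon key directly; a Windows 2000 GPO writes the Policies\System key and cleans it up when the GPO no longer applies); the value data strings are constructed for the example.

```python
# Added example (not from the training kit): a dictionary model of why an
# Ntconfig.pol setting "returns" once the GPO that overrode it is removed.

# Real key names for the logon banner; the data written below is constructed.
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Trees that Windows 2000 Group Policy cleans up when a GPO stops applying.
# Anything a policy leaves outside these trees stays behind (tattooing).
POLICY_TREES = (
    r"HKLM\Software\Policies",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies",
    r"HKCU\Software\Policies",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies",
)


def apply_nt_system_policy(registry, key, value, data):
    """Ntconfig.pol writes straight to the application's own key. Nothing
    records that a policy put the value there, so nothing ever removes it."""
    registry.setdefault(key, {})[value] = data


def apply_gpo(registry, key, value, data):
    """A GPO setting lands under one of the Policies trees."""
    if not key.startswith(POLICY_TREES):
        raise ValueError(f"GPO settings must live under a Policies tree: {key}")
    registry.setdefault(key, {})[value] = data


def remove_gpo(registry, key, value):
    """When the GPO is removed from the container, the client deletes the
    value it wrote under the Policies tree, and only that value."""
    registry.get(key, {}).pop(value, None)


def effective(registry, policy_key, legacy_key, value):
    """Policy-aware components read the Policies key first and fall back to
    the ordinary key only when no policy value is present."""
    if value in registry.get(policy_key, {}):
        return registry[policy_key][value]
    return registry.get(legacy_key, {}).get(value)


def tattooed_values(registry):
    """Audit helper: every value sitting outside the policy trees, i.e.
    everything that removing a GPO will never clean up."""
    return {
        (key, value): data
        for key, values in registry.items()
        if not key.startswith(POLICY_TREES)
        for value, data in values.items()
    }


def banner_scenario():
    """Walk through the sequence from the text and record the caption the
    user would see after each step."""
    registry = {}
    seen = []

    def caption():
        return effective(registry, POLICY_SYSTEM_KEY, WINLOGON_KEY, "LegalNoticeCaption")

    # 1. The Windows 2000 client could not reach a Windows 2000 DC and was
    #    validated by a Windows NT DC: Ntconfig.pol tattoos the banner.
    apply_nt_system_policy(registry, WINLOGON_KEY, "LegalNoticeCaption", "NT banner")
    seen.append(("after Ntconfig.pol", caption()))

    # 2. A later logon is validated by a Windows 2000 DC whose GPO sets a new banner.
    apply_gpo(registry, POLICY_SYSTEM_KEY, "LegalNoticeCaption", "W2K banner")
    seen.append(("after GPO", caption()))

    # 3. The GPO is removed: only the Policies value goes away, so the
    #    tattooed Winlogon value is visible again.
    remove_gpo(registry, POLICY_SYSTEM_KEY, "LegalNoticeCaption")
    seen.append(("after GPO removed", caption()))

    return seen, tattooed_values(registry)


if __name__ == "__main__":
    steps, leftovers = banner_scenario()
    for step, value in steps:
        print(f"{step:20s} -> {value}")
    print("tattooed:", leftovers)
```

The `tattooed_values` helper is the check a help desk wants when a Windows 2000 client "keeps" a setting after its GPO is gone: anything reported there was written outside the Policies trees and has to be removed by hand or by an explicit counter-policy, not by unlinking a GPO.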
Figure 7.7 shows a new scenario in which a Windows NT accounts domain has been upgraded to Windows 2000. The resource domain is still a Windows NT domain with a one-way trust to the upgraded domain.
Figure 7.7 Policy processing for Windows NT and Windows 2000 clients when user accounts are held on a trusted Windows 2000 domain
If a user logs on via a Windows NT workstation in the Windows NT resource domain, the resource domain will pass through the authentication to the Windows 2000 domain holding all the user accounts. The workstation will use both the user and computer settings in the Ntconfig.pol file held on the Windows 2000 domain controller. However, if a user logs on via a Windows 2000 workstation in the Windows NT resource domain, the Windows 2000 workstation will use any GPOs set for the user from the trusted Windows 2000 domain and combine those with the computer policy settings from the Ntconfig.pol file held on the Windows NT resource domain controller (if one exists).
Figure 7.8 shows two users split across the domains. If User1 and User2 log on via the same Windows NT workstation, the workstation will have computer settings from the Ntconfig.pol file in the resource domain and settings from the Ntconfig.pol file on the accounts domain. Any policies that contain conflicts will be overwritten by whichever user's Ntconfig.pol is being used at the time of logon.
Figure 7.8 Policy processing for Windows NT clients using accounts held in both a Windows NT domain and a trusted Windows 2000 accounts domain
Figure 7.9 is the same scenario as Figure 7.8 except that now the access is from Windows 2000 clients. This scenario is discussed in Lesson 3, "Migration Environments," of Chapter 1. It is relatively stable compared to the previously discussed scenarios, which is an argument for upgrading the Windows NT workstations to Windows 2000 before upgrading any domain controllers.
Computer policies are received from the Ntconfig.pol file in the Windows NT domain. User registry settings are received from the GPOs if the user is authenticated by the Windows 2000 domain or from the Ntconfig.pol file if the Windows NT domain validates the user.
Figure 7.9 Policy processing for Windows 2000 clients when user accounts are held in both a Windows NT domain and a trusted Windows 2000 accounts domain
Figure 7.10 shows a final scenario. This scenario could represent a complete trust relationship or might be part of a multiple master domain situation in which one of the accounts domains has already been upgraded to Windows 2000. In this case, User1 is held on the Windows NT accounts domain that is awaiting upgrade.
Figure 7.10 Policy processing for Windows 2000 clients using a trusted Windows NT accounts domain
As you can see from Figure 7.10, User1 receives the user settings from the Ntconfig.pol file held on the Windows NT accounts domain (where User1's account resides), but the computer settings come from any GPOs set on the computer object in the Windows 2000 domain controller. User2's situation is simpler: because this user account is held on the Windows 2000 domain controller, all policies for the user and computer are determined by GPOs on the Windows 2000 domain controller.
As you've seen, how the policies are assigned depends on where the user is authenticated, and with roaming users this can vary from one session to the next. The scenarios become even more complicated when you consider that these examples have used pure Windows NT and Windows 2000 domains. Consider the problems if each of the domains shown contains both Windows NT and Windows 2000 domain controllers. Policy processing issues must be addressed in the migration planning process.
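The five scenarios reduce to a small set of rules: a Windows NT client takes both user and computer settings from the Ntconfig.pol on whichever domain controller validated the user, while a Windows 2000 client resolves user settings from the domain holding the account and computer settings from the workstation's own domain, using GPOs only where that domain's controller is Windows 2000. The following is an added example, not code from the training kit, that encodes those rules so that a migration planner can tabulate every workstation type and account location in one place. Domain names and the `validated_by` parameter (which models a mixed-mode domain where a Windows NT BDC answers the logon before any upgraded controller does) are constructed for the example.

```python
# Added example (not from the training kit): a decision model of the policy
# sources shown in Figures 7.5 to 7.10. Domain names are constructed.

NT = "Windows NT"
W2K = "Windows 2000"


def _ntconfig(domain):
    return f"Ntconfig.pol on {domain} DC"


def policy_sources(client_os, computer_domain, user_domain, domains, validated_by=None):
    """Return where the user and computer settings come from for one logon.

    client_os        NT or W2K, the workstation's operating system
    computer_domain  domain the workstation belongs to
    user_domain      domain holding the user account
    domains          maps domain name -> controller OS (NT or W2K)
    validated_by     OS of the controller that actually validated the logon
                     (hypothetical override, assumed here to model a mixed-mode
                     domain whose Windows NT BDC answered first); defaults to
                     the controller OS of the account's domain
    """
    user_dc = validated_by or domains[user_domain]

    if client_os == NT:
        # Windows NT clients never process GPOs. Both halves come from the
        # Ntconfig.pol on the validating controller, which after pass-through
        # authentication is in the accounts domain, even when that controller
        # is an upgraded Windows 2000 server holding a migrated Ntconfig.pol.
        src = _ntconfig(user_domain)
        return {"user": src, "computer": src, "tattoos": True}

    # Windows 2000 client: user settings follow the account's domain, computer
    # settings follow the workstation's own domain. If both are the same
    # domain, the controller that validated the logon serves both halves.
    user = f"GPOs in {user_domain}" if user_dc == W2K else _ntconfig(user_domain)
    comp_dc = user_dc if computer_domain == user_domain else domains[computer_domain]
    computer = f"GPOs in {computer_domain}" if comp_dc == W2K else _ntconfig(computer_domain)
    # Any Ntconfig.pol applied to a Windows 2000 client tattoos its registry.
    tattoos = user.startswith("Ntconfig") or computer.startswith("Ntconfig")
    return {"user": user, "computer": computer, "tattoos": tattoos}


def scenario_table():
    """Reproduce the figures in the text. Domain names are constructed:
    UPGRADED is a Windows 2000 domain, RESDOM a Windows NT resource domain,
    NTACCTS a Windows NT accounts domain awaiting upgrade."""
    domains = {"UPGRADED": W2K, "RESDOM": NT, "NTACCTS": NT}
    return {
        "7.5 NT client, upgraded domain":
            policy_sources(NT, "UPGRADED", "UPGRADED", domains),
        "7.5 W2K client, upgraded domain":
            policy_sources(W2K, "UPGRADED", "UPGRADED", domains),
        "7.6 W2K client in mixed domain validated by NT BDC":
            policy_sources(W2K, "UPGRADED", "UPGRADED", domains, validated_by=NT),
        "7.7 NT client in NT resource domain, account in upgraded domain":
            policy_sources(NT, "RESDOM", "UPGRADED", domains),
        "7.7 W2K client in NT resource domain, account in upgraded domain":
            policy_sources(W2K, "RESDOM", "UPGRADED", domains),
        "7.9 W2K client in NT domain, account in NT domain":
            policy_sources(W2K, "RESDOM", "RESDOM", domains),
        "7.10 W2K client in upgraded domain, account in NT accounts domain":
            policy_sources(W2K, "UPGRADED", "NTACCTS", domains),
    }


if __name__ == "__main__":
    for name, row in scenario_table().items():
        flag = "TATTOOS" if row["tattoos"] else "clean"
        print(f"{name}\n    user: {row['user']}\n    computer: {row['computer']}\n    {flag}")
```

Rows marked as tattooing are the ones to plan around: each is a logon path on which a Windows 2000 client picks up Ntconfig.pol settings that unlinking a GPO will not remove, so those paths are the first candidates for eliminating (by upgrading the relevant controller) or for an explicit cleanup policy.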
After an upgrade, all the users and security groups in the source domain are placed in the Users container object in the new Active Directory. You can create OUs in the upgraded domain to
Windows 2000 OUs are managed by the Active Directory Users And Computers administrative tool. In the next practice, you'll create an OU and apply a GPO to it.
In this practice, you'll create Windows NT system policy settings and Windows 2000 GPOs and verify that they work. Both MIGKIT1 and MIGKIT2 will be involved in this practice. You'll then see the effect of running the Windows NT Ntconfig.pol and Windows 2000 operating system policies in a mixed environment.
To create an Ntconfig.pol policy file on MIGKIT2
Options for the Restrict Display setting will appear in the bottom half of the dialog box.
Your screen should look like that shown in Figure 7.11.
Figure 7.11 Finance group policy settings
The user Migkitfin1 is a member of the migkit Finance group, so this policy should apply to Migkitfin1.
To create a group policy object on MIGKIT1
You will now create a group policy object and assign it to the Finance OU.
NOTE
If Migkit1 doesn't appear in the Domain Controllers OU, look for it instead in the Computers OU.
Prior to completing your upgrade analysis of policies and profiles, you might want to make your own investigations. If you have the time, experiment. To help you learn, create a table of users and workstation types and then do some or all of the following:
In this lesson, you learned about the differences between the Ntconfig.pol configuration file and GPOs. You saw that the Windows NT policy file causes tattooing on Windows NT and Windows 2000 clients if they are validated by a Windows NT domain controller. Authentication by a Windows NT controller can occur if the system is in a Windows NT resource domain with a trust relationship to a Windows 2000 domain that holds the user accounts, or if no Windows 2000 domain controllers are available at logon in a mixed-mode environment. If a Windows NT BDC authenticates the logon, the system policies based on Ntconfig.pol are applied. This can lead to problems for users, who might see different environments depending on which system authenticates their logons.