This lesson recaps the mechanics of the Windows NT system policies and Windows 2000 group policies. You also examine what happens in a mixed upgraded environment consisting of Windows 2000 and Windows NT servers and workstations.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
Windows NT policies allow administrators to tailor the environment of their users by using a program called the System Policy Editor. It is used to define the policies applied to users when they log on. For example, you can hide Network Neighborhood from the users as a policy. By default, these settings are held in the Netlogon shared folder on each server in a Windows NT network in a file called Ntconfig.pol. As shown in Figure 7.1, this file can contain settings for the user (for example, Benjy), the group (for example, finance), and the computer (for example, migkit1) that the user is logging on at.
Figure 7.1 System Policy Editor containing user, group, and computer settings
Windows 2000 has a powerful and flexible policy scheme known as group policy objects (GPOs). These look similar to the Windows NT system policies. They can be applied to the site, domain, and OU, and multiple GPOs might apply at different levels when a user logs on. Policies are applied in the following order:
If no Ntconfig.pol file exists, the policy flow for Windows 2000 clients is often referred to as LSDOU mode (Local, then Site, then Domain, then OU). If an Ntconfig.pol file exists and a Windows 2000 client has been enabled to use the Windows NT policy file, the policy flow becomes L4SDOU (where 4 stands for the NT 4 policy file, applied after the local policy). By default, Windows 2000 clients are not enabled to use Ntconfig.pol files located on Windows 2000 domain controllers.
The policies can interact in many different ways. By default, the settings from all applicable GPOs are accumulated unless two of them conflict. When a conflict occurs, the policy applied last overrides the setting inherited from a GPO applied to a parent or grandparent container object. This behavior can be changed with the Block Inheritance and No Override settings. Block Inheritance, set on a container, prevents the settings of parent containers from being passed down to that level. No Override, set on a GPO link, takes precedence over Block Inheritance and enforces the inherited setting even if a GPO lower in the hierarchy conflicts with it. An example of when to use the No Override setting is when you need to enforce a security setting or a policy that requires efficient use of the WAN.
CAUTION
It is best to use Block Inheritance and No Override settings sparingly because they're difficult to trace and troubleshoot.
Remember the following points concerning GPOs:
Figure 7.2 shows the group policies for migkit.microsoft.com. The property information for a GPO is accessed from the Active Directory Users And Computers administrative tool. The GPOs Migkit Domain Controllers Policy and Migkit Domain Security Policy have been applied to the domain.
Figure 7.2 Assigning a group policy object to a domain
This assignment mechanism is similar for sites and OUs, in that their properties also have an entry for Group Policy assignment. Settings in Default Domain Controllers Policy and Default Domain Policy might conflict. In this case, the order of the policy objects in the list determines precedence. Objects higher in the list have higher precedence, so in Figure 7.2 the settings for Default Domain Controllers Policy override those for Default Domain Policy.
To assign a group policy object
Now you'll see a dialog box similar to the one shown in Figure 7.3.
NOTE
When a Windows 2000 client logs on, each GPO is located and applied. Therefore, you should try to limit the number of group policy objects that are used at each level.
During the Active Directory design phase, the settings to be enforced and actions to be performed by each of the GPOs will be planned. During the restructure, you'll need to create the objects and assign them according to your design. The properties of a GPO are edited using the Group Policy snap-in of the MMC.
Figure 7.3 Editing a GPO
Figure 7.3 shows a Default Domain Controllers GPO being edited. Note the wide range of options shown in Figure 7.3 that can be configured for this object. It's also possible to configure logon and logoff batch files and to control the installation of software for a particular user.
In this practice, you examine how a Windows 2000 group policy works. Figure 7.4 shows the migkit.microsoft.com domain with group policies set on the domain and on the OUs.
In the domain above, a number of values have been assigned to registry keys for use in the domain. The keys have been given the names A, B, C, D, and E. At different levels in the domain, group policy objects set particular values for some of these keys; for example, the Europe GPO sets the value of A to 41. The Publicity GPO sets the values of C and E but leaves the other keys unchanged. The keys themselves could represent anything, such as A being the percentage of bandwidth allowed and B being the number of objects in a database. The point of the practice is to check your understanding of how GPOs work and how to determine the final settings for any OU. Working through it will also give you a better feel for why it is not a good idea to have very deep OU hierarchies with a policy assigned to each OU: that chain of GPOs is exactly what must be processed at logon for every active user account.
Figure 7.4 Domain and OU structure and GPOs
Figure 7.4 shows five registry keys, represented as A, B, C, D, and E. The value of each registry key set by the GPO on each object is shown in the figure and in the following table.
Registry Keys | |||||
---|---|---|---|---|---|
Objects | A | B | C | D | E |
migkit.microsoft.com domain | 63 | 19 | 6 | 25 | |
Europe OU | 41 | 8 | 16 | ||
Publicity OU | 7 | 31 | |||
Press OU | 91 | 31 |
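The precedence rules described earlier (last-applied GPO wins a conflict, Block Inheritance drops inherited settings, No Override enforces a setting against lower levels) and the practice of working out an OU's final settings can both be checked with a small simulation. The following Python script is an added example, not code from the training kit or from Windows itself: it models the LSDOU chain as a list of containers and resolves the effective registry values for the Press OU. The domain's values (A=63, B=19, C=6, D=25) and Europe's A=41 come from the lesson; the other values for Europe, Publicity and Press, the Local/Site containers in the second scenario, and the key names HideNetHood and WanLimit are constructed for illustration.

```python
"""Simulate Windows 2000 group policy precedence (LSDOU) including
Block Inheritance and No Override. Added example; not Microsoft's code.
Container names, key names and most values are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class Container:
    name: str
    settings: dict = field(default_factory=dict)  # key -> value set by the GPO linked here
    no_override: bool = False        # No Override on the GPO link: wins against lower levels
    block_inheritance: bool = False  # Block Inheritance on this container: drop inherited settings


def resolve(chain):
    """chain lists containers from outermost (Local) to innermost (the user's OU).
    Returns (effective settings, container that supplied each key)."""
    effective = {}
    enforced = {}  # keys fixed by a No Override GPO above; lower levels cannot change them
    source = {}
    for c in chain:
        if c.block_inheritance:
            # Block Inheritance discards everything inherited except No Override settings.
            effective = {k: v for k, v in effective.items() if k in enforced}
            source = {k: s for k, s in source.items() if k in enforced}
        for key, value in c.settings.items():
            if key in enforced:
                continue  # the inherited No Override setting wins this conflict
            effective[key] = value  # otherwise the later (lower) GPO overrides
            source[key] = c.name
        if c.no_override:
            for key, value in c.settings.items():
                enforced.setdefault(key, value)  # a higher No Override still beats a lower one
    return effective, source


# Practice data: domain row and Europe's A=41 are from the lesson; the rest is constructed.
DOMAIN = Container("migkit.microsoft.com domain", {"A": 63, "B": 19, "C": 6, "D": 25})
EUROPE = Container("Europe OU", {"A": 41, "B": 8})
PUBLICITY = Container("Publicity OU", {"C": 7, "E": 31})  # lesson: Publicity sets only C and E
PRESS = Container("Press OU", {"A": 91, "E": 12})


def practice_press():
    """Final settings for a user in Press (domain > Europe > Publicity > Press),
    with no Block Inheritance or No Override anywhere."""
    return resolve([DOMAIN, EUROPE, PUBLICITY, PRESS])[0]


def practice_blocked_press():
    """Same chain, but Press blocks inheritance while the domain GPO is No Override:
    the domain's A-D survive the block, Press's own A=91 loses, E comes from Press."""
    domain = Container(DOMAIN.name, dict(DOMAIN.settings), no_override=True)
    press = Container(PRESS.name, dict(PRESS.settings), block_inheritance=True)
    return resolve([domain, EUROPE, PUBLICITY, press])[0]


def lsdou_example():
    """Full Local, Site, Domain, OU chain (constructed). The domain enforces a WAN
    limit with No Override, so the Finance OU's looser value is ignored."""
    chain = [
        Container("Local", {"HideNetHood": 0}),
        Container("Site Redmond", {"HideNetHood": 0}),
        Container("Domain", {"HideNetHood": 1, "WanLimit": 20}, no_override=True),
        Container("Finance OU", {"HideNetHood": 0, "WanLimit": 50}),
    ]
    return resolve(chain)


if __name__ == "__main__":
    print("Press, plain:", practice_press())
    print("Press, blocked + enforced:", practice_blocked_press())
    print("LSDOU:", lsdou_example())
```

Tracing `practice_press()` by hand is the exercise the practice asks for: A is set by the domain, Europe and Press, so Press's value wins; B comes from Europe; C and E from Publicity (E then overridden by Press); D is only set at the domain and is inherited unchanged. The `source` mapping returned by `resolve()` is the equivalent of asking, for each key, which GPO in the chain produced the value, which is exactly what becomes hard to answer when Block Inheritance and No Override are used liberally.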
In this lesson, you learned how the Windows NT system policies, based around the Ntconfig.pol file, have been replaced in Windows 2000 by a more powerful regime based on group policy objects that are applied at multiple levels in an organization.