Lesson 2: Windows NT and Windows 2000 Policies

This lesson recaps the mechanics of the Windows NT system policies and Windows 2000 group policies. You also examine what happens in a mixed upgraded environment consisting of Windows 2000 and Windows NT servers and workstations.

After this lesson, you will be able to

  • Explain how Windows NT and Windows 2000 system policy mechanisms differ.
  • Understand the problems associated with policies in a mixed environment.

Estimated lesson time: 25 minutes

Windows NT Policies

Windows NT policies allow administrators to tailor the environment of their users by using a program called the System Policy Editor. It is used to define the policies applied to users when they log on. For example, you can hide Network Neighborhood from the users as a policy. By default, these settings are held in the Netlogon shared folder on each server in a Windows NT network in a file called Ntconfig.pol. As shown in Figure 7.1, this file can contain settings for the user (for example, Benjy), the group (for example, finance), and the computer (for example, migkit1) that the user is logging on at.


Figure 7.1 System Policy Editor containing user, group, and computer settings

Windows 2000 Group Policy Objects

Windows 2000 has a powerful and flexible policy scheme known as group policy objects (GPOs). These look similar to the Windows NT system policies. They can be applied to the site, domain, and OU, and multiple GPOs might apply at different levels when a user logs on. Policies are applied in the following order:

  1. Ntconfig.pol. This file is used by Windows NT to implement policies. It is stored on the Netlogon share on each domain controller. In a pure Windows 2000 environment, Ntconfig.pol will cause a number of problems, as you'll see shortly. It should be migrated to a group policy object as soon as possible and applied at the appropriate level.
  2. Local Computer. These policies are set on the local computer.
  3. Site. These policies are set for the site. They tend to address the needs of the WAN links, such as network bandwidth settings.
  4. Domain. These policies are set for the domain. They tend to be security-related, such as a policy that requires all users to have a password length of seven or more characters.
  5. Organizational Unit. These policies are set for the OU containing the account. These policies are more concerned about the users and the computers in their environment. For example, these policies might determine which options are available to users on the Start menu, or whether users in an OU can see the My Computer icon on their desktops.

Barring the existence of the Ntconfig.pol file, the policy flow for Windows 2000 clients is often referred to as LSDOU (Local + Site + Domain + OU). If an Ntconfig.pol file exists and a Windows 2000 client has been enabled to use the Windows NT policy file, the policy flow becomes L4SDOU (where 4 = the NT 4 policy file). By default, Windows 2000 clients are not enabled to use Ntconfig.pol files located on Windows 2000 domain controllers.

GPO Basics

The policies can interact in many different ways. By default, policies are aggregated unless there's a conflict. When a conflict occurs, the last policy to be applied will override the settings inherited from a GPO applied to a parent or grandparent container object. This behavior can be changed by using Block Inheritance and No Override settings. Block Inheritance prevents parent container settings from being passed to the current level. No Override prevents Block Inheritance settings from being applied and enforces the inherited policy setting even if a lower GPO is in conflict. An example of when to use the No Override setting is when you need to enforce a security setting or a policy that requires efficient use of the WAN.


It is best to use Block Inheritance and No Override settings sparingly because they're difficult to trace and troubleshoot.

Remember the following points concerning GPOs:

  • GPOs are assigned to containers.
  • Avoid large numbers of GPOs at a container. As a rough guide, more than eight GPOs at an OU is a clear indication that something is wrong and the design should be revised.
  • GPO computer settings are installed at reboot for the machine.
  • GPO User settings are installed at logon for the user.
  • The user has to log on to remove a GPO.
  • GPOs are applied in full at first reboot and logon. Thereafter, settings are reapplied only if the GPO changes.

Assigning a Group Policy Object

Figure 7.2 shows the group policies for migkit.microsoft.com. The property information for a GPO is accessed from the Active Directory Users And Computers administrative tool. The GPOs Migkit Domain Controllers Policy and Migkit Domain Security Policy have been applied to the domain.

Figure 7.2 Assigning a group policy object to a domain

This assignment mechanism is similar for sites and OUs, in that their properties also have an entry for Group Policy assignment. Settings in Default Domain Controllers Policy and Default Domain Policy might conflict. In this case, the ordering of the policy objects in the list determines precedence: objects higher in the list have higher precedence, so in Figure 7.2 the settings for Default Domain Controllers Policy will override those for Default Domain Policy.

To assign a group policy object

  1. From a Windows 2000 domain controller, open Active Directory Users And Computers from the Administrative Tools menu.
  2. Right-click a container object and select Properties.
  3. From the container's Properties dialog box, click the Group Policy tab.
  4. Click New to add a GPO or select an assigned GPO, as shown in Figure 7.2, and click the Edit button.

    Now you'll see a dialog box similar to the one shown in Figure 7.3.


When a Windows 2000 client logs on, each GPO is located and applied. Therefore, you should try to limit the number of group policy objects that are used at each level.

During the Active Directory design phase, the settings to be enforced and actions to be performed by each of the GPOs will be planned. During the restructure, you'll need to create the objects and assign them according to your design. The properties of a GPO are edited using the Group Policy snap-in of the MMC.


Figure 7.3 Editing a GPO

Figure 7.3 shows a Default Domain Controllers GPO being edited. Note the wide range of options shown in Figure 7.3 that can be configured for this object. It's also possible to configure logon and logoff batch files and to control the installation of software for a particular user.

Practice: Working with Group Policies

In this practice, you examine how a Windows 2000 group policy works. Figure 7.4 shows the migkit.microsoft.com domain with group policies set on the domain and on the OUs.

In the domain shown above, a number of values have been assigned as registry keys for use in the domain. The keys have been given the names A, B, C, D, and E. At different levels in the domain, group policy objects set particular values for some of these keys; for example, in the Europe GPO the value of A is set to 41. In the Publicity GPO the values of C and E are set, but the other keys are not changed. The keys themselves could represent anything, such as A being the percentage of bandwidth allowed and B being the number of objects in a database. The important point of the practice is that you check your understanding of how GPOs work and how to ascertain the final settings for any OU. Working through the practice will also give you a better feel for why it is not a good idea to have very deep OU hierarchies with a policy assigned on each OU: this is exactly the path that your systems will have to traverse for every active user account.


Figure 7.4 Domain and OU structure and GPOs

Figure 7.4 shows five registry keys, represented as A, B, C, D, and E. The values of each registry key set by the GPOs on the objects are shown in the figure and in the following tables.

  1. Complete the table by entering in each blank cell the effective settings for these keys on each of the containers assuming normal inheritance.
    Registry Keys
    migkit.microsoft.com domain 6319625
    Europe OU 41816
    Publicity OU 731
    Press OU 9131
  2. Now block inheritance on the Europe OU and complete the table again.
    Registry Keys
    migkit.microsoft.com domain 6319 625
    Europe OU 41 816
    Publicity OU 731
    Press OU 9131
  3. Now block inheritance on the Publicity OU and complete the table again.
    Registry Keys
    migkit.microsoft.com domain 6319625
    Europe OU 41 816
    Publicity OU 7 31
    Press OU 9131
  4. Finally, block inheritance on the Press OU and complete the table once more.
    Registry Keys
    migkit.microsoft.com domain 63196 25
    Europe OU 418 16
    Publicity OU 731
    Press OU 9131
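The following model is an added example, not code from the training kit, that works through the rules this lesson states: the LSDOU (or L4SDOU) application order, the top-of-list-wins ordering within one container, Block Inheritance and No Override. It uses the container names from Figure 7.4, but every key value except the Europe GPO's A = 41 is constructed for the example and is not the figure's data. One assumption is made that the lesson does not spell out: the local computer policy and Ntconfig.pol are not links inherited from an Active Directory container, so Block Inheritance on an OU does not discard them.

```python
"""Model of how Windows 2000 resolves group policy: LSDOU order, link order
within one container, Block Inheritance and No Override.

Added example, not the training kit's code. Container names follow Figure 7.4;
all key values except Europe's A=41 are constructed.
"""

from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict              # registry key -> value; absent keys are "not configured"
    no_override: bool = False   # No Override (enforced) set on this GPO's link


@dataclass
class Scope:
    """One level of the chain: Ntconfig.pol, local computer, site, domain or OU."""
    name: str
    gpos: list = field(default_factory=list)   # Group Policy tab order: first = highest precedence
    block_inheritance: bool = False
    blockable: bool = True      # False for levels not inherited from an AD container (assumption)


def ordered_gpos(chain):
    """Return the GPOs in application order; a later GPO overrides an earlier one.

    chain runs outermost to innermost (Local, [Ntconfig.pol], Site, Domain, OU, sub-OU...).
    Rules modelled from the lesson:
      * inner scopes apply after, and therefore override, outer scopes;
      * within one scope the top GPO has the highest precedence, so the list is
        applied bottom-up;
      * Block Inheritance discards every non-enforced GPO inherited from scopes above;
      * No Override GPOs cannot be blocked and are applied after all normal GPOs,
        outermost last, so an enforced domain GPO beats an enforced OU GPO.
    """
    normal = []    # (scope, gpo) pairs, applied in list order
    enforced = []  # collected outermost-first, applied in reverse
    for scope in chain:
        if scope.block_inheritance:
            normal = [(s, g) for (s, g) in normal if not s.blockable]
        for gpo in reversed(scope.gpos):
            (enforced if gpo.no_override else normal).append((scope, gpo))
    return [g for (_, g) in normal] + [g for (_, g) in reversed(enforced)]


def effective_settings(chain, keys=("A", "B", "C", "D", "E")):
    """Final value of each key once every GPO in the chain has applied (None = never set)."""
    result = {k: None for k in keys}
    for gpo in ordered_gpos(chain):
        for key, value in gpo.settings.items():
            if key in result:
                result[key] = value
    return result


def build_chain(block_europe=False, block_publicity=False,
                enforce_domain=False, use_ntconfig=False):
    """Constructed chain: local -> [Ntconfig.pol] -> site -> domain -> Europe -> Publicity -> Press."""
    chain = [
        Scope("Local computer",
              [GPO("Local", {"A": 1, "B": 1, "C": 1, "D": 1, "E": 1})], blockable=False),
    ]
    if use_ntconfig:   # L4SDOU: the NT 4 policy file is applied between Local and Site
        chain.append(Scope("Ntconfig.pol",
                           [GPO("Ntconfig.pol", {"A": 4, "E": 4})], blockable=False))
    chain += [
        Scope("Site", [GPO("Site bandwidth", {"A": 10})]),
        Scope("migkit.microsoft.com domain", [
            GPO("Migkit Domain Security Policy", {"B": 20, "D": 20}, no_override=enforce_domain),
            GPO("Default Domain Policy", {"B": 25, "C": 25, "E": 25}),   # lower in the list
        ]),
        Scope("Europe OU", [GPO("Europe", {"A": 41})], block_inheritance=block_europe),
        Scope("Publicity OU", [GPO("Publicity", {"C": 7, "E": 31})],
              block_inheritance=block_publicity),
        Scope("Press OU", [GPO("Press", {"D": 9})]),
    ]
    return chain


if __name__ == "__main__":
    cases = [("normal inheritance", {}),
             ("Block Inheritance on Europe OU", {"block_europe": True}),
             ("same, plus No Override on Migkit Domain Security Policy",
              {"block_europe": True, "enforce_domain": True})]
    for label, kw in cases:
        print(f"{label}: effective settings at Press OU = {effective_settings(build_chain(**kw))}")
```

Run as a script it prints the effective values at the Press OU for three configurations; compare them with your own answers to the practice tables. Note how a Block Inheritance on the Europe OU wipes out the domain's B and D values, and how marking the domain security GPO No Override brings them back and makes the enforced D win over the Press OU's own setting.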

Lesson Summary

In this lesson, you learned how the Windows NT system policies, based around the Ntconfig.pol file, have been replaced in Windows 2000 by a more powerful regime based on group policy objects that are applied at multiple levels in an organization.

MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
Year: 2001
Pages: 126