Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
I've already discussed how Group Policy cannot apply to Windows 9X or Windows NT clients. Group Policy applies only to Windows 2000, Windows XP, and Windows 2003 clients. However, the opposite is not true. That is, NT 4 System Policy (whose filename is NTCONFIG.POL) is perfectly valid and accepted on Windows 2000, Windows XP, and Windows 2003 Server clients. You might have occasion to use both at the same time, typically if you're in the middle of an NT 4 to Windows 2000 or Windows 2003 migration. If this happens, it's likely you'll have both Windows 2000 Group Policy and legacy NT 4 System Policy on the same network.
If you're trying to migrate from NT to Active Directory, you basically have four major cases:
- Both computer and user accounts in a Windows NT domain
- A computer account in Windows NT and a user account in an Active Directory domain
- A computer account in an Active Directory domain and a user account in Windows NT
- Both computer and user accounts in Active Directory
You could, if you wanted, have an NT 4 System Policy file (named NTCONFIG.POL) in each and every domain, whether NT 4 or Active Directory. Hopefully, you won't be taking your NTCONFIG.POL files with you when you go to Active Directory, but, if you do, you'll need to know how that factors into the final RSoP. Additionally, it's important to remember that NT 4 System Policy "tattoos" the machines it touches, meaning that even if you're eventually going to phase out NT 4 System Policy, you'll need a battle plan to specifically reverse the settings in NTCONFIG.POL so that your clients can phase out the settings.
Let's briefly examine what will happen in each of these cases, which are illustrated in Figure 3.9.
Case 1: Both computer and user accounts are contained in the Windows NT domain. When the computer starts up, it first applies any settings in the computer side of the local GPO. Next, the user logs on to the NT 4 domain and obtains the user-side settings from the NTCONFIG.POL file. If present, the user side of the local GPO applies after the NTCONFIG.POL settings. These settings are added cumulatively, except if there is a conflict. If there is a conflict, most often the NTCONFIG.POL settings win.
Case 2: The computer account is in the Windows NT domain, and the user account is in the Active Directory domain. When the computer starts up, it logs on to the NT 4 domain. If present, the computer side of the local GPO applies. When the user logs on to Active Directory, two things happen:
- The computer downloads and applies NTCONFIG.POL (from the NT 4 domain).
- The user processes GPOs normally. First, user-side local GPO settings apply, followed by the user-side Active Directory GPOs. As expected, these Active Directory GPO settings are added cumulatively to the local GPO settings, except if there is a conflict. If there is a conflict, the last-written Group Policy setting wins. If there is any NTCONFIG.POL file in the domain where the user's account is located, that old System Policy is ignored for the user.
Warning: In some circumstances, it appears that the local Windows 2000 Group Policy wins, such as when you set a background desktop image. As usual, you'll want to test to make sure that what you want is what you get when you intermix NT 4 System Policy and local GPOs.
Case 3: The computer account is in an Active Directory domain, and the user account is in the Windows NT domain. When the computer starts up, it first applies any settings in the computer side of the local GPO. Then, after the computer logs on to Active Directory, it receives the computer-side GPOs from the site, domain, and OUs. As expected, these Active Directory GPO settings are added cumulatively to the local GPO settings, except if there is a conflict. If there is a conflict, the last-written Group Policy setting wins. If there is an NTCONFIG.POL file in the domain where the computer's account is located, that old System Policy is ignored for the computer.
Upon logon, if present, the user side of the local GPO applies to the user. Then, the user downloads and applies user-side settings from the NTCONFIG.POL file on the NT domain. These settings are added cumulatively, except if there is a conflict. If there is a conflict, NTCONFIG.POL wins.
Case 4: Both computer and user accounts are in Active Directory. Most of this book is about this case. Both the computer and user apply local GPO settings first, followed by the GPOs from Active Directory: site, domain, and OUs. These Active Directory GPO settings are added to the local GPO settings, except if there is a conflict. If there is a conflict, the Active Directory GPO settings win over the local GPO settings. No System Policy (NTCONFIG.POL) is downloaded. However, clients that have been tattooed by NTCONFIG.POL will stay tattooed, and it's likely that at least some Registry entries will have to be manually scrubbed. Therefore, it's best to reverse the NTCONFIG.POL settings while you still can, before both the computer and the user accounts have been migrated. After the migration, neither the user nor the computer will read from the NTCONFIG.POL file.
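The four cases can be worked through as a small model. This is an added example, not code from the book: it derives which policy sources each side reads from where the computer and user accounts live, merges constructed sample settings, and lists what NTCONFIG.POL would tattoo. Assumptions: the setting names and values are invented, an NT-homed computer is treated as receiving NTCONFIG.POL in Case 1 as well as Case 2, and NTCONFIG.POL always wins a conflict with the local GPO (the text says "most often").

```python
# Added illustration: simplified model of the four migration cases above.
# Assumption: a strict "higher layer wins" rule; real clients can deviate
# (see the desktop-background warning), so test before relying on it.

AD_LAYERS = ["AD site GPOs", "AD domain GPOs", "AD OU GPOs"]

def layers(account_in_ad):
    """Policy sources for one side, lowest precedence first."""
    # NTCONFIG.POL is ignored for any account that lives in Active Directory.
    return ["Local GPO"] + (AD_LAYERS if account_in_ad else ["NTCONFIG.POL"])

def resolve(side_settings, account_in_ad):
    """Merge cumulatively; on conflict the higher layer wins.
    Returns {setting: (value, winning_source)}."""
    result = {}
    for source in layers(account_in_ad):
        for name, value in side_settings.get(source, {}).items():
            result[name] = (value, source)
    return result

def rsop(sample, computer_in_ad, user_in_ad):
    """Effective computer-side and user-side settings for one case."""
    return {"computer": resolve(sample["computer"], computer_in_ad),
            "user": resolve(sample["user"], user_in_ad)}

def tattooed(sample, computer_in_ad, user_in_ad):
    """Settings NTCONFIG.POL writes in this case; they stay until reversed."""
    found = []
    for side, in_ad in (("computer", computer_in_ad), ("user", user_in_ad)):
        if not in_ad:
            names = sorted(sample[side].get("NTCONFIG.POL", {}))
            found += [(side, name) for name in names]
    return found

# Constructed sample data: setting names and values are hypothetical.
SAMPLE = {
    "computer": {
        "Local GPO": {"LogonBanner": "local"},
        "NTCONFIG.POL": {"LogonBanner": "nt4", "SyncLogonScript": 1},
        "AD domain GPOs": {"LogonBanner": "ad-domain"},
    },
    "user": {
        "Local GPO": {"HideRun": 0, "Wallpaper": "local.bmp"},
        "NTCONFIG.POL": {"HideRun": 1},
        "AD OU GPOs": {"HideRun": 1, "Wallpaper": "corp.bmp"},
    },
}

if __name__ == "__main__":
    cases = [(False, False), (False, True), (True, False), (True, True)]
    for number, (comp_ad, user_ad) in enumerate(cases, 1):
        print(f"Case {number}:", rsop(SAMPLE, comp_ad, user_ad),
              "tattooed:", tattooed(SAMPLE, comp_ad, user_ad))
```

The `tattooed` list for Cases 1 through 3 is the set of settings that needs an explicit reversal before the remaining NT-homed account is migrated.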