Will the effects of the old NT system policies be removed with GP?

  • Thread starter Thread starter Dave Niemeyer
  • Start date Start date
D

Dave Niemeyer

I didn't have a chance to remove the effects of the old NT system policies
on each user's local profile on each of every 250 machines we manage before
we changed from NT to 2003 AD. We're going to start researching and
applying GP next week.

Question: Will the effects of the old NT system policies on the local
registry be removed with the application of Group Policy for each and every
user at every machine that the policy applies to?

For instance: A certain user has no rights to go to START, RUN right now
on every NT and 2000 machine that pointed to the old system policies. When
we apply the GP to allow START, RUN for him, will that over-ride the
existent registry setting for him?

Sounds like a dumb question, I know, but I'm new at this...

Thanks for the help.

Dave Niemeyer
 
Dave if you have used local policies on Windows 2000/XP the domain/site
group policy(ies) will override (Proving they have been set).
 
Dave Niemeyer said:
I didn't have a chance to remove the effects of the old NT system policies
on each user's local profile on each of every 250 machines we manage before
we changed from NT to 2003 AD. We're going to start researching and
applying GP next week.

Question: Will the effects of the old NT system policies on the local
registry be removed with the application of Group Policy for each and every
user at every machine that the policy applies to?
Click to expand...

Dave,

If you have old ntconfig.pol files then these have effectively "tattooed"
the registry with their changes. If you wish to "undo" them then you need
to deploy a new ntconfig.pol file to reset them back the default values
(ideally you should have documented all the settings you make in the
ntconfig.pol file and what the original/default values were to facilitate
such an "undo").
Windows 2000/XP/2003 Group Policy does cause these problems (unless you
deploy a direct registry edit) and thus are easy to undo as a machine moves
out of scope of a GPO.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Now I think I'm getting 2 different stories from 2 different Microsoft
experts on 2 different issues:

1. If the Group policy is written to affect the same right, like "no start
run or allow start run" as the old system policy, wouldn't the GP have an
erasing effect over the system policy? Or if it indeed appears to over ride
is it just temporary because Group policies don't have permanent tattooing
effects as you mention?

2. How in the world can I do anything now in system policies anyway? People
have told me that now that I've added the machines to the AD the system
policies have NO effect. Is there a way to still have the AD but
temporarily tell the AD or the local machines not to look for any GP but use
the system policy instead, if only temporarily???? I've tried messing
with the old system policies and since the machines were moved over to AD,
the system policies have NO effect. Or is there a way to get the system
policies to have an effect again, if only for the sake of removing the old
"tatoos" on the registry?? I'd like to know a way, the only way I know of
right now is to remove the box from the domain, point the machines system
policy to a local policy like on the hard drive, have the user log in with a
policy giving him complete rights, do that for EVERY user that has a profile
on that machine, and then add that machine back onto the AD, doing that for
each of 250 machines. Sounds like a LOT of work.... Know of a better way
if I indeed have to remove the old effects of the system policies?

Dave N
 
Dave ,

1. Yes - the GPO will temporarily override the local registrty setting, for
the reason you assume.

2. You can re-enable a Windows 2000/XP machine to use the old style
ntconfig.pol file if you wish to use it to undo the previous one. See
Chapter 5 of the Windows XP Resource Kit. This is available online.
Ideally you should not use a machine in an AD that has had local policy
applied previously.
If possible a refresh of the OS would be preferred.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Dave,

Your old NT (ntconfig.pol) policies are written to the same exact registry
keys as the new AD polices. They are based on (basically) the same ADM
templates, and the OS and apps look for them in the same places regardless
of how they get there. The POL format is different and the way they are
applied is different, and the way they are removed is different, but the end
result on a per-policy basis is the same.

NT policies are written and removed on a per-policy basis. They have to be
explicitly removed or they remain, even if you delete the ntconfig.pol.

GPO Registry Policy "manages" policy in four different registry locations
(two per user/computer). It's my understanding that locations are
completely wiped out as a function of policy processing, and then policies
are applied to the clean sections. This is why registry values written
outside of the four locations are considered "preferences" - because they
"tattoo" (or get left behind even if they are no longer being applied).

This tells me that if you move your machines to AD, you will lose your
policies if you take no other action. If they were in one of these four
sections, they get wiped out by GPO Registry Policy, which is applied when
on AD by default, if only as a result of the default domain GPO. This first
happens for users as each logs on, and for the computer as it boots. This
would be easy to test and verify, just manually write a policy value for a
user then log off/on to the domain and check to see if policy was applied
and if the key is gone.

I would recommend you run a simple test to confirm they'll be gone, and if
not delete the four sections. Then reconfigure your policies in GPO(s) as
you are planning - and make sure you no longer have the ntconfig.pol out
there, just in case.

If you write all of the same polices in GPO that you had before in
ntconfig.pol , it really shouldn't matter.

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy
 
Worked beautifully. The new GPO's overwrote the old system policies just
exactly as I hoped for. I can customize or undo or redo the same exact
policy entries and the machines and users don't skip a beat. No need to
go get the old registry entries out of the systems as far as I can tell.

Now I got another question, which I'll probably post in another new message:
How do these GPO's stay in effect when you unplug the network cable. Just
for an experiment, we unplugged the network cable to a machine, shut down
and restarted, logged in as a user that had just had some unique GPO applied
to him, and we predicted that the policy would be removed, but it wasn't, it
was still applied. BUT I thought that GPO's don't "tatoo" themselves into
the registry. So how did the policies stay in effect???

Dave Niemeyer

Dave Niemeyer
 
Back
Top