Defining Client Administration and Configuration Standards

Comparing Windows NT 4.0 System Policy and Windows 2000 Group Policy

In Windows NT 4.0, Microsoft introduced System Policy Editor, which was used to specify user and computer configurations that are stored in the Windows NT registry. With the System Policy Editor, you could create a system policy to control the user work environment and to enforce system configuration settings for all computers running either Windows NT 4.0 Workstation or Windows NT 4.0 Server.

There are 72 policy settings in Windows NT 4.0 (and Microsoft® Windows® 95 and Microsoft® Windows® 98). These settings are:

In Windows 2000, Group Policy settings are the administrator's primary method for enabling centralized change and configuration management. You can use Group Policy to create a specific desktop configuration for a particular group of users and computers. Customize Group Policy to accomplish this goal by using the Microsoft Management Console (MMC) Group Policy snap-in. The Group Policy snap-in replaces the Windows NT 4.0 System Policy Editor and gives you greater control over configuration settings for groups of computers and users.

With more than 100 security-related settings and more than 450 registry-based settings, Windows 2000 Group Policy provides you with a broad range of options for managing the user's computing environment. Windows 2000 Group Policy:

The Group Policy settings that you create are contained in Group Policy objects that are linked with selected Active Directory sites, domains, and OUs. Group Policy uses a document-centered approach to creating, storing, and associating policy settings. Just as Microsoft® Word stores information in .doc files, Group Policy stores settings in Group Policy objects.

In addition, you can precisely adjust your organization's use of Group Policy on computers and users by using security groups to filter Group Policy objects. This ensures faster processing of Group Policy.

Applying Windows NT 4.0 Policies to Windows 2000

Moving Windows NT 4.0–based clients and servers to Windows 2000 will alter the way your policies behave. Base your migration strategy on whether the user account objects and computer account objects are located on a Windows NT 4.0 Server–based server or on a Windows 2000 Server–based server with Active Directory. Table 23.3 assumes that there is a Windows 2000–based client. All clients that receive Windows NT 4.0 system policy obtain it from the Netlogon share of the user logon server.

Table 23.3 Expected Behaviors of Server Operating Systems

| Environment | Account Object Location | What Affects the Client |
|---|---|---|
| Pure Windows NT 4.0 | Computer: Windows NT 4.0 | At computer startup: Computer local Group Policy (only if changed). Every time the user logs on: Computer system policy. |
| | Computer refresh | Before Control-Alt-Delete: Computer local Group Policy only. After the user logs on: Computer local Group Policy and computer system policy. |
| | User: Windows NT 4.0 | When the user logs on: User system policy. If local Group Policy changes: User local Group Policy and user system policy. |
| | User refresh | User local Group Policy and user system policy. |
| Mixed (migration) | Computer: Windows NT 4.0 | At computer startup: Computer local Group Policy (only if changed). Every time the user logs on: Computer system policy. |
| | Computer refresh | Before Control-Alt-Delete: Computer local Group Policy only. After the user logs on: Computer local Group Policy and computer system policy. |
| | User: Windows 2000 | When the user logs on: Group Policy is processed after computer system policy. |
| | User refresh | User Group Policy. |
| Mixed (migration) | Computer: Windows 2000 | During system startup: Group Policy. |
| | Computer refresh | Computer Group Policy. |
| | User: Windows NT 4.0 | When the user logs on: User system policy. If local Group Policy changes: User local Group Policy and user system policy. |
| | User refresh | User local Group Policy and user system policy. |
| Windows 2000 | Computer: Windows 2000 | During computer startup and when the user logs on: Group Policy. |
| | User: Windows 2000 | |
| Without Active Directory | Local | Local Group Policy only. |


Note

When the computer account object exists in a Windows NT 4.0 domain and the user account object exists in a Windows 2000 domain, computer system policy is processed when the user logs on. This processing uses the NTConfig.pol file from the Netlogon share of the Windows 2000–based domain controller that is used to authenticate the user, rather than the Windows NT 4.0–based domain controller. It is recommended that you move out of this mixed processing mode and into a pure Windows 2000 mode as quickly as possible.

There are no options available to modify this behavior. To simplify administration in your organization, consider replacing Windows NT 4.0 system policies with Windows 2000 Group Policy as quickly as possible.
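Because system policy is read from the Netlogon share of whichever domain controller authenticates the user, a migration audit can inventory NTConfig.pol on every domain controller and compare the copies. The script below is an added example, not part of the original documentation; it assumes present-day PowerShell with the ActiveDirectory module and read access to each `\\<DC>\NETLOGON` share.

```powershell
# Added example: inventory NTConfig.pol on each domain controller's Netlogon share.
# Assumptions: ActiveDirectory module (RSAT) is installed and the caller can read
# \\<DC>\NETLOGON. An unreachable share is reported the same way as a missing file.
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $path = "\\$($dc.HostName)\NETLOGON\NTConfig.pol"
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        [pscustomobject]@{
            DomainController = $dc.HostName
            Present          = $true
            LastWriteTimeUtc = $file.LastWriteTimeUtc
            SHA256           = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    } else {
        [pscustomobject]@{
            DomainController = $dc.HostName
            Present          = $false
            LastWriteTimeUtc = $null
            SHA256           = $null
        }
    }
}

$results | Sort-Object DomainController | Format-Table -AutoSize

# Clients take the file from the DC that authenticates the user, so the copies
# must match everywhere or the applied system policy depends on the logon server.
$present  = @($results | Where-Object { $_.Present })
$distinct = @($present | Select-Object -ExpandProperty SHA256 -Unique)

if ($present.Count -eq 0) {
    Write-Output 'No NTConfig.pol found on any Netlogon share.'
} elseif ($present.Count -lt @($results).Count) {
    Write-Warning 'NTConfig.pol is present on some domain controllers but not on others.'
} elseif ($distinct.Count -gt 1) {
    Write-Warning "NTConfig.pol differs between domain controllers ($($distinct.Count) distinct copies)."
} else {
    Write-Output 'NTConfig.pol is present and identical on all domain controllers.'
}
```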

© 1985-2000 Microsoft Corporation. All rights reserved.