Security·4,716 discussions

Group Policy

Locked

I run a 2000 Active directory domain, with a mix of NT 4.0/2000/XP clients. We currently have Security setup using sytem policy editor, which is used to restrict user access to PCs. Since we have started adding XP machines to the network (upgrades and new installs) i have found that some of the settings in the policy are not taking affect. I would like to use group policy, but understand it does not work in mixed mode – is there a way i can apply group poilcy to just the XP machines on the network?

(I don’t want to use local policy, as i still need admin access to the PCs)

Any help would be great

E

Topic

Reply To: Group Policy

In reply to Group Policy

Gproup policy does work in mixed mode.To apply GP to on the XP boxes, you’ll need to use Active Directory and Organizational Units (OU). I know of no other way to apply Microsoft’s GP to only a sub set of boxes. Novell does offer a directory service that will do what you want, but I’m unsure if it will work with Win 2003. Microsoft will stop active support for NT shortly, so maybe you should look into Windows 2003.

Reply To: Group Policy

In reply to Group Policy

Group Policy will work in a Mix Mode domain, and with a mixed client environment. NT 4 PC’s do not see the Active Directory Group Policy, but as you have found Win2K and WinXP can read the NTCONFIG.pol from the Netlogon share. To use group policy in this type of mixed environment, you will want to change the file name that the NT PC’s are looking for from NTCONFIG.pol to xxx.POL. Then you can set your Active Directory Group Policies to manage Win2K and WinXP. Be prepared to import the .ADM files into AD to extend the functionality. You should to reset the default behavior on both Win2K and WinXP with the built in local policy template and use group policy to manage the settings. Poledit tattoo’s a machines registry to get it’s functionality and can be difficult to remove a setting. Also the hints are against the default setting machine.

I suspect the policies that are not applying are policies that WinXP uses different registry keys to manage.

Reply To: Group Policy

In reply to Group Policy

Neutralize NT4 Emulator

You can configure computers that run Windows 2000 SP2 or Windows XP to inform the Windows 2000- and Windows Server 2003-based DCs that have NT4 emulation mode not to use NT4 emulation when they respond to requests from those computers. That is, you can neutralize NT4 emulation:
1. Start Registry Editor (Regedt32.exe).
2. Locate or create the NeutralizeNT4Emulator value under the following key in the registry:
HKLM/System/CCS/Services/Netlogon/Parameters
3. On the Edit menu, click REG_DWORD, type 0x1, and then click OK.
4. Quit Registry Editor.
Note that you do not need to configure this registry key value on the DCs because the DCs always behave as if they are configured with this key.
If your domain is in mixed mode this will work and only 2000/XP boxes will receive GPO’s as long as they are in correct OU’s to which a policy applies.

Reply To: Group Policy

In reply to Reply To: Group Policy

I have implemented this and it works fine. Once I’m finished upgrading all NT4 to XP all I have to do is to “flip” this switch on the DC.

[Author]

Replies