RE: Moving from NT4 policy to Group Policy



You are correct. The mixed environment of Group policies and System policies
is very difficult to manage. Even after applying the registry fixes you may
still run into odd things due to leftover system policy settings (these were
a mess under NT4). Things will improve as your old machines are replaced with
new or clean installs.

"SchoolTech" wrote:

As it may have been noted in other posts I made, we moved from an NT4
policy environment to WS2003 at the start of this year.

One of the challenges we are facing is inconsistent application of
policies and it seems likely this is due to conflict between the NT4
policies which are permanently applied in the registry and Group Policy
which works differently.

Sometimes the later ADM files for NT4 System Policy files will write
into the same registry area as Group Policy uses i.e. Policies subtree
which can be in two different places in the registry, including HKLM and
HKCU.

For example last year with the introduction of XP SP2 with the Windows
Firewall I obtained an ADM file for NT4 System Policy that allows the
firewall settings to be configured so we could define exceptions.

Another example is WSUS, which is all documented by MS for non-GPO
environments as to the values which need to be written in specific keys
for the computers to connect to the local updates server. These are
hardcoded values.

The WSUS group gave me advice that those hardcoded keys would need to be
removed before the GPO would take effect and so I applied a one-time
registry patch to all machines to delete the keys and this has resulted
in successful application of the GPO to the machines.

I did not do this for the Windows Firewall settings and these are still
in most cases running the old policy based on the former NT4 system
policy rather than the settings from the GPO.

The above applies to machines that were running on the previous NT4
domain environment (actually Samba). With newly set up machines with a
clean registry we are seeing that these machines are applying GPOs
consistently with for example the Windows Firewall GPO settings being
applied.

I am presuming that it will be necessary to remove all the hardcoded
Policies subkeys and values using a one-time patch and that this course
of action will allow GPOs to propagate correctly to machines so that we
have the advantage of being able to use the GPO environment across our
network in the future.
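
Before a one-time cleanup like the one discussed in this thread, a read-only inventory of the Policies subtrees shows what is actually present on a machine. The script below is an added example, not part of the original posts: it lists every value under the four standard policy locations in HKLM and HKCU and, given an export from a clean-install machine that receives the same GPOs, reports the values found only on the older machine. The parameter names, function name and output file name are assumptions made for the example.

```powershell
# Added example: read-only inventory of registry policy values.
# Parameter names and the CSV file name are hypothetical.
param(
    [string]$OutFile  = ".\policy-values-$env:COMPUTERNAME.csv",
    [string]$Baseline   # optional: CSV produced by this script on a clean install
)

# Standard locations for registry-based policy settings.
$policyRoots = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyValue {
    param([string[]]$Root)
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # The root key itself plus every subkey below it.
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = $k.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                [pscustomobject]@{
                    Key   = $k.Name                 # e.g. HKEY_LOCAL_MACHINE\Software\Policies\...
                    Value = $name                   # empty string means the key's default value
                    Kind  = $k.GetValueKind($name)
                    Data  = ($data -join ',')       # flattens binary and multi-string data
                }
            }
        }
    }
}

$report = @(Get-PolicyValue -Root $policyRoots)
$report | Export-Csv -Path $OutFile -NoTypeInformation

if ($Baseline -and $report.Count -gt 0) {
    $clean = @(Import-Csv -Path $Baseline)
    if ($clean.Count -gt 0) {
        # '=>' marks entries present here but absent from the clean machine.
        Compare-Object -ReferenceObject $clean -DifferenceObject $report -Property Key, Value |
            Where-Object SideIndicator -eq '=>' |
            Select-Object Key, Value
    }
}
```

The script only reads the registry. Values it reports as absent from the baseline are candidates for review, not proof that they came from the old system policy.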

