[THIN] Re: POLEDIT policy in an Active Directory

  • From: Frank Monroe <Frank.Monroe@xxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Wed, 17 Jul 2002 07:20:00 -0400

Yes.  Because your terminal server is Windows 2000 and its computer account
is in a Windows 2000 domain, it will get its machine policy at boot up from
the Windows 2000 AD.  Since the user is in Windows 2000 as well, the users
will get their policy from AD and not from the downlevel policy file.

-----Original Message-----
From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
Sent: Wednesday, July 17, 2002 7:18 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: POLEDIT policy in an Active Directory


Ah, so you are saying that, because my Terminal Server is in the 2000
domain, it will get it's machine policy from Group Policy, and because the
user accounts are in the 2000 domain (same domain) it will only get its user
policy from Group Policy as well?

Just trying to understand you correctly, that's all.

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 

-----Original Message-----
From: Frank Monroe [mailto:Frank.Monroe@xxxxxxxxxxx]
Sent: Tuesday, July 16, 2002 6:02 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: POLEDIT policy in an Active Directory


I believe this article is in error.  And I have also discussed this with MS
before and they agree.  Native mode does not change the way policies are
applied.

With that said, Windows 2000 clients apply policies based on the what type
of domain the authenticating account is in.  In other words, if the NT 4.0
primary domain controller that holds the computer account (not the user
account) has been upgraded to Windows 2000, the system's machine policies
are processed by AD.  If the USER account's primary domain controller was
upgraded to Windows 2000 than AD will be used there as well.

-----Original Message-----
From: Ryan Gorman [mailto:Ryan@xxxxxxxxxxxxxx]
Sent: Tuesday, July 16, 2002 1:46 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: POLEDIT policy in an Active Directory


I can't see me previous post about "did you change your AD mode to Native"
just yet but check the last line of the following extract (I've posted this
before - it's a good document)


<extract>

How Policies Apply to Clients with Different Operating Systems
If you have a Windows NT 4.0 client in a workgroup or a domain, the only
policies that can apply are downlevel Windows NT 4.0 policy (POL) file
policies. 

If you have a standalone Windows 2000 client or member server, policies are
evaluated in the following order: 

Downlevel Windows NT 4.0 policy (POL) file 
Windows 2000 local GPO 
If you have a Windows 2000 client or member server in a mixed-mode domain,
policies are evaluated in the following order: 

Downlevel Windows NT 4.0 policy (POL) file 
Windows 2000 local GPO 
Site GPOs in priority order 
Domain GPOs in priority order 
Organizational Unit GPOs in priority order, applied in a hierarchical
fashion down the tree ending with the Organizational Unit that the computer
or user resides in 
As this extends the LSDOU process to include Windows NT 4.0 system policies,
this process is commonly written as 4LSDOU. 

If you have a Windows 2000 client or member server in a native-mode domain,
policies are evaluated in LSDOU order. 
</extract>

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechn
ol/windows2000serv/maintain/gpo.asp

Ryan, not even a MCP but NT since 1996

-----Original Message-----
From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx] 
Sent: 16 July 2002 14:56
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] POLEDIT policy in an Active Directory


I am pulling my hair out here...

I had an NT4 domain.  My Win2K terminal server was happily pulling a unique
policy file from my file server, from a non-NETLOGON share.

Upgrade the NT4 domain to Active Directory...

Now it appears that the policy files in this unique location are not being
applied.  I double checked the NetworkPath and UpdateMode entries in the
registry, and they still point to the correct location, and UpdateMode is
still 2 (manual update).  But the policy is not being applied.

I turned on auditing on the folder where the policy file lives, and there
aren't even any failed Object Access audits; it is just ignoring the
registry settings completely!

Frankly, I intend to replace these with Group Policy, but wanted to do so
carefully, so I wanted to continue with my "Tried and tested" .POL files for
now.  Anyone have any suggestions?

BTW, I have not modified the default domain policy at all, and this TS is
currently in the "Computers" OU, with no special GPO's applied.  Vanilla
Active Directory install...

Thanks in advance,

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________



===================================
This weeks Sponsor:
triCerat, Inc
ScrewDrivers fxp: Self Configuring Printer Driver with Bandwidth Control
Learn more at:
http://www.tricerat.com/?page=products&product=sdfxp

===================================
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm



===================================
This weeks Sponsor:
triCerat, Inc
ScrewDrivers fxp: Self Configuring Printer Driver with Bandwidth Control
Learn more at:
http://www.tricerat.com/?page=products&product=sdfxp

===================================
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm



===================================
This weeks Sponsor:
triCerat, Inc
ScrewDrivers fxp: Self Configuring Printer Driver with Bandwidth Control
Learn more at:
http://www.tricerat.com/?page=products&product=sdfxp

===================================
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm



===================================
This weeks Sponsor:
triCerat, Inc
ScrewDrivers fxp: Self Configuring Printer Driver with Bandwidth Control
Learn more at:
http://www.tricerat.com/?page=products&product=sdfxp

===================================
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm

Other related posts: