[win2kforum] Re: Repost of order of Policies and profiles

  • From: "L.W. Kramer" <lwkramer@xxxxxxxxxx>
  • To: win2kforum@xxxxxxxxxxxxx
  • Date: Thu, 03 May 2001 11:35:16 -0700

Search for white papers on GPOs on msdn.microsoft.com.
Remember that nt4 and 9x machines behave exactly as they did before - Group 
policies do not apply to them. They use the old system policies on the 
NETLOGON share. Some exceptions to this are the IE settings which are 
picked up as if you had used the IEAK to set up IE configurations.

Also remember that "Nested" OUs (and thus hierarchical inheritance of 
GPOs) are not in effect until you switch the system to Native mode. Along 
those lines, bear in mind that the MS-recommended topology for Exchange 
2000 to support nt/9x users is to put the ex2000 box in its own CHILD 
domain in Native mode, and let it trust the parent mixed mode domain which 
can support ex5.0 boxes that do not understand distribution groups... 
pretty hokey.

For your 9x clients you MUST still use the old 'system policies' (poledit), 
and the 9x policies MUST be created on a 9x box. The only advantage to 
using a 2k server is that the Netlogon share is now part of the sysvol, as 
far as replication is concerned. This simplifies some of the admin 
nightmare, and you can more safely use %LOGONSERVER% as the path to the 
profiles if you place the profiles directory in the sysvol as well.

L.



>I posted this some time ago. Someone suggested that I post it again since I
>did not get a response and it might have been missed.
>
>
>
>From: "Robert Davis" <sniper_lt@xxxxxxxxxxx>
>Subject: [win2kforum] Order of priority between Polices and profiles
>Date: Fri, 27 Apr 2001 20:15:08 -0000
>
>
>I run a network with a win2k server connected to a 100Base-T network with 25
>win98 clients. I have set the registry of all the clients to validate user
>logons to the network with the server.
>
>I have been trying to set up group policies for my users. I followed the
>instructions at www.elkanter.net/security/security.htm. This is an
>excellent tutorial on using system policy editor written by Stacey
>Anderson-Redick.
>
>She starts by saying that you need to edit the registry of each machine to
>allow remote updates.
>
>I did that to 3 test machines.
>
>Then enable user profiles on each machine.
>
>I did that.
>
>Then she suggests creating a test user with only one setting, that is, to set
>the windows wallpaper to sandstone.bmp. Then save that to a config.pol file
>and copy it to the netlogon share of the server. This is just to test that
>the config.pol file is being copied to the registry of the client. Then log
>on as that test user to see if the wallpaper changed to sandstone.bmp.
>
>I did that.
>
>The problem is that when I logged on as that test user, the wallpaper
>changed briefly to sandstone, then changed back to the default light green
>wallpaper that I have every machine set to.
>
>I thought that maybe that user policy was being overridden by something
>else.
>
>At www.globetrotting.com/winnt.pol.html it says that the "pecking order"
>for System Policies is:
>" 1. Machine, Machine Policies can overwrite the User/Group setting"
>" 2. User, User Policies completely bypass Group policies (no precedence,
>just replacement)"
>" 3. Group..."
>" 4. All of these can override Profile Settings."
>
>Can someone tell me if this order is true?
>
>If this is true, might it be that something in the local machine registry is
>overriding the test user's policy and that is why the wallpaper is changing
>back to the light green default?
>
>I checked the local machine setting with system policy editor and there is
>no setting (check mark) for wallpaper in the local machine setting.
>
>So I am stumped.
>
>TIA. Doing this is imperative so I can keep the users of my machines from
>"customizing" the machines to their preferences and then another user in
>another class comes along and his whole setup is different from the
>teacher's machine.
>
>
>
>-----
>
>To unsubscribe, send a message to win2kforum-request@xxxxxxxxxxxxx and put 
>"unsubscribe" in the subject of the message.
>To reach the administrator(s), send a message to 
>win2kforum-admins@xxxxxxxxxxxxxx

