Microsoft Windows NT 4.0 manual Policy Replication, How Policies Are Applied


this change must be made individually to each workstation.

When a user of a Windows NT 4.0-based workstation logs on, if the Windows NT 4.0-based machine is working in Automatic mode (which is the default), the workstation checks the NETLOGON share on the validating domain controller (DC) for the NTconfig.pol file. If the workstation finds the file, it downloads it, parses it for the user, group, and computer policy data, and applies it if appropriate. If a user logs on to a machine that has a computer account in a resource domain, the search for the NTconfig.pol file is redirected to the validating domain controller in the account domain. In this situation, the Windows NT 4.0-based workstation has a secure communication channel established to a domain controller of the resource domain. The Windows NT-based workstation sends the user’s logon request over this communication channel, and expects a response the same way. The domain controller in the resource domain receives this request, forwards it to a domain controller in the user’s account domain, and waits for a response. Once the domain controller in the resource domain receives this response from the account domain’s DC, it returns the authentication request to the client machine, including the validating domain controller’s name from the account domain. The Windows NT-based workstation now knows where to look for the NTconfig.pol file.

Policy Replication

If you implement a System Policy file for Windows NT users and computers and you intend to use the default behavior of Windows NT, be sure that directory replication is occurring properly among all domain controllers that participate in user authentication. With Windows NT, the default behavior is for the computer to check for a policy file in the NETLOGON share of the validating domain controller. If directory replication to a domain controller fails and a Windows NT-based workstation does not find a policy file on that server, no policy will be applied and the existing settings will remain, possibly leaving the user with a nonstandard environment or more capabilities than you want that particular user to have.
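One way to check for the replication failure described above is to compare the policy file on every domain controller against a known-good copy. This is an added example, not part of the original white paper; the function names, the DC names, and the choice of one DC as the reference copy are assumptions, and local folders stand in for the NETLOGON shares.

```python
import hashlib
import tempfile
from pathlib import Path


def audit_policy_replication(netlogon_paths, reference_dc, filename="NTconfig.pol"):
    """Compare the policy file on each DC's NETLOGON share with the reference DC.

    netlogon_paths maps a DC name to the path of its NETLOGON share.
    Returns {dc: "ok" | "missing" | "mismatch"}.
    """
    digests = {}
    for dc, share in netlogon_paths.items():
        path = Path(share) / filename
        digests[dc] = (hashlib.sha256(path.read_bytes()).hexdigest()
                       if path.is_file() else None)

    reference = digests[reference_dc]
    report = {}
    for dc, digest in digests.items():
        if digest is None:
            report[dc] = "missing"    # users validated by this DC get no policy
        elif digest != reference:
            report[dc] = "mismatch"   # stale or altered copy
        else:
            report[dc] = "ok"
    return report


def demo():
    """Constructed sample: four local folders stand in for NETLOGON shares."""
    with tempfile.TemporaryDirectory() as root:
        shares = {dc: Path(root) / dc for dc in ("PDC1", "BDC1", "BDC2", "BDC3")}
        for share in shares.values():
            share.mkdir()
        (shares["PDC1"] / "NTconfig.pol").write_bytes(b"policy v2")
        (shares["BDC1"] / "NTconfig.pol").write_bytes(b"policy v2")
        (shares["BDC2"] / "NTconfig.pol").write_bytes(b"policy v1")  # stale copy
        # BDC3 gets no file: replication never delivered it.
        return audit_policy_replication(shares, "PDC1")


if __name__ == "__main__":
    for dc, status in demo().items():
        print(f"{dc}: {status}")
```

A "missing" result is the case the text warns about: a workstation validated by that domain controller applies no policy and keeps its existing settings.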

How Policies Are Applied

Once located, policies are applied as follows:

If the policy file includes settings for the specific user account, those are applied to the HKEY_CURRENT_USER registry key. Other group settings are discarded, even if the user is a member of the group, because the user settings take precedence.

If a user-specific policy is not present, and Default User settings exist, the Default User settings are applied to the HKEY_CURRENT_USER registry key.

If no user-specific settings are present, and group settings exist, the user’s group membership in each of those groups is checked. If the user is a member of one or more groups, the settings from each of the groups, starting with the lowest priority and continuing through the highest priority, are applied to the HKEY_CURRENT_USER key in the registry.
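The precedence rules above can be modeled in a few lines. This is an added example, not part of the original white paper; the policy structure, user names, group names, and setting names are constructed, and it assumes the steps run in the order listed with later writes overwriting earlier ones.

```python
def resolve_user_policy(policy, user, memberships):
    """Return (settings, sources) that would be written to HKEY_CURRENT_USER."""
    users = policy.get("users", {})
    if user in users:
        # A user-specific entry wins outright; group settings are discarded
        # even if the user belongs to those groups.
        return dict(users[user]), [f"user:{user}"]

    settings, sources = {}, []
    if "default_user" in policy:
        settings.update(policy["default_user"])
        sources.append("Default User")

    # policy["groups"] is ordered lowest priority first, so a setting from a
    # higher-priority group overwrites the same setting from a lower one.
    for group, group_settings in policy.get("groups", []):
        if group in memberships:
            settings.update(group_settings)
            sources.append(f"group:{group}")
    return settings, sources


# Constructed sample policy; names and values are illustrative only.
SAMPLE_POLICY = {
    "default_user": {"NoRun": 1, "NoFind": 0},
    "groups": [  # lowest priority first
        ("Domain Users", {"NoRun": 1, "DisableRegistryTools": 1}),
        ("Helpdesk", {"NoRun": 0}),
    ],
    "users": {"jsmith": {"NoFind": 1}},
}

if __name__ == "__main__":
    for name, groups in [("jsmith", {"Domain Users"}),
                         ("adoe", {"Domain Users", "Helpdesk"}),
                         ("guest", set())]:
        print(name, resolve_user_policy(SAMPLE_POLICY, name, groups))
```

Note the first case: because jsmith has a user-specific entry, the DisableRegistryTools restriction from Domain Users is never applied to that account.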

36 Microsoft Windows NT Server White Paper


Windows NT 4.0 specifications

Microsoft Windows NT 4.0, released on July 29, 1996, marked a significant milestone in the evolution of Microsoft's operating systems. As the successor to Windows NT 3.51, this version brought a range of enhancements and features that appealed to both enterprise users and consumers.

One of the standout characteristics of Windows NT 4.0 was its introduction of the Windows 95 user interface, which significantly improved user experience and accessibility. This graphical interface made it easier for users to navigate the operating system, transitioning from the more complex interfaces of previous NT versions. The integration of familiar elements such as the Start menu and taskbar helped bridge the gap between professional and personal computing environments.

Windows NT 4.0 was built on a robust and secure architecture. It utilized the NT kernel, which provided improved multitasking and stability compared to its predecessors. This operating system was designed to handle multiple user sessions simultaneously, making it suitable for servers as well as workstations. The inherent stability of NT 4.0 made it a favorite in enterprise environments, particularly for critical applications and systems.

Another defining feature of NT 4.0 was its support for a wide range of hardware, making it versatile across various machine configurations. It included compatibility with numerous devices and peripherals, which facilitated its adoption in diverse settings.

In addition to user interface enhancements and hardware compatibility, Windows NT 4.0 introduced powerful networking capabilities. The operating system supported TCP/IP natively, alongside NetBEUI and IPX/SPX protocols. This meant that it could seamlessly integrate into existing network environments, providing essential services for file and printer sharing, domain management, and remote access through features like Remote Access Service (RAS).

Security was another key focus area for Windows NT 4.0. Built around security principles, it employed a discretionary access control system, allowing administrators to define user permissions and manage access to resources effectively. This was particularly appealing to businesses that needed to enforce strict security policies.

Windows NT 4.0 also included improved support for backup and recovery, through the inclusion of the NT Backup utility. The operating system allowed for the creation of scheduled backups and simplified data recovery processes, enhancing data integrity and reliability.

As NT 4.0 entered its later years, it laid the groundwork for future Windows operating systems, influencing the design of later versions, particularly Windows 2000. It combined user-friendly features with enterprise-level robustness, ultimately shaping expectations for modern operating systems across various industries.