Sign in with
Sign up | Sign in
Your question

NT system policy applied to Win 2000 clients after 2K DC u..

Last response: in Windows 2000/NT
Share
May 13, 2004 2:11:04 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have upgraded the Primary domain controller from NT 4.0 to Win 2000 with AD & DNS running smoothly now (still using old NETBIOS domain name) but clients (already 2000 Pro) are still being affected by NT system policy.
I took the BDC offline prior to upgrade. I removed the NTconfig.pol file from Repl folder on the PDC prior to upgrade. I now have a new machine as a 2000 BDC and old NT BDC still offline. I cannot locate the old NTconfig.pol file on the 2000 DC and don't know why it is still being applied to clients. How can I remove it?
Anonymous
May 13, 2004 7:10:23 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

It is located in the Netlogon share of the 2k DC. That is at
c:\winnt\sysvol\sysvol\<domainname>\scripts

The old NT policies tattoo, so they are there until you remove them.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:B9D50335-42C7-4D3F-A8AC-A2D1D61B93DD@microsoft.com...
> I have upgraded the Primary domain controller from NT 4.0 to Win 2000 with
AD & DNS running smoothly now (still using old NETBIOS domain name) but
clients (already 2000 Pro) are still being affected by NT system policy.
> I took the BDC offline prior to upgrade. I removed the NTconfig.pol file
from Repl folder on the PDC prior to upgrade. I now have a new machine as a
2000 BDC and old NT BDC still offline. I cannot locate the old NTconfig.pol
file on the 2000 DC and don't know why it is still being applied to clients.
How can I remove it?
May 14, 2004 4:31:05 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks Derek, for the reply. However, as I mentioned, I removed the NTConfig.pol file before the upgrade - it is not there...I just checked. Furthermore, I configured a couple of settings on the Default Domain Policy and they are filtering down to the users perfectly now. The only problem is, they are filtering down to domain admins (with whom I belong) and I do not want that (even though permission check box for domain admins for Apply Policy is unchecked). I have created an OU called Users, but do not know how to add those users to the OU - I get an option to move groups but not users. Any advise?

----- Derek Melber [MVP] wrote: -----

It is located in the Netlogon share of the 2k DC. That is at
c:\winnt\sysvol\sysvol\<domainname>\scripts

The old NT policies tattoo, so they are there until you remove them.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:B9D50335-42C7-4D3F-A8AC-A2D1D61B93DD@microsoft.com...
> I have upgraded the Primary domain controller from NT 4.0 to Win 2000 with
AD & DNS running smoothly now (still using old NETBIOS domain name) but
clients (already 2000 Pro) are still being affected by NT system policy.
> I took the BDC offline prior to upgrade. I removed the NTconfig.pol file
from Repl folder on the PDC prior to upgrade. I now have a new machine as a
2000 BDC and old NT BDC still offline. I cannot locate the old NTconfig.pol
file on the 2000 DC and don't know why it is still being applied to clients.
How can I remove it?
Anonymous
May 14, 2004 11:54:03 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Here is what you need to do:

1) removet those settings from the domain GPO.
2) create an OU (you can use the one you have, named users)
3) link a NEW GPO to this OU
4) configure the GPO with the settings you had in the domain GPO
5) move all users that you want to receive the policy settings to this OU
(NOT GROUPS!!!!!)
you are done!

As for the nt policies, they will remain there until you set them to
something else. They are tattooed

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:E62DADED-0689-4E63-90D7-BAC3CC9CEA0A@microsoft.com...
> Thanks Derek, for the reply. However, as I mentioned, I removed the
NTConfig.pol file before the upgrade - it is not there...I just checked.
Furthermore, I configured a couple of settings on the Default Domain Policy
and they are filtering down to the users perfectly now. The only problem is,
they are filtering down to domain admins (with whom I belong) and I do not
want that (even though permission check box for domain admins for Apply
Policy is unchecked). I have created an OU called Users, but do not know how
to add those users to the OU - I get an option to move groups but not users.
Any advise?
>
> ----- Derek Melber [MVP] wrote: -----
>
> It is located in the Netlogon share of the 2k DC. That is at
> c:\winnt\sysvol\sysvol\<domainname>\scripts
>
> The old NT policies tattoo, so they are there until you remove them.
>
> --
> Derek Melber
> BrainCore.Net
> derekm@braincore.net
> "Pete" <anonymous@discussions.microsoft.com> wrote in message
> news:B9D50335-42C7-4D3F-A8AC-A2D1D61B93DD@microsoft.com...
> > I have upgraded the Primary domain controller from NT 4.0 to Win
2000 with
> AD & DNS running smoothly now (still using old NETBIOS domain name)
but
> clients (already 2000 Pro) are still being affected by NT system
policy.
> > I took the BDC offline prior to upgrade. I removed the NTconfig.pol
file
> from Repl folder on the PDC prior to upgrade. I now have a new
machine as a
> 2000 BDC and old NT BDC still offline. I cannot locate the old
NTconfig.pol
> file on the 2000 DC and don't know why it is still being applied to
clients.
> How can I remove it?
>
>
>
May 16, 2004 1:31:34 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Pete,

FYI, once you set a policy using the ntconfig.pol it will tatto the
registry. If you remove the .pol file, this will not reverse the policy
settings. You will need to put the .pol file back in and reverse the
settings in the policy.


FYI on GPO's, the default permissions on policies are authenticated users
read and apply group policy. Even tho your account is a domain admin it is
still an authenticated user and the policy will apply. You can move the
users you want the policy to apply to in an OU or you can simply mark the
current policy for a deny read for the domain admins.


--
Mark Ramey [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.





"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:B9D50335-42C7-4D3F-A8AC-A2D1D61B93DD@microsoft.com...
> I have upgraded the Primary domain controller from NT 4.0 to Win 2000 with
AD & DNS running smoothly now (still using old NETBIOS domain name) but
clients (already 2000 Pro) are still being affected by NT system policy.
> I took the BDC offline prior to upgrade. I removed the NTconfig.pol file
from Repl folder on the PDC prior to upgrade. I now have a new machine as a
2000 BDC and old NT BDC still offline. I cannot locate the old NTconfig.pol
file on the 2000 DC and don't know why it is still being applied to clients.
How can I remove it?
!