Solved

Win2000 Group Policy and WinNT Workstations

Posted on 2002-05-03
6
395 Views
Last Modified: 2008-02-01
I have a Windows 2000 Domain with approximately 35 Windows NT 4.0 SP6 workstations.  I am trying to apply Windows 2000 Group Policy to the workstations to prevent update of Temporary Internet Files and such from being copied with the roaming profiles, however the policy is not working.

When I check the settings, it shows the Default Domain Policy is in effect, with no override, and with the settings desired.

One other point... the workstations still show a "legal notice" screen from before the domain was updated from a Win NT 4.0 domain to a Windows 2000 Active Directory.  The Win 2000 server is the only server on the domain.

Any advice?  Thanks in advance!
0
Comment
Question by:kwhitelaw
6 Comments
 
LVL 4

Expert Comment

by:EricWestbo
Comment Utility
easy way to do this roaming profile... keep the policy in place for the profile & add a policy for logoff script to delete temporary internet files, etc.  No files, no update.

as for the legal notice... does this happen at logon or prior?  could it be a local startup script?

/ew
0
 
LVL 63

Expert Comment

by:SysExpert
Comment Utility
I would also look at

By default, the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from a user's  profile. This means that these folders are not stored on the network and do not follow the user from PC to PC.

  You can exclude addition folders by ADDing the Default Domain Policy to the MMC and setting Exclude
  directories in roaming profile, by navigating through User Configuration\Administrative
  Templates\System\Logon/Logoff.

  There is no way to use this policy to include the folders that are excluded by default.

  The results of the GPO are stored in the registry at:

  HKEY_CURRENT_UsER\Software\Policies\Microsoft\Windows\System\ExcludeProfileDirs. The
  ExcludeProfileDirs value name is a REG_SZ data type, that stores the additional excluded folders in
  Folder-name[;Folder-name...] format.

  If you subsequently disable the policy, or set it to Not configured, Group Policy deletes the ExcludeProfileDirs
  value name.

  NOTE: If you add ExcludeProfileDirs, you must also add it at:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
  Objects\LocalUser\Software\Policies\Microsoft\Windows\System

---------------------
excluding folders from roaming profiles.
In Windows 2000, the default value of ExcludeProfileDirs at
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is Local
  Settings;Temporary Internet Files;History;Temp;Local Settings\Application Data\Microsoft\Outlook.

  The Exclude directories in roaming profile Group Policy at User Configuration\Administrative
  Templates\System\Logon/Logoff lets you add to the list of folders which are excluded from your roaming profile.
  The additional folders that you configure are stored in the ExcludeProfileDirs value name, as a string variable
  (REG_SZ), at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System.

  NOTE: You could reduce the number of Days to keep pages in history on the General tab of Internet Options,
  and check the Empty temporary Internet Files when browser is closed box on the Advanced tab.
3712 » Excluded profile folders are being uploaded to your Windows 2000 profile?

  Even though you have excluded some directories from your profile (tips 3868 and 3543), these excluded folders are
  uploaded to your profile when you log off?

  When Windows 2000 retrieves the ExcludeProfileDirs value, it writes the data to Ntuser.ini. If the data exceeds 260
  characters, a buffer overflow occurs and the entire string is considered to be NULL.

  To resolve the issue, limit the total length of the exclusion list to 260 characters.
-------------------------------
and


From: snirh   Date: 03/28/2001 12:39AM PST Group policy planning with screen shots
                 
      http://www.microsoft.com/WINDOWS2000/library/planning/management/groupsteps.asp

http://www.microsoft.com/WINDOWS2000/library/planning/management/groupsteps.asp
                                   http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

 Windows 2000 Group Policy White Paper
                                         http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Step by Step Guide to Managing the Group Policy Feature Set
                                         http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_zbgy.asp

"Troubleshooting Group Policy in Windows 2000"
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/support/tshootgp.asp
------------

I hope this helps !

0
 
LVL 13

Accepted Solution

by:
ocon827679 earned 200 total points
Comment Utility
I don't think that group policies will apply to Win NT or 9x machines due to registry differences.  My understanding is that you need to use the System Policy Editor to create an NTCONFIG.POL (or use the one from when the NT domain was in place) and put this file in the Netlogon share located at c:\winnt\SYSVOL\sysvol\domainname\scripts, where domainname is the FQDN.  
I'm assuming that your legal notice on the NT machines is different then the one that you have in W2K group policies??  It may have been applied during the WS build directly to the registry and since W2K group policies won't appl to Win NT machines you still see it.  Remember in NT system policies you were limited to the number of characters you could place in the policy for HKLM-Software- Microsoft- WindowsNT-Current Version-Winlogon- LegalNoticeText.  We had that problem and therefore made the notice part of the WS build process.  
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 4

Expert Comment

by:MFK
Comment Utility
ocon827679 is right 2000 policies do not apply to NT....Do as he says
0
 

Expert Comment

by:mariusk
Comment Utility
Group policies works only on win2k/xp machines.
WinNT has other type of policy that you can edit using "poledit" and templates that comes with the OS.
It's not sophisticated as gpo's, but that's what you can do on an NT.
0
 

Author Comment

by:kwhitelaw
Comment Utility
Thanks for the answer.  Nice work.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
FortiGate problem 8 72
Cisco layer 3 ring topology 1 50
Wireshark 7 52
Homegroup issues 6 34
Let’s list some of the technologies that enable smooth teleworking. 
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now