Brian_Blair
asked on
System Policies vs. Group Policies
Network: W2k professional workstations + 11 W2k server domain controllers. Last fall the servers were upgraded from NT4.
I inherited this setup and my experience is largely W2k.
If I type start/run/poledit the system policy editor opens up.
If I click File/Open Policy and browse to a domain controller netlogon share, there is an ntconfig.pol file which I can of course click on and see a few users and their system policies properties.
I can see all users and computers in the network in Active Directory Users and Computers.
It is my understanding that in this environment, policies from the system policy editor are ignored, right?? Group Policy is the way to restrict/manage things, right??
However..
It seems like some of the settings in system policy editor are being applied to the users in the ntconfig.pol file. How can this be???
ASKER
Thank you for your comments.
So if nothing is specifically set on the domain policy, then policies defined in the old system policy editor will be applied?
I always thought it was the local security policy defined in administrative tools on the local machine that gets applied when nothing is defined in the domain policy.
ASKER CERTIFIED SOLUTION
The Policy Hierarchy goes something like Domain Policy --> OU Group Policy --> Local Policy.
What this means is that if you SPECIFICALLY set a certain policy as "Enabled" or "Disabled", then the policy will pass on to the next one in the hierarchy. However, if you choose not to do anything with the policy, then effectively speaking, you are letting the next group decide.
For example, if you set a policy to "Disable non-Administrative shutdown of system" on the Domain level, then nobody should be able to shut down the computer unless they are Administrators. However, if you set it to "Disable", then EVERYBODY will be able to shut it down.
The part you are having trouble with, I believe, is that when nothing is set on the Domain policy, then the local policy will take over. This is by design.