Migrating Policy-Enabled Clients from Windows NT 4.0 to Windows 2000 or Windows Server 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This section discusses behavior of Group Policy and System Policy in relation to migration to Windows 2000 or Windows Server 2003.

Windows NT 4.0 and Windows 2000 Policy Setting Comparison

Group Policy differs greatly from System Policy in Windows NT 4.0. Although Group Policy does include the functionality from Windows NT 4.0 System Policy, it also provides policy settings for scripts, software installation, security settings, Internet Explorer maintenance, folder redirection, and Remote Installation Services.

In Windows NT 4.0 (and Windows 95 and Windows 98), System Policies:

  • Are applied to domains.

  • May be further controlled by user membership in security groups.

  • Are not secure.

  • Persist in users' profiles (this is sometimes referred to as tattooing the registry), as explained earlier in this paper. This means that after a registry setting is set using Windows NT 4.0 System Policies, the setting persists until the specified policy is reversed or the user edits the registry.

  • Are limited to desktop lockdown.

In Windows 2000 and Windows Server 2003, Group Policy:

  • Represents the primary method for enabling centralized Change and Configuration Management. You can use Group Policy to manage registry-based policy, software installation options, security settings, scripts (for computer startup and shutdown, and for user logon and logoff), Internet Explorer maintenance, folder redirection, and Remote Installation Services.

  • Can be linked to sites, domains, and organizational units.

  • Affects all users and computers in the specified Active Directory container (site, domain, or organizational unit) by default.

  • May be further controlled by user or computer membership in security groups.

  • May be further controlled by use of WMI filtering.

  • Settings are secure.

  • Default policy settings do not persist in the registry.

  • Can be used for tightly managed desktop configurations and to enhance the user's computing environment.

The Windows NT 4.0 effect of persistent registry settings can be problematic when a user's group membership is changed. An advantage of Windows 2000 Group Policy is that this does not occur. When a GPO no longer applies, registry settings written to the following secure registry locations are removed:

  • HKLM\Software\Policies

  • HKLM\Software\MS\Windows\CurrentVersion\Policies

  • HKCU\Software\Policies

  • HKCU\Software\MS\Windows\CurrentVersion\Policies
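
When reviewing the registry keys that a legacy System Policy or custom template writes, it helps to separate the keys that fall under the four locations above from those that do not. The following is an added example, not code from the original documentation: it classifies registry key paths by whole path component, accepts both short and long hive names, and assumes the "MS" component in the list above stands for the key named Microsoft. The sample keys and the Contoso name are constructed.

```python
# Hive names as they appear in tools (short) and in .reg exports (long).
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKLM": "HKLM", "HKCU": "HKCU"}

# The two policy subtrees that exist under both HKLM and HKCU.
# Assumption: "MS" on the page abbreviates the "Microsoft" key.
POLICY_SUBTREES = (
    ("software", "policies"),
    ("software", "microsoft", "windows", "currentversion", "policies"),
)

def normalize(key):
    """Return (hive, lower-cased path components), or None for other hives."""
    parts = [p for p in key.strip().strip("[]").split("\\") if p]
    if not parts or parts[0].upper() not in HIVES:
        return None
    return HIVES[parts[0].upper()], tuple(p.lower() for p in parts[1:])

def is_policy_managed(key):
    """True if the key lies in one of the four locations cleaned up with the GPO."""
    norm = normalize(key)
    if norm is None:
        return False
    _, path = norm
    # Compare whole components so "Software\PoliciesBackup" does not match.
    return any(path[:len(root)] == root for root in POLICY_SUBTREES)

def audit(keys):
    """Split keys into those removed with the GPO and those outside the policy trees."""
    report = {"removed_with_gpo": [], "outside_policy_trees": []}
    for key in keys:
        bucket = "removed_with_gpo" if is_policy_managed(key) else "outside_policy_trees"
        report[bucket].append(key)
    return report

SAMPLE_KEYS = [  # constructed sample input
    r"HKCU\Software\Policies\Contoso\App",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
    r"HKLM\SOFTWARE\policies\Contoso",
    r"HKCU\Software\PoliciesBackup\Contoso",
    r"HKCU\Control Panel\Desktop",
    r"HKLM\Software\Contoso\App\Settings",
]

if __name__ == "__main__":
    for bucket, keys in audit(SAMPLE_KEYS).items():
        print(bucket, *keys, sep="\n  ")
```

Keys reported as outside the policy trees are the ones to review for persistent (tattooed) settings before migration.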

Migrating to Windows 2000 or Windows Server 2003

Migrating Windows NT 4.0-based clients and servers to Windows 2000 or Windows Server 2003 in various combinations causes different behavior for Group Policy. In a pure Windows 2000 or later environment where both the user and computer accounts are in a Windows 2000 or later domain, Windows 2000 or later clients process only Group Policy. System Policy is not processed. However, Windows 2000 or Windows XP clients can process System Policy in cases where either the user account and/or the computer account is not located in a Windows 2000 or Windows Server 2003 domain.

In many organizations it may be impractical to upgrade all Windows NT 4.0-based servers and client computers simultaneously to Windows Server 2003 and Windows XP. In this case, it is important that you know how Group Policy and Windows NT 4.0 System Policy are affected during and after the migration process. This section presents information about the effects of migration on Group Policy.

Client Computers

Group Policy applies only to computers running Windows 2000 or later. There is no mechanism to process Group Policy on clients running Windows NT 4.0, Windows 95, Windows 98, and Windows Millennium Edition.

Upgrading Computer or User Accounts from Windows NT 4.0 to Windows Server 2003

When migrating from Windows NT 4.0, it's recommended to perform a clean installation of Windows Server 2003. To facilitate a clean installation, you can use the User State Migration Tool to migrate the users' data and settings to the new installation.

For more information about migrating from Windows NT 4 System Policy, see the Windows 2000 Group Policy white paper at https://go.microsoft.com/fwlink/?linkid=203.

Using Group Policy in a Mixed Environment of Windows 2000 and Windows XP Clients

Active Directory with Windows 2000 and Windows XP Clients

This section explains issues to consider when using Group Policy in a Windows 2000 Server or Windows Server 2003 environment where some or all of the clients are running Windows XP Professional or Windows 2000.

Comparing IntelliMirror Features on Windows 2000 and Windows XP

The following tables show how IntelliMirror features compare on computers running Windows 2000 Professional and Windows XP Professional.

Comparing Clients under Windows Server 2003 Active Directory

| Feature | Supported in Windows 2000 Client | Supported in Windows XP Client |
|---|---|---|
| Group Policy | Yes | Yes |
| GPMC | No. But Windows 2000 clients can be managed with GPMC running on Windows Server 2003 | Yes |
| Local Group Policy | Yes | Yes |
| System policy | Yes | Yes |
| Roaming profiles | Yes | Yes |
| Folder redirection | Yes (No home directory redirect) | Yes |
| Software installation | Yes | Yes |
| Internet Explorer Maintenance | Yes | Yes |
| Security Settings | Yes | Yes |
| Software restriction policies | No | Yes |

Comparing Clients under Windows 2000 Active Directory

| Feature | Supported in Windows 2000 | Supported in Windows XP |
|---|---|---|
| Group Policy | Yes | Yes |
| GPMC | No. But Windows 2000 clients in a Windows 2000 domain can be managed with GPMC installed on a computer running Windows XP or a member server running Windows Server 2003. | Yes |
| Local Group Policy | Yes | Yes |
| System policy | Yes | Yes |
| Roaming profiles | Yes | Yes |
| Folder redirection | Yes (No home directory redirect) | Yes |
| Software installation | Yes | Yes |
| Internet Explorer Maintenance | Yes | Yes |
| Security Settings | Yes | Yes |
| Software restriction policies | No | Yes (via Local Group Policy Object) |

Comparing Clients Under Windows NT Server 4.0

| Feature | Supported in Windows 2000 | Supported in Windows XP |
|---|---|---|
| System policy | Yes | Yes |
| Group Policy | No | No |
| Local Group Policy | Yes | Yes |
| Roaming profiles | Yes | Yes |
| Folder redirection | No | No |
| Software installation | No | No |
| Internet Explorer Maintenance | Yes, with Internet Explorer Administration Kit (IEAK) | Yes, with IEAK. |
| Security Settings | No | No |
| Software restriction policies | No | No |

Folder Redirection and Software Installation

Because background refresh is the default behavior in Windows XP, Folder Redirection and Software Installation may require as many as three logons to apply changes.

This behavior exists because Folder Redirection and Software Installation cannot apply during an asynchronous or background application of policy. Folder Redirection can only apply when processed synchronously.

Here is a sample scenario showing how policies are applied:

  1. An administrator deploys a software package to User A.

  2. User A logs on fast and receives a background (asynchronous) application of policy.

  3. Because the policy application was asynchronous, the software that was set to be installed cannot be installed at this time. Instead the machine is tagged, indicating that software needs to be installed.

  4. The next time the user logs on, the machine instead logs on the user synchronously to allow the software package to be installed. (This is the same behavior as Windows 2000). This results in one extra logon for the software to be installed.

In the case of Advanced folder redirection, because policy is evaluated based on security group membership three logons will be required: the first logon to update the cached user object (and security group membership), the second logon for policy to detect the change in security group membership and require a foreground policy application, and the third logon to actually apply folder redirection policy in the foreground.
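
The logon counts described above can be reproduced with a small model, which is useful when estimating how long a change takes to reach Windows XP clients. This is an added example, not code from the original documentation: `XPClient`, its fields, the package name `pkg-a` and the group name `Sales` are hypothetical, and the model is a simplification of the behavior the text describes.

```python
from dataclasses import dataclass, field

@dataclass
class XPClient:
    """Simplified model of a Windows XP client that logs on asynchronously by default."""
    cached_groups: set = field(default_factory=set)  # membership cached at the last logon
    needs_sync: bool = False                          # the "tag" set in step 3 above
    installed: set = field(default_factory=set)
    redirected: bool = False

    def logon(self, directory_groups, packages=(), redirect_group=None):
        """Process one logon and return the mode used: 'sync' or 'async'."""
        mode = "sync" if self.needs_sync else "async"
        self.needs_sync = False
        # Policy is evaluated against the membership cached before this logon.
        pending_sw = set(packages) - self.installed
        pending_fr = (redirect_group in self.cached_groups) and not self.redirected
        if mode == "sync":
            # Only a synchronous (foreground) logon can install or redirect.
            self.installed |= pending_sw
            self.redirected = self.redirected or pending_fr
        elif pending_sw or pending_fr:
            self.needs_sync = True  # the next logon is processed synchronously
        # The cached user object is refreshed as part of this logon.
        self.cached_groups = set(directory_groups)
        return mode

def logons_until(done, **logon_args):
    """Count logons on a fresh client until done(client) is true."""
    client = XPClient()
    for n in range(1, 10):
        client.logon(**logon_args)
        if done(client):
            return n
    return None

def software_logons():
    """Software Installation: a package is assigned to the user."""
    return logons_until(lambda c: "pkg-a" in c.installed,
                        directory_groups=set(), packages=["pkg-a"])

def advanced_redirection_logons():
    """Advanced folder redirection after the user is added to the target group."""
    return logons_until(lambda c: c.redirected,
                        directory_groups={"Sales"}, redirect_group="Sales")

if __name__ == "__main__":
    print("software installation:", software_logons(), "logons")
    print("advanced folder redirection:", advanced_redirection_logons(), "logons")
```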

Note

When a client running Windows XP logs onto a Windows 2000 or Windows Server 2003 Active Directory, all Software Installation policy settings for Windows 2000 clients will be applied and work successfully on the Windows XP client.

Internet Explorer Maintenance

There are no changes in Internet Explorer Maintenance across Windows XP and Windows 2000.

Roaming Profiles

Users with roaming profiles can roam between Windows 2000 and Windows XP-based workstations without any changes in behavior. The new profile registry policy settings only work on Windows XP. If you apply these settings to a client running Windows 2000, they will have no effect.

Security Settings

Software Restriction Policies were introduced in Windows XP. If you apply software restriction policy to a client running Windows 2000, it will have no effect. The software restriction policy registry settings will be written to the registry, but the Windows 2000 client will not know how to interpret them.

64-bit Integration Issues

If you apply a 64-bit package to Windows 2000 or a 32-bit version of Windows XP, it will not be advertised by default; however, you can override this behavior using the 64-bit deployment options in the Application Deployment Editor (ADE). If you apply a 64-bit package to a 64-bit version of Windows XP, it will be successfully advertised.