The Domain Controller Side

  • Article

The interaction of Windows NT 4.0 System Policy and Windows 2000 Group Policy during migration is described in this section. You can assume that the client computers, meaning all computers other than the domain controllers, run either Windows 2000 Professional or Windows 2000 Server unless the contrary is specifically stated.

For a user to log on to a domain successfully, both the user and the computer must be known to the domain. You need to know what behavior to expect when computer or user accounts, or both, have not yet been upgraded from Windows NT 4.0 to Windows 2000.

Computer and User Accounts Both on Windows NT 4.0 Domain Controllers.

These accounts might be on the same or different domain controllers. There might be Windows 2000 domain controllers on the intranet as well; however, they don't handle these particular accounts. The user and computer are not in Active Directory.

System Startup

Local Group Policy for the computer is applied when the computer starts up.

User Logon

Windows NT 4.0 System Policy for the computer is applied. Then, Windows NT 4.0 System Policy for the user is applied. Then, if local Group Policy has changed since it was last applied, the following policy settings are applied: Local Group Policy for the user, followed by Windows NT 4.0 System Policy for the user.

Computer and User Accounts Both on Windows 2000 Domain Controllers

The user account and computer account are both in Active Directory. There might be Windows NT 4.0 domain controllers on the intranet as well, but they are not involved in the startup/logon negotiation because Windows 2000 clients prefer Windows 2000 domain controllers.

System Startup

Windows 2000–based computer Group Policy is applied at boot time.

User Logon

Windows 2000 user Group Policy is applied when the user logs on.

Computer is Managed in a Windows NT 4.0 Account and User is Managed in a Windows 2000 Account

The user account is in Active Directory, and the computer account is not. The computer account is managed by a Windows NT 4.0 domain controller. This is a common scenario.

System Startup

Local Group Policy for the computer is applied when the computer starts up.

User Logon

When the user logs on, the computer receives System Policy, and then the user receives all Group Policy to which the user is entitled. The user does not receive System Policy.

Upgrading the Computer Accounts

Persistent registry settings can be an issue when upgrading the computer accounts from Windows NT 4.0 to Windows 2000. While the client computer was subject to System Policy, its registry received settings outside the approved Group Policy trees, and these are not removed on the client when the domain controller is upgraded. You should look for unwanted residual effects of System Policy and take corrective steps, such as using Regini.exe, found in %systemroot%/System32/, to remove the old settings.

For example, Windows NT 4.0 has a Logon Banner policy. In Windows 2000, Logon Banner policy is handled differently, in Security Settings rather than using an Administrative Template. If you observe after upgrading the computer account that the Windows NT 4.0 Logon Banner policy is still in force, then reverse that setting on a one-time basis.

It is recommended that you avoid issues such as these by giving the client computer a freshly installed Windows 2000 operating system, rather than an upgrade. If you do this, there are no holdover Windows NT 4.0 registry settings.

User is Managed in a Windows NT 4.0 Account and Computer is Managed in a Windows 2000 Account

The computer account is in Active Directory, and the user account is not. The user account is managed by a Windows NT 4.0 domain controller.

Windows NT 4.0 resource domains (often containing computer accounts, printers, shared folders, and so on.) are often made into Windows 2000 organizational units in Active Directory. In this way, what were several Windows NT 4.0 resource domains can be handled in just one Windows 2000 domain. Because fewer computers are typically needed when upgrading resource domains in this way than when upgrading all the user accounts, this migration status is less common than the previous one.

System Startup

All Group Policy to which the computer is subject is applied to the computer when it boots.

User Logon

System Policy is applied to the user when the user logs on. If the local Group Policy object has changed since it was last processed, the following policy settings are applied: Local Group Policy for the user, followed by Windows NT 4.0 System Policy for the user. Computer System Policy is not applied.

Upgrading the User Accounts

During the time that the user accounts were managed by a Windows NT 4.0 domain controller, the client computers might have had their registries altered outside the approved Group Policy trees. When the domain controller holding the user accounts is upgraded to Windows 2000, these settings remain on the client computers unless the administrator undoes them by means of System Policy or — easier for the administrator — the client computers get fresh installations of Windows 2000.