NT 4.0 System Policies VS. Win2k Group Policies

November 28, 2000

Nathan Reynolds

If you used system policies in NT 4.0, things have changed quite a bit in Windows 2000. Group Policy can unlock the secrets to security, lower TCO, and a plethora of other benefits with Windows 2000. All you need to do is understand the technology and where to apply it.

Microsoft introduced system policies in NT 4.0. The System Policy Editor allowed you to configure user and computer settings that were a conglomerate of registry values. Using the System Policy Editor you could control the environment that your users received each day as they logged onto the system. Windows 2000 brings additional features and a new tool to implement them.

For starters, policies can apply to many more diverse groups in Windows 2000. Windows 2000 lets you create security groups that can have computers as well as users as members, and through the security ACLs on a policy you can apply Group Policy to exactly those groups.

Secondly, you can apply policies in a hierarchical system. With NT 4's flat domain structure, all policies were implemented in a single file, with all settings for all computers contained in that one policy. You can still do it this way in Windows 2000; however, you now have the ability to utilize the structure of Active Directory for policy application. "What does this mean?" you ask. Well, this means that you can apply one policy for security settings over an OU called Servers, which would have all of your servers in it, while implementing another policy over Workstations, perhaps prohibiting the startup of the RRAS service. The possibilities for this application are endless.

Third, policies are now stored in 2 parts. You used to have that policy file in the Netlogon share on your NT domain controllers. It's still there, but now you have a piece of it stored in Active Directory. This piece contains information about where the policy applies, to whom it applies (ACLs), and the location of the actual files with all of the policy settings. The actual policy files are stored in:

\\mydomain.com\sysvol\mydomain.com\Policies\{GUID of POLICY in the AD}

In this folder you have 2 subfolders. One is for computer settings, one is for user settings. There is also a file called GPT.INI, which contains version information for your policy.
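To make the on-disk layout above concrete, here is an added example (not from the original article) that builds a constructed copy of one policy folder under a placeholder GUID, checks for the two settings folders, and reads the version out of GPT.INI. It relies on two facts not spelled out in the article: the two folders are named Machine and User, and the single Version value in GPT.INI packs the user-side version in the high 16 bits and the computer-side version in the low 16 bits.

```python
import configparser
import os
import tempfile

# Folder names Windows 2000 uses inside each policy's SYSVOL directory
# (the article calls them the computer-settings and user-settings folders).
MACHINE_DIR = "Machine"
USER_DIR = "User"

# Constructed sample GPT.INI. Version packs the user-side version in the
# high 16 bits and the computer-side version in the low 16 bits:
# 65539 = (1 << 16) | 3, i.e. user version 1, computer version 3.
SAMPLE_GPT_INI = "[General]\nVersion=65539\ndisplayName=Sample Server Policy\n"

def parse_gpt_version(gpt_ini_text):
    """Split the combined Version value from GPT.INI into its two halves."""
    cp = configparser.ConfigParser()
    cp.read_string(gpt_ini_text)
    version = int(cp["General"]["Version"])
    return {"raw": version, "computer": version & 0xFFFF, "user": version >> 16}

def inspect_gpo_folder(gpo_path):
    """Report the structure of one policy folder: both settings folders plus GPT.INI."""
    report = {
        "has_computer_settings": os.path.isdir(os.path.join(gpo_path, MACHINE_DIR)),
        "has_user_settings": os.path.isdir(os.path.join(gpo_path, USER_DIR)),
    }
    gpt_path = os.path.join(gpo_path, "GPT.INI")
    if os.path.isfile(gpt_path):
        with open(gpt_path, encoding="ascii") as fh:
            report.update(parse_gpt_version(fh.read()))
    else:
        report["raw"] = None  # a policy folder without GPT.INI is malformed
    return report

def build_sample_gpo(base_dir, guid="{00000000-0000-0000-0000-000000000001}"):
    """Create a constructed policy folder mirroring the SYSVOL layout (placeholder GUID)."""
    gpo_path = os.path.join(base_dir, "Policies", guid)
    os.makedirs(os.path.join(gpo_path, MACHINE_DIR))
    os.makedirs(os.path.join(gpo_path, USER_DIR))
    with open(os.path.join(gpo_path, "GPT.INI"), "w", encoding="ascii") as fh:
        fh.write(SAMPLE_GPT_INI)
    return gpo_path

def demo():
    """Build the constructed folder in a temp directory and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_gpo_folder(build_sample_gpo(tmp))

if __name__ == "__main__":
    print(demo())
```

Pointing inspect_gpo_folder at a real \\domain\sysvol\domain\Policies\{GUID} folder gives the same report for a live policy.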

Policies are now replicated through the new File Replication Service (FRS), which is an entirely new rewrite of the old LMRepl. FRS is much more configurable and more fault tolerant than the NT 4.0 Replicator. FRS is also a multithreaded application, which allows it to handle multiple tasks simultaneously.

In addition, some of you remember the pain that NT 4.0 System Policies caused us when we tried to remove them. When you specified a setting in NT 4.0, that setting persisted in the registry until you explicitly changed it. This caused settings to exist beyond their useful lifetime. Windows 2000 policies no longer live past their usefulness. Windows writes them to a special portion of the registry and removes them when a policy no longer applies. The locations are:

When a policy no longer applies, Windows 2000 simply clears the registry entries placed by the policy.

Windows 2000 Group Policy functions very differently from NT 4.0 System Policies. I think you'll all agree that these were some much needed changes in order to minimize TCO on Windows based systems.