NT system policy applied to Win 2000 clients after 2K DC upgrade


Guest

I have upgraded the Primary domain controller from NT 4.0 to Win 2000 with AD & DNS running smoothly now (still using old NETBIOS domain name) but clients (already 2000 Pro) are still being affected by NT system policy.
I took the BDC offline prior to upgrade. I removed the NTconfig.pol file from Repl folder on the PDC prior to upgrade. I now have a new machine as a 2000 BDC and old NT BDC still offline. I cannot locate the old NTconfig.pol file on the 2000 DC and don't know why it is still being applied to clients. How can I remove it?
 

Derek Melber [MVP]

It is located in the Netlogon share of the 2k DC. That is at
c:\winnt\sysvol\sysvol\<domainname>\scripts

The old NT policies tattoo, so they are there until you remove them.

--
Derek Melber
BrainCore.Net
(e-mail address removed)
 

Derek Melber [MVP]

Here is what you need to do:

1) remove those settings from the domain GPO.
2) create an OU (you can use the one you have, named users)
3) link a NEW GPO to this OU
4) configure the GPO with the settings you had in the domain GPO
5) move all users that you want to receive the policy settings to this OU
(NOT GROUPS!!!!!)
you are done!

As for the NT policies, they will remain there until you set them to
something else. They are tattooed.

--
Derek Melber
BrainCore.Net
(e-mail address removed)
Pete said:
Thanks Derek, for the reply. However, as I mentioned, I removed the
NTConfig.pol file before the upgrade - it is not there...I just checked.
Furthermore, I configured a couple of settings on the Default Domain Policy
and they are filtering down to the users perfectly now. The only problem is,
they are filtering down to domain admins (with whom I belong) and I do not
want that (even though permission check box for domain admins for Apply
Policy is unchecked). I have created an OU called Users, but do not know how
to add those users to the OU - I get an option to move groups but not users.
Any advice?
 

Mark

Pete,

FYI, once you set a policy using the ntconfig.pol it will tattoo the
registry. If you remove the .pol file, this will not reverse the policy
settings. You will need to put the .pol file back in and reverse the
settings in the policy.


FYI on GPOs, the default permissions on policies are authenticated users
read and apply group policy. Even though your account is a domain admin it is
still an authenticated user and the policy will apply. You can move the
users you want the policy to apply to in an OU or you can simply mark the
current policy for a deny read for the domain admins.


--
Mark Ramey [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
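
Added example, not part of the original posts and not Windows code: a simplified Python model of the GPO security filtering described in the reply above, showing why unchecking Apply for Domain Admins does not exempt them while an explicit deny does. The group sets, ACL lists and the `gpo_applies` function are constructed for illustration; the deny-apply variant generalizes beyond the deny-read case named in the thread.

```python
# Simplified model of GPO security filtering (illustrative assumption, not an API).
# A GPO applies to a user only if the user's token is granted BOTH "read" and
# "apply" on the GPO, and an explicit deny on either right always wins.

READ, APPLY = "read", "apply"

def gpo_applies(token_groups, aces):
    """token_groups: set of group names in the user's logon token.
    aces: list of (group, 'allow' | 'deny', right) entries on the GPO."""
    allowed, denied = set(), set()
    for group, kind, right in aces:
        if group not in token_groups:
            continue  # entry is for a group this user is not a member of
        (denied if kind == "deny" else allowed).add(right)
    # A deny overrides any allow the user picks up through another group.
    return {READ, APPLY} <= (allowed - denied)

# Constructed sample tokens: every logged-on account, admins included,
# carries Authenticated Users.
ADMIN = {"Authenticated Users", "Domain Users", "Domain Admins"}
USER = {"Authenticated Users", "Domain Users"}

# Default-style ACL with the Apply box left unchecked for Domain Admins.
DEFAULT_ACL = [
    ("Authenticated Users", "allow", READ),
    ("Authenticated Users", "allow", APPLY),
    ("Domain Admins", "allow", READ),
]
# The deny-read approach from the reply, and a deny-apply variant.
DENY_READ_ACL = DEFAULT_ACL + [("Domain Admins", "deny", READ)]
DENY_APPLY_ACL = DEFAULT_ACL + [("Domain Admins", "deny", APPLY)]

def summary():
    """Return who receives the GPO under each ACL."""
    return {
        "admin_default": gpo_applies(ADMIN, DEFAULT_ACL),
        "admin_deny_read": gpo_applies(ADMIN, DENY_READ_ACL),
        "admin_deny_apply": gpo_applies(ADMIN, DENY_APPLY_ACL),
        "user_deny_read": gpo_applies(USER, DENY_READ_ACL),
    }

if __name__ == "__main__":
    for case, applies in summary().items():
        print(f"{case}: {'applies' if applies else 'filtered out'}")
```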





 
