Microsoft KB Archive/258691

= Guidelines to determine how Windows NT 4.0 System Policy and Windows 2000 Group Policy settings are applied to users and to computers in mixed-mode environments =

Article ID: 258691

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q258691



INTRODUCTION
This article describes how Microsoft Windows NT 4.0 System Policy settings and Microsoft Windows 2000 Group Policy settings are applied to users and to computers in mixed-mode environments. An example of a mixed-mode environment is one where a Windows NT 4.0 user logs on to a Windows 2000-based computer that exists in a Windows NT 4.0 domain. Many different combinations of Windows 2000 and of Windows NT 4.0 users and computers can exist in Windows NT 4.0 domains and in Windows 2000 domains.



MORE INFORMATION
Several rules govern how Windows NT 4.0 System Policy settings and Windows 2000 Group Policy settings are applied in mixed-mode environments. Some of these rules are about which settings take effect when both System Policy settings and Group Policy settings affect a user or a computer. Generally, the policy settings that are applied depend on where the user account or the computer account exists, although there are exceptions. Typically, if the user account or the computer account is in a Windows NT 4.0 domain, Windows NT 4.0 System Policy settings are applied. If the user account or the computer account is in a Windows 2000 domain, Windows 2000 Group Policy settings are applied. Sometimes, both the System Policy settings and the Group Policy settings are applied, and sometimes none of them are applied. Note the following rules:  When Windows NT 4.0 System Policy settings and Windows 2000 Group Policy settings both affect a user or a computer, System Policy settings are applied first. Policy settings in the local Group Policy object (GPO), the site GPOs, the domain GPOs, and the organizational unit (OU) GPOs are applied second. Because Group Policy settings are applied last, Group Policy settings take effect if there are conflicts with System Policy settings. System Policy settings are applied to a Windows 2000-based computer that is a member of a Windows NT 4.0 domain. System Policy settings never affect a Windows 2000 user if the user logs on to a Windows 2000-based computer. System Policy settings may be applied to a Windows 2000 user when both of the following conditions are true:  The user logs on to a Window NT 4.0-based computer. An Ntconfig.pol file is available in the Netlogon share of the domain controllers in the account domain.</ul> </li> Group Policy settings are never applied to a Windows NT 4.0-based computer, even if the Windows NT 4.0-based computer is a member of a Windows 2000 domain.</li> A local GPO never affects a Windows NT 4.0-based computer because a local GPO is not available in Windows NT 4.0.</li> The local GPO is always applied to a Windows 2000-based computer, regardless of whether the computer is a member of a Windows NT 4.0 domain or a Windows 2000 domain.</li> Group Policy settings in site GPOs, in domain GPOs, and in OU GPOs never affect a Windows NT 4.0 user.</li> Cached policy settings are applied to a Windows 2000 user or to a Windows 2000-based computer if both of the following conditions are true: <ul> The user or the computer received Group Policy settings in the past.</li> A Windows 2000 domain controller is currently unavailable.</li></ul>

For example, suppose that a mixed-mode domain contains Windows 2000 domain controllers and Windows NT 4.0 backup domain controllers (BDCs). A computer that is running Microsoft Windows 2000 Professional in the domain typically receives Group Policy settings from a Windows 2000 domain controller. Suppose that all the Windows 2000 domain controllers are offline at the same time. Therefore, no Windows 2000 domain controllers are available to supply Group Policy settings. The only domain controllers that are available are Windows NT 4.0 BDCs. In this scenario, Group Policy settings for cached sites, for domains, and for OUs are applied to the Windows 2000 user and to the Windows 2000 Professional-based computer, together with the local GPO.</li></ul>

Sample scenarios
The following table lists eight mixed-mode scenarios and the resultant policy settings.

Note In the following table, &quot;trust&quot; indicates that an established trust relationship exists between a Windows NT 4.0 domain and a Windows 2000 domain, &quot;L&quot; refers to the local GPO, and &quot;LSDOU&quot; refers to the local GPO, the site GPOs, the domain GPOs, and the OU GPOs.

The following scenarios assume that you have neither configured System Policy settings nor have saved the Ntconfig.pol file to the Netlogon share of a Windows 2000 domain controller. If you have done so, System Policy settings may be applied to both the user and the computer when a user logs on to a Windows NT 4.0-based computer that is in a Windows 2000 domain. ==== Scenario 1: Windows NT 4.0 user account, Windows NT 4.0 computer account, Windows NT 4.0 domain

(Pure Windows NT 4.0 domain) ====


 * System Policy settings are applied to both the user and the computer.
 * Because this is a pure Windows NT 4.0 domain, GPOs do not affect the user or the computer.

==== Scenario 2: Windows NT 4.0 user account, Windows NT 4.0 computer account, Windows 2000 native-mode domain

(Established trust between Windows NT 4.0 and Windows 2000 domain) ====


 * System Policy settings are applied to the user because the user has a Windows NT 4.0 account in the trusted Windows NT 4.0 domain.
 * A local GPO does not affect the user because the computer is a Windows NT 4.0-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the user because the user account is a Windows NT 4.0 user account.
 * System Policy settings do not affect the computer because the computer is a Windows NT 4.0-based computer in a Windows 2000 domain.
 * A local GPO does not affect the computer because the computer is a Windows NT 4.0-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the computer because Group Policy settings never affect a Windows NT 4.0-based computer.

Scenario 3: Windows NT 4.0 user account, Windows 2000-based computer account, Windows NT 4.0 domain

 * System Policy settings are applied to the user because the user account is a Windows NT 4.0 account in a Windows NT 4.0 domain.
 * The local GPO is applied to the user because the computer is a Windows 2000-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the user because the user account is a Windows NT 4.0 account in a Windows NT 4.0 domain.
 * System Policy settings are applied to the computer because the computer account is in a Windows NT 4.0 domain, and System Policy settings apply to Windows 2000-based computers.
 * The local GPO is applied to the computer because it is a Windows 2000-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the computer because the computer account is in a Windows NT 4.0 domain.

==== Scenario 4: Windows NT 4.0 user account, Windows 2000-based computer account, Windows 2000 native-mode domain

(Established trust between Windows NT 4.0 and Windows 2000 domain) ====


 * System Policy settings are applied to the user because the user account is in a trusted Windows NT 4.0 domain.
 * The local GPO is applied to the user because the user account is on a Windows 2000-based computer.
 * Site GPOs, domain GPOs, and OU GPOs are not applied to the user because the user account is in a trusted Windows NT 4.0 domain.
 * System Policy settings do not affect the computer because the computer account is not in a Windows NT 4.0 domain.
 * The local GPO is applied to the computer because it is a Windows 2000-based computer.
 * Site GPOs, domain GPOs, and OU GPOs are applied to the computer because the computer account is in a Windows 2000 domain.

==== Scenario 5: Windows 2000 user account, Windows NT 4.0 computer account, Windows NT 4.0 domain

(Established trust between Windows NT 4.0 and Windows 2000 domain) ====


 * System Policy settings do not affect the user because the user account is a Windows 2000 domain account.

Note This scenario assumes that you have not saved an Ntconfig.pol file to the Netlogon share of a Windows 2000 domain controller.
 * A local GPO does not affect the user because the computer is a Windows NT 4.0-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the user account because although the user account is in a Windows 2000 domain, the Windows NT 4.0 operating system does not recognize Group Policy settings in these GPOs. Therefore, the settings cannot be applied.
 * System Policy settings are applied to the computer because the computer account is in a Windows NT 4.0 domain.
 * The local GPO, site GPOs, domain GPOs, and OU GPOs do not affect the computer because it is a Windows NT 4.0-based computer in a Windows NT 4.0 domain.

Scenario 6: Windows 2000 user account, Windows NT 4.0 computer account, Windows 2000 native-mode domain

 * System Policy settings do not affect the user because the user account is in a Windows 2000 domain.
 * A local GPO does not affect the user because the computer is a Windows NT 4.0-based computer.
 * Site GPOs, domain GPOs, and OU GPOs settings are not applied to the user because, although the user account is in a Windows 2000 domain, the Windows NT 4.0 operating system does not recognize Group Policy settings in these GPOs. Therefore, the settings cannot be applied.
 * System Policy settings do not affect the computer because no Windows NT 4.0 domain controller exists to provide the policy settings.
 * A local GPO does not affect the computer because it is a Windows NT 4.0-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the computer because Group Policy settings in these GPOs never apply to a Windows NT 4.0-based computer.

==== Scenario 7: Windows 2000 user account, Windows 2000-based computer account, Windows NT 4.0 domain

(Established trust between Windows NT 4.0 and Windows 2000 domain) ====


 * System Policy settings do not affect the user because the user account is not in a Windows NT 4.0 domain.
 * The local GPO is applied to the user because the computer account is a Windows 2000-based computer account.
 * Site GPOs, domain GPOs, and OU GPOs are applied to the user from the trusted Windows 2000 domain that the user is a member of.
 * System Policy settings are applied to the computer because the computer account is in a Windows NT 4.0 domain.
 * The local GPO is applied to the computer because the computer account is a Windows 2000-based computer.
 * Site GPOs, domain GPOs, and OU GPOs do not affect the computer because the computer account is in a Windows NT 4.0 domain.

==== Scenario 8: Windows 2000 user account, Windows 2000-based computer account, Windows 2000 native-mode domain

(Pure Windows 2000 domain) ====


 * System Policy settings do not affect the user or the computer.
 * The local GPO, site GPOs, domain GPOs, and OU GPOs are applied to both the user and the computer.

<div class="moreinformation_section">

MORE INFORMATION
For additional information about policy setting behavior in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

253672 Expected System and Group Policy behavior with Windows 2000 clients

For additional information about System Policy settings in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

318753 How to create a System Policy setting in Windows 2000

Keywords: kbpubtypekc kbinfo KB258691

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.