Group policies without Active Directory, part 2

Follow this procedure to replicate local machine policies to standardize Win2k machines without AD.

This tip was submitted to the searchWin2000 Tip Exchange by member Douglas Palmer.


When rolling out new W2K machines in a mixed, non-native mode environment, you may have configured some computer/group policies on one initial desktop and now want to 'replicate' them to each computer. The 'Group policies without Active Directory' tip suggested that you use the old NT4 Policy Editor to install some of the older carryover settings, but many W2K settings are not configurable using this method. You've tried secedit, but it's only for security-based templates, not local user/computer templates.

You've tried Sysdiff, but since W2K policies do not 'tattoo' the registry as NT4 does, the policies are still not engaged.

To replicate local machine policies and standardize W2K machines without AD, you need to dig deeper. First, you need to see ALL the system folders and files. Open My Computer and go to the 'Tools' menu. Choose 'Folder Options', then click the 'View' tab. Click the radio button next to 'Show all files and folders' and uncheck the box next to 'Hide protected operating system files', answering 'Yes' to the Windows prompt. Now you're ready.

Go to 'Run' in the Start Menu, type 'MMC', then press Enter. When the Management console appears, go to 'Console' in the Menu Toolbar and choose 'Add/Remove snap-in...'. In the Add/Remove Snap-in window, click the 'Add' button and, in the Add Stand-alone Snap-in pop-up window, double-click on 'Group Policy'. When the Select Group Policy window appears, click 'Finish'. Click 'Close' on the Add Stand-alone Snap-in window, then click 'OK' in the Add/Remove Snap-in window. Save this MMC console as something like 'PolEdit' in a location that is convenient to reach, such as the Start Menu in your profile. Now we go deeper.

There's a hidden folder in winnt/system32 called 'GroupPolicy'. This folder contains two folders: machine and user. In each folder is a registry.pol file. Once the Group Policy snap-in is added in the MMC, another folder, adm, is added; it contains the templates system, winnt, etc. These .adm files are the templates that require modification if, for instance, you want to hide specific drives on the local computer other than A, B, C or D. As an example, we created an 'F' drive specifically to hold the page file. Since we don't want users to place any data on this drive, and it needs to be used exclusively for the pagefile, we elected to hide it. Therefore, we had to modify the system.adm template.

Having said that, the other item that appears in the hidden GroupPolicy folder is an ini file called gpt.ini. After adding the Group Policy snap-in, this file contains:
- the GUID for the machine
- the GUID for the user
- a version number, for which the default = 2.

After you make changes to the local policies through the MMC, this version number changes, depending on which policies are enabled, disabled or not configured. It turns out that this version number is a decimal representation of a binary number, which turns on or off the various policies, depending on whether or not you've enabled or disabled those policies.

By configuring a 'standard' machine with the policy settings you desire to replicate to other machines, you can copy the version number from the 'standardized' machine's gpt.ini file to any gpt.ini file and those same policies will be applied to subsequent machines. Interestingly enough, there are several policy settings that do NOT transpose, such as logon banners. That is because these settings were also available in NT4 Policy Editor and W2K policies are a layered combination of old-style NT4 policies, which can be transposed by importing a reg file, and the new gpt.ini NT5 policies layered on top.

In the end, with a combination of reg files or the old NT4 Policy Editor, along with a gpt.ini version number, you can quickly replicate local policy settings from one machine to the next. Beware, however, that these are local settings for the machine and the user, meaning that these user settings are applied to ALL users, including the administrators, both network and local. That's why it's a handy idea to store/save your console to the start menu of the administrator profile, for easy access to turning on or off a particular setting for administrative purposes.
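
After replicating settings as described above, it is worth checking that a target machine really matches the 'standardized' one. The following is an added example, not part of the original tip: it compares the gpt.ini Version and the two registry.pol files between two copies of the GroupPolicy folder. The folder names, the `[General]` section name and the sample file contents are constructed assumptions.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path

POL_FILES = ("Machine/registry.pol", "User/registry.pol")

def read_version(gp_dir):
    """Return the Version value from <gp_dir>/gpt.ini as an integer."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(Path(gp_dir) / "gpt.ini")
    return ini.getint("General", "Version")

def split_version(version):
    """Split the 32-bit Version into (high 16 bits, low 16 bits).
    Microsoft's Group Policy documentation describes these halves as the
    user-side and computer-side revision counts."""
    return version >> 16, version & 0xFFFF

def pol_digest(gp_dir, rel):
    """SHA-256 of a registry.pol file, or None if the file is absent."""
    path = Path(gp_dir) / rel
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def compare(reference, target):
    """List the differences between two copies of the GroupPolicy folder."""
    findings = []
    ref_v, tgt_v = read_version(reference), read_version(target)
    if ref_v != tgt_v:
        findings.append(f"gpt.ini Version {tgt_v} != reference {ref_v}")
    for rel in POL_FILES:
        if pol_digest(reference, rel) != pol_digest(target, rel):
            findings.append(f"{rel} differs from reference")
    return findings

def make_copy(root, name, version, user_pol):
    """Build a constructed GroupPolicy folder (sample data, not a real export)."""
    gp = Path(root) / name
    for sub in ("Machine", "User"):
        (gp / sub).mkdir(parents=True)
    (gp / "gpt.ini").write_text(f"[General]\nVersion={version}\n")
    (gp / "Machine" / "registry.pol").write_bytes(b"PReg\x01\x00\x00\x00machine")
    (gp / "User" / "registry.pol").write_bytes(b"PReg\x01\x00\x00\x00" + user_pol)
    return gp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ref = make_copy(tmp, "standard", 65539, b"hide-F")
        pc2 = make_copy(tmp, "pc2", 65539, b"")  # Version copied, policy file not
        print(split_version(read_version(ref)), compare(ref, pc2))
```

Point `compare()` at a copy of the standard machine's GroupPolicy folder and a copy taken from each rolled-out machine; an empty list means the Version and both registry.pol files match.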


This was first published in February 2002
