System policy for Win2k Pro in an NT domain

Here's a way to get around using local GPOs and to continue using ntconfig.pol in its standard nesting place.

This Content Component encountered an error

Are you rolling out Win2k Pro on the desktop in an NT 4 domain and wondering how you're going to institute local GPOs? Following is a way to get around using local GPOs and to continue using ntconfig.pol in its standard nesting place.

This is a multi-step process but not a difficult one. I've broken it down into Components required and why, .ADM template, and Implementation.

Components

WIN2K.BAT
The purpose of the file is to identify Win2k Pro clients in an NT 4 domain. This is necessary because Win2k Pro clients do not natively use System Policies, i.e., ntconfig.pol to manage the desktop. The file is inserted into an existing login script. If a Win2k Pro client is identified, the batch file copies 2 files to C: These files are regini.exe and win2k.ini.

Contents of Win2k.bat

 @echo off rem *purpose of this batch is to identify Win2k Pro rem machines in an NT 4 Domain rem *once identified it copies the file regini.exe to edit rem the Pro's registry to add a path rem *so it can use ntconfig.pol instead of a gpo which rem requires ADS if not exist c:Documents and Settings goto end if exist c:regini.exe goto end if exist c:Documents and Settings copy server1shareregini.exe c: copy server1shareWin2k.ini c: regini c:win2k.ini del c:win2k.ini goto end :end

REGINI.EXE
Registry editor tool found in NT Res Kit. Required when editing the registry is necessary via an executable or batch file.

WIN2K.INI
This is a registry hack that inserts a DWORD into the registry of Win2k Pro clients with the assistance of regini.exe. This is required because Win2k Pro clients do not natively have a path to use ntconfig.pol.

Contents of Win2k.ini

 RegistryMachineSystemCurrentControlSetControlUpdate NetworkPath = REG_SZ winntsystem32replimportscriptsntconfig.pol

.ADM Template

This is the most difficult aspect of the process. For a more in-depth explanation and how to write one see Q225087. If you're already familiar, here's the short skinny:

.ADM files are still located in %systemroot%Inf with the extension ".adm." Depending on what your needs are there are 10 listed. I used "system.adm." Locate and copy the contents of whichever policy you want to enforce, and paste it into winnt.adm. NOTE: Remove the "EXPLAIN" keyword. Win2k uses it, but NT will not recognize it and will give you an error when trying to load in System Policy Editor. Don't forget to copy those Win2k strings, too.

You'll have to do some serious tweaking to get it just the way you want, but it's great once you get it going.

Implementation

Place regini.exe and win2k.ini in a share on a BDC Amend Win2K.bat to point to the share where regini.exe and win2k.ini copy your .adm template into %systemroot%inf Add .adm to System Policy Editor Create system policies for domain users/groups Save as ntconfig.pol Store in winntsystem32replexportscripts for replication Insert Win2k.bat into a login script

One of our members, Jaap Tempelman, offered some advice:

Your batchfile says:
if not exist c:Documents and Settings goto end

but when a PC is updated from NT4 to Win2000 (most of the cases, especially in a NT domain), it has no such directory (likewise, if Win2000 is installed on another drive it does not have the directory). This script works only on clean-installed Win2000 machines. I think you should use the "ver" command to see if a machine is running Windows 2000.


This was first published in January 2002

Dig deeper on Microsoft Windows Data Backup and Protection

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close