Complete NT4-level WinVNC policy template now available

Andrew van der Stock ajv "at" greebo.net
Fri, 08 Mar 2002 17:03:27 +0000


GPOs are applied like this:

Machine boots

* local registry made available to the system fairly early on (parts are
available (HKLM\System) or created (HKLM\Hardware) in the DOS-mode
portion of the boot process)

All the devices and services start, GUI fires up, and soon (on Win2k)
you'll see a dialog saying "Applying computer settings". WinXP* doesn't
display the dialog - it skips straight to allowing the user to log on.
By the time the user has logged on, the following four steps will have
been applied:

* all local computer and user GPOs applied
* Site computer GPOs applied
* Domain computer GPOs applied
* OU computer GPOs applied

User can log in (i.e. GINA logon dialog or FUS is available)

* Site user GPOs applied
* Domain user GPOs applied
* OU user GPOs applied

If a registry setting is overwritten by multiple writers, the last
setting applied wins. For example, if you apply a group policy object in
the default domain policy, and have a further GPO down in a "Training
OU" which sets the "no shared" registry key, the no shared setting
wins... unless the "No Override" bit is set on the Default Domain
Policy, even if the "Block inheritance" flag is set on the Training OU's
GPO.

If a machine is moved from one OU to another, the GPO for the new OU
applies. If a user belongs to a different OU, then that OU's user GPOs
are applied before the user can use Explorer.

GPO is checked (and refreshed if necessary) about once every 90 minutes
+/- 30 minutes random interval. 

The main thing to remember is that the underlying registry settings
stored locally are *not* changed by GPO. The computer is affected by GPO
as if the resultant set of policy were a union of registry and
GPO. If a machine is removed from a domain or has the local GPO removed,
the original underlying registry settings remain.

Andrew

* On WinXP, the user is allowed to log on as quickly as possible - XP
boots in about 10 seconds on my Dell PIII/800 and I can generally use
the WinXP desktop in about 15 seconds after the machine has been turned
on. GPOs are applied asynchronously (and as necessary). It usually
happens fairly quickly, and as XP has a completely new registry database
engine, which is a great deal faster and more robust than Win2k's (or 98's
or ME's), the GPO seems to have been applied by the user, even though it is
happening in the background. Very snazzy and fast.

http://www.microsoft.com/hwdev/driver/XP_kernel.asp#Registry

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Alex
Angelopoulos
Sent: Saturday, 9 March 2002 2:44 AM
To: vnc-list "at" uk.research.att.com
Subject: Re: Complete NT4-level WinVNC policy template now available

Daniel's is structurally identical (albeit longer - much longer). I don't
recall all the ins and outs of how the ADM files work across platforms,
but I had been under the impression that the key difference was the
method of deployment - the GPO settings are "remembered" as changes, so
it is possible to back them out.
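
The application order and the "No Override" / "Block inheritance" interaction described in the message above, as an added example that is not part of the original post or the quoted reply. It is a simplified model, not Windows code: the `GPO` class, `resolve`, `scenario`, and the setting names and values (`NoShared`, `IdleTimeout`) are constructed for illustration.

```python
from dataclasses import dataclass

ORDER = ["local", "site", "domain", "ou"]  # application order given in the message

@dataclass
class GPO:
    name: str
    level: str               # one of ORDER
    settings: dict
    no_override: bool = False

def resolve(gpos, block_inheritance=False):
    """Return (effective settings, name of the GPO that supplied each one)."""
    effective, source, locked = {}, {}, set()
    # sorted() is stable, so GPOs at the same level keep their listed order
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g.level)):
        # Block inheritance on the OU drops site/domain GPOs, except No Override ones
        if block_inheritance and gpo.level in ("site", "domain") and not gpo.no_override:
            continue
        for key, value in gpo.settings.items():
            if key in locked:        # an earlier No Override GPO already fixed this key
                continue
            effective[key] = value   # otherwise the last writer wins
            source[key] = gpo.name
            if gpo.no_override:
                locked.add(key)
    return effective, source

def scenario(no_override, block_inheritance):
    """Constructed sample: domain policy vs. a GPO linked to the Training OU."""
    gpos = [
        GPO("Training OU GPO", "ou", {"NoShared": 1}),
        GPO("Default Domain Policy", "domain",
            {"NoShared": 0, "IdleTimeout": 600}, no_override),
    ]
    return resolve(gpos, block_inheritance)

if __name__ == "__main__":
    for flags in [(False, False), (False, True), (True, True)]:
        print(flags, scenario(*flags))
```

When auditing a hardening template such as the WinVNC one, the `source` mapping is the useful part: it shows which GPO actually supplied each effective value.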