Windows NT 4.0 Clients
Windows 2000 has heightened security so that the Local System account of Windows NT 4.0 clients cannot read user security group information from the Active Directory. Prior to Service Pack 6, Windows NT 4.0 clients requested System Policies in the local system context, which means they do not get any System Policies based on security groups. Clients running Windows NT 4.0 Service Pack 6 (or later) or Windows 2000 impersonate the user rather than running in the local system context when requesting System Policy. The most likely occurrence of this is in an upgrade of a Windows NT 4.0 Server to Windows 2000. The Windows NT 4.0 clients still get any user-specific policies and the default domain policies. If a user was previously getting policies based on group membership, and default policies exist, the client now processes only the default policies.
For detailed information on Windows 2000 security, see the Security Services white papers at: http://www.microsoft.com/windows2000/library/technologies/security/default.asp.
Zero Administration Kit (ZAK) for Windows to Windows 2000 Upgrades
This section presents information on upgrading ZAK-based servers and clients to Windows 2000.
Information on the Zero Administration Kit for Windows is available at http://www.microsoft.com/windows/zak.
ZAK Upgrades
The following table highlights the results of upgrading domain controllers from Windows NT 4.0 to Windows 2000, or upgrading clients from Windows NT 4.0 ZAK and Windows 98 ZAK to Windows 2000, and Windows 2000 installations and upgrades in various combinations.
Domain Controller | Client | Results
Windows NT 4.0 | Windows NT 4.0 ZAK upgrade to Windows 2000 | The upgraded ZAK client functions in the same way as the pre-upgrade ZAK client. All System Policy is applied to the client.
Windows NT 4.0 | Windows 98 ZAK upgrade to Windows 2000 [1] | In order to get policy, the client will require Windows NT 4.0-style System Policy.
Windows NT 4.0 | Clean Windows 2000 install | Client setup will not correspond to that of a ZAK-style client [2].
Windows NT 4.0 upgrade to Windows 2000 | Windows NT 4.0 ZAK | The client gets ZAK-style System Policy.
Windows NT 4.0 upgrade to Windows 2000 | Windows 98 ZAK | The client gets ZAK-style System Policy.
Windows NT 4.0 upgrade to Windows 2000 | Windows 2000 upgrade | In order to get policy, the client will require Group Policy.
Windows NT 4.0 upgrade to Windows 2000 | Clean Windows 2000 install | The client gets Group Policy.
Windows NT 4.0 upgrade to Windows 2000 | Install Windows NT 4.0 ZAK client | The client gets ZAK-style System Policy.
Windows NT 4.0 upgrade to Windows 2000 | Install Windows 98 ZAK client | The client gets ZAK-style System Policy.
[1] Clients upgraded from Windows 98 ZAK to Windows 2000 require Windows NT 4.0-style System Policies. This is because the Windows 2000 client looks for the Ntconfig.pol file in the Netlogon share. Installing ZAK support for Windows NT 4.0 is recommended. It is also possible to manually copy the policy file(s) using the Zero Administration Kit for Windows instructions for Manual TaskStation or AppsStation setup.
[2] If administrators want to have ZAK-like functionality in a Group Policy environment, they can either install ZAK and then upgrade to Windows 2000, or use Group Policy and Folder Redirection to create a ZAK client. For more information, see the upcoming section called Adding New Windows 2000 Client Computers to a ZAK Environment.
The following sections summarize the results of upgrading Windows 98 ZAK clients and Windows NT 4.0 ZAK servers and clients to Windows 2000:
Windows NT 4.0 ZAK Client Upgrades
Windows 2000 upgrade clients that are managed by a Windows NT 4.0 domain controller continue to get System Policy. ZAK policies will work correctly; all functionality as a ZAK client is preserved.
Windows 98 ZAK Client Upgrades
Windows 2000 upgrade clients that are managed by a Windows NT 4.0 domain controller will not get their previous Windows 98 policy. Windows 2000 clients in a Windows NT 4.0 domain do not recognize the Config.pol file but instead look for the Ntconfig.pol file in the Netlogon share. You can ensure these clients continue to get System Policy by creating an Ntconfig.pol file that has the same settings that were contained in the Config.pol file.
Primary Domain Controller Upgrade to Windows 2000 Domain Controller
The upgrade and promotion to domain controller processes work seamlessly, but because the domain is now Windows 2000, any Windows 2000 ZAK upgrade clients will cease processing System Policy and will need to have equivalent Group Policy applied. See the section called ZAK in Group Policy for the GPO-based policy settings required.
Adding New Windows 2000 Client Computers to a ZAK Environment
A clean installed Windows 2000 computer joined to a Windows NT 4.0 ZAK domain will not be set up correctly to be a ZAK-style client. If administrators want a Windows 2000 ZAK-style client, they can install Windows NT 4.0 ZAK client software first, and then upgrade the client to Windows 2000.
Alternatively, administrators can set up a clean-installed Windows 2000 computer as a ZAK client by redirecting the Start menu and Programs folders to point to the Netapps share on the ZAK server. It is also necessary to apply the Group Policy settings specified in the upcoming section called ZAK in Group Policy. In addition, the user account for this new computer should be set up in accordance with the instructions given in the Administrator's Guide for the Zero Administration Kit (found at http://www.microsoft.com/windows/zak/getzak.htm), in the section called Organizing Files, Shares and User Accounts on the Server. Finally, it is also necessary to redirect AppData to the Users account share.
ZAK in Group Policy
In the case of a domain controller being upgraded to Windows 2000 with upgraded clients, it will be necessary to create a Group Policy object to specify policy settings.
To prevent all users in the domain from getting these policy settings, it is recommended that administrators create a security group for the targeted users and computers, and then use this group to filter the application of the GPO to the group members.
Group Policy Settings Required to Emulate a ZAK Installation
To emulate a ZAK installation, administrators must enable the Group Policy settings listed in this section.
Component and Group Policy snap-in namespace location | Policy settings to be enabled
Internet Explorer: Internet Control Panel Settings (located under User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) | Disable the General Page; Disable the Security Page; Disable the Contents Page; Disable the Connections Page; Disable the Programs Page; Disable the Advanced Page
Internet Explorer: Toolbars Settings (located under User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars) | Disable Customizing Browser Toolbar buttons; Disable Customizing Browser Toolbars
Windows Explorer Settings (located under User Configuration\Administrative Templates\Windows Components\Windows Explorer) | Enable Classic Shell; Remove Folder Options menu item from the Tools Menu; Remove “Map Network Drive” and “Disconnect Network Drive”; Disable Windows Explorer Default context menu; Hide the manage item on the Windows Explorer context menu; Hide these specified drives on My Computer [Hide all Drives]; Hide hardware tab; No “Computers near me” in My Network Places; No “Entire Network” in My Network Places
Task Scheduler Settings (located under User Configuration\Administrative Templates\Windows Components\Task Scheduler) | Hide Property Pages; Prevent Task Run or End; Disable Drag-and-Drop; Disable New Task Creation; Disable Task Deletion; Disable Advanced Menu; Prohibit Browse
Start Menu and Taskbar Settings (located under User Configuration\Administrative Templates\Start Menu & Taskbar) | Remove Users folder from Start Menu; Disable and Remove Links to Windows Update; Remove Common Program Groups from Start Menu; Disable Programs in Settings Menu; Remove Network & Dialup Connections from Start Menu; Remove Favorites from Start Menu; Remove Search menu from Start Menu; Remove Run menu from Start Menu; Disable and Remove Shutdown Command; Disable Drag-and-Drop context menus on the Start Menu; Disable Changes to Taskbar & Start Menu Settings; Disable Context menus for the Taskbar; Disable Personalized Settings; Disable User Tracking; Disable Add “Run in separate memory space” checkbox to Run Dialog box
Active Desktop Settings (located under User Configuration\Administrative Templates\Desktop\Active Desktop) | Hide All Items
Desktop Settings (located under User Configuration\Administrative Templates\Desktop) | Hide all icons on Desktop; Prohibit User from changing My Documents path; Disable adding, dragging, dropping and closing the Taskbar Toolbars; Don’t save settings on exit
Control Panel: Add/Remove Programs Settings (located under User Configuration\Administrative Templates\Control Panel\Add/Remove Programs) | Disable Add/Remove Programs
Control Panel: Display Settings (located under User Configuration\Administrative Templates\Control Panel\Display) | Disable Display in Control Panel
Control Panel: Regional Options Settings (located under User Configuration\Administrative Templates\Control Panel\Regional Options) | Restrict Selection of Windows 2000 Menus and Dialogs Language
System: Logon/Logoff Settings (located under User Configuration\Administrative Templates\System\Logon/Logoff) | Disable Task Manager; Run Logon Scripts Synchronously
Task Scheduler Settings (located under Computer Configuration\Administrative Templates\Windows Components\Task Scheduler) | Hide property page; Prohibit Browse
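Once the GPO above is applied, the settings arrive on the client as DWORD values under the user's policy registry keys, so a quick way to verify that a client really received the ZAK emulation is to export those keys with reg.exe and compare them with the table. The following is an added example, not code from the Microsoft document or from the Zero Administration Kit: it parses the text of a .reg export and reports which settings are missing or set to the wrong value. The registry value names are what, to my knowledge, the Windows 2000 administrative templates write for the listed policies; treat that mapping as an assumption, and note that only a subset of the table is covered. The sample export is constructed.

```python
"""Audit a .reg export of a user's policy keys against the ZAK-emulation table.

Added example, not part of the Microsoft document or the Zero Administration Kit.
reg.exe writes .reg exports as UTF-16, so open real files with encoding="utf-16".
ASSUMPTION: the value names below are those the Windows 2000 administrative
templates (system.adm, inetres.adm) write for the listed policies.
"""
import re

HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
IE_CP = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"

# (policy name as in the table, registry key, value name, expected DWORD)
EXPECTED = [
    ("Remove Run menu from Start Menu", HKCU_POL + r"\Explorer", "NoRun", 1),
    ("Remove Search menu from Start Menu", HKCU_POL + r"\Explorer", "NoFind", 1),
    ("Disable and Remove Shutdown Command", HKCU_POL + r"\Explorer", "NoClose", 1),
    ("Remove Favorites from Start Menu", HKCU_POL + r"\Explorer", "NoFavoritesMenu", 1),
    ("Remove Folder Options menu item from the Tools Menu", HKCU_POL + r"\Explorer", "NoFolderOptions", 1),
    ("Remove Map Network Drive and Disconnect Network Drive", HKCU_POL + r"\Explorer", "NoNetConnectDisconnect", 1),
    ("Hide all icons on Desktop", HKCU_POL + r"\Explorer", "NoDesktop", 1),
    ("Don't save settings on exit", HKCU_POL + r"\Explorer", "NoSaveSettings", 1),
    ("Disable Changes to Taskbar & Start Menu Settings", HKCU_POL + r"\Explorer", "NoSetTaskbar", 1),
    # NoDrives is a bit mask, one bit per drive letter A..Z; all 26 bits set hides every drive.
    ("Hide these specified drives on My Computer [Hide all Drives]", HKCU_POL + r"\Explorer", "NoDrives", 0x03FFFFFF),
    ("Disable Task Manager", HKCU_POL + r"\System", "DisableTaskMgr", 1),
    ("Disable Display in Control Panel", HKCU_POL + r"\System", "NoDispCPL", 1),
    ("Disable Add/Remove Programs", HKCU_POL + r"\Uninstall", "NoAddRemovePrograms", 1),
    ('No "Entire Network" in My Network Places', HKCU_POL + r"\Network", "NoEntireNetwork", 1),
] + [
    (f"Disable the {tab} Page", IE_CP, f"{tab}Tab", 1)
    for tab in ("General", "Security", "Content", "Connections", "Programs", "Advanced")
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {(key, value name): int} for every DWORD in a .reg export.

    Keys and value names are lower-cased because the registry is case-insensitive.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _DWORD_RE.match(line)
        if m and key is not None:
            values[(key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(values):
    """List (policy, problem) for every expected setting that is absent or wrong."""
    findings = []
    for policy, key, name, want in EXPECTED:
        got = values.get((key.lower(), name.lower()))
        if got is None:
            findings.append((policy, "not set"))
        elif got != want:
            findings.append((policy, f"value is {got:#x}, expected {want:#x}"))
    return findings


# Constructed sample: a client that received only part of the GPO and has
# "Disable and Remove Shutdown Command" explicitly turned off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoClose"=dword:00000000
"NoDrives"=dword:03ffffff
"NoDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"NoDispCPL"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"GeneralTab"=dword:00000001
"SecurityTab"=dword:00000001
"AdvancedTab"=dword:00000001
"""

if __name__ == "__main__":
    for policy, problem in audit(parse_reg(SAMPLE_REG)):
        print(f"{policy}: {problem}")
```

On the constructed sample the audit reports eleven problems: ten settings never written and one (NoClose) present but zero, which is the case a plain "does the value exist" check would miss. Run against a real export it tells you whether the GPO reached the client at all, or whether a later policy or local change overrode part of it.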
Appendix A: Security Settings and User Rights
This appendix lists the Security Settings that are defined by default in the Default Domain Policy GPO. This GPO is created when the first domain controller in the domain is installed by DCPromo. If this first domain controller is upgraded from a Windows NT 4.0 domain controller, then the values defined for the Windows NT 4.0 domain are used instead.
These domain-wide account policy settings (Password Policy, Account Lockout Policy and Kerberos Policy) are enforced by the domain controller computers in the domain; therefore, all domain controllers always retrieve the values of these account policy settings from the Default Domain Policy GPO.
For a detailed description of each policy setting, refer to the Windows 2000 Server Resource Kit Online Help file for Group Policy, GP.CHM.
Policy | Default Value | Comment
Password Policy | |
Enforce password history | 1 password remembered |
Maximum password age | 42 days |
Minimum password age | 0 days |
Minimum password length | 0 characters |
Passwords must meet complexity requirements | Disabled |
Store password using reversible encryption for all users in the domain | Disabled |
Account Lockout Policy | |
Account Lockout Threshold | 0 |
Kerberos Policy | | Since Kerberos support was not available in previous versions of Windows NT, the following Kerberos policies are always defined for the first domain controller of a Windows 2000 domain, regardless of whether it was upgraded or not.
Enforce user logon restrictions | Enabled |
Maximum lifetime that a user ticket can be renewed | 7 days |
Maximum user ticket lifetime | 10 hours |
Maximum service ticket lifetime | 60 minutes |
Maximum tolerance for synchronization of computer clocks | 5 minutes |
Security Options | |
Automatically logoff users when logon time expires | Disabled | This is a domain-wide setting even though it appears under the Security Options area.
Security Settings in the Default Domain Controllers Policy
This section lists the Security Settings that are defined by default in the Default Domain Controller Policy GPO. This GPO is created when the first domain controller in the domain is installed via DCPromo. If this first domain controller is upgraded from a Windows NT 4.0 domain controller, then the values defined for the Windows NT 4.0 domain are used instead.
By default, these settings apply to all domain controllers in the domain. For a detailed description of each policy setting, refer to the Windows 2000 Server Resource Kit Online Help file for Group Policy, GP.CHM.
Policy | Default Value | Comment
Security Options | |
Digitally sign server-side communication when possible | Enabled |
Audit Policy | |
Audit Account Logon events | No Auditing |
Audit Account Management | No Auditing |
Audit Directory Service Access | No Auditing |
Audit Logon Events | No Auditing |
Audit Object Access | No Auditing |
Audit Policy Change | No Auditing |
Audit Privilege Use | No Auditing |
Audit Process Tracking | No Auditing |
Audit System Events | No Auditing |
User Rights Policy | |
Access this computer from the network | Administrators, Authenticated Users, Everyone | If the following groups were given this right prior to running DCPromo, then they are removed: Backup Operators, Guests, Guest, and Users. If a Windows NT 4.0 domain controller is upgraded as the first Windows 2000 domain controller using a slipstreamed setup of Windows 2000 + Service Pack 1, then the Authenticated Users group is automatically given this right.
Act as part of the operating system | |
Add workstations to the domain | Authenticated Users | This User Right is for the support of legacy APIs. You can also allow users to create computer accounts by using this User Right. Authenticated Users can only create 10 computer accounts using this User Right.
Back up files and directories | Administrators, Backup Operators, Server Operators |
Bypass traverse checking | Administrators, Authenticated Users, Everyone | If the following groups were given this right prior to running DCPromo, then they are removed: Backup Operators, Users.
Change the system time | Administrators, Server Operators |
Create a pagefile | Administrators |
Create a token object | |
Create permanent shared objects | |
Debug programs | Administrators |
Force shutdown from a remote system | Administrators, Server Operators |
Generate security audits | |
Increase quotas | Administrators |
Increase scheduling priority | Administrators |
Load and unload device drivers | Administrators |
Lock pages in memory | |
Log on as a batch job | |
Log on as a service | |
Log on locally | Account Operators, Administrators, Backup Operators, Server Operators, Print Operators | If the following groups were given this right prior to running DCPromo, then they are removed: Authenticated Users, Guests, Guest, Users, and Everyone.
Manage auditing and security log | Administrators |
Modify firmware environment variables | Administrators |
Profile single process | Administrators |
Profile system performance | Administrators |
Replace a process-level token | |
Restore files and directories | Administrators, Backup Operators, Server Operators |
Shut down the system | Account Operators, Administrators, Backup Operators, Server Operators, Print Operators | If the following groups were given this right prior to running DCPromo, then they are removed: Authenticated Users, Guests, Guest, Users, and Everyone.
Take ownership of files or other objects | Administrators |
Deny Logon Locally | |
Deny logon as a batch job | |
Deny logon as a service | |
Deny Access to this computer from network | |
Remove Computer from Docking Station | Administrators | If the following groups were given this right prior to running DCPromo, then they are removed: Users.
Synchronize directory service data | |
Enable computer and user accounts to be trusted for delegation | Administrators | If the following groups were given this right prior to running DCPromo, then they are removed: Users.
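Both tables in this appendix describe what a domain controller should look like right after DCPromo, and the natural way to check a real one is to compare a secedit export with them. The following is an added example in Python, not code from the Microsoft document: it reads the INI-style file produced by `secedit /export /cfg <file>` on a domain controller, compares the account and Kerberos policy with the Default Domain Policy table, lists the audit categories still at the documented "No Auditing" default, and reports any principal holding a user right that the Default Domain Controllers table says DCPromo removes (which indicates the right was re-granted after promotion or came from an imported template). The secedit section and key names, their units, and the well-known SIDs are my assumptions about the export format; the sample export is constructed.

```python
"""Compare a secedit export with the Appendix A defaults.

Added example, not part of the Microsoft document. secedit writes the export as
UTF-16; open real files with encoding="utf-16". ASSUMPTIONS: the [System Access],
[Kerberos Policy], [Event Audit] and [Privilege Rights] key names, and the units
(MaxTicketAge hours, MaxRenewAge days, MaxServiceAge and MaxClockSkew minutes).
"""
import configparser

# Default Domain Policy values from the table above, keyed as secedit writes them.
ACCOUNT_DEFAULTS = {
    ("System Access", "PasswordHistorySize"): 1,     # Enforce password history
    ("System Access", "MaximumPasswordAge"): 42,     # days
    ("System Access", "MinimumPasswordAge"): 0,
    ("System Access", "MinimumPasswordLength"): 0,
    ("System Access", "PasswordComplexity"): 0,      # Disabled
    ("System Access", "ClearTextPassword"): 0,       # reversible encryption: Disabled
    ("System Access", "LockoutBadCount"): 0,         # Account Lockout Threshold
    ("Kerberos Policy", "TicketValidateClient"): 1,  # Enforce user logon restrictions
    ("Kerberos Policy", "MaxRenewAge"): 7,           # days
    ("Kerberos Policy", "MaxTicketAge"): 10,         # hours
    ("Kerberos Policy", "MaxServiceAge"): 60,        # minutes
    ("Kerberos Policy", "MaxClockSkew"): 5,          # minutes
}

# Well-known SIDs as they appear in [Privilege Rights]; the leading '*' marks a SID.
SID_NAME = {
    "*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users",
    "*S-1-5-32-544": "Administrators", "*S-1-5-32-545": "Users",
    "*S-1-5-32-546": "Guests", "*S-1-5-32-548": "Account Operators",
    "*S-1-5-32-549": "Server Operators", "*S-1-5-32-550": "Print Operators",
    "*S-1-5-32-551": "Backup Operators",
}

# Groups the Default Domain Controllers table says DCPromo strips from each right.
# The domain Guest account has a per-domain SID and is therefore not listed.
LOGON_REMOVED = {"*S-1-5-11", "*S-1-5-32-546", "*S-1-5-32-545", "*S-1-1-0"}
REMOVED_BY_DCPROMO = {
    "SeNetworkLogonRight": {"*S-1-5-32-551", "*S-1-5-32-546", "*S-1-5-32-545"},
    "SeChangeNotifyPrivilege": {"*S-1-5-32-551", "*S-1-5-32-545"},
    "SeInteractiveLogonRight": LOGON_REMOVED,
    "SeShutdownPrivilege": LOGON_REMOVED,
    "SeUndockPrivilege": {"*S-1-5-32-545"},
    "SeEnableDelegationPrivilege": {"*S-1-5-32-545"},
}

AUDIT_KEYS = ("AuditAccountLogon", "AuditAccountManage", "AuditDSAccess",
              "AuditLogonEvents", "AuditObjectAccess", "AuditPolicyChange",
              "AuditPrivilegeUse", "AuditProcessTracking", "AuditSystemEvents")


def load_export(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. SeInteractiveLogonRight
    cp.read_string(text)
    return cp


def account_policy_deviations(cp):
    """(key, found, documented default) for every account/Kerberos setting that differs."""
    out = []
    for (section, key), want in ACCOUNT_DEFAULTS.items():
        got = cp.get(section, key, fallback=None)
        if got is None or int(got) != want:
            out.append((key, got, want))
    return out


def rights_dcpromo_would_remove(cp):
    """(right, group) for each group holding a right the table says DCPromo removes."""
    out = []
    for right, removed in REMOVED_BY_DCPROMO.items():
        holders = {h.strip() for h in cp.get("Privilege Rights", right, fallback="").split(",")}
        for sid in sorted(holders & removed):
            out.append((right, SID_NAME[sid]))
    return out


def audit_categories_still_off(cp):
    """Audit categories still at the documented default of 'No Auditing' (value 0)."""
    return [k for k in AUDIT_KEYS if int(cp.get("Event Audit", k, fallback="0")) == 0]


# Constructed sample: password policy hardened, two audit categories switched on,
# and Users re-granted "Log on locally" on the domain controller.
SAMPLE_INF = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 1
LockoutBadCount = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 60
MaxClockSkew = 5
TicketValidateClient = 1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,*S-1-5-32-550
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    cp = load_export(SAMPLE_INF)
    print("account policy deviations:", account_policy_deviations(cp))
    print("rights DCPromo would remove:", rights_dcpromo_would_remove(cp))
    print("audit categories still off:", audit_categories_still_off(cp))
```

A deviation from the account defaults is not necessarily a problem (the sample's longer minimum password length is a deliberate hardening), which is why the function reports rather than judges; the user-rights report, on the other hand, is worth acting on, since the table shows DCPromo deliberately takes those groups off a domain controller.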