Microsoft Windows NT 4.0 User Manual


36 Microsoft Windows NT Server White Paper

this change must be made individually to each workstation.

When a user of a Windows NT 4.0-based workstation logs on, and the workstation is working in Automatic mode (the default), the workstation checks the NETLOGON share on the validating domain controller (DC) for the NTconfig.pol file. If the workstation finds the file, it downloads it, parses it for the user, group, and computer policy data, and applies whatever is appropriate. If a user logs on to a machine that has a computer account in a resource domain, the search for the NTconfig.pol file is redirected to the validating domain controller in the user's account domain. In this situation the Windows NT 4.0-based workstation has a secure channel established to a domain controller of the resource domain. The workstation sends the user's logon request over this channel and expects the response the same way. The domain controller in the resource domain receives the request, forwards it to a domain controller in the user's account domain, and waits for a response. Once the resource-domain domain controller receives this response from the account domain's DC, it returns the authentication response to the client machine, including the name of the validating domain controller in the account domain. The workstation now knows where to look for the NTconfig.pol file.

Policy Replication

If you implement a System Policy file for Windows NT users and computers and you intend to use the default behavior of Windows NT, be sure that directory replication is occurring properly among all domain controllers that participate in user authentication. With Windows NT, the default behavior is for the computer to check for a policy file in the NETLOGON share of the validating domain controller. If directory replication to a domain controller fails and a Windows NT-based workstation does not find a policy file on that server, no policy will be applied and the existing settings will remain, possibly leaving the user with a nonstandard environment or more capabilities than you want that particular user to have.

How Policies Are Applied

Once located, policies are applied as follows:

If the policy file includes settings for the specific user account, those are applied to the HKEY_CURRENT_USER registry key. Group settings are discarded, even if the user is a member of the group, because the user-specific settings take precedence.

If a user-specific policy is not present, and Default User settings exist, the Default User settings are applied to the HKEY_CURRENT_USER registry key.

If no user-specific settings are present, and group settings exist, the user's membership in each of those groups is checked. If the user is a member of one or more groups, the settings from each of the groups, starting with the lowest priority and continuing through the highest priority, are applied to the HKEY_CURRENT_USER key in the registry, so the highest-priority group has the last word.
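The precedence rules above, together with the fail-open behavior described under Policy Replication (no policy file found, so existing settings remain), are modeled in the following Python. This is an added illustration written for this page, not Microsoft code: NTconfig.pol is a binary file, so the dictionary below is a constructed stand-in for its parsed contents, the registry value names are illustrative, and the ordering of Default User before group settings is an assumption consistent with the list above.

```python
"""Model of how a Windows NT 4.0 workstation merges System Policy settings
into HKEY_CURRENT_USER. Added illustration, not Microsoft code. The policy
structure is a simplified stand-in for a parsed NTconfig.pol, and every
value in it is constructed sample data."""

# Constructed stand-in for a parsed NTconfig.pol. Each entry maps a
# registry value name to the value the policy writes.
SAMPLE_POLICY = {
    "users": {
        "alice": {"NoRun": 1, "Wallpaper": "corp.bmp"},
    },
    "default_user": {"NoRun": 1, "NoClose": 1, "Wallpaper": "default.bmp"},
    # Group entries carry a priority; a higher number means higher priority,
    # and higher-priority groups are applied last so their values win.
    "groups": {
        "Domain Users": {"priority": 1,
                         "settings": {"NoClose": 0, "Wallpaper": "users.bmp"}},
        "Helpdesk": {"priority": 2, "settings": {"NoRun": 0}},
    },
}


def apply_user_policy(policy, user, user_groups, current_hkcu):
    """Return (new_hkcu, applied) after applying `policy` for `user`.

    `applied` lists the policy sources used, in the order they were applied.
    `policy` is None when no NTconfig.pol was found on the validating DC.
    """
    hkcu = dict(current_hkcu)  # work on a copy; never mutate the caller's view
    applied = []

    if policy is None:
        # No policy file (for example, replication to this DC failed):
        # nothing is applied and the existing settings remain. This is the
        # fail-open case the Policy Replication section warns about.
        return hkcu, applied

    # Rule 1: a user-specific entry wins outright; groups are discarded.
    user_settings = policy.get("users", {}).get(user)
    if user_settings is not None:
        hkcu.update(user_settings)
        applied.append("user:" + user)
        return hkcu, applied

    # Rule 2: no user entry, so Default User settings apply (if present).
    default_user = policy.get("default_user")
    if default_user:
        hkcu.update(default_user)
        applied.append("Default User")

    # Rule 3: groups the user belongs to, lowest priority first, so the
    # highest-priority group overrides everything applied before it.
    matching = [
        (entry["priority"], name, entry["settings"])
        for name, entry in policy.get("groups", {}).items()
        if name in user_groups
    ]
    for _priority, name, settings in sorted(matching):
        hkcu.update(settings)
        applied.append("group:" + name)

    return hkcu, applied


if __name__ == "__main__":
    # bob has no user-specific entry, so Default User plus both groups apply.
    result, order = apply_user_policy(
        SAMPLE_POLICY, "bob", ["Helpdesk", "Domain Users"], {})
    print(order, result)
    # A missing policy file leaves the existing (possibly permissive) settings.
    print(apply_user_policy(None, "bob", ["Helpdesk"], {"NoRun": 0}))
```

Running the block for bob shows Helpdesk's NoRun=0 overriding Default User's NoRun=1 because Helpdesk has the higher priority, while alice's user-specific entry causes her group memberships to be ignored entirely. The None case is the one to watch operationally: a replication failure does not produce an error, it silently leaves the previous registry content in place.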
