36 Microsoft Windows NT Server White Paper
this change must be made individually to each workstation.
When a user of a Windows NT 4.0-based workstation logs on, if the
Windows NT 4.0-based machine is working in Automatic mode (which is the
default), the workstation checks the NETLOGON share on the validating
domain controller (DC) for the NTconfig.pol file. If the workstation finds
the file, it downloads it, parses it for the user, group, and computer policy
data, and applies it if appropriate. If a user logs on to a machine that has a
computer account in a resource domain, the search for the NTconfig.pol file
is redirected to the validating domain controller in the account domain. In
this situation, the Windows NT 4.0-based workstation has a secure
communication channel established to a domain controller of the resource
domain. The Windows NT-based workstation sends the user's logon request
over this communication channel, and expects a response the same way. The
domain controller in the resource domain receives this request, forwards it
to a domain controller in the user's account domain, and waits for a
response. Once the domain controller in the resource domain receives this
response from the account domain's DC, it returns the authentication request
to the client machine, including the validating domain controller's name
from the account domain. The Windows NT-based workstation now knows where
to look for the NTconfig.pol file.
Policy Replication
If you implement a System Policy file for Windows NT users and computers
and you intend to use the default behavior of Windows NT, be sure that
directory replication is occurring properly among all domain controllers that
participate in user authentication. With Windows NT, the default behavior is
for the computer to check for a policy file in the NETLOGON share of the
validating domain controller. If directory replication to a domain controller
fails and a Windows NT-based workstation does not find a policy file on that
server, no policy will be applied and the existing settings will remain,
possibly leaving the user with a nonstandard environment or more capabilities
than you want that particular user to have.
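
One way to check for the replication failure described above (an added example, not part of the white paper): hash NTconfig.pol in each domain controller's NETLOGON share and compare it with the copy on a reference DC. The function names, the DC names, and the choice of a reference DC are assumptions; the demo uses constructed local directories in place of real shares, and it also flags copies that exist but differ, which goes one step beyond the missing-file case the text describes.

```python
import hashlib
import tempfile
from pathlib import Path

POLICY_NAME = "NTconfig.pol"

def policy_digest(share):
    """SHA-256 of the policy file in one NETLOGON directory, or None if absent."""
    pol = Path(share) / POLICY_NAME
    return hashlib.sha256(pol.read_bytes()).hexdigest() if pol.is_file() else None

def audit_policy_replication(netlogon_paths, reference_dc):
    """Classify each DC's copy of NTconfig.pol against the reference DC's copy.

    netlogon_paths: {dc_name: path to that DC's NETLOGON share} (assumed input).
    reference_dc:   the DC whose copy is treated as authoritative (assumption).
    """
    digests = {dc: policy_digest(p) for dc, p in netlogon_paths.items()}
    expected = digests[reference_dc]
    if expected is None:
        raise FileNotFoundError(f"{POLICY_NAME} missing on reference DC {reference_dc}")
    report = {}
    for dc, digest in digests.items():
        if digest is None:
            report[dc] = "missing"    # users validated here get no policy at all
        elif digest != expected:
            report[dc] = "divergent"  # users validated here get a different policy
        else:
            report[dc] = "ok"
    return report

def build_demo_shares(root):
    """Constructed sample: local directories standing in for three NETLOGON shares."""
    contents = {"DC1": b"policy-v2", "DC2": b"policy-v1", "DC3": None}
    shares = {}
    for dc, data in contents.items():
        share = Path(root) / dc / "NETLOGON"
        share.mkdir(parents=True)
        if data is not None:
            (share / POLICY_NAME).write_bytes(data)
        shares[dc] = str(share)
    return shares

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        report = audit_policy_replication(build_demo_shares(root), "DC1")
        for dc, status in report.items():
            print(f"{dc}: {status}")
```

Any DC reported as "missing" is one where a logon would leave the workstation's existing settings in place, so it is the case to alert on first.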
How Policies Are Applied
Once located, policies are applied as follows:
• If the policy file includes settings for the specific user account, those
  are applied to the HKEY_CURRENT_USER registry key. Other group settings
  are discarded, even if the user is a member of the group, because the
  user settings take precedence.
• If a user-specific policy is not present, and Default User settings exist,
  the Default User settings are applied to the HKEY_CURRENT_USER registry
  key.
• If no user-specific settings are present, and group settings exist, the
  user's group membership in each of those groups is checked. If the user is
  a member of one or more groups, the settings from each of the groups,
  starting with the lowest priority and continuing through the highest
  priority, are applied to the HKEY_CURRENT_USER key in the registry.