Local Policy and Group Policy

Policies form the basis of environment and security configuration in Windows 2000. In very broad terms, two types of policies exist – Local Policy (which is set on an individual computer) and Group Policy (which can be applied to multiple computers and users according to settings in Active Directory). Without Active Directory, only Local Policies can be applied. First we’ll look at Local Policies, followed by an introduction to Group Policy.

Local security policy controls security-related settings on an individual Windows 2000 system. Settings found in the Local Security Settings tool relate to three major areas – Account Policy, Local Policy, and Public Key Policy.

Account Policies control settings such as password policy (password uniqueness, age, etc) and account lockout policy (lockout threshold, duration, etc) for local accounts. That is, these settings only apply to accounts contained within the system’s Security Accounts Manager (SAM) database, and not to domain accounts.

Local Policies contains settings relating to the Audit policy on the local system, the assignment of user rights, and security options. Audit Policy includes options for the types of events you wish to audit, such as file and object access on this particular system. User Rights Assignment is where you would give users or groups rights to perform system tasks, such as the right to change the system time, or the right to back up files and folders. Note that this is different from NT 4.0, where rights were given using the User Manager tool. The Security Options section of Local Policies allows you to control security-sensitive settings on the local machine, such as disabling the Ctrl+Alt+Del requirement for logon, clearing the pagefile on shutdown, and so forth.

Public Key Policies in the Local Security Settings tool allow you to set the EFS recovery agent, which by default will be the local administrator account.

Although local policy settings give you a strong degree of control, they are still fairly inflexible in that they must be configured locally on each machine. Note that it is possible to export policy settings to a file, and then import those local settings onto another system. Windows 2000 also includes a snap-in called Security Configuration and Analysis. This tool allows you to save policy settings to a database file, and then compare changes to security settings against this database. It is a useful tool in determining the impact that a change to a policy setting will have. This tool also allows you to save the database to a template file (.inf file), which can then be applied to other systems. For more details about the Security Configuration and Analysis tool, click here.
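To make the compare-against-a-template idea concrete, here is an added example (not code from the article or from Microsoft) that performs a minimal "analyze" step: it parses a constructed security template fragment laid out the way secedit .inf templates are (the [System Access] section holds the password and lockout policy), compares each value with a constructed snapshot standing in for the machine’s current Account Policy, and lists every deviation. The key names are the real secedit ones; the template values and the "current" settings are illustrative.

```python
# Added example (not the article's or Microsoft's code): a minimal "analyze"
# step in the spirit of Security Configuration and Analysis. It reads a
# constructed security template fragment in secedit .inf layout, compares the
# [System Access] values with a constructed snapshot of the machine's current
# Account Policy, and reports every setting that deviates from the template.
import configparser

# Constructed template. Section and key names follow the secedit .inf layout
# ([System Access] holds the password and lockout policy); the values are
# illustrative, not a recommendation taken from the article.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot standing in for what the Analyze step would read from
# the local SAM: a default-looking Account Policy that has never been hardened.
CURRENT_SETTINGS = {
    "MinimumPasswordAge": 0,
    "MaximumPasswordAge": 42,
    "MinimumPasswordLength": 0,
    "PasswordComplexity": 0,
    "PasswordHistorySize": 0,
    "LockoutBadCount": 0,
    "ResetLockoutCount": 30,
    "LockoutDuration": 30,
}


def parse_template(text):
    """Return the [System Access] settings of an .inf template as {name: int}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the template's key spelling (MinimumPasswordAge, ...)
    parser.read_string(text)
    return {key: int(value) for key, value in parser["System Access"].items()}


def analyze(template, current):
    """Compare template values with current settings, like the Analyze step.

    Returns a sorted list of (setting, template_value, current_value) for every
    setting that is absent or different on the machine; an empty list means the
    machine already matches the template.
    """
    mismatches = []
    for name, expected in template.items():
        actual = current.get(name)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return sorted(mismatches)


def report(mismatches):
    """Render the mismatch list in a form you could read like the snap-in's grid."""
    if not mismatches:
        return "All analyzed settings match the template."
    width = max(len(name) for name, _, _ in mismatches)
    lines = [f"{'Setting':<{width}}  Template  Computer"]
    lines += [f"{name:<{width}}  {exp:>8}  {act!s:>8}" for name, exp, act in mismatches]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(parse_template(TEMPLATE_INF), CURRENT_SETTINGS)))
```

Run stand-alone it prints the five settings the constructed machine gets wrong (minimum age and length, complexity, history and lockout threshold). On a real Windows 2000 system the same comparison is what the snap-in’s Analyze step, or secedit.exe with /analyze, performs against the database you saved.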

Desktop and Accessibility Options

Windows 2000 contains a number of small changes to the desktop environment in terms of both interaction and accessibility features. The desktop settings that can be controlled by a user include settings relating to the keyboard, mouse, display, sound, toolbars, and the start menu. These settings are all stored as part of the user’s profile, and are outlined individually below.

Keyboard – The keyboard applet in Control Panel controls settings relating to keyboard functionality including cursor blink rate, character repeat rate and delay, as well as another place from which to control input locales, as discussed earlier.

Mouse – Allows you to control hand-orientation of the mouse, as well as pointer, motion, double-click speed, and hardware.

Display – Allows configuration of the background display, screen savers, window appearance, active desktop, effects (such as fade or scroll) as well as color configuration and screen area resolution.

Sounds and Multimedia – Allows configuration of system sounds, volume, and schemes.

Toolbars – Windows 2000 allows you to show additional toolbars from the taskbar at the bottom of the screen. Right-click the taskbar and choose the toolbars option to allow you to view a number of different toolbars including links, an address bar, a desktop bar, the quick-launch bar (onto which you can drag shortcuts to programs you use most often), and others that you define.

Start Menu – The Start menu in Windows 2000 can be changed by dragging items on or off of it. Furthermore, the Start Menu can ‘learn’ from you, and will display only those items that you use most frequently. This feature is called personalized menus, and can be turned off. The configuration of the Start menu is handled via the Taskbar and Start Menu program, found under the Settings option on the Start menu. This allows advanced menu configuration, including the ability to show or hide the Administrative Tools, as well as the ability to expand shortcuts such as Control Panel, so that the items they contain are also visible from the menu.

Windows 2000 also supports a variety of accessibility options for users with visual, hearing, and motion impairments. These settings can be controlled from two different places – the Accessibility menu and Control Panel. The Accessibility Options applet in Control Panel allows you to set the options relating to the keyboard, sound, display, and mouse. Each is looked at below, according to tab:

Keyboard – Contains options for setting Sticky keys (where you can press combinations of keys, such as CTRL+ALT+DEL, one key at a time), Filter Keys (which will ignore brief or repeated keystrokes), and Toggle Keys (which provides a tone when you hit CapsLock, NumLock or ScrollLock).

Sounds – Contains options for setting Sound Sentry (which will display a box onscreen when the system makes a sound) and Show Sounds (which will have programs display captions for any speech or sounds made).

Display – Contains an option to display the screen fonts and colors in High Contrast, making things easier to read.

Mouse – Contains an option to set Mouse Keys, which allows your keyboard’s numeric keypad to control the pointer.

General – The General tab contains settings that allow you to control accessibility features, such as turning off features after 5 minutes of not being used, or making the settings applicable to all users on a system.

Windows 2000 also provides a few new tools on the Accessibility menu, as outlined below:

Narrator – This tool actually speaks the contents of things like menu items, text, and so forth.

On-Screen Keyboard – This tool displays the keyboard on-screen, allowing users to press buttons with the mouse instead of the physical keyboard.

Magnifier – This tool actually magnifies part of the screen by splitting it into two panes. The upper pane displays a magnified version of whatever the mouse is currently pointing at in the lower pane.

Accessibility Wizard – Essentially, this tool allows you to create a custom accessibility profile for a user, using any of the accessibility options discussed. These options can also be saved to an .acw file, and then be distributed to other users that need a similar configuration.

Note that by default, the saved .acw file will have an associated access control list that gives access only to the user who created it and the administrator. If you want any other users to use this .acw file, you will need to modify the permissions associated with it.

Windows Installer Packages

Windows 2000 includes a new service called the Windows Installer Service that is responsible for managing the installation and removal of applications. The Windows Installer service works in conjunction with a new application package format, the .msi file. An msi file is a package that contains all the necessary instructions to install an application on a computer. This includes which registry entries should be added or changed, which files should be copied to which locations, which shortcuts should be created, and so forth. This technology can allow an application to be deployed without any user intervention whatsoever. Note that the msi file doesn’t actually contain all of the files to be deployed. Instead, it contains the instructions for how the application is to be deployed. Benefits of the msi and Windows Installer method of installing software include self-healing and resilience of applications. That is, if a user were to accidentally delete or remove files associated with a deployed application, the application will go back to its installation source (assuming it is available), and will automatically fix itself.

Many applications are now distributed with setup.msi files. However, you can also create your own msi packages using a variety of software packages. The Windows 2000 CD provides a Veritas repackaging application, WinInstall LE, which can be used to create msi-based application packages.

If you have Windows 2000 Active Directory installed, packages can be distributed via group policy to either users or computers. Although I’ll reserve going into all the details until the Server portion of the series, here are the basic details for now:

  • Packages distributed via group policy (using Active Directory) do not need elevated privileges to be installed. As such, a regular user can invoke the installation of a package without needing to be an administrator, for example.
  • Packages can be assigned or published to users or computers via group policy. If assigned to a computer, the package is installed when the computer reboots. If assigned to a user, the package is not installed, but appears to be (as a shortcut on the start menu). When the user clicks the shortcut, the package is installed. If published to a user, the software is available to be installed via Add/Remove programs (or automatically when the user clicks on a file extension associated with that program). Packages cannot be published to a computer.
  • If a program cannot be repackaged, it can still be deployed via group policy with a .zap file. A zap file is a text file that contains instructions on how to install an application. A user needs elevated privileges to install an application deployed with a zap file. A zap file can only be used to publish an application to a user.

User Profiles

Windows 2000 maintains a user’s desktop configuration and environment settings in what is called a user profile. Settings found in a user profile include things like the wallpaper the user has set, the placement of the icons on their desktop, mouse settings and so forth. In Windows 2000, a user’s profile can be found under the folder Documents and Settings, in a folder that maps to their user name.

If the system has been upgraded from NT 4, however, profiles will still be found under the %systemroot%\profiles folder. By default, all user profiles are local. That means that when a user logs on to a system for the first time, they receive a new profile, and any changes they make are stored on that machine only. By contrast, you can also store user profiles on a server so that they follow users as they move from machine to machine. These are referred to as roaming profiles. When a user logs off a system, their settings (including any changes they have made) are saved back to the central server. Note that certain folders, such as My Pictures and My Documents, are part of the user profile. As such, if you are using roaming profiles and a user has a number of large files in these folders, it can cause significant network disruption. However, Windows 2000 does keep a locally cached copy of roaming profiles on a system, so if a user has a large roaming profile and usually uses the same machine, only the changes are copied back and forth, not the entire profile every time they log on.

Roaming profiles are configured in the properties of a user account (on the Profile tab), by providing a UNC path to where the profile is stored, such as \\server2\profiles\dan. To make things simpler, consider setting user accounts up for roaming profiles using the %username% variable instead of the actual user name. This will automatically create a profile location on the server with the same name as that of the user (if you do this and the target volume is formatted NTFS, only the administrator and the user will have full control over the profile by default). If you want to take an existing local profile and change it to roaming, you must set the properties on the user account as mentioned above, as well as copy the local profile to the server using the Copy To button on the Profiles tab in the System program.

As in NT 4, you can still make a profile mandatory (unchangeable) by renaming the Ntuser.dat file in the profile to Ntuser.man.

Recovery Console

Windows 2000 provides the ability to access an advanced troubleshooting environment referred to as the Recovery Console. This tool, which is not installed by default, can be installed by running the winnt32 /cmdcons command. This option provides a command-line interface, similar to DOS, but with a more limited command set available. The Recovery Console will allow you to start and stop services, fix the master boot record, replace files, and so forth. However, there are certain things it will not allow you to do, such as edit a file. If you needed to do this, you would have to copy the file to a floppy, and edit it on another system. If you have not installed the Recovery Console in advance and need to use it, it can still be accessed by booting the system using the Windows 2000 CD, choosing the option to repair Windows 2000, and then starting the Recovery Console.

If already installed, you can access the Recovery Console by rebooting and choosing the Recovery Console option from the boot loader menu. After it starts, you must log on with the local administrator account name and password. Remember that the recovery console provides access only to a limited set of commands, such as fixmbr (to fix the master boot record), format, disable (service or device driver) and so forth. For a complete list of supported commands, see this recovery console command reference.

System Startup Options

Some of the familiar startup options from NT 4, along with a whole range of other options that you may be familiar with from Windows 9x, are now available in Windows 2000. Pressing F8 when prompted during the boot process accesses the advanced startup menu. Many of the options are useful if a system is not capable of booting correctly due to driver and service issues. The list below outlines the choices you will be presented with and their associated uses.

  • Safe Mode: Boots Windows 2000 using the minimum required system files and device drivers.
  • Safe Mode with Networking: As above, but including networking support.
  • Safe Mode with Command Prompt: Same as Safe Mode, except that it boots to the command prompt instead of the GUI.
  • Enable Boot Logging: Starts all drivers and services, and logs details to a file called Ntbtlog.txt in the %systemroot% directory (this file is also created when any of the safe mode options are chosen – it can be an important source of troubleshooting information).
  • Enable VGA Mode: Boots Windows 2000 normally, but with a VGA display driver.
  • Last Known Good Configuration: Boots Windows 2000 using the last known good registry configuration, which would have been created at the last successful logon. This option should be used prior to attempting an emergency repair using the ERD.
  • Directory Services Restore Mode: For domain controllers only, this option is used to restore the Active Directory and/or the Sysvol folder.
  • Debugging Mode: Boots the system normally, but sends debugging information to another system connected via a serial cable.

Data Backup and Recovery

Data backup and recovery in Windows 2000 is accomplished via the Backup program, ntbackup.exe. The new program includes the ability to back up to different types of media (tape drive, CDR, zip drive, etc), as well as the ability to have backups span media (multiple zip drives, etc). Perhaps the greatest benefit is the ability to schedule a backup – something that was sorely missing (unless you wrote a batch file and scheduled it with the AT command) in NT 4 – in Windows 2000 this is done via integration with the Task Scheduler. Backup and restore operations can be carried out by explicitly choosing files and folders if you’re familiar with the process, or by a wizard if you are not.

In order to back up files and folders, you must have appropriate rights and / or permissions. Users may back up their own files, as well as those to which they have the NTFS Read permission. Users may only restore their own files or ones to which they have the NTFS Write permission. Administrators and members of the Backup Operators group have the right to back up and restore files (as do Server Operators on a server), including those to which they have no access.

There are 5 different types of backups you should know about. Note that some backups set or clear a ‘marker’. The marker is the archive attribute on the file or folder being backed up. The 5 types of backups are looked at below:

  • Normal: Backs up all selected files and folders, and clears all markers.
  • Differential: Backs up all selected files and folders that have changed since the last Normal backup, and does not clear markers.
  • Incremental: Backs up all selected files and folders that have changed since the most recent Incremental or Normal backup. It does clear markers.
  • Copy: Copies all selected files and folders, and does not clear markers.
  • Daily: Backs up all selected files and folders that have changed on that day, and does not clear markers.

Remembering the backup types is easy. Using a Differential backup strategy means that backups take a little longer, but restores tend to be quicker. An Incremental backup strategy generally means faster backups and a lengthier restore period.
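The interplay between the five backup types and the archive marker is easier to see when it is simulated. The following is an added example (not code from the article or from ntbackup itself): a toy volume that records each file’s archive attribute and modification date, a function that selects files and clears markers the way each backup type does, and a function that works out which backup sets a restore would need, reproducing the differential-versus-incremental trade-off described above. File names and dates are constructed.

```python
# Added example (not the article's or Microsoft's code): a simulation of the
# five ntbackup backup types and of the archive attribute ("marker") that
# drives them. Files live in a dict of name -> {"archive": bool, "mtime": date};
# Windows sets the archive attribute whenever a file is created or modified,
# and only Normal and Incremental backups clear it.
from datetime import date, timedelta

NORMAL, DIFFERENTIAL, INCREMENTAL, COPY, DAILY = (
    "normal", "differential", "incremental", "copy", "daily")


class Volume:
    """A toy NTFS volume tracking only the attributes the backup types look at."""

    def __init__(self):
        self.files = {}

    def write(self, name, day):
        """Create or modify a file on `day`; the write sets the archive marker."""
        self.files[name] = {"archive": True, "mtime": day}


def run_backup(volume, kind, today):
    """Return the sorted names in the backup set and update markers afterwards.

    Differential and Incremental both select on the marker, i.e. on files
    changed since the last backup that cleared it; in an unmixed strategy that
    is exactly "since the last Normal (and, for Incremental, the last
    Incremental) backup", as the article puts it.
    """
    if kind in (NORMAL, COPY):
        selected = list(volume.files)
    elif kind in (DIFFERENTIAL, INCREMENTAL):
        selected = [n for n, f in volume.files.items() if f["archive"]]
    elif kind == DAILY:
        selected = [n for n, f in volume.files.items() if f["mtime"] == today]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in (NORMAL, INCREMENTAL):          # the only two types that clear markers
        for name in selected:
            volume.files[name]["archive"] = False
    return sorted(selected)


def restore_sets(history):
    """Return the backup sets needed to restore to the state after the last
    backup in `history` (a list of (kind, files) in the order taken): the last
    Normal, then every Incremental after it, or only the newest Differential.
    """
    last_normal = max(i for i, (kind, _) in enumerate(history) if kind == NORMAL)
    later = history[last_normal + 1:]
    incrementals = [b for b in later if b[0] == INCREMENTAL]
    differentials = [b for b in later if b[0] == DIFFERENTIAL]
    if incrementals and differentials:
        raise ValueError("mixed Incremental/Differential chains are not modelled")
    needed = [history[last_normal]] + incrementals
    if differentials:
        needed.append(differentials[-1])
    return needed


def week_scenario(kind):
    """Normal on Monday, then `kind` Tue-Thu with one new file per day.

    Returns (history, sets needed to restore Thursday's state)."""
    volume = Volume()
    monday = date(2000, 2, 14)                  # constructed date (a Monday)
    for name in ("a.doc", "b.doc"):
        volume.write(name, monday)
    history = [(NORMAL, run_backup(volume, NORMAL, monday))]
    for offset, name in enumerate(("c.doc", "d.doc", "e.doc"), start=1):
        day = monday + timedelta(days=offset)
        volume.write(name, day)
        history.append((kind, run_backup(volume, kind, day)))
    return history, restore_sets(history)


if __name__ == "__main__":
    for kind in (DIFFERENTIAL, INCREMENTAL):
        history, needed = week_scenario(kind)
        print(kind, "sets:", [files for _, files in history],
              "-> restore needs", len(needed), "sets")
```

Running it shows the differential sets growing each day (c, then c and d, then c, d and e) but a restore needing only two sets, while the incremental sets stay one file each and a restore needs all four. Copy and Daily leave the markers alone, so they can be slipped in without disturbing either chain.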

Monitoring Server Performance

A familiar tool still exists in Windows 2000 for monitoring performance, although it now carries a new name. The Performance tool is actually a combination of two different MMC snap-ins: System Monitor, and Performance Logs and Alerts. Combined, they essentially form Performance Monitor from NT 4.

Performance Logs and Alerts allows you to configure both logs (which collect information on performance counters you specify) and alerts (which allow you to specify a course of action once the thresholds you define are reached). A log records data over a period of time, and is usually used for analysis purposes, such as tracking resource usage trends and creating baseline measurements. You can later import this logged data into a spreadsheet or the System Monitor program for analysis. Two types of logs exist: Counter logs and Trace logs. A Counter log measures object performance counters at defined intervals. A Trace log is mostly used for debugging or error tracking, and records data only when certain events (such as a page fault) occur. Note that running logs appear with a green icon, and that stopped logs appear in red. Alerts can also be configured according to when a certain threshold is reached. For example, you could set an alert to be triggered when processor utilization exceeds 80 percent. Further to this, you can control what happens when the alert is triggered.
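As an added example (not code from the article or from the Performance tool), the block below does offline what a counter log and an alert do on a live system: it parses a constructed counter log in the general shape of an exported CSV (a timestamp column followed by one column per counter), computes a baseline average for a counter, and evaluates the 80 percent processor threshold from the text, calling a supplied action for each sample that trips it. The computer name, counter values and timestamps are made up.

```python
# Added example (not the article's or Microsoft's code): evaluating counter-log
# samples against an alert threshold the way Performance Logs and Alerts does,
# plus a baseline figure of the kind a counter log is kept for. The CSV below
# is constructed in the general shape of an exported counter log (a timestamp
# column followed by one column per counter); the 80 percent processor
# threshold is the one the text uses.
import csv
import io
from statistics import mean

COUNTER_LOG_CSV = r'''"(PDH-CSV 4.0)","\\WS1\Processor(_Total)\% Processor Time","\\WS1\Memory\Pages/sec"
"02/14/2000 09:00:00.000","12.5","3.1"
"02/14/2000 09:00:15.000","35.0","4.0"
"02/14/2000 09:00:30.000","81.0","2.2"
"02/14/2000 09:00:45.000","92.5","9.8"
"02/14/2000 09:01:00.000","40.0","1.5"
"02/14/2000 09:01:15.000","85.0","6.3"
'''


def parse_counter_log(text):
    """Return (counter names, samples); samples is a list of
    (timestamp, {counter: value}) in log order."""
    rows = list(csv.reader(io.StringIO(text)))
    counters = rows[0][1:]
    samples = [(row[0], dict(zip(counters, map(float, row[1:])))) for row in rows[1:]]
    return counters, samples


def baseline(samples, counter):
    """Average of one counter over the whole log: a baseline for later comparison."""
    return mean(values[counter] for _, values in samples)


def evaluate_alert(samples, counter, limit, over=True):
    """Return the (timestamp, value) samples that trip the alert.

    Mirrors the alert dialog: trigger when the value is over `limit`
    (over=True) or under it (over=False)."""
    trips = []
    for stamp, values in samples:
        value = values[counter]
        if (value > limit) if over else (value < limit):
            trips.append((stamp, value))
    return trips


def run_alert(samples, counter, limit, action):
    """Invoke `action` once per trip, standing in for the alert's configured
    action (for example logging an entry to the application event log).
    Returns the number of times the alert fired."""
    trips = evaluate_alert(samples, counter, limit)
    for stamp, value in trips:
        action(f"{stamp}: {counter} = {value} exceeds {limit}")
    return len(trips)


if __name__ == "__main__":
    counters, samples = parse_counter_log(COUNTER_LOG_CSV)
    cpu = counters[0]
    print(f"baseline {cpu}: {baseline(samples, cpu):.1f}%")
    run_alert(samples, cpu, 80, print)
```

With the constructed samples the processor baseline works out to roughly 58 percent, and the alert fires three times (81.0, 92.5 and 85.0), which is the kind of result you would compare against the baseline before deciding whether a threshold is set sensibly.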

Optimizing and Troubleshooting Server Performance

Optimizing the performance of the Windows 2000 Professional desktop is a rather simple affair. The main configuration option is the Performance Options section on the Advanced tab of the System Properties.

Usually we want to optimize performance for applications on Windows 2000 Professional (default) and for background services on Server (default).

However, another area to consider when configuring for performance is the system’s virtual memory, or page file settings. In Windows 2000, the page file size is automatically set to 1.5 times the amount of RAM present in the system by default, but this can be changed. The page file exists physically as the file pagefile.sys in your %systemroot% partition (the partition containing your WINNT directory). To improve page file performance consider moving it to a partition other than the system or boot partition, split evenly across multiple physical disks (except the system or boot partitions), or on its own fast under-utilized drive. Also consider setting the initial and maximum paging file sizes to the same value to avoid the performance costs associated with dynamically resizing the page file on the fly.

As far as application performance and responsiveness is concerned, applications can still be configured to run at different priorities. This can be controlled either by starting an application from the command line (using the start command with the /low, /belownormal, /normal, /abovenormal, /high, or /realtime switches), or by changing an application’s priority using Task Manager. Only an administrator can set a program to run using the realtime priority.

Task Manager still allows familiar features, including the ability to start or stop applications or processes, as well as get quick statistics with respect to memory and processor usage. The program now also includes the ability to view the difference between user mode and kernel mode resource usage with the Show Kernel Times option on the View menu. Kernel mode resource usage will appear in red.

Synchronizing Offline Files

While we’ve already discussed the offline caching of files, this section involves a look at the synchronization settings relating to offline files and how they can be configured and controlled. Synchronization Manager allows you to control how and when offline files are synchronized. You can find the utility via the Synchronize option on the Tools menu in Windows Explorer. Options include synchronizing offline files, folders, and web pages at logon/logoff, when the system is idle, or at a scheduled time. You may, for example, choose only to synchronize a certain folder, instead of all offline items. You can also control whether synchronization occurs based on the type of connection. For example, you may want to synchronize when connected via the LAN, but not when connected via a dial-up connection.

The Synchronization process also handles file conflicts. For example, let’s say that you synchronize a directory and then disconnect your system from the network (a laptop). If you change a file while offline, Windows 2000 will automatically replace the network version with your newer version once you reconnect and synchronize, assuming the network version hadn’t changed. If another user had also changed it while you were offline, Synchronization Manager would ask how you would like to proceed. It allows you to view both copies of the file, and decide on an appropriate course of action. You could keep both files (renaming one), overwrite the network copy with yours, or overwrite your copy with the new network copy.
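The conflict handling just described amounts to a small set of rules. The block below is an added example (not code from the article or from Synchronization Manager) that applies them to a whole cached folder: a file changed only on the share is pulled, one changed only offline is pushed, and one changed on both sides is reported as a conflict and settled by the caller’s choice of keep both, keep mine, or keep the network copy. The three folder states are constructed, and the "(conflict)" rename used for the keep-both case is an assumed naming scheme, not the exact name Windows gives the renamed copy.

```python
# Added example (not the article's or Microsoft's code): the reconciliation
# rules the text describes for offline files, applied to a whole cached folder.
# Each copy of a file is represented by its content string; `base` is what was
# cached when the laptop went offline, `local` is the offline copy after edits,
# `network` is the share's copy at synchronization time. The "(conflict)"
# rename is an assumed naming scheme, not the exact name Windows uses.
KEEP_BOTH, KEEP_MINE, KEEP_NETWORK = "keep both", "keep mine", "keep network"


def reconcile(name, base, local, network):
    """Decide what synchronization does with one file.

    Returns (action, files to write to the share)."""
    local_changed = local != base
    network_changed = network != base
    if not local_changed:
        # Nothing to push; pick up the network version (possibly unchanged).
        return ("pull" if network_changed else "unchanged", {name: network})
    if not network_changed:
        # Only we changed it: the newer offline copy replaces the share's copy.
        return ("push", {name: local})
    # Both sides changed while we were offline: leave the share alone until
    # the user has looked at both copies and chosen.
    return ("conflict", {name: network})


def resolve_conflict(name, choice, local, network):
    """Apply the user's choice from the conflict dialog; returns share contents."""
    if choice == KEEP_BOTH:
        stem, dot, ext = name.rpartition(".")
        renamed = f"{stem} (conflict){dot}{ext}" if dot else f"{name} (conflict)"
        return {name: network, renamed: local}
    if choice == KEEP_MINE:
        return {name: local}
    if choice == KEEP_NETWORK:
        return {name: network}
    raise ValueError(f"unknown choice: {choice}")


def synchronize(base, local, network, choose):
    """Synchronize every cached file; `choose(name, local, network)` is asked
    only for conflicts and returns one of the KEEP_* values.

    Assumes the same file names exist in all three folders (no deletions).
    Returns (new share contents, names that were in conflict)."""
    share = dict(network)
    conflicts = []
    for name in sorted(base):
        action, files = reconcile(name, base[name], local[name], network[name])
        if action == "conflict":
            conflicts.append(name)
            files = resolve_conflict(name, choose(name, local[name], network[name]),
                                     local[name], network[name])
        share.update(files)
    return share, conflicts


if __name__ == "__main__":
    # Constructed folder states: a.doc changed only on the share, b.doc only
    # offline, c.doc on both sides.
    base = {"a.doc": "v1", "b.doc": "v1", "c.doc": "v1"}
    local = {"a.doc": "v1", "b.doc": "edited offline", "c.doc": "edited offline"}
    network = {"a.doc": "v2", "b.doc": "v1", "c.doc": "edited by colleague"}
    share, conflicts = synchronize(base, local, network, lambda *_: KEEP_BOTH)
    print(conflicts, share)
```

The important property is that the share is only overwritten when the network copy is provably unchanged since it was cached; any other case is surfaced rather than silently resolved, which is what stops an offline edit from clobbering a colleague’s work.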