COMMAND

    NT System Policy for Win95

SYSTEMS AFFECTED

    win32

PROBLEM

    Martin Kay found the following.  IF:

        a) System Policies are in use, AND
        b) Mandatory User Profiles are in use, AND
        c) the Mandatory user profiles (*.MAN files) being used were
           created and made mandatory BEFORE the introduction of system
           policies...

    THEN, if a domain user logs on to the domain and adds a space (" ")
    after the domain name, the system policy is not downloaded or put
    into effect on the PC concerned.  Any security restriction in the
    policy is not in place.

    Cause:
    1) Mandatory user profiles are read-only.  System Policies change
       registry settings "on the fly".  Without mandatory profiles, the
       system policy updates the user profile, and the security
       limitations remain in effect thereafter because the user profile
       is saved back to the profile directory (either roaming or local).

    2) This does not explain WHY policies are not applied when logging
       on with a space after the domain name.

    Shawn Wright added the following.  There are more permutations of
    this problem, which, according to Microsoft, have no solution, and
    this is why no one should any longer run Win95 public workstations.
    In one case, with System Policies stored in the DC Netlogon shares,
    any user can bypass policies by entering a valid domain
    user/password but changing the Domain to *anything* other than the
    correct domain name.  A significant delay occurs (10-20 seconds),
    after which they are granted a local logon to the workstation, with
    the policy of the previous user in place.  Any persistent
    connections to network shares are restored, and any shortcuts with
    valid UNC paths will also still work, provided the username has
    permissions to these resources.  The security event logs on the DCs
    will show multiple failed logins with the phony domain name, but do
    NOT show a valid login, even though one obviously must occur to use
    the network resources.  This problem was seen with NT 4 SP3 and any
    version of Win95.  It is possible that this was rectified with SP4
    or above.  This became such a problem in Shawn's school labs that
    they were forced to upgrade all machines to NT4.
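    As an added example (not code from the advisory or from the people
    it quotes), the following Python script runs the check a defender
    would want over a constructed set of logon records: it flags attempts
    by known domain accounts whose submitted domain name is not an exact
    match for the real domain, and reports the trailing-space variant
    separately from the "any other domain name" variant described above.
    The record format, the domain name SCHOOLDOM, the user list and the
    workstation names are assumptions made for this example; real NT 4
    security event log output would need its own parser.

```python
"""Detect logon attempts whose submitted domain name does not exactly match
the expected domain.

Added example, not part of the original advisory.  The record format and
the records below are constructed for illustration and are not the NT 4
security event log format; SCHOOLDOM, the workstation names and the user
list are placeholders.  The comparison is the point: check the submitted
domain byte for byte against the canonical name, then again after
stripping whitespace and folding case, so that the trailing-space variant
and the "any other domain name" variant are reported as different kinds.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

EXPECTED_DOMAIN = "SCHOOLDOM"                  # placeholder canonical domain name
KNOWN_USERS = {"jsmith", "mkay", "swright"}    # constructed list of domain accounts

# Constructed sample records: time|result|user|domain-as-submitted|workstation.
# Note the trailing space inside the domain field on the two mkay lines.
SAMPLE_LOG = """\
09:01:02|LOGON_OK|jsmith|SCHOOLDOM|LAB01
09:03:10|LOGON_FAIL|mkay|SCHOOLDOM |LAB02
09:03:11|LOGON_FAIL|mkay|SCHOOLDOM |LAB02
09:05:40|LOGON_FAIL|swright|BOGUS|LAB03
09:05:42|LOGON_FAIL|swright|BOGUS|LAB03
09:05:44|LOGON_FAIL|swright|BOGUS|LAB03
09:07:00|LOGON_OK|guest|OTHERDOM|LAB04
"""


@dataclass(frozen=True, order=True)
class Finding:
    user: str
    workstation: str
    submitted_domain: str   # kept verbatim so a trailing space stays visible
    kind: str               # "whitespace_or_case_variant" or "foreign_domain"
    attempts: int


def classify_domain(submitted: str, expected: str = EXPECTED_DOMAIN) -> Optional[str]:
    """Return None for an exact match, otherwise which kind of mismatch it is."""
    if submitted == expected:
        return None
    # Same name once whitespace and case are ignored: the " " variant.
    if submitted.strip().casefold() == expected.casefold():
        return "whitespace_or_case_variant"
    # Anything else: the "change the Domain to *anything* other" variant.
    return "foreign_domain"


def find_policy_bypass_candidates(log_text: str,
                                  expected: str = EXPECTED_DOMAIN,
                                  known_users=KNOWN_USERS) -> List[Finding]:
    """Group mismatched-domain attempts by user, workstation and submitted domain.

    Only accounts that exist in the real domain are reported: a mismatch from
    an unknown account is an ordinary failed logon, not a sign that a real
    user is dodging the policy download.
    """
    known = {u.casefold() for u in known_users}
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, _result, user, domain, workstation = line.split("|")
        kind = classify_domain(domain, expected)
        if kind is None or user.casefold() not in known:
            continue
        counts[(user, workstation, domain, kind)] += 1
    return sorted(Finding(u, w, d, k, n) for (u, w, d, k), n in counts.items())


if __name__ == "__main__":
    for f in find_policy_bypass_candidates(SAMPLE_LOG):
        print(f"{f.user}@{f.workstation}: domain={f.submitted_domain!r} "
              f"{f.kind} x{f.attempts}")
```

    Run against the constructed records it reports mkay on LAB02 (two
    attempts, whitespace variant) and swright on LAB03 (three attempts,
    foreign domain), and ignores the guest record because that account is
    not a domain user.  Counting repeated attempts per workstation matches
    the "multiple failed logins" pattern the DC logs show in the second
    case above.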

SOLUTION

    Change the user profiles back to writeable, log on (without a space)
    to receive the system policy changes, log off, then rename the user
    profiles to .MAN.  The change has then been made in the roaming user
    profile.

    See Q237923, "Policy Not Applied Logging On Using a Space in the
    Domain Name"...