Skip to main content

Domain Controller, registry and Group Policy restrictions

More
15 years 4 months ago #28341 by SteveP
A question about networks - but not Cisco!

Let's say that I have an XP Pro client and Windows 2003 with Active Directory. I know that I can log on to the XPP client locally and the logon credentials are stored in the SAM. Further, if there are settings specific to the user (desktop background, access to CMD prompt, access to Control Panel applets etc.), they are stored in the registry under HKCU. There is an HKCU element for each user that can log on to the workstation locally and which of the individual HKCU elements is displayed in the registry depends upon the user that logs on.

If I log on to the domain, the credentials are stored on the Domain Controller and the users may be grouped in order that specific settings can be applied to individuals or groups of individuals. For instance, Group 1 might have access to Control Panel applets but Group 2 might not. As far as I'm aware, these restrictions are determined by Group Policy and are "rolled out" as the user logs on so it's irrelevant which actual PC the user has to access the network.

If my analysis thus far is correct, the question that I have is what happens in the local registry when I log on to the domain? I'm not logged on locally so is there an HKCU element displayed (assuming that I have access to the registry!)? Are settings written to the registry and, if so, are they deleted when I log off from the domain? If there are settings which are written in the registry relating to the user that logs on and they are not deleted, what happens in a college situation where many people may log on to a particular workstation throughout a week or month? Will the registry get "bloated"?

I hope that I've set out the questions clearly. Needless to say, I don't have access to a domain which would allow me to investigate directly.

Thanks for your time.
More
15 years 4 months ago #28342 by Chojin
Nothing to do with Networks imho ;)

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
More
15 years 4 months ago #28344 by KiLLaBeE
Yes, a HKCU key is still created.

Though the registry can get pretty large as more and more users sign on, I don't think it would be an issue if it got "bloated." Besides, the registry is essentially a database, and databases are designed to hold lots of information. The number of user profiles on the computer would probably be slightly a larger issue but XP should still be able to handle it.
More
15 years 3 months ago #28350 by SteveP
Thank you KiLLaBeE, that's interesting.

I know that the registry is basically a large database which includes, among other things, configurations which are user-specific and machine-specific. I'm amazed that a new HKCU element is created for every new user that logs on to the domain with a particular workstation. I attend a college and suspect there are several thousand students and staff. My question was essentially asking about whether the registry would get overfull and, if so, would there would be any reason (in a real life network) to clear out the registry on client machines. I know that a new "virgin" image of the OS can be loaded on the clients and suspect that this might be an annual job for the IT staff during the summer holiday.
More
15 years 3 months ago #28351 by S0lo
hmm, I'm not sure if all user data gets loaded into the registry (essentialy memory), But I really don't think so. Here is why and I might be wrong.

The registry database is stored in separate hive files in the Windows\System32\Config\ folder:

Sam: HKEY_LOCAL_MACHINE\SAM
Security: HKEY_LOCAL_MACHINE\SECURITY
Software: HKEY_LOCAL_MACHINE\SOFTWARE
System: HKEY_LOCAL_MACHINE\SYSTEM
Default: HKEY_USERS\.DEFAULT

Note that these files don't have extensions.

The user data/settings are however stored in different locations Documents and Settings\<user_name>\ntuser.dat (for HKEY_CURRENT_USER) and Documents and Settings\<user_name>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (for HKEY_CURRENT_USER\Software\Classes). As far as I can recall, the ntuser.dat file has a copy on the AD roaming profile of each user which are syncronized each time a user logon and logoff.

Now, if we assume that we have 10000 users in Active Directory. And 300 users frequently login and logoff a public PC (like a lab in college or something). Loading all those ntuser.dat files for all users into memory would definitly cause a performance hit. I personaly work in such an environment with more than 250 students and I don't recall noticing any slowness or excesive memory usage. The only delay I get is when a user logs into a PC for the first time were his 50Mb or more profile is cached into the PC. I simply don't think Windows is dumb enough to load all registry profiles into memory at once. It makes sence only to load the loged in user profile.

Any other ideas...?

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
15 years 3 months ago #28354 by SteveP
Well, that's certainly a different proposition to what KiLLaBeE suggested!

I suppose it would be easy for someone to look at a few client PCs and examine the registry. As far as I know, all local users have an entry in HKEY_USERS and the relevant part is copied into HKEY_CURRENT_USER when a particular user logs on. If KiLLaBeE (and my understanding of how the registry works) is/are correct, shouldn't there be a whole load of entries (50, 100, 200, more?) in HKEY_USERS? On my XP Pro SP3, they all start S-1-5-18 through to S-1-5-21 and, after the latter ones, there is a whole string of digits, separated by hyphens. There are about 8 entries in my standalone PC which has never connected to a domain.
Time to create page: 0.155 seconds