Category: At least Windows Server 2003
Set SYSVOL share compatibility
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. When this setting is disabled or not configured the SYSVOL share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default the SYSVOL share will grant shared read access to files on the share when exclusive access is requested. Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the SYSVOL share can lock the files by requesting exclusive read access which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files and in general the availability of the SYSVOL share on the domain will be decreased. If you enable this policy setting domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
Set Netlogon share compatibility
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. If you disable or do not configure this policy setting the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default the Netlogon share will grant shared read access to files on the share when exclusive access is requested. Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files and in general the availability of the Netlogon share on the domain will be decreased. If you enable this policy setting domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
Specify maximum log file size
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default the maximum size of the log file is 20MB. If you enable this policy setting the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. If you disable or do not configure this policy setting the default behavior occurs as indicated above.
Specify log file debug output level
This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default no debug information is logged. If you enable this policy setting and specify a non-zero value debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. If you specify zero for this policy setting the default behavior occurs as described above. If you disable this policy setting or do not configure it the default behavior occurs as described above.
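The two Net Logon logging settings above (maximum log file size and debug output level) are easiest to reason about when you can see the values a domain controller is actually running with. The following PowerShell is an added example and is not part of this policy reference. The log path %windir%\debug\netlogon.log, the 20MB default and the 536936447 (0x2000FFFF) verbose value come from the policy text; the registry value names DBFlag and MaximumLogFileSize under the Netlogon\Parameters key, and the nltest /dbflag switch, are taken from Microsoft's documented Netlogon debug-logging guidance and are assumptions relative to this page.

```powershell
# Added example (not from the policy reference): inspect and enable Net Logon debug
# logging on a domain controller.
# Assumed (documented elsewhere by Microsoft, not on this page): the DBFlag and
# MaximumLogFileSize values under Netlogon\Parameters and the nltest /dbflag switch.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NetlogonLog    = Join-Path $env:windir 'debug\netlogon.log'   # path from the policy text
$VerboseFlag    = 536936447                                      # 0x2000FFFF, from the policy text
$DefaultMaxSize = 20MB                                           # default rollover size, from the policy text

function ConvertTo-DebugFlag {
    # DBFlag may be stored as a DWORD or as a hex string such as "0x2000ffff";
    # normalise both forms to an integer so the report is consistent.
    param([object]$Raw)
    if ($null -eq $Raw) { return 0 }
    if ($Raw -is [string]) { return [Convert]::ToInt64(($Raw -replace '^0x', ''), 16) }
    return [int64]$Raw
}

function Get-NetlogonDebugState {
    # Reports the effective debug flag, the configured maximum size and how full
    # netlogon.log is relative to the point where it rolls over to netlogon.bak.
    $p    = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $flag = ConvertTo-DebugFlag -Raw $(if ($p) { $p.DBFlag } else { $null })
    $max  = if ($p -and $null -ne $p.MaximumLogFileSize) { [int64]$p.MaximumLogFileSize } else { $DefaultMaxSize }
    $size = if (Test-Path $NetlogonLog) { (Get-Item $NetlogonLog).Length } else { 0 }
    [pscustomobject]@{
        DebugFlag       = ('0x{0:X8}' -f $flag)
        LoggingEnabled  = ($flag -ne 0)
        MaxLogFileBytes = $max
        CurrentLogBytes = $size
        PercentOfMax    = [math]::Round(100 * $size / $max, 1)
    }
}

function Enable-NetlogonDebugLogging {
    # Sets the verbose flag via nltest (which restarts nothing and takes effect
    # immediately) and the rollover size directly in the registry. Run elevated.
    param(
        [int64]$Flag            = $VerboseFlag,
        [int64]$MaxLogFileBytes = $DefaultMaxSize
    )
    & nltest.exe ('/dbflag:0x{0:X8}' -f $Flag) | Out-Null
    New-ItemProperty -Path $NetlogonParams -Name MaximumLogFileSize -PropertyType DWord `
        -Value ([int]$MaxLogFileBytes) -Force | Out-Null
    Get-NetlogonDebugState
}

function Disable-NetlogonDebugLogging {
    # Zero restores the default "no debug information is logged" behaviour.
    & nltest.exe '/dbflag:0x0' | Out-Null
    Get-NetlogonDebugState
}

# Usage (elevated, on a DC):
Get-NetlogonDebugState
# Enable-NetlogonDebugLogging -MaxLogFileBytes 100MB
# Disable-NetlogonDebugLogging
```

Because the log is truncated once it reaches the configured maximum, Get-NetlogonDebugState reports PercentOfMax so an operator collecting the log for an investigation can see whether the window of retained events is about to roll over; size the file to the available storage and the expected event rate rather than leaving the default if verbose logging will stay on for long.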
Certificate Templates
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited.
— If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited.
— If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted.
When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
Allow cross-forest user policy and roaming user profiles
This policy setting allows user-based policy processing, roaming user profiles and user object logon scripts for interactive logons across forests. This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. If you do not configure this policy setting:
- No user-based policy settings are applied from the user’s forest.
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user and an event log message (1529) is posted.
- Loopback Group Policy processing is applied using the Group Policy Objects (GPOs) that are scoped to the computer.
- An event log message (1109) is posted stating that loopback was invoked in Replace mode.
If you enable this policy setting the behavior is exactly the same as in Windows 2000: user policy is applied and a roaming user profile is allowed from the trusted forest. If you disable this policy setting the behavior is the same as if it is not configured.
Turn off Application Compatibility Engine
This policy controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes or displays an Application Help message if the application has a known problem. Turning off the application compatibility engine will boost system performance. However this will degrade the compatibility of many popular legacy applications and will not block known incompatible applications from installing. (For instance: this may result in a blue screen if an old anti-virus application is installed.) The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second and the performance of the loader is essential. NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting please reboot to ensure that your system accurately reflects those changes.
Remove Program Compatibility Property Page
This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. Enabling this policy setting removes the property page from the context-menus but does not affect previous compatibility settings applied to applications using this interface.
Prevent access to 16-bit applications
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components ntvdm.exe must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running any subsequent 16-bit applications launch faster but overall resource usage on the system is increased. If the status is set to Enabled the MS-DOS subsystem is prevented from running which then prevents any 16-bit applications from running. In addition any 32-bit applications with 16-bit installers or other 16-bit components cannot run. If the status is set to Disabled the MS-DOS subsystem runs for all users on this computer. If the status is set to Not Configured the OS falls back on a local policy set by the registry DWORD value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0 this prevents all 16-bit applications from running. If that value is 0 16-bit applications are allowed to run. If that value is also not present on Windows 8.1 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and downlevel the OS will allow 16-bit applications to run. Note: This setting appears in only Computer Configuration.
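The Not Configured branch above is a three-way decision (policy state, then the local DWORD, then the OS version), which is easy to get wrong when auditing whether ntvdm.exe can actually start on a server. The following PowerShell is an added example and is not part of this policy reference: it implements that decision tree exactly as the text states it. The registry key and value name come from the policy text; the policy state itself is supplied by the caller (for example from a gpresult or RSoP review) rather than looked up, and the OS version boundary assumes Windows 8.1 reports as NT 6.3.

```powershell
# Added example (not from the policy reference): compute the effective outcome for
# 16-bit (ntvdm.exe) launches from the policy state plus the local fallback value
# named in the policy text. Only the fallback value and OS version are read locally.
$WowKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'   # key from the policy text

function Get-Effective16BitPolicy {
    param(
        # Policy state as determined by the caller (e.g. from an RSoP/gpresult report).
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$PolicyState = 'NotConfigured',
        # Optional overrides so the logic can be exercised without touching a real system.
        [object]$DisallowedPolicyDefault = $null,
        [version]$OsVersion = $null
    )

    switch ($PolicyState) {
        'Enabled'  { return 'Blocked: the MS-DOS subsystem is prevented from running for all users' }
        'Disabled' { return 'Allowed: the MS-DOS subsystem runs for all users' }
    }

    # Not Configured: fall back on the local DWORD under Control\WOW.
    if ($null -eq $DisallowedPolicyDefault) {
        $item = Get-ItemProperty -Path $WowKey -Name DisallowedPolicyDefault -ErrorAction SilentlyContinue
        $DisallowedPolicyDefault = if ($item) { $item.DisallowedPolicyDefault } else { $null }
    }
    if ($null -ne $DisallowedPolicyDefault) {
        if ([int]$DisallowedPolicyDefault -ne 0) { return 'Blocked: DisallowedPolicyDefault is non-zero' }
        return 'Allowed: DisallowedPolicyDefault is 0'
    }

    # Value absent: the outcome depends on the OS version (assumption: Windows 8.1 = NT 6.3).
    if ($null -eq $OsVersion) {
        $OsVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    }
    if ($OsVersion -ge [version]'6.3') {
        return 'Prompt: the 16-bit application support control panel is launched for an elevated administrator'
    }
    return 'Allowed: downlevel OS runs 16-bit applications'
}

# Usage on the local machine, policy state taken from an RSoP/gpresult review:
Get-Effective16BitPolicy -PolicyState NotConfigured

# Exercising the fallback branches without a real registry read:
Get-Effective16BitPolicy -DisallowedPolicyDefault 1                              # Blocked
Get-Effective16BitPolicy -DisallowedPolicyDefault 0                              # Allowed
Get-Effective16BitPolicy -OsVersion ([version]'6.1')                             # Allowed (Windows 7)
```

For a hardened server where 16-bit code should never run, the only result that does not depend on a local value or an interactive administrator is the Enabled branch; relying on the fallback DWORD leaves the outcome changeable by anyone who can write to HKLM\SYSTEM\CurrentControlSet\Control\WOW.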