A. M. Software Services, Inc. - Knowledge Base

Managing Windows XP in a Windows 2000 Server Environment

Introduction

Deploying clients running the Windows XP operating system into a Windows 2000 Server environment provides administrators with new options, policy settings, and capabilities to manage desktops throughout an organization.

Intended for organizations that have already deployed or are planning to deploy the Active Directory service, this AMSS Insider Whitepaper helps administrators manage policy settings for computers running Windows XP, the successor to Windows 2000 Professional. Many new features of Windows XP—such as Remote Assistance, Windows Media Player, and Error Reporting—come with their own Group Policy settings that administrators can use to customize and standardize configurations for users and computers across the network.

Group Policy settings define the various components of the user's desktop environment that administrators need to manage such as the programs available to users, the programs that appear on a user's desktop, and options for the Start menu.

Managing policies is part of the IntelliMirror management technologies set, first introduced in the Windows 2000 operating system. IntelliMirror enables users' data, software, and settings to follow them throughout a distributed computing environment, whether they are online or offline. At the core of IntelliMirror are three features: User Data Management, User Settings Management, and Software Installation and Maintenance. These features may be used separately or together.

IntelliMirror policy-based management brings two important benefits:

Lower total cost of ownership for managing the desktop environment. Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis. Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.

Enhanced productivity from newly empowered users. Because users' applications, data, and settings are available to them regardless of where they log on, they can get more done. And applications can be remotely installed and upgraded.

Clients running Windows XP can be dropped directly into Active Directory and process all the same policies that currently apply to desktops running Windows 2000. New policy settings that apply only to Windows XP are ignored by any clients running Windows 2000. Verifying operating system requirements and functions of each setting is made easier with explain text contained directly in the new user interface for the Group Policy snap-in—administrators don’t have to search documentation to determine what a policy does.

What's New for Policy Settings in Windows XP

Windows XP includes improved policy setting management, enabling administrators to fine tune, manage, or simply turn off features they don’t wish to use. Administrators can deploy any of the policy settings in Windows XP from a Windows 2000 Server Active Directory.

All Windows 2000 Policies Supported on Windows XP

Windows 2000 shipped 421 policy settings, which are fully supported and, in some cases, improved in Windows XP. For example, shell settings have been improved to provide finer control over items such as the Start Menu.

New policy settings on Windows XP

With 212 new policy settings for Windows XP, organizations can choose how they wish to standardize new features such as Remote Assistance, Windows Media Player, and the Start Menu. If desired, administrators can set desktops to use the Windows 2000 classic user interface. A spreadsheet showing all policies for Windows 2000 and Windows XP, as well as advanced administrative templates that extend the power of the Group Policy Editor, can be downloaded here.

Windows XP policy settings ignored on computers running Windows 2000

New policy settings in Windows XP only work on machines running Windows XP and will be ignored by all machines running Windows 2000. In addition, machines running Windows 2000 cannot be harmed by any of the new policies that ship with Windows XP. When viewing policy settings in Windows XP, requirements of each policy setting are noted at the beginning of the explain text.

New User Interface for Managing Policy

The Group Policy snap-in takes advantage of Web view capabilities in Windows XP, making it easier for administrators to assess and verify policy settings.  Administrators can navigate to the desired policy and see text explaining its function and supported environments such as Windows XP only or Windows 2000.

Integrated Online Help

Learning and tracking policy settings is made easier with integrated, searchable Help files. In addition to the explain text included directly in the snap-in, you can get Help about a specific area by pressing F1 on your keyboard. For example, if you select the Administrative Templates node in the Group Policy snap-in and press F1, you go directly to the section for Administrative Templates where you can find links to specific HTML Help files such as the one for system.adm.

Logon Optimization in Windows XP

By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Any existing users logging on are logged on using cached credentials, which results in shorter logon times. Because the computer doesn't wait for the network to be fully started, Group Policy is applied in the background (asynchronously) once the network becomes available. Table 1 below compares how policy is processed in Windows 2000 and Windows XP Professional.

Table 1. Policy processing in Windows 2000 and Windows XP

By default, how is policy processed on the client?

| Operating system | At boot | At logon | At policy refresh |
|---|---|---|---|
| Windows 2000 | Synchronously | Synchronously | Asynchronously |
| Windows XP Pro | Asynchronously | Asynchronously | Asynchronously |

The boot time is the time it takes before a user sees the Ctrl-Alt-Delete screen. Logon time is the time it takes before users can begin working on their computer.

Asynchronous processing in Windows XP Pro enables faster boot and login times compared to synchronous processing in Windows 2000 where users must wait for all their policies to apply before they can begin a computer session. However, all Group Policy settings are still processed in full whenever a user first logs onto a machine.

Changes to some Group Policy settings can take up to three logons to become effective

Because background refresh is the default behavior in Windows XP, some policy extensions such as Software Installation and Folder Redirection may require as many as three logons to apply changes.

This behavior exists because Software Installation and Folder Redirection cannot apply during an asynchronous or background application of policy. These extensions can only apply when processed synchronously.

Here is a sample scenario showing how policies are applied:

1. An administrator deploys a software package to User A.

2. User A logs on fast and receives a background (asynchronous) application of policy.

3. Because the policy application was asynchronous, the software that was set to be installed cannot be installed at this time. Instead the machine is tagged, indicating that software needs to be installed.

4. The next time the user logs on, the machine instead logs on the user synchronously to allow the software package to be installed. (This is the same behavior as Windows 2000.) This results in one extra logon for the software to be installed.

In the case of Advanced folder redirection, because policy is evaluated based on security group membership, three logons will be required: the first logon to update the cached user object (and security group membership), the second logon for policy to detect the change in security group membership and require a foreground policy application, and the third logon to actually apply folder redirection policy in the foreground.

Changes to some user object properties may take two logons to become effective

When the fast logon optimization is enabled, all user logons are cached. The user's logon information is updated after logon, which means that changes to user object properties such as adding a roaming profile path, home directory, or user object logon script will not be detected until the second logon. At the second logon, the system detects that the user has a Roaming User Profile, HOMEDIR, or user object logon script, and disables the Fast Logon optimization for that user. (The user's machine could still experience fast boot, however.)

Reverting to Windows 2000 Logon Processing

Some administrators may wish to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon or boot cycle of the machine, which is the default state in Windows 2000. To enable this for Windows XP, administrators need to enable the setting Always wait for the network at computer startup and logon (located in the Group Policy snap-in at Computer Configuration\Administrative Templates\System\Logon).
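The logon counts described in this section, worked through as a simplified model. This is an added example, not code from the original paper: the class, field and function names are hypothetical, and the model assumes a user who has logged on to the machine before, so a cached user object exists.

```python
from dataclasses import dataclass, field

# Extensions the paper says apply only during synchronous (foreground) processing.
FOREGROUND_ONLY = {"software_installation", "folder_redirection"}

@dataclass
class Directory:
    """Hypothetical stand-in for what the administrator configured in Active Directory."""
    user_groups: frozenset = frozenset()
    user_has_profile_props: bool = False   # roaming profile path, home directory, logon script
    settings: tuple = ()                   # (extension, required security group or None)

@dataclass
class Client:
    always_wait: bool = False       # "Always wait for the network at computer startup and logon"
    cached_groups: frozenset = frozenset()
    cached_profile_props: bool = False
    tagged: bool = False            # a foreground-only extension is waiting for a synchronous logon
    applied: set = field(default_factory=set)

def logon(client, ad):
    """Process one logon and return 'synchronous' or 'asynchronous'."""
    sync = client.always_wait or client.tagged or client.cached_profile_props
    # A fast (asynchronous) logon evaluates the cached user object, not live directory data.
    groups = ad.user_groups if sync else client.cached_groups
    props = ad.user_has_profile_props if sync else client.cached_profile_props
    client.tagged = False
    for extension, group in ad.settings:
        if group is not None and group not in groups:
            continue                        # security-group filter does not match yet
        if extension in FOREGROUND_ONLY and not sync:
            client.tagged = True            # cannot apply in the background; tag the machine
        else:
            client.applied.add(extension)
    if props:
        client.applied.add("user_object_properties")
    # The cached user object is refreshed after the logon completes.
    client.cached_groups = ad.user_groups
    client.cached_profile_props = ad.user_has_profile_props
    return "synchronous" if sync else "asynchronous"

def logons_until_applied(target, ad, always_wait=False, limit=6):
    """Count logons until `target` is in effect; None if not within `limit`."""
    client = Client(always_wait=always_wait)
    for n in range(1, limit + 1):
        logon(client, ad)
        if target in client.applied:
            return n
    return None
```

Calling `logons_until_applied` with and without `always_wait=True` for a planned change shows how many logon cycles to allow before treating a missing setting as a deployment failure.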

Managing Client Computers with Windows XP Administrative Template Files

Group Policy settings that administrators specify are contained in a Group Policy object (GPO), which is in turn associated with selected Active Directory objects—sites, domains, or organizational units. Group Policy applies not only to users and client computers, but also to member servers, domain controllers, and any other Windows 2000- or Windows XP-based computers within the scope of management. To create a specific desktop configuration for a particular group of users, administrators use the Group Policy snap-in, also known as the Group Policy Editor.

In order to manage Windows XP clients, administrators need a computer running Windows XP, which comes with updated Administrative Template files (.adm). These are the files that provide policy information for items that are under the Administrative Templates folder in the console tree of the Group Policy snap-in.

Windows XP contains the following updated administrative template files:

System.adm. Used for core settings.

Wmplayer.adm. Used for Windows Media settings.

Conf.adm. Used for NetMeeting conferencing software.

Inetres.adm. Used for Internet Explorer.

Upgrading to the latest Administrative Template Files

If you have .adm files that are newer than those in the GPO, your computer will automatically update the GPO with the newer .adm files. In order to make this happen, you need to have the latest .adm files in your INF directory.

To upgrade .adm files:

1. Locate the desired .adm files on a Windows XP machine. (These are in the Windows/INF directory.)

2. Copy system.adm and any other .adm files to a file share.

3. Go to a Windows 2000-based computer and open a GPO in the Group Policy snap-in.

4. Right-click Administrative Templates and select Add/Remove Templates.

5. When the Add/Remove Templates dialog box appears, remove the Windows 2000-based .adm files and add the Windows XP-based .adm files.

6. Repeat for each GPO.
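To see in advance which templates a workstation would push into a GPO, and which workstations still hold older templates than the GPO, the following added example compares two directories of .adm files. It is not part of the original paper: the function names and directory parameters are hypothetical, and comparing by file modification time with a small tolerance is an assumption about how "newer" is decided.

```python
import os

def adm_index(directory):
    """Map lower-cased .adm file name to its modification time."""
    index = {}
    for entry in os.scandir(directory):
        # Windows file names are case-insensitive: System.adm == system.adm
        if entry.is_file() and entry.name.lower().endswith(".adm"):
            index[entry.name.lower()] = entry.stat().st_mtime
    return index

def compare_templates(local_dir, gpo_dir, tolerance=2.0):
    """Classify every template found in either directory.

    local_dir -- the workstation's INF directory (hypothetical parameter)
    gpo_dir   -- the directory holding the GPO's copy of its templates
    tolerance -- seconds of timestamp difference to ignore (assumption:
                 copies across file systems can round modification times)
    """
    local, gpo = adm_index(local_dir), adm_index(gpo_dir)
    report = {}
    for name in sorted(set(local) | set(gpo)):
        if name not in gpo:
            report[name] = "only-local"
        elif name not in local:
            report[name] = "only-in-gpo"
        elif local[name] - gpo[name] > tolerance:
            report[name] = "local-newer"   # opening the GPO here would update it
        elif gpo[name] - local[name] > tolerance:
            report[name] = "gpo-newer"     # this workstation's templates are stale
        else:
            report[name] = "same"
    return report

def stale_workstation(report):
    """True if any template in the GPO is newer than the local copy."""
    return "gpo-newer" in report.values()
```

A workstation for which `stale_workstation` returns True should receive the newer .adm files before it is used to edit that GPO.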

Best Practices

In a mixed environment, use Windows XP .adm files to administer your GPOs.

Try to apply the same policy settings to both Windows XP and Windows 2000 to allow roaming users to have a consistent experience.

Test interoperability of the various settings before deployment.

Only configure policy settings on client machines using GPOs. Do not try to create these registry values by other methods.

Verifying Policy with Resultant Set of Policy (RSoP)

With Resultant Set of Policy (RSoP), administrators can assess and predict how different policies work for a specific computer or user as well as group of computers or users. When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can be in conflict. If a conflicting policy is set, it can be difficult to track down and change. RSoP can help administrators determine the final set of policies that are applied and track down policy precedence, making troubleshooting easier.

How RSoP Works

RSoP is a query engine that polls existing policies and then reports the results of the query. It polls existing policies based on site, domain, domain controller, and organizational unit (OU). RSoP gathers this information from the CIMOM database (commonly referred to as "WMI").

In addition to checking the policies set by Group Policy, RSoP also checks Software Installation for any applications that are associated with a particular user or computer and reports the results of these queries as well. RSoP details all the policy settings that are configured by an administrator. This includes Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security, and Scripts.

Resultant Set of Policy Tools

Windows XP makes it easier to verify which policies are being applied on a specific computer. Administrators have several tools they can use to run RSoP for users and computers:

RSoP Snap-In.

GPResult Command Line Tool.

Help and Support Center RSoP Report.

Summary

Intended for organizations that have already deployed or are planning to deploy the Active Directory service, this article explains:

What's New for Policy settings in Windows XP. Windows XP ships with more than 200 new policies in addition to the 421 policies still supported from Windows 2000. Windows XP policies do not harm Windows 2000 machines; such policies are simply ignored.

Logon optimization in Windows XP. Windows XP supports fast logon, which reduces delays that may otherwise occur when logging on. Some policies such as software installation or folder redirection require extra logons to take effect.

Managing Client Computers with Windows XP. Administrators use the latest Administrative Template files in Windows XP to manage policy settings in the Windows 2000 Server Active Directory. Managing policy is made easier with a new user interface containing explain text and OS requirements for each policy. New Help files dedicated to policy settings let you search for specific policies by keyword.

Resultant Set of Policy (RSoP). Users and administrators can quickly verify which policies are in effect for a given user and a specific computer. New tools let administrators check policy settings in effect for any machine or user in a domain. Users can verify their own policy settings on their computer with a user-friendly report accessible from the Help and Support Center.

James K. Murray (MCSA, MCSD)
President
A. M. Software Services, Inc.
347.247.6680
JamesMurray@AMSoftwareServices.com
http://www.amsoftwareservices.net