Managing Windows XP in a Windows 2000 Server Environment
Published: August 01, 2001 | Updated: April 11, 2003
This article provides an overview of the policy-based management capabilities in the Microsoft Windows XP Professional operating system. It explains how administrators can use Windows XP and Windows 2000 Server to manage client computers in a Windows 2000 Server network environment.
Mohammed Samji, program manager, Microsoft Corporation.
John Kaiser, technical editor, Microsoft Corporation.
Deploying clients running the Windows XP operating system into a Windows 2000 Server environment provides administrators with new options, policy settings, and capabilities to manage desktops throughout an organization.
Intended for organizations that have already deployed or are planning to deploy the Active Directory service, this article helps administrators manage policy settings for computers running Windows XP, the successor to Windows 2000 Professional. Many new features of Windows XP—such as Remote Assistance, Windows Media Player, and Error Reporting—come with their own Group Policy settings that administrators can use to customize and standardize configurations for users and computers across the network.
Group Policy settings define the various components of the user's desktop environment that administrators need to manage such as the programs available to users, the programs that appear on a user's desktop, and options for the Start menu.
Managing policies is part of the IntelliMirror management technologies set, first introduced in the Windows 2000 operating system. IntelliMirror enables users' data, software, and settings to follow them throughout a distributed computing environment, whether they are online or offline. At the core of IntelliMirror are three features: User Data Management, User Settings Management, and Software Installation and Maintenance. These features may be used separately or together.
IntelliMirror policy-based management brings two important benefits:
Lower total cost of ownership for managing the desktop environment. Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis. Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.
Enhanced productivity from newly empowered users. Because users' applications, data, and settings are available to them regardless of where they log on, they can get more done. And applications can be remotely installed and upgraded.
Clients running Windows XP can be dropped directly into Active Directory and process all the same policies that currently apply to desktops running Windows 2000. New policy settings that apply only to Windows XP are ignored by any clients running Windows 2000. Verifying operating system requirements and functions of each setting is made easier with explain text contained directly in the new user interface for the Group Policy snap-in—administrators don’t have to search documentation to determine what a policy does.
This article explains:
What's new for policy settings in Windows XP.
Logon optimization in Windows XP.
Managing client computers using Windows XP.
Verifying policy with Resultant Set of Policy (RSoP).
What's New for Policy Settings in Windows XP
Windows XP includes improved policy setting management, enabling administrators to fine-tune, manage, or simply turn off features they don’t wish to use. Administrators can deploy any of the policy settings in Windows XP from a Windows 2000 Server Active Directory.
All Windows 2000 Policies Supported on Windows XP
Windows 2000 shipped 421 policy settings which are fully supported and, in some cases, improved in Windows XP. For example, shell settings have been improved to provide finer control over items such as the Start Menu.
New policy settings on Windows XP
With 212 new policy settings for Windows XP, organizations can choose how they wish to standardize new features such as Remote Assistance, Windows Media Player, and the Start Menu. If desired, administrators can set desktops to use the Windows 2000 classic user interface. A spreadsheet showing all policies for Windows 2000 and Windows XP accompanies this article. For more information, see the Windows XP Web site location for this article at http://go.microsoft.com/fwlink/?LinkId=22031.
Windows XP policy settings ignored on computers running Windows 2000
New policy settings in Windows XP only work on machines running Windows XP and will be ignored by all machines running Windows 2000. In addition, machines running Windows 2000 cannot be harmed by any of the new policies that ship with Windows XP. When viewing policy settings in Windows XP, requirements of each policy setting are noted at the beginning of the explain text, shown in the middle column in Figure 1 below.
Figure 1: Using the Group Policy snap-in in Windows XP
New User Interface for Managing Policy
The Group Policy snap-in takes advantage of Web view capabilities in Windows XP, making it easier for administrators to assess and verify policy settings. As shown in Figure 1 earlier, administrators can navigate to the desired policy and see text explaining its function and supported environments such as Windows XP only or Windows 2000.
Integrated Online Help
Learning and tracking policy settings is made easier with integrated, searchable Help files. In addition to the explain text included directly in the snap-in, you can get Help about a specific area by pressing F1 on your keyboard. For example, if you select the Administrative Templates node in the Group Policy snap-in and press F1, you go directly to the section for Administrative Templates where you can find links to specific HTML Help files such as the one for system.adm shown in Figure 2 below.
Figure 2: Viewing integrated online help in Windows XP
Logon Optimization in Windows XP
By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Any existing users logging on are logged on using cached credentials, which results in shorter logon times. Because the computer doesn't wait for the network to be fully started, Group Policy is applied in the background (asynchronously) once the network becomes available. Table 1 below compares how policy is processed in Windows 2000 and Windows XP Professional.
Table 1. Policy processing in Windows 2000 and Windows XP
By default how is policy processed on the client?
@ Policy Refresh
Windows XP Pro
The boot time is the time it takes before a user sees the Ctrl-Alt-Delete screen. Logon time is the time it takes before users can begin working on their computer.
Asynchronous processing in Windows XP Pro enables faster boot and login times compared to synchronous processing in Windows 2000 where users must wait for all their policies to apply before they can begin a computer session. However, all Group Policy settings are still processed in full whenever a user first logs onto a machine.
Changes to some Group Policy settings can take up to three logons to become effective
Because background refresh is the default behavior in Windows XP, some policy extensions such as Software Installation and Folder Redirection may require as many as three logons to apply changes.
This behavior exists because Software Installation and Folder Redirection cannot apply during an asynchronous or background application of policy. These extensions can only apply when processed synchronously.
Here is a sample scenario showing how policies are applied:
An administrator deploys a software package to User A.
User A logs on fast and receives a background (asynchronous) application of policy.
Because the policy application was asynchronous, the software that was set to be installed cannot be installed at this time. Instead the machine is tagged, indicating that software needs to be installed.
The next time the user logs on, the machine instead logs on the user synchronously to allow the software package to be installed. (This is the same behavior as Windows 2000). This results in one extra logon for the software to be installed.
In the case of Advanced folder redirection, because policy is evaluated based on security group membership, three logons will be required: the first logon to update the cached user object (and security group membership), the second logon for policy to detect the change in security group membership and require a foreground policy application, and the third logon to actually apply folder redirection policy in the foreground.
Changes to some user object properties may take two logons to become effective
When the fast logon optimization is enabled, all user logons are cached. The user's logon information is updated after logon, which means that changes to user object properties such as adding a roaming profile path, home directory, or user object logon script will not be detected until the second logon. At the second logon, the system detects that the user has a Roaming User Profile, HOMEDIR, or user object logon script, and disables the Fast Logon optimization for that user. (The user's machine could still experience fast boot, however.)
Reverting to Windows 2000 Logon Processing
Some administrators may wish to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon or boot cycle of the machine, which is the default state in Windows 2000. To enable this for Windows XP, administrators need to enable the setting Always wait for the network at computer startup and logon (located in the Group Policy snap-in at Computer Configuration\Administrative Templates\System\Logon).
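A read-only way to audit which computers have this setting applied, as an added PowerShell example that is not part of the original article. It assumes the setting is stored as the DWORD value SyncForegroundPolicy under the Winlogon policy key shown in the code (the article does not give the registry location); the computer names in the closing comment are constructed.

```powershell
# Added example: read-only audit of "Always wait for the network at computer
# startup and logon". Nothing is written to the registry.
# Assumption: the setting is stored as the DWORD SyncForegroundPolicy under the
# key below; confirm the name against system.adm before relying on the result.
$PolicyKey   = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyValue = 'SyncForegroundPolicy'

function Get-LogonWaitPolicy {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    foreach ($computer in $ComputerName) {
        # No policy value present means fast logon optimization (the XP default).
        $state = 'NotConfigured'
        # An empty name opens the local registry; other names need Remote Registry.
        $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $target)
            $key  = $hklm.OpenSubKey($PolicyKey)      # opened read-only
            if ($key) {
                $value = $key.GetValue($PolicyValue)
                if ($null -ne $value) {
                    if ($value -eq 1) { $state = 'Enabled' } else { $state = 'Disabled' }
                }
                $key.Close()
            }
            $hklm.Close()
        } catch {
            # Host down, access denied, or Remote Registry not running.
            $state = 'Unreachable'
        }
        New-Object PSObject -Property @{ Computer = $computer; AlwaysWaitForNetwork = $state } |
            Select-Object Computer, AlwaysWaitForNetwork
    }
}

# Local machine by default. To check others (constructed names):
# Get-LogonWaitPolicy -ComputerName 'XPCLIENT01', 'XPCLIENT02'
Get-LogonWaitPolicy
```

A computer reported as NotConfigured or Disabled uses fast logon, so the extra logons described above apply to it.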
Managing Client Computers with Windows XP Administrative Template Files
Group Policy settings that administrators specify are contained in a Group Policy object (GPO), which is in turn associated with selected Active Directory objects—sites, domains, or organizational units. Group Policy applies not only to users and client computers, but also to member servers, domain controllers, and any other Windows 2000- or Windows XP-based computers within the scope of management. To create a specific desktop configuration for a particular group of users, administrators use the Group Policy snap-in, also known as the Group Policy Editor.
In order to manage Windows XP clients, administrators need a computer running Windows XP, which comes with updated Administrative Template files (.adm). These are the files that provide policy information for items that are under the Administrative Templates folder in the console tree of the Group Policy snap-in, as shown in Figure 3 below.
Windows XP contains the following updated administrative template files:
System.adm. Used for core settings.
Wmplayer.adm. Used for Windows Media settings.
Conf.adm. Used for NetMeeting conferencing software.
Inetres.adm. Used for Internet Explorer.
Wuau.adm. Used for automatic updates.
Figure 3: Viewing Administrative Template policies in Windows XP
Upgrading to the latest Administrative Template Files
If you have .adm files that are newer than those in the GPO, your computer will automatically update the GPO with the newer .adm files. In order to make this happen, you need to have the latest .adm files in your INF directory.
To upgrade .adm files:
Locate the desired .adm files on a Windows XP machine. (These are in the Windows/INF directory.)
Copy system.adm and any other .adm files to a file share.
Go to a Windows 2000-based computer and open a GPO in the Group Policy snap-in.
Right-click Administrative templates and select Add/Remove Templates as shown in Figure 4 below.
Figure 4: Add/Remove Templates
When the Add/Remove Templates dialog box appears, remove the Windows 2000-based .adm files and add the Windows XP-based .adm files.
Repeat for each GPO.
In a mixed environment, use Windows XP .adm files to administer your GPOs.
Try to apply the same policy settings to both Windows XP and Windows 2000 to allow roaming users to have a consistent experience.
Test interoperability of the various settings before deployment.
Only configure policy settings on client machines using GPOs. Do not try to create these registry values by other methods.
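Whether the local .adm files are newer than a GPO's copies, the condition described under Upgrading to the latest Administrative Template Files, can be checked before a GPO is opened, as in the following added PowerShell example (not part of the original article). It assumes a GPO keeps its template copies in an Adm folder under its policy folder on SYSVOL; the demo folders and file dates are constructed, and Compare-AdmTemplate is a hypothetical helper name.

```powershell
# Added example: report which local .adm templates are newer than a GPO's copies.
function Compare-AdmTemplate {
    param(
        [string]$LocalPath,    # folder holding the Windows XP .adm files
        [string]$GpoAdmPath    # assumption: the GPO's Adm folder on SYSVOL
    )
    # Index the GPO's copies by file name (hashtable keys are case-insensitive).
    $stored = @{}
    Get-ChildItem -Path $GpoAdmPath -Filter *.adm |
        ForEach-Object { $stored[$_.Name] = $_.LastWriteTimeUtc }

    Get-ChildItem -Path $LocalPath -Filter *.adm | ForEach-Object {
        $state = 'Same'
        if (-not $stored.ContainsKey($_.Name)) { $state = 'NotInGpo' }
        elseif ($_.LastWriteTimeUtc -gt $stored[$_.Name]) { $state = 'LocalNewer' }
        elseif ($_.LastWriteTimeUtc -lt $stored[$_.Name]) { $state = 'GpoNewer' }
        New-Object PSObject -Property @{
            Template = $_.Name; State = $state
            Local = $_.LastWriteTimeUtc; InGpo = $stored[$_.Name]
        } | Select-Object Template, State, Local, InGpo
    }
}

# Constructed demo: two temporary folders stand in for the INF directory and the GPO.
$root  = Join-Path $env:TEMP ('admdemo-' + [guid]::NewGuid())
$local = Join-Path $root 'inf'
$gpo   = Join-Path $root 'Adm'
New-Item -ItemType Directory -Path $local, $gpo | Out-Null

foreach ($name in 'system.adm', 'wuau.adm') {
    Set-Content -Path (Join-Path $local $name) -Value '; constructed file'
    (Get-Item (Join-Path $local $name)).LastWriteTimeUtc = [datetime]'2003-04-11'
}
Set-Content -Path (Join-Path $gpo 'system.adm') -Value '; constructed file'
(Get-Item (Join-Path $gpo 'system.adm')).LastWriteTimeUtc = [datetime]'2001-08-01'

Compare-AdmTemplate -LocalPath $local -GpoAdmPath $gpo
Remove-Item -Recurse -Force $root

# Real use (placeholders in angle brackets, not values from the article):
# Compare-AdmTemplate -LocalPath (Join-Path $env:windir 'inf') `
#     -GpoAdmPath '\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Adm'
```

Templates reported as LocalNewer or NotInGpo are the ones the upgrade procedure would bring into the GPO; GpoNewer means another administrator already holds a later version.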
Verifying Policy with Resultant Set of Policy (RSoP)
With Resultant Set of Policy (RSoP), administrators can assess and predict how different policies work for a specific computer or user as well as group of computers or users. When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can be in conflict. If a conflicting policy is set, it can be difficult to track down and change. RSoP can help administrators determine the final set of policies that are applied and track down policy precedence, making troubleshooting easier.
How RSoP Works
RSoP is a query engine that polls existing policies and then reports the results of the query. It polls existing policies based on site, domain, domain controller, and organizational unit (OU). RSoP gathers this information from the CIMOM database (commonly referred to as "WMI").
In addition to checking the policies set by Group Policy, RSoP also checks Software Installation for any applications that are associated with a particular user or computer and reports the results of these queries as well. RSoP details all the policy settings that are configured by an administrator. This includes Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security, and Scripts.
Resultant Set of Policy Tools
Windows XP makes it easier to verify which policies are being applied on a specific computer. Administrators have several tools they can use to run RSoP for users and computers:
GPResult Command Line Tool.
Help and Support Center RSoP Report.
Using the RSoP Snap-In
The RSoP Snap-in lets you verify policies in effect for a given user or computer. RSoP is fully remotable, which means administrators can direct the snap-in to check policies for any computer or user on a domain.
To run the RSoP Snap-in
As Administrator, log on to your domain using Windows XP.
Click Start, Run, and type MMC. The Microsoft Management Console appears.
On the File menu, click Add/Remove Snap-in. When the Add/Remove Snap-in dialog box appears, click Add.
In the Available Standalone Snap-ins dialog box, select Resultant Set of Policy and click Add.
When the RSoP wizard welcome page appears, click Next. When the Mode Selection page appears, click Next.
When the Computer Selection page appears, you can browse for the computer for which you want to display settings. Otherwise the wizard will check RSoP for the computer on which it is being run. Click Next.
When the User Selection page appears, you can choose which user you wish to view policy settings for. (In this example, the administrator chooses the user Cynthia as shown in Figure 5 below.) Click Next.
Figure 5: Choosing a target user in the RSoP wizard
When the Summary of Selections page appears, click Next. The wizard should reach the completion page. Click Finish. Close the Add Standalone Snap-in dialog box.
On the Add/Remove Snap-in dialog box, click OK. RSoP results should appear in the console as shown in Figure 6 below.
Figure 6: RSoP results
You can expand the policy tree in the left pane and navigate to any of the policies that are in effect for the target user. In this example, as shown in Figure 7 below, RSoP shows the user Cynthia is subject to various policies enabled via the GPO Kiosklockdown.
Figure 7: Viewing enabled policies in RSoP results
Using Group Policy Results Tool (GPResult.exe) Command Line Tool
This is a command line tool that you run on the computer on which you wish to test Group Policy. Because you can apply overlapping levels of policies to any computer or user, Group Policy generates a resulting set of policies at logon. Gpresult displays the resulting set of policies that were enforced on the computer for the specified user at logon.
To run GPResult on your own computer:
Click Start, Run, and enter cmd to open a command window.
Type gpresult and redirect the output to a text file as shown in Figure 8 below:
Figure 8: Directing GPResult data to a text file
Enter notepad gp.txt to open the file. Results appear as shown in Figure 9 below.
Figure 9: Verifying policies with GPResult
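Once gp.txt exists, the applied GPOs can be pulled out of it and checked against the GPOs you expect, as in this added PowerShell example (not part of the original article). The sample text is constructed and assumes gpresult's section headings COMPUTER SETTINGS, USER SETTINGS, and Applied Group Policy Objects; Get-AppliedGpo is a hypothetical helper name.

```powershell
# Added example: list the GPOs gpresult reports as applied, per scope.
function Get-AppliedGpo {
    param([string[]]$Line)

    $scope = $null       # 'Computer' or 'User'
    $inList = $false     # true while inside an "Applied Group Policy Objects" list
    foreach ($text in $Line) {
        $t = $text.Trim()
        if     ($t -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $inList = $false }
        elseif ($t -eq 'USER SETTINGS')     { $scope = 'User';     $inList = $false }
        elseif ($t -eq 'Applied Group Policy Objects') { $inList = $true }
        elseif ($t -match '^-+$') { continue }        # underline below a heading
        elseif ($t -eq '')        { $inList = $false } # blank line ends the list
        elseif ($t -eq 'N/A')     { continue }        # no GPOs applied in this scope
        elseif ($inList -and $scope) {
            New-Object PSObject -Property @{ Scope = $scope; Gpo = $t } |
                Select-Object Scope, Gpo
        }
    }
}

# Constructed sample laid out like gpresult output; not captured from a real run.
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Kiosklockdown

'@ -split "`r?`n"

$applied = Get-AppliedGpo -Line $sample
$applied

# Check that the GPO you expect for this user actually applied.
$expected = 'Kiosklockdown'
$userGpos = @($applied | Where-Object { $_.Scope -eq 'User' } | ForEach-Object { $_.Gpo })
if ($userGpos -contains $expected) {
    "User scope: $expected applied"
} else {
    "User scope: $expected MISSING"
}

# Real use, after running "gpresult > gp.txt" as described above:
# Get-AppliedGpo -Line (Get-Content gp.txt)
```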
Help and Support Center RSoP Report
Although of limited use for administrators, users can run Help and Support Center RSoP Report on their own computers to verify policy settings. This tool provides a user-friendly report of most policies in effect on the computer on which it is run.
To open the Group Policy Help and Support Center RSoP tool:
Click Start, click Help and Support Center.
Under Pick a Task, select Use Tools to view your computer information and diagnose problems.
Click Advanced System Information, then click View Group Policy settings applied.
Note: You can also generate the report by entering the following URL in your browser: hcp://system/sysinfo/RSoP.htm#
When system information is collected, RSoP results appear on the screen. This report can be printed, saved, and sent to an administrator. In this example, the first few items in the report are shown in Figure 10 below.
Figure 10: Viewing the RSoP Report in the Help and Support Center
Developing Customized RSoP Tools
For more information about RSoP including documentation about developing RSoP tools, see the Microsoft Platform SDK at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/.
Intended for organizations who have already deployed or are planning to deploy the Active Directory service, this article explains:
What's New for Policy settings in Windows XP. Windows XP ships with more than 200 new policies in addition to the 421 policies still supported from Windows 2000. Windows XP policies will not harm Windows 2000 machines; such policies are simply ignored.
Logon optimization in Windows XP. Windows XP supports fast logon, which reduces delays that may otherwise occur when logging on. Some policies such as software installation or folder redirection require extra logons to take effect.
Managing Client Computers with Windows XP. Administrators use the latest Administrative Template files in Windows XP to manage policy settings in the Windows 2000 Server Active Directory. Managing policy is made easier with a new user interface containing explain text and OS requirements for each policy. New Help files dedicated to policy settings let you search for specific policies by keyword.
Resultant Set of Policy (RSoP). Users and administrators can quickly verify which policies are in effect for a given user and a specific computer. New tools let administrators check policy settings in effect for any machine or user in a domain. Users can verify their own policy settings on their computer with a user-friendly report accessible from the Help and Support Center.
For more information about User Profiles and Folder Redirection, see User Data and Settings Management at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpusrdat.mspx.
For more information about Resultant Set of Policy (RSoP), see the Microsoft Platform SDK at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/.
For a spreadsheet showing all policies in Windows 2000 and Windows XP, see the Windows XP Web site location for this article at http://go.microsoft.com/fwlink/?LinkId=22031.
Windows XP advanced HowTo articles will be available at http://www.microsoft.com/technet/prodtechnol/winxppro/default.mspx.
For the latest information on Windows XP, check out our Web site at http://www.microsoft.com/windowsxp/default.asp.