Importing a Security Template into a GPO
Before reading this article, make sure that you have read the first part, which explains how to get to this point: how to set up Group Policy within a new MMC, what Group Policy is, and why it’s important. In this part of the article, we cover how to import a security template into a GPO (Group Policy Object).
To import an already-existing security template into a Windows XP GPO, perform the following steps:
- In the Group Policy snap-in, select Computer Configuration => Windows Settings => Security Settings. Once you select it, you will see the security options within it in the contents pane of the MMC.
- Once you have expanded the Security Settings node, you can import. There is a known bug in the MMC, so make sure you expand to the Computer Configuration => Windows Settings => Security Settings node before doing your import.
- Right-click the Security Settings node and select Import Policy from the menu.
- The Import Policy From dialog box shows all the available templates from your %SystemRoot%\security\templates folder. (You can store more templates here as well.)
- Once you have selected a template (or browsed to where you may have others stored), click Open.
- The settings in that template will now have been imported into the Security Settings node we were just discussing.
- You can view these settings and change them if needed. Expand the Security Settings node and take a look at some of the settings that the template made.
Once you have completed the importing of the template, there is something you should know about how to make it ‘register’ and take effect. Importing a template is not considered a ‘change’, so you will need to go into the settings of the template, change something (even if you change it back), and then your new setting will take effect. Now you have successfully worked with a security template and imported it into a GPO.
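Because an import writes the template's values into the GPO, it helps to review a template file before importing it. The following is an added example, not part of the original article: it parses the INF text of a security template and lists settings that fall below a sample baseline. The sample template, the baseline thresholds and the function names are assumptions made for illustration, as is the cp1252 fallback for files without a UTF-16 byte-order mark.

```python
import configparser

# Constructed sample in the security-template INF layout; not a stock Windows template.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
"""

# Hypothetical review baseline (an assumption of this example, not a vendor standard):
# (section, key) -> (check on the integer value, message reported when the check fails)
BASELINE = {
    ("System Access", "MinimumPasswordLength"): (lambda v: v >= 8, "password length below 8"),
    ("System Access", "PasswordComplexity"): (lambda v: v == 1, "complexity not enforced"),
    ("System Access", "LockoutBadCount"): (lambda v: v > 0, "account lockout disabled"),
    ("Event Audit", "AuditLogonEvents"): (lambda v: (v & 2) != 0, "logon failures not audited"),
}

def parse_template(text):
    """Parse template text into {section: {key: value}}, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str  # registry paths and setting names stay case-exact
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def load_template(path):
    """Read a template file: a byte-order mark selects UTF-16, otherwise cp1252 is assumed."""
    with open(path, "rb") as fh:
        raw = fh.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "cp1252"
    return parse_template(raw.decode(enc))

def review(settings):
    """Return (section, key, value, message) for each defined setting that fails BASELINE."""
    findings = []
    for (section, key), (ok, message) in BASELINE.items():
        value = settings.get(section, {}).get(key)
        if value is not None and not ok(int(value)):
            findings.append((section, key, value, message))
    return findings
```

Call `review(load_template(path))` on a template file to list its findings before you import it.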
Managing a Windows XP GPO from a Windows 2000 Domain Controller
With Windows XP, you need to edit the GPO on the Windows XP system itself as doing this on a Windows 2000 system will not work. You can use the GPO on a Windows 2000 Domain Controller, but you will most likely get an error message like “Windows cannot open template file” when you try to open it. Remember though that even if you can’t see the template, it will work when applied correctly.
Local Group Policy Object
Local Policy Objects can be found on every 2000 and XP system. You can always edit the policy for the local PC. This is done by selecting the Local Computers Group Policy when constructing your MMC. This was covered in Part I of this article set.
Forcing a Group Policy Update (via the command line)
How does the system take the new policy once you have it assigned? You understand how it’s edited and where to edit it, the only difference being that an XP policy can be pushed from 2000 but must be made on an XP system. So what about forcing it out or doing it via the command line? Since you will most likely want your policy to take effect immediately (don’t you want to see the effects of all your hard labor up to now?), you will need to force it, as Group Policy is updated via Active Directory every 90 minutes, which is a long time to wait. It’s set this way as the default. If you want to have it take effect immediately, you will need to force it. To do so, open up a Command Prompt and type:
If you want to force an update, you can type:
Gpupdate /target:computer /force
Viewing the Resultant Set of Policy
So now you have built your MMC, added Group Policy, edited it and forced it out. What’s next? Well, you will most likely want to know what the result of those policies is, no? One thing you should consider is that because you are able to put policies at varying levels of the hierarchy (for example, you can have a policy set at the Domain level and then also have individual ones set up at the OU level), you may get confused as to what the ‘results’ of those policies are. Windows XP can help you determine this with the Resultant Set of Policy tool as well as the Group Policy Result tool. Let’s look at each in depth.
RSoP.msc is an MMC snap-in used to display the Resultant Set of Policy for your system. In this next section I will lay out how to set up this view in your MMC. You can either make a new MMC or add a snap-in to one of the current ones you have set up, like the Group Policy MMC you created in Part I of this article set.
A shortcut to the RSoP.msc is to simply type rsop.msc from the command line.
This opens the MMC directly, but without giving you any options to modify. The next few steps show you how to set up the MMC with specific options.
- Open up your MMC and add a snap-in
- Add the Resultant Set of Policy snap-in
- You will have started the RSoP Wizard which will help you to select computers and users to check and analyze
- Once you select Next, you will then have to choose Logging or Planning mode. Logging mode will allow you to review policy settings applied to a specific computer or user, which is what we want to accomplish. You can also set up Planning mode, and that will simulate a policy implementation by using data from Active Directory. Planning mode is not available and will be used in a future release.
- Next, select the computer you want to view policy settings for.
- You can specify to view the current user, select a specific user or only analyze the Computer, not the users.
- Once you click Next, you will then see a set of status, progress and summary pages. Once completed, you can add the snap-in to the console.
- When you select OK, you will be brought back to the MMC so that you can see the Resultant Set of Policies on your system.
- You can browse the MMC to see what the settings are.
Some things you should know about using RSoP: the only items visible to scan are items that are logged on to the actual domain and are visible. You also need to be logged on with Administrator rights to use RSoP.
Command-line utilities are fast; they are quick gatherers of information that you may need. I use them all the time, so here is another one for your arsenal when dealing with Group Policy and trying to see what security and policy information a system may have taken.
Gpresult.exe is a command-line tool that tells you the last time Group Policy was applied to the system as well as what GPOs were used and in what order they were used. You can also see what was not used because of filtering. Gpresult can be used locally as well as on a remote system.
Gpresult can also collect information about a remote system.
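To confirm from saved gpresult output that a particular GPO actually took effect, the following added example (not part of the original article) parses the applied and filtered-out GPO lists for each settings scope. The sample output is constructed, and the parser assumes the underlined section headings shown in it; `parse_gpresult` and `gpo_status` are names chosen for this example.

```python
# Constructed sample modeled on gpresult's text layout; all names and dates are invented.
SAMPLE_OUTPUT = """\
COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 1/15/2003 at 9:55:00 AM
    Applied Group Policy Objects
    -----------------------------
        Workstation Security
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Lab Lockdown
            Filtering:  Denied (Security)
    The computer is a part of the following security groups:
    --------------------------------------------------------
        Domain Computers
"""

def parse_gpresult(text):
    """Return {"COMPUTER"/"USER": {"last_applied", "applied", "filtered"}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    scope = {"applied": [], "filtered": {}}  # discards anything before the first scope heading
    report, bucket, last = {}, None, None
    for i, s in enumerate(lines):
        if set(s) == {"-"}:
            continue
        if i + 1 < len(lines) and set(lines[i + 1]) == {"-"}:  # underlined heading
            if s in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = report.setdefault(
                    s.split()[0], {"last_applied": None, "applied": [], "filtered": {}})
            last = None
            bucket = ("applied" if s == "Applied Group Policy Objects" else
                      "filtered" if s.startswith("The following GPOs were not applied") else None)
        elif s.startswith("Last time Group Policy was applied:"):
            scope["last_applied"] = s.split(":", 1)[1].strip()
        elif bucket == "applied":
            scope["applied"].append(s)
        elif bucket == "filtered" and s.startswith("Filtering:") and last:
            scope["filtered"][last] = s.split(":", 1)[1].strip()
        elif bucket == "filtered":
            last = s
            scope["filtered"][last] = None
    return report

def gpo_status(report, scope, name):
    """Say whether a GPO was applied, filtered out (with the reason), or not listed."""
    data = report.get(scope, {"applied": [], "filtered": {}})
    if name in data["filtered"]:
        return "filtered: %s" % data["filtered"][name]
    return "applied" if name in data["applied"] else "not listed"
```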
To view all the command-line options for gpresult, type the following at the command line:
You should be pretty comfortable with setting up your Group Policy MMC, how to import and use templates, as well as how to check if they have been applied properly. This wraps up the hands-on portion of this article set.
In Part 1 of this article set we talked about Group Policy and why it’s important, what you can do with it and so on. We then covered how to set up the MMC (Microsoft Management Console), as this is fundamental to using and editing GPOs. In Part 2, we covered more XP-specific template importing as well as how to check the result of using those templates. You should be comfortable with how to operate and use templates within XP.
Links and Reference Material
Also, see the Microsoft article on “Upgrading Windows 2000 Group Policy for Windows XP” at: http://support.microsoft.com/support/kb/articles/Q307/9/00.asp
GPO Information for Windows 2000 and XP I
GPO Information for Windows 2000 and XP II
GPO Information for Windows 2000 and XP III