AD admins should be running Windows XP Pro

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Background: AD differences between XP and W2K. Summary:
  • An updated Adminpak.msi must be installed because the one shipped with Windows 2000 is not compatible with Windows XP.
  • There are over 200 new group-policy settings in Windows XP.
  • Windows XP specific group policy settings are ignored when applied to Windows 2000 systems.
  • Windows 2000 applies GPOs synchronously, while Windows XP applies GPOs asynchronously.
Source: Managing Windows XP in a Windows 2000 Server Environment

You can add Windows XP Pro workstations to your AD domains and they will respond to existing GPOs just like Windows 2000 Pro. That is a significant bit of information. Much more important though is that if you update Windows 2000 Active Directory with the new security templates that shipped with Windows XP Pro, significant new functionality becomes available to the AD administrator using XP Pro as the admin console. For this reason, Windows XP Pro is now the preferred management console for Windows 2000 Active Directory.

Windows XP Pro ships with more than 200 new policies in addition to the 421 policies still supported from Windows 2000. Windows XP specific policies will be ignored by Windows 2000 machines. Managing policy is made easier with a new user interface available to XP Pro containing descriptive text and OS requirements for each policy. New Help files dedicated to policy settings let you search for specific policies by keyword. XP ships with Resultant Set of Policy (RSoP). New tools let administrators check policy settings in effect for any machine or user in a domain. Users can verify their own policy settings on their computer with a user-friendly report accessible from the Help and Support Center.

It is now clear that GPO best practices are:

  • exclusively use an XP Pro workstation as the AD management console when working with GPOs
  • use the same policy settings for both XP and W2K Pro IF you now or will ever support roaming users who will be using both XP and W2K Pro workstations.

See the full Microsoft document for details, but the process to update the security templates is simple. Be sure you can get back to your starting point should the sh*t hit the fan when you do this. It has been reported to me that in certain circumstances this will set domain policies to defaults. Ouch, to say the least.

  • Copy all .ADM files from the WINNT/INF directory on a Windows XP Pro workstation to a file share on the network.
  • From a Windows 2000 based computer, open a GPO in the Group-Policy console.
  • Right click on Administrative Templates and then select Add/Remove Templates.
  • From the Add/Remove Templates window, remove the old Windows 2000 .ADM files and add the new Windows XP .ADM files.
  • You will need to repeat this for each of your Group Policy Objects.
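As an added example that is not from the original article, this PowerShell script stages the XP .ADM files on a share and, before any GPO is edited, backs up the .ADM files each GPO currently stores in its SYSVOL Adm folder so the starting point can be restored; it then lists which GPOs still carry a template that differs from the XP copy. The domain name, the share paths and PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the original article. Assumed values: the domain
# 'corp.example' and the shares '\\fileserver\ADM-XP' and '\\fileserver\ADM-Backup'.
$Domain     = 'corp.example'
$XpSource   = Join-Path $env:SystemRoot 'inf'      # run on the XP Pro box: %SystemRoot%\inf
$Share      = '\\fileserver\ADM-XP'                 # where the new templates are staged
$BackupRoot = Join-Path '\\fileserver\ADM-Backup' (Get-Date -Format 'yyyyMMdd-HHmmss')
$Policies   = "\\$Domain\SYSVOL\$Domain\Policies"   # every GPO keeps its .ADM files in <GUID>\Adm

# Step 1: copy the Windows XP .ADM files to the share (the article's first step).
New-Item -ItemType Directory -Path $Share -Force | Out-Null
Copy-Item -Path (Join-Path $XpSource '*.adm') -Destination $Share

# Step 2: snapshot the .ADM files every GPO currently carries, keyed by GPO GUID,
# so the old templates can be put back if the update resets domain policy.
function Backup-GpoAdmTemplates {
    param([string]$PoliciesPath, [string]$Destination)
    Get-ChildItem -Path $PoliciesPath -Directory | ForEach-Object {
        $admDir = Join-Path $_.FullName 'Adm'
        if (Test-Path $admDir) {
            $dest = Join-Path $Destination $_.Name
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            Copy-Item -Path (Join-Path $admDir '*.adm') -Destination $dest
        }
    }
}
Backup-GpoAdmTemplates -PoliciesPath $Policies -Destination $BackupRoot

# Step 3: report GPOs whose templates differ from the XP copies; these are the
# ones still to be updated in the Group Policy editor (the article's last step).
function Get-OutdatedGpoTemplates {
    param([string]$PoliciesPath, [string]$XpShare)
    $xpHash = @{}
    Get-ChildItem -Path $XpShare -Filter '*.adm' |
        ForEach-Object { $xpHash[$_.Name] = (Get-FileHash $_.FullName -Algorithm SHA256).Hash }
    Get-ChildItem -Path $PoliciesPath -Directory | ForEach-Object {
        $gpo = $_.Name
        $admDir = Join-Path $_.FullName 'Adm'
        if (Test-Path $admDir) {
            Get-ChildItem -Path $admDir -Filter '*.adm' | ForEach-Object {
                $h = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                if (-not $xpHash.ContainsKey($_.Name) -or $xpHash[$_.Name] -ne $h) {
                    [pscustomobject]@{ GPO = $gpo; Template = $_.Name }
                }
            }
        }
    }
}
Get-OutdatedGpoTemplates -PoliciesPath $Policies -XpShare $Share | Format-Table -AutoSize
```

Re-run the last function after editing each GPO; when it returns nothing, every GPO has the XP templates.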
A brief list of the most important new Group Policy settings available to clients running Windows XP workstations:
  • XP clients support software restriction policies, which let you protect XP workstations from untrusted code by identifying and specifying which applications are allowed to run.
  • XP Terminal Services enhancements
  • XP workstations support more granular configuration of the Start menu and Taskbar, so XP can be locked down more easily than W2K if you need a kiosk or a restrictive user environment. Or if you are a control freak.
  • XP supports very fine control over MMC snap-ins when compared to W2K.

OK, I admit it. There are reasons for at least administrators to upgrade from Windows 2000 to Windows XP. And if you want the capability of tighter desktop control, your users should be on Windows XP Pro. I have had many discussions about the value of XP Pro vs W2K. My interest is from a business perspective. These new capabilities are real considerations.
