Applying Windows XP Group Policy in a Windows 2000 Domain (Part 1)

In this two-part article set we cover the fundamentals of putting Windows XP securely into your network while using Group Policy Objects (GPOs) in Windows 2000. The set covers how to configure Windows 2000 and XP so that GPOs can be used: Part 1 covers the fundamentals and setup, and Part 2 covers the implementation. If you are not familiar with GPOs, I cover some fundamentals at the beginning of Part 1.


Introduction to GPOs

What is a GPO? GPO stands for Group Policy Object. Before we get into what those objects are, let’s cover what a policy is and why it is important to understand in the world of Windows networking and security. Policies are nothing new. Poledit was an old utility used on Windows 9x systems to apply a set of configuration settings to the PC that would restrict users from doing or seeing certain things. Because this was so effective, once Microsoft moved to Active Directory, users could log into the domain and receive these same types of configuration settings en masse. In other words, you could say that everyone in the Finance Group should receive a minimum password length of no less than 8 characters, and everyone who was part of that group and logged on would have that policy enforced on them. GPOs are the objects that house all these settings. This makes for much easier change management.

Note:
Change Management is nothing more than the system in place that safely manages the efforts of constant change in the information technology world (for example, policy deployment, service pack deployments and so on).

So, in sum, Group Policy is what is used to define configurations for users and computers. The policies are called objects (GPOs) because, once created in Active Directory, they are objects that can be assigned to other objects, such as sites, domains, or organizational units (OUs). The operation is simple: apply the GPO to an OU, and that GPO’s policies filter down to every object in that OU. This allows for very easy management of change. It also allows added security. Why? If you need to make a security change on every user in an OU and you have 500 users in that OU, then you may make an error or miss something when making the change by hand, while applying the GPO filters the change down to the entire OU without missing anything, and if an error occurs, you will be alerted to it.

Introduction to GPOs with XP

Windows XP introduces new Group Policy options that weren’t included in the 2000 version, so this article covers how to use XP with 2000 and Group Policy. Windows 2000 Domain Controllers will push policies to Windows XP if configured correctly. This means that if you want to use Windows 2000 and update XP systems with it, you must edit the GPO on a Windows XP system. The question does come up: what if I make a GPO on an XP machine and a GPO on a 2000 machine? How will that affect a container with mixed systems, that is, an OU with mixed XP and 2000 clients? If you make the GPO on XP and apply it, the 2000 clients will ignore any of the XP-specific settings.

Setting up your MMC with Group Policy

Now that we have covered Group Policy and what is important about it in relation to XP, let’s look at how to set it up so that you can utilize the GPO. In this article we cover the GPO and how to configure your system to use a GPO.

  1.   Run the Microsoft Management Console (mmc.exe)

  2.   Select File => Add/Remove Snap-in

  3.   Once you select to add and remove snap-ins, you will see the Add/Remove Snap-in dialog box appear

  4.   Click Add

  5.   Select Group Policy from the Add Standalone Snap-in dialog box

  6.   Click Add

  7.   Once you select Add, you will be presented with the Select Group Policy Object dialog box. You can either select the Local Computer, or you can browse to another machine in the Domain. For purposes of this exercise, you can select Local Computer, but we will continue to show you the steps in locating a remote computer.

  8.   To change and edit another GPO, click the Browse button. When you do, you will be prompted to browse for a GPO.

  9.   Now, you can either browse for a remote computer or you can stay Local. If you stay Local, then click Ok, Close and then Ok.

That’s it. All you need to do now is look at the Console Root of the MMC you have open and you will be able to view your GPO.

Viewing the GPO

Now that you have the GPO open, you can see its contents. As we mentioned earlier, you have a computer policy and settings specific to that policy, ready to apply to any computers that it is assigned to. The end of this article has some links to Microsoft’s website where you can find more information, but for the purpose of this article set, you have enough fundamental knowledge to follow into the next article, which covers XP directly.

Security Settings Extension

When you open the MMC (Microsoft Management Console) that houses your access to Group Policy, you can see within it the ‘Security Settings’ extension. It lets you set a very granular security policy which, when used properly, allows very specific security settings to be applied to desktops from a central location.

This is just one of the areas, but it is the one we will concentrate on since this is a Windows security based site. You can configure Account Policies, which cover security-related items such as the minimum or maximum password age and the minimum password length. You can also set the account lockout features. Local Policies are also configurable and let you configure things specific to the system itself, such as auditing, or who can do specific things like ‘add workstations to the domain’. PKI (Public Key Infrastructure) policies are also configurable, as are IPSec policies to help encrypt transmissions from this system and software restriction policies. As you can see, there is a lot you can configure in the GPO.
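To check that the Account Policies described above actually reached a client, the following added example (not part of the original article) audits an exported security template against a baseline. It assumes the settings were exported in security-template (.inf) form, for example with `secedit /export /cfg`; the sample template is constructed, and apart from the 8-character minimum length used earlier in this article the baseline thresholds are assumptions.

```python
import configparser

# Constructed sample in security-template (.inf) layout; not from a real host.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline: only the 8-character minimum length comes from the article;
# the other thresholds are illustrative and should be replaced by your own policy.
# In a template, MaximumPasswordAge = -1 means passwords never expire and
# LockoutBadCount = 0 means account lockout is disabled.
BASELINE = {
    "MinimumPasswordLength": (lambda v: v >= 8, "at least 8 characters"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 90, "1 to 90 days"),
    "PasswordComplexity": (lambda v: v == 1, "enabled (1)"),
    "LockoutBadCount": (lambda v: 1 <= v <= 10, "1 to 10 bad attempts"),
}

def audit_account_policy(template_text):
    """Return (setting, found, required) for each setting that misses the baseline."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(template_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for key, (is_ok, required) in BASELINE.items():
        raw = section.get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):  # setting missing or not a number
            findings.append((key, "not defined" if raw is None else raw, required))
            continue
        if not is_ok(value):
            findings.append((key, value, required))
    return findings

if __name__ == "__main__":
    for setting, found, required in audit_account_policy(SAMPLE_TEMPLATE):
        print(f"FAIL {setting}: found {found}, required {required}")
```

A real export is normally written as Unicode (UTF-16), so open the file with that encoding before passing its text to `audit_account_policy`.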

Summary

In this article we covered the basics of the GPO. For those of you who are Microsoft gurus, I hope this article served as a refresher, but even if you already know all this, make sure to read the next article in this series, which applies directly to GPOs and Windows XP. You will need the basic information in this article to proceed to the next one. Stay tuned!

Links and Reference Material

Also, see the Microsoft article on “Upgrading Windows 2000 Group Policy for Windows XP” at: http://support.microsoft.com/support/kb/articles/Q307/9/00.asp

GPO Information for Windows 2000 and XP I
http://support.microsoft.com/?kbid=322176

GPO Information for Windows 2000 and XP II
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/Articles/q307/9/00.asp&NoWebContent=1

GPO Information for Windows 2000 and XP III
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/default.mspx

About Robert J. Shimonski

Robert J. Shimonski (MCSE, etc) is an entrepreneur, technology consultant and published author. Robert's specialties include network infrastructure design, management and the troubleshooting of Microsoft and Cisco products. Robert has in depth experience with globally deployed Microsoft and Cisco systems. Robert works with new companies constantly to help them forge their designs, as well as to optimize their networks and keep them highly available, secure and disaster free. Robert is author of many security related articles and published books to include the best selling: "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). Robert is also the author of the best selling: Security+ Study Guide and DVD Training System (ISBN: 1931836728) and Building DMZs for Enterprise Networks (ISBN: 1931836884) also from Syngress. Robert can be found online at www.rsnetworks.net
