Introduction to Windows XP Group Policy in a Windows 2000 Domain

Source: Internet
Author: User
Tags gpupdate

How does Windows XP Group Policy work in a Windows 2000 domain? A detailed description is provided below.

Group Policy is based on Active Directory. You can use group policies for security, software installation, and script settings. Group policies can be applied to user groups or computers based on the location of objects in the Active Directory.

Group Policy settings are stored in Group Policy Objects (GPOs) on domain controllers. GPOs are linked to containers (sites, domains, and OUs) in the Active Directory structure. Because group policies are closely integrated with the Active Directory, it is necessary to have a basic understanding of the Active Directory structure and security before implementing group policies.

Group Policy is a basic tool to ensure the security of Windows XP. It can be used to apply and maintain the consistency of policy configurations of all computers in the network.

Overview

Windows XP group policies introduce new features not previously included in Windows 2000. However, Windows 2000 Domain Controllers can also publish group policy settings to Windows XP clients through the Active Directory.

To use all the new features in Windows XP, the GPO must be edited on a computer running Windows XP. The administrator can then perform later GPO management (such as linking the GPO to a domain or OU) on the Windows 2000 domain controller. If a GPO is applied to a domain that contains both Windows XP and Windows 2000 clients, Windows 2000 clients ignore the settings that exist only for Windows XP and apply only the settings that Windows 2000 supports; on Windows XP, all settings are applied. Before applying a GPO to a Windows 2000 domain, see Guide to Securing Microsoft Windows 2000 Group Policy. You can also refer to Upgrading Windows 2000 Group Policy for Windows XP: http://support.microsoft.com/support/kb/articles/Q307/9/00.asp

Security Settings Extension

From a security standpoint, the Security Settings extension is one of the most important parts of Group Policy. Many security-related settings are implemented there. Security Settings allow administrators to consolidate many security-related items and apply them, through Group Policy and the Active Directory, to any computer running Windows XP.

The Security Settings extension is located in the GPO under Computer Configuration, Windows Settings, Security Settings, and can be accessed through the Group Policy snap-in of MMC. Security settings apply to computers, not to a specific user. The extension covers all security areas in a security template (such as account policies and local policies) and, in addition, public key policies and IP security policies for the Active Directory.

Create a Windows XP GPO

A Windows XP GPO must be edited on a machine running Windows XP. To open or create a GPO, perform the following operations on a computer running Windows XP that has already joined the domain:

Run the Microsoft Management Console (mmc.exe)

Select Console - Add/Remove Snap-in

Click Add

Select Group Policy

Click Add

A Select Group Policy Object window appears. Under the Group Policy Object option, the local computer is displayed by default. To edit a domain GPO, click the Browse button and specify the container in the domain to which the GPO applies. After the container is displayed, select an existing GPO, or click the second button at the top of the window to create a GPO and then select this GPO

Click OK

Click Close

Click OK

Import a security template to GPO

To import an existing security template into a Windows XP GPO, perform the following operations:

In the Group Policy snap-in, go to Computer Configuration, Windows Settings, Security Settings.

Expand the Security Settings node before importing the template. Figure 12 shows the expanded Security Settings node.

Figure 12

Warning: Because of a bug in MMC, failing to expand the Security Settings node before importing the template may cause a template loading error.

Right-click Security Settings

Select Import Policy from the menu

All templates in the %SystemRoot%\security\templates folder are displayed in the Import Policy window. Select a template from this folder or use the browse function to find other suitable templates.

Click Open

The settings in the selected template are now imported into the Security Settings node. You can view and modify these settings in the Security Settings tree.

Warning: For a new GPO to be applied correctly, you must first register the change. Simply importing the template into the new GPO does not do this, even though closing the GPO in the Group Policy snap-in and reopening it a moment later shows that the imported security settings have been saved. After the Group Policy is refreshed, the GPO is cleared rather than applied. To register the change, edit any setting in the GPO after loading the security template, even if that means changing one setting and then resetting it.

Manage a Windows XP GPO on a Windows 2000 Domain Controller

As stated earlier, after a Windows XP GPO is edited on a computer running Windows XP, later GPO management (such as linking the GPO to a domain or OU) can be done on the Windows 2000 domain controller.

When you use a Windows 2000 domain controller to view a Windows XP GPO, and a user or group exclusive to Windows XP (such as Local Service or Network Service) appears in a file or registry permission setting, the error message "Windows cannot open template files" may occur when you open the Computer Configuration\Windows Settings\Security Settings node. However, even if these security settings cannot be viewed in Windows 2000, the GPO can still be correctly applied.

Local Group Policy Object

Each computer, whether or not a domain member, has a local group policy. The local group policy is the first policy to be applied. Although any later group policy may overwrite the settings of the local policy, any policy that is set in the Local Group Policy and not set in other policies will be retained. Therefore, it is important that the local policy and the configuration of the Active Directory group policy are consistent.

The Local Group Policy Object (Local GPO, LGPO) is saved in %SystemRoot%\System32\GroupPolicy. To access and view the security policy, you can select a remote computer from the Group Policy snap-in or select Local Security Policy under the Administrative Tools menu.

The LGPO does not include all the settings of an Active Directory group policy. For example, under the Security Settings node, only the account policy and local policy are available. Therefore, if a security template is imported into a local policy, only the part that the local policy supports is actually imported. Other settings, such as registry and file permissions, can be applied to the local device through the Security Configuration and Analysis snap-in.

Force Group Policy Update

Group Policy is periodically updated through the Active Directory. By default, the Group Policy settings of a workstation are updated every 90 minutes.

You can use the command line tool gpupdate.exe to force the configured policy to take effect on the local device. Enter gpupdate /? to display all available parameters of the command. For example, to force the computer to refresh the Group Policy settings immediately, you can use:

gpupdate /target:computer /force

View the Resultant Set of Policy

Depending on the container an object is in, multiple GPOs can be applied to a domain object at the same time. For example, a domain-level GPO can be applied to all computers in the domain, and GPOs for different OUs can be applied to the objects of each OU. Manually determining which GPOs are applied, and in what order, is tedious, especially in a complex domain environment, and this makes group policy problems difficult to troubleshoot. Fortunately, Windows XP provides two tools, RSoP (Resultant Set of Policy) and gpresult.exe, which can be used to view how GPOs are applied to an object.

RSoP Snap-in

rsop.msc is an MMC snap-in used to display how policies are applied on the local computer. To open it, enter rsop.msc in a command line window or add Resultant Set of Policy to MMC. Figure 13 shows the Resultant Set of Policy snap-in.

Figure 13

For each policy setting, RSoP displays the setting in effect on the current computer and the source GPO that produced that setting.

Gpresult.exe

Gpresult.exe is a command line tool that shows the detailed result of the last Group Policy application on a computer: which GPOs were applied and in what order, and which GPOs were not applied. Gpresult can also collect information about other computers on the network.

To view all available gpresult parameters, enter

Gpresult /?

Known issues

This section describes problems that may occur when a Windows XP computer is added to a Windows 2000 domain.

RestrictAnonymous settings and "the user must change the password upon next login"

By default, Windows XP does not give anonymous users the same permissions as the Everyone group. In Windows NT and Windows 2000, however, anonymous users do have the same permissions as the Everyone group. If a user in the Windows 2000 domain has the "user must change the password upon next login" option set, and the RestrictAnonymous registry key on the Windows 2000 domain controller is set to deny anonymous access unless permission is explicitly assigned (registry key value 2), Windows 2000 domain users may encounter problems when logging on from Windows XP.

Users who log on from a Windows 2000 Professional client do not encounter any logon problems and can change their passwords as required. However, when logging on from a Windows XP client, the same user may receive the error message "You have no permission to change the password" after entering the new password. The only solution is to change the RestrictAnonymous key value from 2 to 0 or 1 on the Windows 2000 domain controller. Note that changing this Windows 2000 setting may make a lot of information on the domain controller publicly available, which can be exploited by hackers, even if the registry key is set to 1. Many tools can collect this information and even enumerate all user account information. Pay attention to the security risks.

After this introduction to Windows XP Group Policy in a Windows 2000 domain, you should have a general understanding of Windows XP Group Policy. More knowledge about group policies is left for readers to learn and consolidate.
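The following is an added example, not part of the original article: a review of a security template before it is imported, covering both the RestrictAnonymous issue above and the earlier point that a Local GPO takes only account and local policy areas. The registry path is the standard Lsa location; the section-to-area mapping, the function names and the sample template are assumptions made for illustration.

```python
# Added example; the template text in SAMPLE is constructed sample data.
LSA_KEY = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"
# Assumption: template sections that map to Account Policies and Local
# Policies, the only Security Settings areas a Local GPO offers.
LGPO_SECTIONS = {"system access", "event audit", "privilege rights", "registry values"}
NON_POLICY = {"unicode", "version", "profile description"}

def parse_template(text):
    """Return {section name: [raw lines]} for an .inf security template."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def restrict_anonymous(sections):
    """Return the RestrictAnonymous value the template sets, or None."""
    for name, lines in sections.items():
        for line in lines if name.lower() == "registry values" else []:
            key, _, value = line.partition("=")
            if key.strip().lower() == LSA_KEY:
                return int(value.partition(",")[2])  # "4,2": REG_DWORD, data 2
    return None

def review(text):
    sections = parse_template(text)
    value, notes = restrict_anonymous(sections), []
    if value == 2:
        notes.append("RestrictAnonymous=2 on a DC: XP password change may fail")
    elif value in (0, 1):
        notes.append(f"RestrictAnonymous={value}: anonymous enumeration risk")
    skipped = sorted(s for s in sections
                     if s.lower() not in LGPO_SECTIONS | NON_POLICY)
    return {"restrict_anonymous": value, "notes": notes,
            "not_in_local_gpo": skipped}

SAMPLE = r"""[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Registry Keys]
"MACHINE\SOFTWARE\Example",0,"D:PAR(A;CI;KA;;;BA)"
"""
```

Calling review(SAMPLE) reports the value 2 with the password-change note and lists Registry Keys as a section a Local GPO import would leave out.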
