Mark Williams [MSFT]
As you know, Microsoft has recently announced the pending availability of
Windows XP Service Pack 2. I won't describe the multitude of benefits
associated with this service pack, especially from a security perspective
(these are well documented here:
http://www.microsoft.com/windowsxp/sp2/default.mspx), but I do want to bring
your attention to an important issue related to Group Policy.
Many of the central features in Windows XP Service Pack 2, such as the Windows
Firewall and enhanced Internet Explorer functionality, can be managed
through Group Policy. In fact, my team has been heavily involved with
supporting the teams who have added the 600+ new policy settings available
in the XP SP2 versions of the .adm files. XP SP2 is the most policy-enabled
operating system / service pack we have ever shipped. Numerically, much of
this increase in policy settings is attributable to repeated "groups" of
policy settings in IE (across the various IE zones) but there is still a
much richer set of policy settings that, we believe, is a key factor
improving the manageability of Windows XP through Group Policy. By way of
example, the new Windows Firewall (turned on by default in XP SP2) has a
broad range of policy settings to "custom fit" this component to your
specific needs - which ports and programs you allow, management of remote
administration and file/print services ports and so on. All told, Group
Policy represents the primary mechanism through which you can manage the new
features of XP SP2 in an Active Directory environment.
As well as highlighting these changes, I wanted to bring your attention to
an important issue around the use of the .ADM files we ship with XP SP2.
These files use syntax that has been available for some time but which has
exposed some issues with earlier versions of the Group Policy Object Editor
(GPEdit). In a nutshell, if you load the XP SP2 files from earlier versions
of GPEdit (across Windows 2000, XP or Windows Server 2003), GPEdit will
generate multiple "string too long" error messages.
By default GPEdit compares the timestamps of the files stored in a GPO (in
Sysvol) with those on the administrative machine and, if the latter are more
recent, will upload the .ADM files to the GPO, in Sysvol. What this means is
that the act of viewing a GPO (no changes to the GPO are necessary) will
result in the new .ADM files being uploaded and, eventually, used by other
versions of GPEdit around your network that are not yet running XP SP2. NOTE
THAT THIS IS PURELY AN ADMINISTRATIVE ISSUE - this has no implications for
the actual application of Group Policy to machines or users.
To this end we are making available a number of hotfixes that will resolve
this issue. The Windows 2000 fix is available today and we expect the
others (for Windows Server 2003 and XP SP1) to be available later this week.
Initially, the fixes will be available through Microsoft Product Support
Services (PSS) but in due course we plan to release these directly to the
Microsoft Download Center.
Further details of this can be found in KB 842933
(http://support.microsoft.com/default.aspx?kbid=842933). We will be updating
this regularly as the fixes become available through PSS and, subsequently,
through the Download Center.
Please let us know if you have any questions.
Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy
This posting is provided "AS IS" with no warranties, and confers no rights.
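The timestamp comparison described in the posting can be previewed before an administrator opens a GPO with a pre-hotfix GPEdit. The helper below is an added example, not code from the posting or from Microsoft: it models GPEdit's rule (a local .adm copy newer than the GPO's copy in Sysvol gets uploaded) and reports which files would be pushed. The directory locations are assumptions, not stated in the posting: local .adm files under %SystemRoot%\inf and a GPO's copies under the GPO's Adm folder in SYSVOL.

```python
"""Preview which .adm files an un-hotfixed GPEdit would upload into a GPO.

GPEdit compares each .adm file stored in the GPO (in Sysvol) with the copy on
the administrative machine and uploads the local copy when it is newer. Running
this before opening a GPO shows whether XP SP2 .adm files would replace the
GPO's copies, which other, not-yet-updated GPEdit versions would then load.
Assumed locations (not from the posting):
  local:  %SystemRoot%\\inf
  GPO:    \\\\<domain>\\SYSVOL\\<domain>\\Policies\\{<GPO-GUID>}\\Adm
"""
from pathlib import Path


def adm_files_gpedit_would_upload(local_mtimes, gpo_mtimes):
    """Return the names of .adm files GPEdit would upload to the GPO.

    Both arguments map lower-cased file names to modification times (seconds
    since the epoch). Only files already present in the GPO are compared,
    matching the behaviour described in the posting; a file is reported when
    the administrative machine's copy is strictly newer than the GPO's copy.
    """
    uploads = []
    for name in sorted(gpo_mtimes):
        local_mtime = local_mtimes.get(name)
        if local_mtime is not None and local_mtime > gpo_mtimes[name]:
            uploads.append(name)
    return uploads


def collect_adm_mtimes(directory):
    """Map each *.adm file in `directory` (name lower-cased) to its mtime."""
    result = {}
    for path in Path(directory).iterdir():
        if path.is_file() and path.suffix.lower() == ".adm":
            result[path.name.lower()] = path.stat().st_mtime
    return result


def preview_uploads(local_inf_dir, gpo_adm_dir):
    """Compare a real local inf directory against a real GPO Adm folder."""
    return adm_files_gpedit_would_upload(
        collect_adm_mtimes(local_inf_dir), collect_adm_mtimes(gpo_adm_dir))


if __name__ == "__main__":
    # Constructed sample timestamps: the admin machine carries SP2-era
    # system.adm and inetres.adm, while the GPO still holds older copies
    # and conf.adm is unchanged on both sides.
    local = {"system.adm": 1_092_000_000, "inetres.adm": 1_092_000_000,
             "conf.adm": 1_030_000_000}
    gpo = {"system.adm": 1_030_000_000, "inetres.adm": 1_030_000_000,
           "conf.adm": 1_030_000_000}
    print(adm_files_gpedit_would_upload(local, gpo))
```

Run `preview_uploads` against the real directories from an administrative machine that already has XP SP2 to list the files that simply viewing the GPO would replace in Sysvol.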