Group Policy Settings for Network Connections
XP Pro includes new computer configuration and user configuration Group Policy settings that offer greater control over who can alter network settings. Before you can use XP Pro's new core Group Policy settings in a Windows 2000 Server AD Group Policy Object (GPO), you must install the latest XP Administrative Template (.adm) file to the appropriate domain system container(s) on the domain controller (DC). Using XP .adm files for administering GPOs in a mixed-client environment is generally acceptable because down-level clients will ignore nonapplicable settings. However, you'll want to test the interoperability of your setting selections before you deploy those settings. Be sure that you understand the implications of Group Policy and that you follow your company's guidelines for Group Policy before you proceed with these steps. For an excellent explanation of Group Policy in Win2K, see "Introducing Group Policy," September 1999, http://www.winnetmag.com, InstantDoc ID 7066.
To upgrade the .adm file on a Win2K system, log on with Administrator privileges and perform the following steps:
- Copy the \%systemroot%\inf\system.adm file from an XP Pro system to a 3.5" disk or network location.
- Copy the system.adm file from the 3.5" disk or network location to the \%systemroot%\inf folder on your domain controller (DC). Depending on your internal template-handling procedures, you can replace the Win2K system.adm file or use an alternate name such as system_xp.adm for the XP version.
- From the MMC Active Directory Users and Computers snap-in, right-click the DC to which you want to apply the new settings, then select Properties.
- Click the Group Policy tab, select a GPO, and click Edit.
- Right-click the Administrative Templates object under either Computer Configuration or User Configuration and choose Add/Remove Templates from the context menu.
- Remove the Win2K system.adm file and add the system.adm or renamed version of system.adm that you copied from the XP Pro system.
- Close the Add/Remove Templates dialog box, then explore the administrative templates to verify that the new XP settings are available.
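An added example, not part of the original article: a Python sketch that diffs two .adm templates and lists the policies the newer file adds, as a scripted counterpart to the visual check in the last step. The two template excerpts are constructed and abbreviated, and the function names are this example's own.

```python
import re

# Constructed, heavily abbreviated samples in .adm syntax (not the real files).
WIN2K_ADM = '''CLASS USER
CATEGORY !!NetConn
  POLICY !!NC_LanProperties
  END POLICY
END CATEGORY
[strings]
NC_LanProperties="Prohibit access to properties of a LAN connection"
'''
XP_ADM = '''CLASS MACHINE
CATEGORY !!NetConn
  POLICY !!NC_ShowSharedAccessUI
  END POLICY
END CATEGORY
CLASS USER
CATEGORY !!NetConn
  POLICY !!NC_LanProperties
  END POLICY
  POLICY !!NC_EnableAdminProhibits
  END POLICY
END CATEGORY
[strings]
NC_ShowSharedAccessUI="Prohibit use of Internet Connection Sharing on your DNS domain network"
NC_LanProperties="Prohibit access to properties of a LAN connection"
NC_EnableAdminProhibits="Enable Windows 2000 Network Connections settings for Administrators"
'''

def parse_adm(text):
    """Return {(class, policy_id): display_name} for each POLICY in a template."""
    strings, policies, cls, in_strings = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings and "=" in line:  # name="display text" pairs
            key, value = line.split("=", 1)
            strings[key.strip()] = value.strip().strip('"')
        elif m := re.match(r"CLASS\s+(\w+)", line, re.I):
            cls = m.group(1).upper()  # MACHINE = Computer Configuration, USER = User Configuration
        elif m := re.match(r'POLICY\s+(?:!!(\w+)|"([^"]+)")', line, re.I):
            policies.append((cls, m.group(1) or m.group(2)))
    return {p: strings.get(p[1], p[1]) for p in policies}

def new_policies(old_text, new_text):
    """Policies present in new_text but absent from old_text, per class."""
    old, new = parse_adm(old_text), parse_adm(new_text)
    return sorted((c, p, name) for (c, p), name in new.items() if (c, p) not in old)
```

To compare real templates, read each file with the encoding it actually uses and pass the two texts to `new_policies`; the result is the list of settings to review before deployment in a mixed-client environment.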
Computer Configuration. Figure 2 shows the XP Pro Group Policy settings that apply to the computer, which are in the Computer Configuration node in the MMC Group Policy snap-in. As you can see, these settings address three major areas of concern regarding XP capabilities in a corporate network domain. You can use these settings to remove the ability for anyone, including Administrators, to enable ICS, ICF, or Network Bridging. The Explain tab on the Properties window for each setting provides a description.
Keep in mind one caveat related to these settings: If an ICS, ICF, or Network Bridging setup exists on a computer attached to your domain, Group Policy won't alter those settings. This happens because the Group Policy settings are location aware (i.e., they apply only when the computer connects to the same DNS domain network that the computer was connected to when its settings were last updated).
User Configuration. Figure 3 shows the XP Pro Group Policy settings that apply to users. These settings are in the User Configuration node in the MMC Group Policy snap-in. The Explain tab on the Properties window for each setting provides a description. These settings provide granular control over network configuration operations. That said, read the description and behavioral information for each setting thoroughly before applying it, particularly in conjunction with the "Enable Windows 2000 Network Connections settings for Administrators" policy in a mixed-client environment.
Be in Control
XP's new networking offerings can make home networking a breeze or can wreak havoc on a corporate networking environment. Fortunately, the measures for controlling when and how you can use specific functionality are thorough and effective. Putting those measures in place is up to you.