Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


December 28, 2004

My Favorite Tips for Windows XP SP2

Techniques to help you deploy XP SP2, manage Windows Firewall, and more

Ongoing GPO Management
When you create GPOs in AD, you can do so from anywhere. For example, you can log on locally to a domain controller (DC) and create a GPO. You can then walk back to your desktop and modify that GPO through GPMC or the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Hopping between machines like this usually isn't a problem—unless you use an XP SP2 system to create the GPO, then use a non-SP2 machine to modify it.

In that case, when you create the GPO, you're using the XP SP2 versions of the .adm templates. Those new templates give you all the new SP2 policy settings. But if you then try to modify the GPO on a non-XP SP2 computer, you'll get an error message similar to the one you see in Figure 5. The About Windows window in the figure shows that I'm trying to modify this GPO on an XP SP1 machine. To clear this error, you need to press OK about 50 (yes, 50) times.

The cause of this difficulty, which is known as the LISTBOX ADDITIVE problem, is a bug that manifests only if you use a non-XP SP2 machine to modify GPOs that use the SP2 .adm templates. When the underlying gpedit.dll program loads the new .adm files on non-SP2 computers, older versions of the OS, which use an older gpedit.dll file, can't process syntax that occurs only within XP SP2 .adm templates.

Microsoft summarizes the problem and provides a hotfix at http://support.microsoft.com/?kbid=842933. You need to deploy this patch only on machines that are used to create or edit GPOs. There are patches for Windows Server 2003, Windows 2000, and Windows XP (for installation on machines with or without XP SP1).

After you patch those machines, however, you still have a small problem: How can you "upgrade" existing GPOs to contain the XP SP2 .adm templates? One way is to open each and every GPO from an XP SP2 machine. You don't need to change anything; you can simply open the GPO for editing, then immediately close it. Opening the GPO automatically overwrites its existing .adm templates with the .adm templates from the XP SP2 machine. No policy settings are lost or changed because those settings aren't stored in the .adm template, which is simply a definition of what settings and registry changes can be deployed. The actual policy settings reside in another file, registry.pol, which is updated only when you change the settings.

If you have many GPOs, of course, opening each one for editing from an XP SP2 machine could take quite a while. Before you undertake the job, you might want to check the TechNet Script Center Script Repository at http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx for a script that will do it for you. Writing this script has been on the Scripting Guys' to-do list for a while, although the script isn't available yet. Finally, before you upgrade any GPO—whether manually or through a script—you should use GPMC to make a full backup of all your GPOs, just to be on the safe side. (For step-by-step instructions on backing up GPOs, see "Don't Wait—Back Up Those GPOs Now!", September 2004, InstantDoc ID 43588.)
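To see which GPOs still need that treatment before you start opening them, the following read-only audit lists every GPO whose stored .adm files are older than the copies on the local machine. It is an added example, not the Script Center script mentioned above and not code from the article; the domain name is a placeholder, and it assumes PowerShell is installed on the XP SP2 administrative workstation and that a SYSVOL template with an older timestamp than the local file is a pre-SP2 copy.

```powershell
# Added example: read-only audit; nothing in SYSVOL is modified.
# Assumptions (not from the article): the domain name below, and that
# %SystemRoot%\inf on this machine holds the XP SP2 .adm templates.
param(
    [string]$Domain   = 'corp.example.com',      # hypothetical domain name
    [string]$LocalAdm = "$env:SystemRoot\inf"    # local template folder
)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"

# Index the local templates by file name (hashtable keys are case-insensitive).
$local = @{}
Get-ChildItem -Path $LocalAdm -Filter *.adm | ForEach-Object { $local[$_.Name] = $_ }

# Each GPO is a folder named after its GUID; its templates live in the Adm subfolder.
$gpoDirs = Get-ChildItem -Path $policies |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

$report = foreach ($gpo in $gpoDirs) {
    $admDir = Join-Path $gpo.FullName 'Adm'
    if (-not (Test-Path $admDir)) {
        # No templates stored with this GPO at all.
        New-Object PSObject -Property @{
            Gpo = $gpo.Name; Template = '(none)'; Status = 'NoAdmFolder' }
        continue
    }
    foreach ($file in Get-ChildItem -Path $admDir -Filter *.adm) {
        $mine = $local[$file.Name]
        $status = if (-not $mine) { 'NoLocalCopy' }   # custom or third-party template
                  elseif ($mine.LastWriteTimeUtc -gt $file.LastWriteTimeUtc) { 'Outdated' }
                  else { 'Current' }
        New-Object PSObject -Property @{
            Gpo = $gpo.Name; Template = $file.Name; Status = $status }
    }
}

# Show only the GPOs that would change when opened from this machine.
$report | Where-Object { $_.Status -ne 'Current' } |
    Sort-Object Gpo, Template |
    Select-Object Gpo, Template, Status |
    Format-Table -AutoSize
```

Rows marked `Outdated` identify the GPO folders (by GUID) to back up in GPMC and then open from the SP2 machine; `NoLocalCopy` rows are templates that opening the GPO will not replace.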

Final Thoughts
Before you deploy SP2 and start using its new features, I highly recommend that you do a bit of reading. The following references will smooth the deployment and help you get the most out of the new functionality:

  • "Changes to Functionality in Microsoft Windows XP Service Pack 2," go.microsoft.com/fwlink/?linkid=29126
  • "Managing Windows XP SP2 Features Using Group Policy," go.microsoft.com/fwlink/?linkId=31974
  • the enterprise implementation guide, planning guide, and planning template, all of which you can download from Microsoft's Web site at http://tinyurl.com/42wjv
  • "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2," http://tinyurl.com/6wm5b

You'll find all these references on TechNet's XP SP2 Web site at http://tinyurl.com/26uwc.



Reader Comments
Figures linked in this article lead to 404 messages - not found.

Anonymous User December 28, 2004 (Article Rating: )


A little late for this article. Most admins like myself have already tackled SP2 and run into (and resolved) all these problems.

Anonymous User December 30, 2004 (Article Rating: )


Figures can be displayed in popup windows instead of going to next page, as it breaks the links between website....L.Mahendra

Anonymous User January 03, 2005 (Article Rating: )

