Among the many improvements in Whistler (the next version of Windows 2000) are two new tools that should make migration to and management of Whistler simpler for system administrators. For migration tasks, Whistler offers the User State Migration Tool (USMT).

The USMT lets the administrator capture the state of a user's machine before upgrading. This means you can save custom user settings, data files, and documents to a remote location, replace the system (any version of Win2K or Whistler, Windows NT 4, or Windows 9x) with a new computer running Whistler, and transfer the previous system's state to the new computer (the target system must be running Whistler). This system state doesn't include applications, but it does include OS shell settings such as email configuration, UI configuration, and proxy server information. After you reinstall the user applications, the user experience should be identical to the replaced computer plus whatever enhancements Whistler adds. USMT is a command-line tool with a user-customizable .inf file. The default .inf file contains commonly used shell and Office application settings.

One of the most difficult tasks that system administrators face is making Group Policy changes that go across multiple levels (e.g., multiple sites or domains). When you make these kinds of policy changes, the end result is often quite different than when the policy is applied locally. To help prevent this kind of problem, Whistler will offer a Microsoft Management Console (MMC) snap-in called the Resultant Set of Policy (RSoP) Wizard. The RSoP has two modes of operation: planning and logging. Logging mode lets the user look at existing policies, security, and Microsoft Remote Installation Services (RIS) setups. Planning is far more interesting, letting the user perform "what-if" analyses on policy changes to see how the changes will affect users across the affected systems. These analyses will help you fine-tune your policies and policy management and avoid accidental changes that would result in user support headaches.

This week's tip: Controlling access to removable media has always been a problem when managing Win2K and Windows NT clients, and Win2K adds removable hard disk media to the mix. You can find access control to removable media at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

There are quite a few values here, but we're concerned with only three of them:

AllocateFloppies
AllocateCDRoms
Allocatedasd

With AllocateFloppies and AllocateCDRoms, the default value is 0, which lets all users access the device. Changing this value to 1 lets only locally logged-on users access the removable disk or CD-ROM. To enable this restriction, you also need to delete the administrative shares that are created by default.

Allocatedasd (DASD is an old mainframe term for Direct Access Storage Deviceā€”a hard drive) has three possible values to control access:

  • 0 Only members of the computer's Administrator group.
  • 1 Only members of the Administrator and Power Users groups.
  • 2 Only members of the Administrator group and the local current user.