Windows XP Professional offers powerful new network capabilities and enhancements, many of which help make home and remote-user networking easier and more robust. Although some features such as Internet Connection Sharing (ICS), Internet Connection Firewall (ICF), and Network Bridging cause much hand-wringing and jaw-clenching among network administrators, these features offer workable solutions for users at home and on the road. With an understanding of the specific capabilities of these features, when you should apply them, and how you can control them, you can enhance the connectivity and security of your users' portable systems without sacrificing your corporate network's integrity.
Alternate Configuration Settings
Before you design an elaborate solution to satisfy the networking needs of nomadic users, take a look at XP Pro's Alternate Configuration networking capabilities. The Alternate Configuration settings provide a simple, yet effective, solution for systems used in two network environments, such as a laptop that does double duty at the office and on the road or at home. As an administrator, you can configure these settings to meet the user's connection requirements so that the user doesn't need to know the difference between a subnet mask and a Batman mask.
The Alternate Configuration settings let XP dynamically switch between a dynamic IP address configuration and a static IP address configuration. The settings that you specify take effect when the computer doesn't receive a response from a DHCP server on the network to which the system is attached. For example, when a user attaches a laptop to the corporate network, the system identifies a DHCP server and maintains settings appropriate for that environment. When the user takes the laptop home, the lack of a DHCP server triggers the system to use the Alternate Configuration settings. The default Alternate Configuration settings are to assign an address from the Automatic Private IP Addressing (APIPA) range (i.e., 169.254.x.y with a subnet mask of 255.255.0.0), but you can configure your own values to match the IP addressing scheme of the secondary network. Figure 1 shows the Alternate Configuration tab of the Internet Protocol (TCP/IP) Properties dialog box. To access this dialog box, open the Network Connections window, right-click the network connection that you want to configure, select Properties from the context menu, choose Internet Protocol (TCP/IP), click the Properties button, then select the Alternate Configuration tab. Note that this tab isn't available unless you first select the Obtain an IP address automatically option on the General tab of the Internet Protocol (TCP/IP) Properties dialog box.
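To confirm from a command prompt which of the three outcomes a laptop actually ended up in after it was plugged in (a DHCP lease, the custom Alternate Configuration, or the APIPA fallback), here is a batch script I've added; it is not part of the article. It relies only on the English labels that ipconfig /all prints on XP ("DHCP Server", "IP Address", and the 169.254 prefix), and it reports a whole-machine summary rather than a per-adapter one.

```batch
@echo off
rem Added example, not from the article: report the address source in use
rem on this XP Pro system. Assumes the English ipconfig /all output labels.
setlocal
set SRC=unknown

rem A "DHCP Server" line is printed only when a lease was obtained.
ipconfig /all | findstr /i /c:"DHCP Server" >nul
if not errorlevel 1 set SRC=dhcp

rem An address in 169.254.0.0/16 means no DHCP response arrived and the
rem default (APIPA) Alternate Configuration was used, not custom values.
rem Checked last so that a fallback on any adapter wins over a lease on
rem another; that is the state an administrator most wants to know about.
ipconfig /all | findstr /i /c:"169.254." >nul
if not errorlevel 1 set SRC=apipa

if "%SRC%"=="unknown" (
    rem No lease and no APIPA address: a configured address must come from
    rem the Alternate Configuration tab or a static General-tab setting.
    ipconfig /all | findstr /i /c:"IP Address" >nul
    if not errorlevel 1 set SRC=alternate-or-static
)

echo Address source: %SRC%
endlocal
```

If the script prints apipa on the home network, the user's custom Alternate Configuration values were never applied, which usually means the Obtain an IP address automatically option was not selected on the General tab, so the Alternate Configuration tab's settings were ignored.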
Network Connections Folder
Consider yourself lucky if the Alternate Configuration settings keep your multilocation users out of the Network Connections folder. XP Pro includes a plethora of network settings that you can adjust, either using a wizard or manually, from within this folder. You'll want your users to be able to adjust some, but not all, of these settings. To determine which users can change which settings in which situations, you can use a new group to adjust the granularity of control necessary for your environment.
Network Configuration Operators Group
XP Pro features the new built-in group Network Configuration Operators, which lets you delegate network configuration management tasks. In addition to providing a measure of control over who can alter network settings, this group lets you give a local user the ability to change certain settings without making the user a member of the local Administrators group. In some cases, members of the Network Configuration Operators group can modify the TCP/IP properties to rename, enable, and disable LAN connections available to all users on the system; in other cases, these members can modify only the settings for their own connections. Group members can also delete, rename, and modify properties of remote access connections for the current user, and they can issue ipconfig release and renew commands.
To add a local user to this group, open the Computer Management console and expand the Microsoft Management Console (MMC) Local Users and Groups snap-in. Select the Groups object in the console tree and double-click the Network Configuration Operators item in the details pane. Click the Add button to enter the user's name. If you aren't sure about the syntax or spelling of the user object, click the Advanced button to query either the local user database or the Active Directory (AD) user database and choose from the available list of relative distinguished names (RDNs). After adding the name to the group, click OK to close the Network Configuration Operators Properties window.
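The same membership change from an administrative command prompt, as an added example rather than the article's own procedure. It uses net.exe, which XP Pro ships with; the script name (addnco.cmd) and the username argument are my assumptions.

```batch
@echo off
rem Added example, not from the article: add a local user to the
rem Network Configuration Operators group and confirm the membership.
rem Usage: addnco.cmd <username>   (quote names that contain spaces)

if "%~1"=="" (
    echo Usage: %~nx0 ^<username^>
    exit /b 1
)

set "GROUP=Network Configuration Operators"

rem net.exe exits nonzero if the account does not exist, the caller lacks
rem rights, or the user is already a member.
net localgroup "%GROUP%" %1 /add
if errorlevel 1 (
    echo Could not add %1 to "%GROUP%".
    exit /b 1
)

rem Confirm by listing the group's members and looking for the name at
rem the start of a line, which is how net.exe prints each member.
net localgroup "%GROUP%" | findstr /i /b /c:"%1" >nul
if errorlevel 1 (
    echo %1 does not appear in "%GROUP%" - inspect: net localgroup "%GROUP%"
    exit /b 1
)
echo %1 is now a member of "%GROUP%".
```

Running net localgroup "Network Configuration Operators" on its own lists the current members, which is a quick way to audit a laptop before it leaves the office.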
After you add a user to the Network Configuration Operators group, the user can perform simple network configuration tasks in XP Pro, even when the user is away from the office. However, being a member of this group doesn't give the user permission to configure ICS, ICF, or Network Bridging. To configure those items, the user must have a local user account with administrative permissions. But once you grant these permissions, how do you make sure that the settings the user makes don't have a detrimental effect on your corporate network settings? The answer lies in Group Policy settings and Network Location Awareness.
Group Policy Settings for Network Connections
XP Pro includes new computer configuration and user configuration Group Policy settings that offer greater control over who can alter network settings. Before you can use XP Pro's new core Group Policy settings in a Windows 2000 Server AD Group Policy Object (GPO), you must install the latest XP Administrative Template (.adm) file to the appropriate domain system container(s) on the domain controller (DC). Using XP .adm files for administering GPOs in a mixed-client environment is generally acceptable because down-level clients will ignore nonapplicable settings. However, you'll want to test the interoperability of your setting selections before you deploy those settings. Be sure that you understand the implications of Group Policy and that you follow your company's guidelines for Group Policy before you proceed with these steps. For an excellent explanation of Group Policy in Win2K, see "Introducing Group Policy," September 1999, http://www.winnetmag.com, InstantDoc ID 7066.
To upgrade the .adm file on a Win2K system, log on with Administrator privileges and perform the following steps:
1. Copy the \%systemroot%\inf\system.adm file from an XP Pro system to a 3.5" disk or network location.
2. Copy the system.adm file from the 3.5" disk or network location to the \%systemroot%\inf folder on your DC. Depending on your internal template-handling procedures, you can replace the Win2K system.adm file or use an alternate name such as system_xp.adm for the XP version.
3. From the MMC Active Directory Users and Computers snap-in, right-click the DC to which you want to apply the new settings, then select Properties.
4. Click the Group Policy tab, select a GPO, and click Edit.
5. Right-click the Administrative Templates object under either Computer Configuration or User Configuration and choose Add/Remove Templates from the context menu.
6. Remove the Win2K system.adm file and add the system.adm or renamed version of system.adm that you copied from the XP Pro system.
7. Close the Add/Remove Templates dialog box, then explore the administrative templates to verify that the new XP settings are available.
Computer Configuration. Figure 2 shows the XP Pro Group Policy settings that apply to the computer, which are in the Computer Configuration node in the MMC Group Policy snap-in. As you can see, these settings address three major areas of concern regarding XP capabilities in a corporate network domain. You can use these settings to remove the ability for anyone, including Administrators, to enable ICS, ICF, or Network Bridging. The Explain tab on the Properties window for each setting provides a description.
Keep in mind one caveat related to these settings: If an ICS, ICF, or Network Bridging setup already exists on a computer attached to your domain, Group Policy won't alter that existing setup. This happens because the Group Policy settings are location aware (i.e., they apply only when the computer connects to the same DNS domain network that the computer was connected to when its settings were last updated).
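To check on a given XP Pro computer whether those three Computer Configuration policies have actually reached it, here is an added batch script; it is not from the article. It assumes the policies land under HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections with the value names NC_ShowSharedAccessUI, NC_PersonalFirewallEnabled, and NC_AllowNetBridge_NLA, which is how the Network Connections section of XP's system.adm declares them; confirm the names and the VALUEON/VALUEOFF numbers against your own copy of system.adm before relying on the output.

```batch
@echo off
rem Added example, not from the article: report whether the XP policies
rem that prohibit ICS, ICF and Network Bridging are present on this
rem computer. Key and value names are assumptions taken from XP's
rem system.adm; verify them against your copy.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections"

call :show NC_ShowSharedAccessUI     "Internet Connection Sharing"
call :show NC_PersonalFirewallEnabled "Internet Connection Firewall"
call :show NC_AllowNetBridge_NLA      "Network Bridge"
endlocal
exit /b 0

:show
rem %1 = registry value name, %2 = feature label.
rem reg.exe exits nonzero when the value is absent, which means the policy
rem is Not Configured for this machine (or has not been refreshed yet).
reg query "%KEY%" /v %1 >nul 2>&1
if errorlevel 1 (
    echo %~2: policy not present - local Administrators can enable it
    exit /b 0
)
rem Value present: print the raw DWORD so it can be compared with the
rem VALUEON/VALUEOFF numbers declared for this policy in system.adm.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %1 ^| findstr /i /c:"%1"') do (
    echo %~2: policy present, data %%v
)
exit /b 0
```

The script only shows whether the policy value has arrived; because of the caveat above, a bridge or ICS setup that was configured before the policy reached the machine can still be running, so pair this check with a look at the Network Connections folder on any laptop that has been off the domain network.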
User Configuration. Figure 3 shows the XP Pro Group Policy settings that apply to users. These settings are in the User Configuration node in the MMC Group Policy snap-in. The Explain tab on the Properties window for each setting provides a description. These settings provide granularity of control over network configuration operations. At the same time, read each setting's description and behavioral information thoroughly before applying it, particularly in conjunction with the "Enable Windows 2000 Network Connections settings for Administrators" policy in a mixed-client environment.
Be in Control
XP's new networking offerings can make home networking a breeze or can wreak havoc on a corporate networking environment. Fortunately, the measures for controlling when and how you can use specific functionality are thorough and effective. Putting those measures in place is up to you.
Correction
In Ed Roth's "Windows XP's Advanced Networking Feature" (March 2003, http://winnetmag.com, InstantDoc ID 37939), the instructions to upgrade the .adm file on a Windows 2000 system, Step 3, state: "From the MMC Active Directory Users and Computers snap-in, right-click the DC to which you want to apply the new settings, then select Properties." The sentence should have read: " ... right-click the domain container to which you want to apply the new settings, then select Properties." We regret any inconvenience this error might have caused.