Access Denied: Using One GPO to Control Both Windows XP and Windows 2000 Settings

Our domain organizational unit (OU) structure is set up in such a way that I have a mix of Windows XP and Windows 2000 computers in the same OU. By looking at the local Group Policy Object (GPO) on an XP computer, I can tell that XP's Group Policy settings are different from Win2K's settings. How can I use GPOs that are stored in Active Directory (AD) to manage these Group Policy settings? Also, can I use one GPO linked to my OU to manage both kinds of computers?

You can manage both XP's new Group Policy settings and Win2K's settings from the same GPO. But first, you must update the GPO to include XP's new settings. To do so, copy the system.adm, wmplayer.adm, conf.adm, and inetres.adm files from %systemroot\inf% on an XP computer to a folder somewhere on your domain controller (DC). Then, from a Win2K computer, edit the GPO you want to update. Right-click Computer Configuration\Administrative Templates and select Add/Remove Templates. In the Add/Remove Templates dialog box, remove the existing copies of the above files and add the templates you copied from an XP computer.

After you load the new templates, the GPO won't look different when you edit it on a Win2K computer—you'll still see all the Win2K policies you're accustomed to. However, when you edit the same GPO from an XP computer, you'll see all of XP's new settings.

The reason you see different settings for the different OSs is that the same GPO holds both versions of policies, and each computer that applies the GPO looks for and applies the appropriate policies for that computer's version of Windows. However, to edit both versions of the policies, you must use an XP computer to edit the XP settings and a Win2K computer to edit the Win2K settings. To learn more, see Access Denied, "Using Win2K Group Policy to Manage New XP Group Policy Settings," November 2002, InstantDoc ID 26773.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.