Tip

Beware of WinXP SP2 and group policy issue



After you install Windows XP, you may notice an issue when you configure the Windows firewall group policy settings: Group policy-based software distribution does not always occur with the first or second reboot and other group policies are not always applied.

In group policy, there are two sets of identical policies for the firewall: Domain Profile and Standard Profile. As the names imply, while connected to the domain, the Domain Profile policies apply, and while disconnected, the Standard Profile policies apply.

The computer determines if it is connected to the domain by checking its current domain to see whether it matches the domain name in the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName" registry setting. This setting is populated the last time the group policies were successfully applied.

As I mentioned earlier, group policies are not successfully applied until the second or third reboot -- it's hit or miss. In the case of my company, we needed all group policy settings to be applied the first time the computer was rebooted after the image was applied. While searching through policies, I ran across the following setting: "Always wait for the network for computer startup and logon." It is located under "Computer Configuration\Administrative Templates\System\Logon."

The explanation of the policy reads as follows: "[This policy] determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group policy is applied in the background once the network becomes available. Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes.

To operate safely, these extensions require that no users are logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, it may take up to two logons to detect changes made to the user object, such as adding a roaming profile path, home directory or user object logon script.

If a user with a roaming profile, home directory or user object logon script logs on to a computer, Windows XP always waits for network initialization before logging on a user. If a user has never logged on to this computer before, Windows XP always waits for the network to be initialized.

If you enable this setting, logons are performed the same way they are for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group policy is applied in the foreground, synchronously. If you disable or do not configure this setting, Windows does not wait for the network to be fully initialized and users are logged on with cached credentials. Group policy is applied asynchronously in the background.

If you want to guarantee the application of Folder Redirection, Software Installation or roaming user-profile settings in just one logon, enable this setting to ensure that Windows waits for the network to be available before applying policy.

Note: For servers, the startup and logon processing always behaves as if this policy setting is enabled."

The policy above explains the exact issue we encountered at our company. I quickly enabled the setting, but, to my dismay, this is one of the settings that is not applied until the second or third reboot. However, we finally resolved the issue by enabling this setting in the local policies on our image.
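As an added example (not part of the original tip), the following PowerShell check can be run on a freshly imaged machine to see whether the NetworkName value described above has been populated and whether the wait-for-network setting is present. It assumes the policy is stored as the `SyncForegroundPolicy` DWORD under the Winlogon policies key (not stated in the tip) and approximates the "current domain" by the DNS domain of each IP-enabled adapter; the function names are illustrative.

```powershell
# Added example (not from the original tip). Run in Windows PowerShell on the imaged machine.
$historyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
# Assumption: registry location behind the "Always wait for the network ..." policy.
$policyKey  = 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-ExpectedFirewallProfile {
    param([string]$NetworkName, [string[]]$AdapterDomains)
    # An empty NetworkName means group policy has not yet applied successfully,
    # so there is nothing for the domain check to match against.
    if (-not $NetworkName) { return 'Standard (NetworkName not populated)' }
    foreach ($domain in $AdapterDomains) {
        if ($domain -and ($domain -ieq $NetworkName)) { return 'Domain' }
    }
    return 'Standard (no adapter DNS domain matches NetworkName)'
}

$networkName = Get-RegValue $historyKey 'NetworkName'
# Assumption: the adapter's DNS domain stands in for the "current domain".
$domains = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSDomain })
$sync = Get-RegValue $policyKey 'SyncForegroundPolicy'

"NetworkName         : $networkName"
"Adapter DNS domains : $([string]::Join(', ', $domains))"
"Expected profile    : $(Get-ExpectedFirewallProfile $networkName $domains)"
if ($sync -eq 1) {
    'Wait for network    : enabled (policy is applied synchronously at startup)'
} else {
    'Wait for network    : NOT set (policy may need extra reboots to apply)'
}
```

A result of "Standard (NetworkName not populated)" on a domain-connected machine means the Standard Profile firewall policies are the ones in effect until group policy has applied once.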

(Bruce Vangrouw contributed information for this article.)


Rod Trent, manager of myITforum.com and a Microsoft MVP, is an expert on Microsoft Systems Management Server. He has more than 18 years of IT experience -- eight of which have been dedicated to SMS. He is the author of Microsoft SMS Installer, Admin911: SMS, and IIS 5.0: A Beginner's Guide and has written, literally, thousands of articles on technology topics.


This was first published in April 2005
