
Beware of WinXP SP2 and group policy issue

After installing Windows XP, group policy-based software distribution does not always occur with the first or second reboot. Find out what you can do about this.


After you install Windows XP, you may notice an issue when you configure the Windows firewall group policy settings: Group policy-based software distribution does not always occur with the first or second reboot and other group policies are not always applied.

In group policy, there are two sets of identical policies for the firewall: Domain Profile and Standard Profile. As the names imply, while connected to the domain, the Domain Profile policies apply, and while disconnected, the Standard Profile policies apply.

The computer determines if it is connected to the domain by checking its current domain to see whether it matches the domain name in the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName" registry setting. This setting is populated the last time the group policies were successfully applied.

As I mentioned earlier, group policies are not successfully applied until the second or third reboot -- it's hit or miss. In the case of my company, we needed all group policy settings to be applied the first time the computer was rebooted after the image was applied. While searching through policies, I ran across the following setting: "Always wait for the network for computer startup and logon." It is located under "Computer Configuration\Administrative Templates\System\Logon."

The explanation of the policy reads as follows: "[This policy] determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group policy is applied in the background once the network becomes available. Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes.

To operate safely, these extensions require that no users are logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, it may take up to two logons to detect changes made to the user object, such as adding a roaming profile path, home directory or user object logon script.

If a user with a roaming profile, home directory or user object logon script logs on to a computer, Windows XP always waits for network initialization before logging on a user. If a user has never logged on to this computer before, Windows XP always waits for the network to be initialized.

If you enable this setting, logons are performed the same way they are for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group policy is applied in the foreground, synchronously. If you disable or do not configure this setting, Windows does not wait for the network to be fully initialized and users are logged on with cached credentials. Group policy is applied asynchronously in the background.

If you want to guarantee the application of Folder Redirection, Software Installation or roaming user-profile settings in just one logon, enable this setting to ensure that Windows waits for the network to be available before applying policy.

Note: For servers, the startup and logon processing always behaves as if this policy setting is enabled."

The policy above explains the exact issue we encountered at our company. I quickly enabled the setting, but, to my dismay, this is one of the settings that is not applied until the second or third reboot. However, we finally resolved the issue by enabling this setting in the local policies on our image.
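The following read-only audit is an added example, not part of the original tip. It checks an image or a freshly imaged client for the two things discussed above: whether the "wait for the network" policy is already in effect locally, and whether the NetworkName history value has been populated. It assumes PowerShell is installed (it is not part of a default Windows XP install), that the policy is stored as the `SyncForegroundPolicy` value under the Winlogon policies key (the tip does not give a registry location), and it uses a constructed domain name and hypothetical function names.

```powershell
# Added example: read-only audit, run on the reference image or a freshly imaged client.
param([string]$ExpectedDomain = 'corp.example.com')   # constructed sample domain

# The History key is quoted in the article. The Winlogon policy value is an assumption
# of this example (the article names the policy, not its registry location).
$HistoryKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
$PolicyKey  = 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-GpoStartupState([string]$NetworkName, $SyncForeground, [string]$Domain) {
    # Per the article: the Domain Profile applies only when the recorded NetworkName
    # matches the domain, and the value is written after a successful policy run.
    $seeded    = [bool]$NetworkName
    $fwProfile = if ($seeded -and ($NetworkName -ieq $Domain)) { 'Domain' } else { 'Standard' }
    New-Object PSObject -Property @{
        NetworkName     = $NetworkName
        HistorySeeded   = $seeded
        FirewallProfile = $fwProfile
        WaitsForNetwork = ($SyncForeground -eq 1)
    }
}

$state = Get-GpoStartupState (Get-RegValue $HistoryKey 'NetworkName') `
                             (Get-RegValue $PolicyKey 'SyncForegroundPolicy') `
                             $ExpectedDomain
$state | Format-List

if (-not $state.WaitsForNetwork) {
    # Background refresh: Software Installation and Folder Redirection can need two logons.
    Write-Warning 'Wait-for-network policy is not set locally; first-boot policy will be asynchronous.'
}
if (-not $state.HistorySeeded) {
    Write-Warning 'NetworkName is empty: group policy has not yet applied successfully on this machine.'
} elseif ($state.FirewallProfile -eq 'Standard') {
    Write-Warning "NetworkName '$($state.NetworkName)' does not match '$ExpectedDomain'; Standard Profile firewall policy applies."
}
```

Run it once on the image before capture and again after the first reboot of a deployed client; on a client that picked up the local policy setting, `WaitsForNetwork` should read `True` before any domain policy has been processed.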

(Bruce Vangrouw contributed information for this article.)

Rod Trent, manager of and a Microsoft MVP, is an expert on Microsoft Systems Management Server. He has more than 18 years of IT experience -- eight of which have been dedicated to SMS. He is the author of Microsoft SMS Installer, Admin911: SMS, and IIS 5.0: A Beginner's Guide and has written, literally, thousands of articles on technology topics.
