Professor Windows - February 2002
Managing a Windows 2000 Domain with Windows XP Professional Clients Present
During my work with early adopters of new Microsoft operating systems (OS), I always tried to ask myself what is the added-value that our partners and customers get from this new operating system. And yes, we all have seen the product sheet and the new and improved features list, but what I'm aiming here is at the feeling that when I'm out there on a customer site, as a technical person, I want to let the IT manager or the system administrator see some cool and helpful aspects of the new OS that can really express the evolution (or sometimes, revolution) that the product brings.
This column discusses practical stuff that you can do with a Windows XP Professional client on your Windows 2000 domain network starting today, plus a small surprise from me to you.
What is Windows XP Professional (in a nutshell)?
Windows XP Professional is the latest client operating system for businesses. It is built on the Windows 2000 code-base, and therefore has all the capabilities we've seen from Windows 2000 Professional, plus new and improved features in many aspects of the new OS. It brings greater security to protect your business data, including the ability to encrypt your files and folders, including your offline folders, and for more than one user (multi-user EFS). It also comes with some great new management tools (some of them are discussed further in this column). It includes a new Help and Support center, which centralizes all the help topics, diagnostic tools, remote control and remote assistance for users, step-by-step help on configuration and troubleshooting, and many others. Windows XP Professional installs with Internet Explorer (IE) 6.0, the latest web browser. It also includes a 64-Bit edition, and is the first Windows OS to use the new IA-64 architecture.
To read and know more about Windows XP, try the following:
Managing your Active Directory Domain
When working with Windows 2000, we're used to manage most of our daily chores from the Active Directory (AD) Users & Computers MMC Snap-In. Windows XP Professional uses the MMC snap-ins from the Windows .NET Server files (previously known as Whistler Server, the next Server release). Don't try to run and use the Windows 2000 adminpak.msi file on your Windows XP Professional client. You can get the adminpak.msi file from the i386 folder on the Windows .NET Server Beta CD (Beta 3 is the latest release at the time of this writing), or on the Server itself.
Running this MSI file will install by default all the MMC-based management tools. As discussed in the previous column, if you only want the Active Directory Management Tools, you can use msiexec.exe to extract only the three AD-related MMC Snap-ins out of the adminpak.msi file using the following command:
msiexec /i adminpak.msi ADDLOCAL= FeADTools /qb
Once you get the AD MMC snap-in installed comes the cool part to those of you who haven't tried it yet, the new Windows.NET Server AD Users & Computers MMC snap-in includes some new features.
First of all, you can use drag and drop inside the AD Users & Computers MMC.
Yes, yes, I know - some of you wished for this capability since the release of Windows 2000, and yet others are probably not too keen about the possibility to accidentally drag and drop an object to somewhere you didn't really want, but the feature is there, and eventually it's a good change, which enables us to quickly and easily move objects in the domain tree.
Another feature is called "Saved Queries." This feature enables you to build XML-based queries into your AD Users & Computers MMC and refresh them from time to time to get the updated results. This gives you the ability to actually create custom views and reports on your directory objects based upon a certain criteria that you give. For example, you can build a search query for all the users with a certain description, or all the computers which has a certain operating system version or build number. Along with the capability to pick up your search criteria from a pull-down menu of attributes to each object, since "Saved Queries" essentially builds an XML file to each query, it also enables us to edit or write our own search criteria(s) using XML syntax. Here's a look at how those saved queries look like from your AD MMC (see Figure 1):
If your browser does not support inline frames, click here to view on a separate page.
Figure 1 Saved Queries
Please notice that query definitions for your "Saved Queries" are kept locally on the computer you've created them. Therefore, if you want to view the queries you've created on other computers as well, you will need to re-create the queries, or alternatively use the import/export option when you right click a query definition. The Export query definition option uses XML files which you can move around from one computer to another, and then use Import query definition on the AD Users & Computers MMC.
We also have another interesting addition inside the new Windows XP/.NET AD Users & Computers MMC called Resultant Set of Policy (RSOP). It works similar to the known command-line tool from the Windows 2000 Resource Kit called gpresult.exe, which by the way exists also in the Windows XP operating system.
This enables you to calculate and predict the effective policy of a certain user or computer, or even a group of users or computers, in one of two modes: Logging and Planning. Logging shows the current effective policy settings that the user has, while planning deals with "What if" scenarios, and is used to anticipate the effective policies that will be applied in a given context. For example: What is my effective policy if I move my user to a different Organizational unit, and when logging to a certain PC? And how will these settings change (if at all) when I edit the user's group membership, or log on to a different PC/Server? These are the kinds of questions the RSOP tool planning-mode can answer.
There are other features that will be available, as the adminpak.msi file of Windows .NET Server is not yet completed and released. One of these is the ability to edit multiple objects and change certain attributes to all of these objects in a single operation. This can be done in Windows 2000 today using scripting technologies.
If the topic of automating management tasks via script interests you, let us knowand I'd be happy to discuss it in one of my future columns.
Windows XP Professional includes two new significant capabilities in the fields of remote communication between PCs, known as Remote Desktop and Remote Assistance. Remote Desktop essentially brings the terminal services capability to the end user, to the client PC. It enables you to remotely log on to a session on a Windows XP Professional client, the same as you would logon to a Terminal Services session on the Server, and using the same terminal client you currently have. It does differ from the Windows Server Terminal Services in the fact that it is limited to one connection only. In fact, there can be only one active user working on a Windows XP Professional workstation in a given time. When you initiate a Remote Desktop session to your Windows XP computer, the currently logged-on user is logged off first, and the computer is locked. Remote Assistance helps you to fully take control of an Windows XP client computer, whilst both the inviter and the support person can use the keyboard and mouse on that computer. The Remote Assistance screen includes chat, audio and video capabilities, along with file transfer and full desktop control that can be used during the remote support operation. You can invite someone to help you remotely from the Windows XP Help & Support Center. You can also send an invitation to remotely connect to someone else's computer from the Help & Support Center. You need Windows XP on both ends (both the remote computer and the connecting client computer). Both of these new features can be configured/enabled by right-clicking My Computer, choosing properties, and selecting the Remote tab.
Let's try and compare these two remote capabilities to understand how they really differ from each other:
- Using Remote Assistance, the user invites someone else to come and take control of the computer via Email, MSN Messenger or a file, and once initiated, they can use chat, file transfer and full control of the user's desktop. The inviter can terminate the session by pressing the ESC key.
- In Remote Desktop, only one user is active at a given time, while in RA (Remote Assistance), both users are active.
- Remote Desktop can use any Windows Terminal Client (RDP 5.0 or RDP 5.1) to connect to that computer, even from Windows 9x/2000 computers. Remote Assistance requires both ends to run Windows XP.
- The request for Remote Assistance can be limited to certain duration.
- Remote Assistance doesn't require a local account on the computer you are connecting to. Remote Desktop, however, requires a local or a domain account in order to login to the remote Windows XP computer.
- Finally, Remote Desktop is only available in Windows XP Professional. Remote Assistance is available on Windows XP Home Edition also (can be used for home support of friends and family).
Windows XP comes with the new Terminal Services Client (RDC- Remote Desktop Connection, also known as MSTSC.exe). The RDC works with RDP 5.1 protocol which leverages some cool new terminal features when working with other RDP 5.1 computers (e.g. Windows XP and Windows .NET Server). These features include drives re-direction, where you can see your client drives from My Computer on the Remote computer, and copy-paste files and folders between the drives. Speaking of copy-paste operations, the RDP 5.1 client also has a shared clipboard, which means you can copy-paste easily between the terminal services session and the client (which can be quite handy). You can do this in Windows 2000 using rdpclip.exe (a Windows 2000 Resource Kit tool). In Windows XP/.NET Server this capability is built-in. We also re-direct ports, printers and sound cards. You can hear at your client-side speakers any sound that is running from the terminal services session on the remote computer. Last but definitely not least, there's support for more than 256 colors (up to 24-bit) in MSTSC, the Remote Desktop Connection terminal services client.
Tip On the Windows XP CD, under \SUPPORT\TOOLS you'll find a file called MSRDPCLI.exe. This file contains the setup for the Terminal Client Software (Remote Desktop Connection, or MSTSC.exe) for Windows 9x/2000 computers. You can run this file to install the new terminal services client to perform Remote Control to your Windows XP Professional computers (And Windows terminal services servers) from Windows 95/98, for example.
As for the surprise I mentioned in the beginning of the article, I wrote a small tool called Remote Control Add-on for Active Directory Users & Computers that extends the Active Directory MMC with a custom action of "Remote Control" when you right click a computer accounts (see Figure 2 below). Using this tool you can leverage Terminal Services technologies and connect to Windows 2000/.NET Terminal servers, as well as Windows XP Professional clients, straight from the AD MMC.
Please note that this tool is not supported by Microsoft. The use of the tool is at your own risk. You can download Remote Control Add-on for Active Directory Users & Computers from here .
If your browser does not support inline frames, click here to view on a separate page.
Figure 2 "Remote Control" add-on
Windows XP Group Policies
Windows XP Professional introduces some new and useful group policy settings. There are a bit more than 200 new policy settings that come along with Windows XP Professional. Some of the settings are specific to Windows XP due to new features that are not supported on Windows 2000, while others can be used in Active Directory to be applied to desktops running Windows 2000 as well. All Windows 2000 policies fully work with Windows XP. The new policy settings that apply only to Windows XP Professional will be ignored by any clients running Windows 2000.
You can use the updated Administrative Template files (.adm) that come with Windows XP to apply the new Windows XP-related policy settings in your domain. The *.adm files are the files that provide policy information for items that are under the Administrative Templates folder in the MMC of the Group Policy Snap-in.
Windows XP contains the following updated administrative template files:
- System.adm (Used for the core system settings)
- wmplayer.adm (for Windows Media settings)
- Conf.adm (for NetMeeting)
- Inetres.adm (Used for Internet Explorer)
You can upgrade your *.adm files in a Windows 2000 computer (so you can manage your Windows XP clients GPO settings) by using the *.adm files from a Windows XP computer. These files are in located in the \Windows\INF directory. You need to copy these files to the local Windows 2000 computer or a file share. Then, from the Windows 2000-based computer, open a Group Policy object properties in Group Policy MMC Snap-in, and right click the Administrative templates. Select Add/Remove Templates in order to use (update) the *.adm files from the Windows XP computer.
It's important to note that Windows XP clients can apply their group policies asynchronously during boot and logon, which enables them to process their cached policies even when they cannot detect the network. Compared to Windows 2000 synchronous work during the boot and logon processes, this gives faster boot and login times to Windows XP clients which don't have to wait for the network. While this is essentially a good thing, some administrators don't want to delay applying software installations or folder re-directions, and may wish to convert this behavior (as in Windows 2000). You can make Windows XP Professional work synchronously during boot and logon processes by enabling the setting Always wait for the network at computer startup and logon, which is located in the Group Policy snapin at "Computer Configuration", under \Administrative Templates\System\Logon.
I only introduced a few aspects here, but I hope you can get the picture of how it looks when you run Windows XP Professional in your Windows 2000 domain environment. There are many tools and tips you can use with Windows XP Professional which I will try to cover in a future Professor Windows column. Take care in the meantime, and feel free to send in your feedbacks.
For any questions or feedback regarding the content of this column, please write to Microsoft TechNet.