Tardy policies

Looking after a mixed network can be very rewarding in terms of the skills learned trying to get various recalcitrant operating systems to co-habit, but it’s equally frustrating when those operating systems deal with the same thing in markedly different ways. I run a network that still boasts a solitary Windows 3.1 workstation (hey, it does the job it was meant for perfectly, so why change?), but at least it and the 95 and 98 boxes aren’t on the main domain.

The main domain does, however, have to cope with four separate operating systems – Windows 2000, 2003, XP and Vista – and if there’s one area where the mixture proves inflammable it’s exactly where you wouldn’t wish it, in Group Policy. The reason for this is that Windows 2000 Workstation handles Group Policy updates in a totally different way from XP and Vista. (I’m ignoring the Windows 2003 domain controller/servers, as they’ll just confuse the issue, and anyway it’s on the workstations that the major problems occur.) Put simply, the way Windows 2000 handles Group Policy updates is so vastly superior to XP and Vista that if you didn’t know about these differences before, you’re not going to be happy once I tell you about them. I can almost hear some people grumble that they don’t run Windows 2000 any more so why does it matter, but it does. The issue isn’t over whether you run the operating system but about how it works compared to the two later releases.

The key difference between the versions lies in something called Fast Boot, the technology Microsoft introduced when Windows XP first shipped, the feature that takes you to the login screen faster with both XP and Vista (which works exactly the same as XP in this instance) than it did under 2000, barring one specific eventuality that I’ll come to later.

The reason Windows 2000 took longer to boot was that it was doing more processing at startup. When you switch on a 2000 system, it starts to communicate with the domain controller, and once it’s established contact it sets about examining the Computer half of Group Policy in the order Site > Domain > Organisational Unit (OU). If policy changes have been made it applies them straightaway, and once it’s finished chatting with the domain controller and all its tasks are done, only then will it show you the login prompt. Type in your username and password and the system logs you in to the domain, at which point the User portion of Group Policy gets checked (once again in Site > Domain > OU order), and only after that checking is over and any changes applied are you presented with a Windows desktop, letting you get on with your work. This often made for very slow logins, so Microsoft introduced Fast Boot for Windows XP and carried it through to Vista – I can only assume it thought people might bitch if it took longer to get into Vista than it had with XP. From a domain admin’s point of view, though, it would have been a lot better if they’d reverted to the old 2000 system.

There is, in fact, one circumstance where both XP and Vista act in the same way as Windows 2000, and that’s when a user logs on to a system that’s been added to the network for the first time. At that point, the two halves of Group Policy are both thoroughly examined and everything set up there gets run. In every other case, when you log on to XP or Vista something quite different happens. You should all be familiar with “Last Known Good”, an old friend that’s rescued many a user whose PC just wouldn’t boot after a shutdown or a restart. What fewer people are aware of, however, is that in its desire to make the logon experience faster for XP and Vista users, Microsoft coded both those operating systems to employ a variant of Last Known Good Group Policy whenever they start up and log on.