This paper is written for Group Policy administrators or general administrators tasked with managing Group Policy in their organization. It assumes you currently use Group Policy to manage your users and computers in either a Microsoft Windows Server™ 2003 domain or a Windows 2000 Server domain and that you have an interest in managing computers running Windows XP with SP2. In addition, it assumes you are using the Group Policy Management Console (GPMC), which is the primary tool to view and manage Group Policy objects (GPOs). Editing GPOs from within GPMC opens the Group Policy Object Editor (gpedit.msc), which you can use to view all of the available policy settings for SP2. To download GPMC, see Group Policy Management Console with Service Pack 1 on the Microsoft Download Center Web site at

SP2 contains 609 new Administrative Template (.adm) policy settings. These policy settings cover the following areas.

  • Internet Explorer. New policy settings for both User and Computer Configuration provide you with a great deal of control over how Internet Explorer® is used in your organization. With these new policy settings, you can manage security settings (for example, those that appear in Internet Explorer under Tools, Internet Options, Security). Furthermore, with Security Feature policy settings, you can enable or disable Internet Explorer security features for various processes.

  • Windows Firewall. Windows Firewall is enabled by default in SP2, and you can use these policy settings to turn the firewall on or off, manage program and port exceptions, and define exceptions for specific scenarios such as enabling remote administration on target computers. Identical sets of policy settings are available in two profiles: a Domain profile for use when computers are connected to the network containing your organization’s Active Directory® directory service domain, and a Standard profile for use when computers are used outside your organization's network, such as home or mobile use.

  • Internet Communication Management. SP2 provides new policy settings for controlling how various components in Windows XP with SP2 communicate over the Internet for tasks that involve exchange of information between computers in an organization and the Internet.

  • Security. SP2 provides new policy settings to control security settings for Distributed COM (DCOM) and to centrally administer Security Center. The DCOM infrastructure includes new access control restrictions to help minimize the security risks posed by network attacks. Security Center is a new feature in SP2 that you can centrally administer with Group Policy, enabling you to monitor computers in your organization to ensure that they comply with the latest security updates and to alert users if their computers pose a security risk.

  • Automatic Updates. SP2 provides new policy settings that administrators can use to manage the Install Updates and Shut Down option. This option provides ease of management for clients configured to run Automatic Updates.

  • Infrastructure. SP2 includes new policy settings to manage certain aspects of Terminal Services and User Profiles. You can use a policy setting to prevent users of Terminal Services clients from saving their passwords in the client, providing enhanced security. With the new User Profiles policy setting, you can retain data pertaining to Windows Installer and Software Installation when a user’s roaming user profile is deleted.

  • Network. SP2 provides new policy settings to manage the following network areas:

    • Background Intelligent Transfer Service (BITS), a file transfer service that transfers files in the foreground or background (default) between a client and a server by using only idle network bandwidth. You can use the BITS policy settings to specify limits on the network bandwidth that BITS uses.

    • Peer-To-Peer Networking. You can use the Peer-To-Peer Networking policy settings to enforce Group Policy-based configuration of certain aspects of the Microsoft Peer-to-Peer Networking Services, including turning off the Microsoft Peer-to-Peer Networking Services, specifying the seed server to use, and turning off multicast bootstrapping.

    • Remote procedure call (RPC). You can use the RPC policy settings to block remote anonymous access to RPC interfaces on the system, and to prevent anonymous access to the RPC Endpoint Mapper interface.

How to Use This Paper

This paper is designed to help guide you in two areas:

  • Deploying Group Policy settings delivered with SP2. The first section of this paper provides you with a roadmap and recommendations for testing and deploying Group Policy in Windows XP with SP2.

  • Assessing and using new policy settings. The remainder of this paper highlights the new areas of policy management and some key scenarios showing reasons for using the policy settings.

Group Policy Settings Reference

This paper should be used in conjunction with the Group Policy Settings Reference at, which includes all the Administrative Template policy settings dating back to Windows 2000. This reference provides full details of each policy setting including the purpose of the policy setting and the behavior for enabling, disabling, and not configuring the policy setting. It also includes registry paths for the corresponding registry key for each policy setting. You can use the reference to filter only the new policy settings released in SP2.

You can also view the same descriptions found in this reference in the Group Policy Object Editor. These descriptions are known as explain text.

Additional Information

Several other Microsoft resources provide more detailed information that is beyond the scope of this document.