The new 2008 Group Policy Preferences provide some great new tools for managing settings and tweaks without the need for login scripts.  Windows XP machines are not compatible with these new GPOs until an update for the Group Policy Preference Client Side Extensions (CSE) is installed.  This update is downloadable from Microsoft as an executable via KB943729.  Unfortunately Microsoft didn’t package it as an .MSI file, so it can’t be deployed across the organization via a GP Software Distribution rule.  If you have WSUS in place then it can be deployed there, but if not you’ll need to go back to good ol’ login/startup scripts to get this pushed out to all your machines.  First, some credit to a post over at serverfault.com by Evan Anderson, who outlined the strategy.

First drop the Windows-KB943729-x86-ENU.exe executable in a shared location and assign appropriate permissions for allowing domain computers to access the file.  Create a new text file and paste the following script into the file and save it with a .CMD extension.  (Don’t forget to edit the share path.)

@echo off

rem Check to see this is Windows XP
ver | find "Windows XP" >NUL
if errorlevel 1 goto end

rem Check to see if the update is already installed
reg QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP20\KB943729" >NUL 2>NUL
if errorlevel 1 goto install_update
goto end

:install_update
\\PUT_YOUR_SHARE_PATH_HERE\Windows-KB943729-x86-ENU.exe /passive /norestart

:end

Then create a new GPO and link it to the OU where all the XP computers reside.  Then edit the policy under Computer Configuration -> Windows Settings -> Scripts -> Startup Scripts.  Click on “Show Files” and copy the new script into the folder location that is opened up and then select that script.

Optional: Close the “Startup Scripts” dialog. Go to Computer Configuration -> Administrative Templates -> System -> Scripts. In the right pane, locate the policy setting “Run startup scripts visible” and set it to “Enabled”. This will let you see the script run in a window during boot on the clients. Once you know the script is running okay you can turn this setting off.

Run gpupdate on a test machine and reboot and your script should install the CSE update for you!
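
Startup scripts run as Local System, so anyone who can write to the installer or its folder can run code as SYSTEM on every XP machine the GPO reaches. The PowerShell below is an added example, not part of the original post or the serverfault answer: run from an admin workstation, it flags write-type NTFS permissions held by unexpected principals and checks the installer's Authenticode signature. The path is the post's placeholder and the `$TrustedWriters` allow-list is an assumption to adjust for your domain.

```powershell
# Added example: audit the installer before linking the startup-script GPO.
# The path is the page's placeholder; $TrustedWriters is an assumed allow-list.
param(
    [string]$InstallerPath = '\\PUT_YOUR_SHARE_PATH_HERE\Windows-KB943729-x86-ENU.exe',
    [string[]]$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that allow replacing or tampering with the file (no read bits included),
# plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which Get-Acl
# can report unmapped on inherit-only ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$rights -bor 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([string]$Path)
    # Allow ACEs that grant any write-type right to a principal outside the allow-list.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -ne 0 -and
        $TrustedWriters -notcontains $_.IdentityReference.Value
    }
}

$problems = 0
# Check the file and its folder: write access to the folder is enough to swap the file.
foreach ($target in $InstallerPath, (Split-Path -Path $InstallerPath -Parent)) {
    foreach ($ace in @(Get-RiskyAce -Path $target)) {
        Write-Warning ("{0}: {1} has {2}" -f $target, $ace.IdentityReference, $ace.FileSystemRights)
        $problems++
    }
}

# The installer should carry a valid Authenticode signature; review the signer shown.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
    $problems++
} else {
    Write-Output "Signed by: $($sig.SignerCertificate.Subject)"
}

# NTFS ACLs only: share-level permissions must be reviewed separately.
if ($problems -gt 0) { Write-Output "$problems issue(s) found."; exit 1 }
Write-Output 'No unexpected write access found and the signature is valid.'
```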