

Problems with domain GPOs after updating client machines to XP SP2

Posted on 2004-09-21
Medium Priority
Last Modified: 2010-04-14

I have a Windows 2000 server SP4, XP SP1, one-domain Active Directory network.

I have several GPOs implemented in the domain.

I installed XP SP2 without trouble. All programs seem to be running fine and I can log on to the domain and access resources. However, the policies are not being applied. I am logging in to the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine.

I have run some tests in order to find the problem:

1.- I am logging in to the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine. Under these circumstances, not a single GPO is being applied. Before XP SP2, the GPOs that concerned this account were correctly applied. In particular, one GPO implied showing a text dialog to the user right after hitting CTRL+ALT+DEL. It worked before, it does not work now (this is just an example, not a single GPO is being applied to this administrator account).
2.- gpresult shows the message "The following GPOs were not applied because they were filtered out" for every GPO in the domain assigned to this user. This is true both for machine configuration and user configuration. The rest of the information from the gpresult command is fine: user info, group membership, etc.
3.- If I log on as a different user on the same machine, with different administrative rights on the machine (for instance, a Power User that is also not a member of the administrators on the local machine), and I run the gpresult command, I do not get that message. The user policies seem to be applied correctly. However, I would say that the behaviour is erratic. It is as if the local machine rights are prevailing over the domain policies (for instance, I have a policy to prevent changing the Desktop settings. This policy worked fine before SP2 and the user could open the dialog but all tabs were absent. Now, the user is able to open this dialog, open some tabs, and some items can be changed, others not).
4.- I have downloaded and installed the new version of the Group Policy Management Console SP1. In the console I have checked the state of the policies. In almost every policy of the domain, under Security Filtering for the policy, I have the Authenticated Users group as the only one to be affected by the GPOs. I do not have this group anywhere in Active Directory, nor have I ever used it or noticed it before. No other group is present in this security filtering list.
5.- I have disabled the Firewall, but all remains the same.

All these problems appeared after XP SP2, so it is obvious that this update is the cause.

Where is the problem?

Thanks in advance for your reply,
Question by: flechazul

Accepted Solution

JamesDS earned 500 total points
ID: 12110977
Windows XP SP2 comes with a new set of .ADM files - the templates for your GPOs. You probably opened up your GPOs on an XP SP2 machine and it promptly updated the AD templates on the AD - which likely caused your problem as these templates are not compatible with

Test this by trying to edit your GPOs from a NON SP2 machine and look for an error message, then go here;en-us;842933



Expert Comment

ID: 12111043

Please activate SceCli logging and post the Winlogon.log file here.

That should help narrow down the problem.


Author Comment

ID: 12113132

Thanks for your reply. I did as you suggested and tried to edit the GPO on a non-SP2 XP machine. I got the message "The following entry in the [strings] section is too long and has been truncated", several times.

It seems that you guided me in the right direction to find the reason for the problem. However, how should I proceed now? I have checked the link you provided, but it is not clear whether I should install the patch on the non-SP2 machines, on the SP2 machine, on the 2000 server, or on all of them. At the moment, the non-SP2 machines are working fine and the policies are being applied correctly. The only issue is that "string too long..." message on those machines. I do not get this message on the SP2 machine, but on that machine the policies are not being applied. Should I apply the patch only to the SP2 machine?

I do not recall doing anything special after installing SP2, except for rebooting. After rebooting the machine, I noticed that the policies were not being applied. Then I opened the GPO editor on that SP2 machine. According to your message, this action updated the AD templates on the Windows 2000 server (or is it on the XP machine only?). But why were the GPOs not applied after rebooting the SP2 machine and before opening the GPO editor on the SP2 machine? It seems to me that the templates were updated just upon rebooting, or even before, when SP2 was installed. Does this make sense?

Expert Comment

ID: 12115303
Everything you have said makes sense.
The action of opening up the GPO editor on a Windows XP machine updates the ADM files on the whole domain :(

Microsoft have only just found out about this bug and the fix is not that widely used yet. Re-reading the KB, it suggests that you should be installing the patch on every machine affected - i.e. all non-XP SP2 machines and the domain controllers and servers too!

Given the problem that this will probably cause you, I suggest you contact Microsoft support about this to see if there is an alternative solution - such as restoring the OLD ADM files.



Author Comment

ID: 12141328
Hi JamesDS,

I have finally solved the problem, after contacting Microsoft. Here is the whole picture:

1.- Windows 2000 single native domain. Server running Windows 2000 SP4. Logged on to the domain and to the XP machine with administrator rights. XP SP1 machine updated to SP2. The updated machine contained the latest version of the Windows 2000-2003 admin.pak.
2.- The installation went fine. Immediately after rebooting (without doing any further action), none of the domain policies were applied to that machine. The policies still applied fine to the rest of the machines in the network (XP SP1) and to the servers. However, when I tried to edit any GPO on the server, or on any SP1 machine with admin.pak installed, I got the message: "The following entry in the [strings] section is too long and has been truncated". After clearing the messages, the user can edit the GPO. This message does not appear on the SP2 machine. The user could safely edit the policy on the SP2 machine.
3.- I clean installed an XP machine. I installed SP2 on that machine. I did not install the admin.pak. The policies applied fine on that machine. Therefore, the problem seemed to be related to the presence of the admin.pak on the machine.
4.- Microsoft guided me to the solution described on;EN-US;842933 (same link that you provided)
5.- The fix needs to be applied to every server and every other machine affected. It does not need to be applied to the SP2 machine. There seems to be no other workaround. Restoring the old ADM files is not an option if the machines are going to be updated to SP2.

Thanks for your help
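
Added example, not part of the original thread or of Microsoft's fix: a small Python check that lists which `[strings]` entries in an .adm template are long enough to produce the "too long and has been truncated" message discussed above. The 255-character limit, the function names and the sample template are assumptions constructed for illustration; the thread does not state the limit.

```python
import re

# Assumption: pre-fix GPO editors truncate [strings] values longer than this.
# The thread does not give the limit; pass max_len to use another value.
ASSUMED_MAX_LEN = 255

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^\s*(?P<key>[^=;\s]+)\s*=\s*"(?P<value>.*)"\s*$')


def long_string_entries(adm_text, max_len=ASSUMED_MAX_LEN):
    """Return [(key, length)] for [strings] entries longer than max_len."""
    in_strings = False
    hits = []
    for line in adm_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            # Only values under the [strings] header are display strings.
            in_strings = section.group("name").strip().lower() == "strings"
            continue
        if not in_strings or line.lstrip().startswith(";"):
            continue  # policy definitions and comment lines are skipped
        entry = ENTRY_RE.match(line)
        if entry and len(entry.group("value")) > max_len:
            hits.append((entry.group("key"), len(entry.group("value"))))
    return hits


def read_adm(path):
    """Read an .adm file that may be UTF-16 (with BOM) or an ANSI code page."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


# Constructed sample template: one short entry and one 300-character entry.
SAMPLE_ADM = (
    "CLASS MACHINE\n"
    "CATEGORY !!Example_Cat\n"
    "END CATEGORY\n"
    "\n"
    "[strings]\n"
    "; constructed sample, not taken from a real template\n"
    'Example_Cat="Example category"\n'
    'Example_Help="' + "x" * 300 + '"\n'
)

if __name__ == "__main__":
    for key, length in long_string_entries(SAMPLE_ADM):
        print(f"{key}: {length} characters")
```

To check real templates, pass the result of `read_adm(path)` for each .adm file to `long_string_entries`.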

Expert Comment

ID: 12141385
Welcome, glad to help.

This is one of those situations where the problem is so new that almost none of us have come across it. I was aware that there was an issue, courtesy of NTBugTraq, but the precise fix is often not obvious until you do it yourself.

Your experiences and invaluable feedback on the solution make an excellent contribution to EE - Thank you!


