Solved

Problems with domain GPOs after updating client machines to XP SP2

Posted on 2004-09-21
Last Modified: 2010-04-14
Hi,

I have a Windows 2000 server SP4, XP SP1, one domain active directory network.

I have several GPOs implemented in the domain.

I installed XP SP2 without troubles. All programs seem to be running fine and I can log on to the domain and access resources. However, the policies are not being applied. I am logging on to the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine.

I have run some tests in order to find the problem:

1.- I am logging on to the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine. Under these circumstances, not a single GPO is being applied. Before XP SP2, the GPOs that concerned this account were correctly applied. In particular, one GPO implied showing a text dialog to the user right after hitting CTRL+ALT+DEL. It worked before, it does not work now (this is just an example, not a single GPO is being applied to this administrator account).
2.- gpresult shows the message "The following GPOs were not applied because they were filtered out" for every GPO in the domain assigned to this user. This is true both for machine configuration and user configuration. The rest of the information of the gpresult command is fine: user info, group membership, etc.
3.- If I log on as a different user on the same machine, with different administrative rights on the machine (for instance, a Power User that is also not a member of the administrators on the local machine), and I run the gpresult command, I do not get that message. The user policies seem to be applied correctly. However, I would say that the behaviour is erratic. It is like the local machine rights are prevailing over the domain policies (for instance, I have a policy to prevent changing the Desktop settings. This policy worked fine before SP2 and the user could open the dialog but all tabs were absent. Now, the user is able to open this dialog, open some tabs, and some items can be changed, others not).
4.- I have downloaded and installed the new version of the Group Policy Management Console SP1. In the console I have checked the state of the policies. In almost every policy of the domain, under Security Filtering for the policy, I have the Authenticated Users group as the only one to be affected by the GPOs. I do not have this group anywhere in Active Directory, nor have I ever used it or noticed it before. No other group is present in this security filtering list.
5.- I have disabled the Firewall, but all remains the same.

All these problems appeared after XP SP2, so it is obvious that this update is the cause.

Where is the problem?

Thanks in advance for your reply,
Question by:flechazul
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 12110977
flechazul
Windows XP SP2 comes with a new set of .ADM files - the templates for your GPOs. You probably opened up your GPOs on an XP SP2 machine and it promptly updated the AD templates on the AD - which likely caused your problem as these templates are not compatible with

Test this by trying to edit your GPOs from a NON SP2 machine and look for an error message, then go here

http://support.microsoft.com/default.aspx?scid=kb;en-us;842933


Cheers

JamesDS
0
 
LVL 2

Expert Comment

by:ndy78
ID: 12111043
Hi,

Please activate SceCli Logging (http://support.microsoft.com/default.aspx?kbid=245422) and post Winlogon.log file here.

Should help narrow down the problem.

Andy.
0
 

Author Comment

by:flechazul
ID: 12113132
JamesDS,

Thanks for your reply. I did as you suggested and tried to edit the GPO on a non-SP2 XP machine. I got the message "The following entry in the [strings] section is too long and has been truncated", several times.

It seems that you guided me in the right direction to find the reason for the problem. However, how should I proceed now? I have checked the link you provided, but it is not clear whether I should install the patch on the non-SP2 machines, on the SP2 machine, on the 2000 server, or on all of them. At the moment, the non-SP2 machines are working fine and the policies are being applied correctly. The only issue is that "string too long..." message on those machines. I do not get this message on the SP2 machine, but on that machine the policies are not being applied. Should I apply the patch only to the SP2 machine?

I do not recall doing anything special after installing SP2, except for rebooting. After rebooting the machine, I noticed that the policies were not being applied. Then I opened the GPO editor on that SP2 machine. According to your message, this action updated the AD templates on the Windows 2000 server (or is it on the XP machine only?). But why were the GPOs not applied after rebooting the SP2 machine and before opening the GPO editor on the SP2 machine? It seems to me that the templates were updated just upon rebooting, or even before, when SP2 was installed. Does this make sense?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12115303
flechazul
Everything you have said makes sense.
The action of opening up the GPO editor on a Windows XP machine updates the ADM files on the whole domain :(

Microsoft have only just found out about this bug and the fix is not that widely used yet. Re-reading the KB, it suggests that you should be installing the patch on every machine affected - i.e. all non-XP SP2 machines and the domain controllers and servers too!

Given the problems that this will probably cause you, I suggest you contact Microsoft support about this to see if there is an alternative solution - such as restoring the OLD ADM files.

Cheers

JamesDS
0
 

Author Comment

by:flechazul
ID: 12141328
Hi JamesDS,

I have finally solved the problem, after contacting Microsoft. Here is the whole picture:

1.- Windows 2000 single native domain. Server running Windows 2000 SP4. Logged on to the domain and to the XP machine with administrator rights. XP SP1 machine updated to SP2. The updated machine contained the latest version of the Windows 2000-2003 admin.pak.
2.- The installation went fine. Immediately after rebooting (without doing any further action), none of the domain policies were applied to that machine. The policies still applied fine to the rest of the machines in the network (XP SP1) and to the servers. However, when I tried to edit any GPO on the server, or on any SP1 machine with admin.pak installed, I got the message: "The following entry in the [strings] section is too long and has been truncated". After clearing the messages, the user can edit the GPO. This message does not appear on the SP2 machine. The user could safely edit the policy on the SP2 machine.
3.- I clean installed an XP machine. I installed SP2 on that machine. I did not install the admin.pak. The policies applied fine on that machine. Therefore, the problem seemed to be related to the presence of the admin.pak on the machine.
4.- Microsoft guided me to the solution described at http://support.microsoft.com/default.aspx?scid=kb;EN-US;842933 (same link that you provided).
5.- The fix needs to be applied to every server and every other machine affected. It does not need to be applied to the SP2 machine. There seems to be no other workaround. Restoring the old ADM files is not an option if the machines are going to be updated to SP2.

Thanks for your help
0
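An added audit check, not part of this thread and not Microsoft's hotfix: a Python script that parses the [strings] section of an .adm template and lists entries longer than a limit, so the templates under SYSVOL can be checked before (or after) an SP2 workstation rewrites them for the whole domain. The 255-character limit is an assumption taken from the KB article the thread cites, not a value stated on this page; the sample template is constructed.

```python
import re
from typing import Dict, List, Tuple

# Assumed limit (from KB 842933 as cited in the thread, not from this page):
# pre-SP2 editors truncate [strings] values longer than this.
MAX_STRING_LEN = 255

# A [strings] entry looks like:  KEY="text"
_STRINGS_ENTRY = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"(.*)"\s*$')


def load_adm(path: str) -> str:
    """Read an .adm file; newer templates are UTF-16 with a BOM, older ones ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def parse_strings_section(adm_text: str) -> Dict[str, str]:
    """Return {key: value} for the [strings] section of an ADM template.
    ADM files are INI-like: '[name]' headers, ';' comments; only [strings] is read."""
    entries: Dict[str, str] = {}
    in_strings = False
    for raw in adm_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_strings = line[1:-1].strip().lower() == "strings"
            continue
        if in_strings:
            m = _STRINGS_ENTRY.match(line)
            if m:
                entries[m.group(1)] = m.group(2)
    return entries


def find_long_strings(adm_text: str, limit: int = MAX_STRING_LEN) -> List[Tuple[str, int]]:
    """List (key, length) for every [strings] value longer than `limit` characters."""
    return [(k, len(v)) for k, v in parse_strings_section(adm_text).items() if len(v) > limit]


# Constructed sample template: one help string deliberately over the limit.
SAMPLE_ADM = """CLASS USER
CATEGORY !!Desktop
  POLICY !!NoDispCPL
    KEYNAME "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    VALUENAME "NoDispCPL"
  END POLICY
END CATEGORY

[strings]
Desktop="Desktop"
NoDispCPL="Remove Display in Control Panel"
NoDispCPL_Help="%s"
""" % ("Disables Display in Control Panel. " * 10)

if __name__ == "__main__":
    for key, length in find_long_strings(SAMPLE_ADM):
        print(f"{key}: {length} chars exceeds {MAX_STRING_LEN}")
```

Point `load_adm` at each .adm under a GPO's Adm folder in SYSVOL to find which template introduced the over-long entries.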
 
LVL 16

Expert Comment

by:JamesDS
ID: 12141385
flechazul
Welcome, glad to help.

This is one of those situations where the problem is so new that almost none of us have come across it. I was aware that there was an issue, courtesy of NTBugTraq, but the precise fix is often not obvious until you do it yourself.

Your experiences and invaluable feedback on the solution make an excellent contribution to EE - Thank you!

Cheers

JamesDS
0