Problems with domain GPOs after updating client machines to XP SP2

Posted on 2004-09-21
Last Modified: 2010-04-14

I have a Windows 2000 server SP4, XP SP1, one domain active directory network.

I have several GPOs implemented in the domain.

I installed XP SP2 without troubles. All programs seem to be running fine and I can log on to the domain and access resources. However, the policies are not being applied. I am logging in the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine.

I have run some tests in order to find the problem:

1.- I am logging in the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine. Under these circumstances, not a single GPO is being applied. Before XP SP2, the GPOs that concerned this account were correctly applied. In particular, one GPO implied showing a text dialog to the user right after hitting CTRL+ALT+DEL. It worked before, it does not work now (this is just an example, not a single GPO is being applied to this administrator account).
2.- The gpresult shows the message "The following GPOs were not applied because they were filtered out" for every GPO in the domain assigned to this user. This is true both for machine configuration and user configuration. The rest of the information of the gpresult command is fine: user info, group membership, etc.
3.- If I log on as a different user in the same machine, with different administrative rights in the machine (for instance, a Power user that is also not a member of the administrators in the local machine), and I run the gpresult command, I do not get that message. The user policies seem to be applied correctly. However, I would say that the behaviour is erratic. It is like the local machine rights are prevailing over the domain policies (for instance, I have a policy to avoid changing the Desktop settings. This policy worked fine before SP2 and the user could open the dialog but all tabs were absent. Now, the user is able to open this dialog, open some tabs, and some items can be changed, others not).
4.- I have downloaded and installed the new version of the Group Policy Management Console SP1. In the console I have checked the state of the policies. In almost every policy of the domain, under Security Filtering for the policy, I have the Authenticated users group as the only one to be affected by the GPOs. I do not have this group anywhere in Active Directory, nor have I ever used it or noticed it before. No other group is present in this security filtering list.
5.- I have disabled the Firewall, but all remains the same.

All these problems appeared after XP SP2, so it is obvious that this update is the cause.

Where is the problem?

Thanks in advance for your reply,
Question by:flechazul

Accepted Solution

JamesDS earned 125 total points
ID: 12110977
Windows XP SP2 comes with a new set of .ADM files - the templates for your GPOs. You probably opened up your GPOs on an XP SP2 machine and it promptly updated the AD templates on the AD - which likely caused your problem as these templates are not compatible with

Test this by trying to edit your GPOs from a NON SP2 machine and look for an error message, then go here;en-us;842933



Expert Comment

ID: 12111043

Please activate SceCli Logging ( and post Winlogon.log file here.

Should help narrowing around the problem.


Author Comment

ID: 12113132

Thanks for your reply. I did as you suggested and tried to edit the GPO on a non-SP2 XP machine. I got the message "The following entry in the [strings] section is too long and has been truncated", several times.

It seems that you guided me in the right way to find the reason for the problem. However, how should I proceed now? I have checked the link you provided, but it is not clear whether I should install the patch in the non-SP2 machines, in the SP2 machine, in the 2000 server, or in all of them. At the moment, the non-SP2 machines are working fine and the policies are being applied correctly. The only issue is that "string too long..." message on those machines. I do not get this message in the SP2 machine, but in that machine the policies are not being applied. Should I apply the patch only to the SP2 machine?

I do not recall doing anything special after installing the SP2, except for rebooting. After rebooting the machine, I noticed that the policies were not being applied. Then I opened the GPO editor in that SP2 machine. According to your message, this action updated the AD templates in the Windows 2000 server (or is it in the XP machine only?). But why were the GPOs not applied after rebooting the SP2 machine and before opening the GPO editor in the SP2 machine? It seems to me that the templates were updated just upon rebooting, or even before, when the SP2 was installed. Does this make sense?

Expert Comment

ID: 12115303
Everything you have said makes sense.
The action of opening up the GPO editor on a Windows XP machine updates the ADM files on the whole domain :(

Microsoft have only just found out about this bug and the fix is not that widely used yet. Re-reading the KB it suggests that you should be installing the patch on every machine affected - i.e. all non-XPSP2 machines and the domain controllers and servers too!

Given the problem that this will probably cause you, I suggest you contact Microsoft support about this to see if there is an alternative solution - such as restoring the OLD ADM files.



Author Comment

ID: 12141328
Hi JamesDS,

I have finally solved the problem, after contacting Microsoft. Here is the whole picture:

1.- Windows 2000 single native domain. Server running Windows 2000 SP4. Logged to the domain and to the XP machine with administrator rights. XP SP1 machine updated to SP2. The updated machine contained the latest version of the Windows 2000-2003 admin.pak
2.- The installation went fine. Immediately after rebooting (without doing any further action), none of the domain policies were applied to that machine. The policies still applied fine to the rest of the machines in the network (XP SP1) and to the servers. However, when I tried to edit any GPO on the server, or in any SP1 machine with admin.pak installed, I got the message: "The following entry in the [strings] section is too long and has been truncated". After clearing the messages, the user can edit the GPO. This message does not appear on the SP2 machine. The user could safely edit the policy in the SP2 machine.
3.- I clean installed an XP machine. I installed SP2 on that machine. I did not install the admin.pak. The policies applied fine on that machine. Therefore, the problem seemed to be related to the presence of the admin.pak on the machine.
4.- Microsoft guided me to the solution described on;EN-US;842933 (same link that you provided)
5.- The fix needs to be applied to every server and every other machine affected. It does not need to be applied to the SP2 machine. There seems to be no other workaround. Restoring the old ADM files is not an option if the machines are going to be updated to SP2.

Thanks for your help

Expert Comment

ID: 12141385
Welcome, glad to help.

This is one of those situations where the problem is so new that almost none of us have come across it. I was aware that there was an issue, courtesy of NTBugTraq, but the precise fix is often not obvious until you do it yourself.

Your experiences and invaluable feedback on the solution make an excellent contribution to EE - Thank you!



Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Read our guide on how to survive being on-call.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question