flechazul asked:
Problems with domain GPOs after updating client machines to XP SP2

Hi,

I have a Windows 2000 Server SP4, XP SP1, single-domain Active Directory network.

I have several GPOs implemented in the domain.

I installed XP SP2 without troubles. All programs seem to be running fine and I can log on to the domain and access resources. However, the policies are not being applied. I am logging in to the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine.

I have run some tests in order to find the problem:

1.- I am logging in to the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine. Under these circumstances, not a single GPO is being applied. Before XP SP2, the GPOs that concerned this account were correctly applied. In particular, one GPO implied showing a text dialog to the user right after hitting CTRL+ALT+DEL. It worked before, it does not work now (this is just an example, not a single GPO is being applied to this administrator account).
2.- gpresult shows the message "The following GPOs were not applied because they were filtered out" for every GPO in the domain assigned to this user. This is true both for machine configuration and user configuration. The rest of the information of the gpresult command is fine: user info, group membership, etc.
3.- If I log on as a different user on the same machine, with different administrative rights on the machine (for instance, a Power User that is also not a member of the administrators on the local machine), and I run the gpresult command, I do not get that message. The user policies seem to be applied correctly. However, I would say that the behaviour is erratic. It is like the local machine rights are prevailing over the domain policies (for instance, I have a policy to avoid changing the Desktop settings. This policy worked fine before SP2 and the user could open the dialog but all tabs were absent. Now, the user is able to open this dialog, open some tabs, and some items can be changed, others not).
4.- I have downloaded and installed the new version of the Group Policy Management Console SP1. In the console I have checked the state of the policies. In almost every policy of the domain, under Security Filtering for the policy, I have the Authenticated Users group as the only one to be affected by the GPOs. I do not have this group anywhere in Active Directory, nor have I ever used it or noticed it before. No other group is present in this security filtering list.
5.- I have disabled the Firewall, but all remains the same.

All these problems appeared after XP SP2, so it is obvious that this update is the cause.

Where is the problem?

Thanks in advance for your reply,
ASKER CERTIFIED SOLUTION
JamesDS
Hi,

Please activate SceCli Logging (http://support.microsoft.com/default.aspx?kbid=245422) and post Winlogon.log file here.

Should help narrow down the problem.

Andy.
flechazul (ASKER)

JamesDS,

Thanks for your reply. I did as you suggested and tried to edit the GPO on a non-SP2 XP machine. I got the message "The following entry in the [strings] section is too long and has been truncated", several times.

It seems that you have guided me in the right direction to find the reason for the problem. However, how should I proceed now? I have checked the link you provided, but it is not clear whether I should install the patch on the non-SP2 machines, on the SP2 machine, on the 2000 server, or on all of them. At the moment, the non-SP2 machines are working fine and the policies are being applied correctly. The only issue is that "string too long..." message on those machines. I do not get this message on the SP2 machine, but on that machine the policies are not being applied. Should I apply the patch only to the SP2 machine?

I do not recall doing anything special after installing SP2, except for rebooting. After rebooting the machine, I noticed that the policies were not being applied. Then I opened the GPO editor on that SP2 machine. According to your message, this action updated the AD templates on the Windows 2000 server (or is it on the XP machine only?). But why were the GPOs not applied after rebooting the SP2 machine and before opening the GPO editor on the SP2 machine? It seems to me that the templates were updated just upon rebooting, or even before, when SP2 was installed. Does this make sense?
JamesDS

flechazul
Everything you have said makes sense.
The action of opening up the GPO editor on a Windows XP machine updates the ADM files on the whole domain :(

Microsoft have only just found out about this bug and the fix is not that widely used yet. Re-reading the KB, it suggests that you should be installing the patch on every machine affected, i.e. all non-XP SP2 machines and the domain controllers and servers too!

Given the problems that this will probably cause you, I suggest you contact Microsoft support about this to see if there is an alternative solution, such as restoring the OLD ADM files.

Cheers

JamesDS

flechazul (ASKER)

Hi JamesDS,

I have finally solved the problem, after contacting Microsoft. Here is the whole picture:

1.- Windows 2000 single native domain. Server running Windows 2000 SP4. Logged on to the domain and to the XP machine with administrator rights. XP SP1 machine updated to SP2. The updated machine contained the latest version of the Windows 2000-2003 admin.pak.
2.- The installation went fine. Immediately after rebooting (without doing any further action), none of the domain policies were applied to that machine. The policies still applied fine to the rest of the machines in the network (XP SP1) and to the servers. However, when I tried to edit any GPO on the server, or on any SP1 machine with admin.pak installed, I got the message: "The following entry in the [strings] section is too long and has been truncated". After clearing the messages, the user can edit the GPO. This message does not appear on the SP2 machine. The user could safely edit the policy on the SP2 machine.
3.- I clean installed an XP machine. I installed SP2 on that machine. I did not install the admin.pak. The policies applied fine on that machine. Therefore, the problem seemed to be related to the presence of the admin.pak on the machine.
4.- Microsoft guided me to the solution described on http://support.microsoft.com/default.aspx?scid=kb;EN-US;842933 (same link that you provided)
5.- The fix needs to be applied to every server and every other machine affected. It does not need to be applied to the SP2 machine. There seems to be no other workaround. Restoring the old ADM files is not an option if the machines are going to be updated to SP2.

Thanks for your help
flechazul
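The thread above traces the "[strings] section is too long" message to ADM templates whose string entries exceed what pre-hotfix tools can hold. The following is an added example (not code from the thread or from Microsoft) that audits an .adm file's [strings] section and reports over-length entries before a template is pushed to a domain; the 255-character limit is an assumed default, and the sample ADM text is constructed.

```python
"""Audit an ADM template's [strings] section for over-length entries.
Added example, not part of the original thread. The pre-hotfix limit
(255 characters) is an assumption and can be overridden per call."""
import re

LONG_TEXT = "A" * 300  # constructed, deliberately overlong EXPLAIN text

# Constructed sample ADM: two short entries and one overlong one.
SAMPLE_ADM = f"""CLASS MACHINE
CATEGORY !!Cat
  POLICY !!Pol
    EXPLAIN !!Pol_Help
  END POLICY
END CATEGORY

[strings]
; comment lines are ignored
Cat="Network"
Pol="Windows Firewall: Allow inbound remote administration exception"
Pol_Help="{LONG_TEXT}"
"""

# Entry shape: Name="value", value may contain spaces and "" escapes.
ENTRY_RE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')


def parse_strings_section(text):
    """Return {name: value} for the [strings] section of an ADM file.
    ADM is line oriented; the section runs to EOF or the next [section]."""
    entries = {}
    in_strings = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_strings = stripped.lower() == "[strings]"
            continue
        if not in_strings or not stripped or stripped.startswith(";"):
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def overlong_entries(text, limit=255):
    """Return [(name, length)] for entries whose value exceeds `limit`."""
    return [(name, len(value))
            for name, value in parse_strings_section(text).items()
            if len(value) > limit]


if __name__ == "__main__":
    for name, length in overlong_entries(SAMPLE_ADM):
        print(f"{name}: {length} chars, would be truncated")
```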
Welcome, glad to help.

This is one of those situations where the problem is so new that almost none of us have come across it. I was aware that there was an issue, courtesy of NTBugTraq, but the precise fix is often not obvious until you do it yourself.

Your experiences and invaluable feedback on the solution make an excellent contribution to EE. Thank you!

Cheers

JamesDS