Article ID: 827012
If you create and edit a security template by using the Security Configuration and Analysis tool on a Windows XP-based computer, and then you import this template into a Group Policy object on a Windows 2000 domain controller, you cannot view the template. This is true even though no errors are reported during the import operation.
When you try to use the Group Policy editor to view the security settings in the Group Policy object where the template was imported, you receive the following error message (with a red cross next to it):
Windows cannot read template information
The following events are also logged in Event Viewer when the Group Policy setting is applied to a Windows 2000 client:
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Description: Security policies are propagated with warning. 0x4b8 : An extended error has occurred. Please look for more details in TroubleShooting section in Security Help.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description: The Group Policy client-side extension Security was passed flags (1) and returned a failure status code of (1208).
In Windows XP, the following new Security Descriptor Definition Language (SDDL) objects have been defined:
To view the template and to apply it to Windows 2000, create the template in Windows 2000.
If you want to solve the problem that occurs if you edit domain Group Policy, apply the hotfix that is described in the following Knowledge Base article:
(http://support.microsoft.com/kb/837166/) Group Policy that you edit in Windows XP does not work in Windows 2000
To work around this issue, view the template by using Windows XP or Microsoft Windows Server 2003.
If you create the template by using Windows XP, and it contains the new SDDL objects, the template is correctly applied to Windows XP and Windows Server 2003-based computers. Additionally, you can view the template by using the Group Policy Management Console (GPMC) tool in Windows XP and Windows Server 2003.
However, the Group Policy object generates the event IDs that are described in the "Symptoms" section when the template is applied to Windows 2000 clients. This occurs because Windows 2000 clients cannot resolve the new SDDL objects.
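An added example, not part of the original article or of Microsoft's tooling: a pre-import check that scans a security template's [Registry Keys], [File Security] and [Service General Setting] entries for SDDL trustee aliases that Windows 2000 clients cannot resolve. The alias set (LS, NS), the sample template and the function name are assumptions; extend the set to match the article's list of new SDDL objects.

```python
import re

# Assumption: SDDL aliases for the Local Service and Network Service accounts,
# which do not exist on Windows 2000. Extend the set to match the article's list.
ASSUMED_UNRESOLVABLE = frozenset({"LS", "NS"})

# Template sections whose entries end in an SDDL string: "object",mode,"SDDL"
SDDL_SECTIONS = {"registry keys", "file security", "service general setting"}
ACE_RE = re.compile(r"\(([^()]*)\)")  # one ACE: (type;flags;rights;;;trustee)
OWNER_GROUP_RE = re.compile(r"[OG]:(S-1-[\d-]+|[A-Z]{2})")  # O:<sid> / G:<sid>

# Constructed sample template (not taken from the article).
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[Registry Keys]
"MACHINE\SOFTWARE\ExampleApp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;LS)"
[File Security]
"%SystemRoot%\ExampleDir",0,"O:BAG:SYD:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;NS)"
"%SystemRoot%\OtherDir",0,"D:PAR(A;OICI;FA;;;SY)(A;OICI;FR;;;S-1-5-32-545)"
[Service General Setting]
"ExampleSvc",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
'''

def find_unresolvable(inf_text, aliases=ASSUMED_UNRESOLVABLE):
    """Return (section, object, alias) for every trustee alias found in `aliases`."""
    findings, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if not line or section is None or section.lower() not in SDDL_SECTIONS:
            continue
        parts = line.rsplit(",", 1)  # the SDDL is the last comma-separated field
        if len(parts) != 2:
            continue  # malformed entry, nothing to inspect
        obj = parts[0].rsplit(",", 1)[0].strip('"')
        sddl = parts[1].strip().strip('"')
        # The trustee is the sixth ';'-separated field of each ACE.
        trustees = [a.split(";")[5] for a in ACE_RE.findall(sddl) if a.count(";") >= 5]
        # Owner and group SIDs live outside the ACE list.
        trustees += OWNER_GROUP_RE.findall(ACE_RE.sub("", sddl))
        findings += [(section, obj, t) for t in trustees if t in aliases]
    return findings

if __name__ == "__main__":
    for section, obj, alias in find_unresolvable(SAMPLE_INF):
        print(f"[{section}] {obj}: trustee alias {alias} will not resolve on Windows 2000")
```

Template files on disk are typically saved as Unicode (UTF-16), so decode the file accordingly before passing its text to the function.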
Article ID: 827012 - Last Review: October 30, 2006 - Revision: 2.1