When you configure a Windows Vista-based computer by using a security template that contains security descriptors for WRP resources, the results are unpredictable

When you configure a Windows Vista-based computer by using a security template that contains security descriptors for Windows Resource Protection (WRP) resources, the results are unpredictable.

This problem occurs because security templates are always configured by using the LocalSystem account instead of by using the account of the user who is configuring the security template. WRP resources are configured as read-only for the LocalSystem account. To configure security descriptors for a WRP resource, the Security Templates snap-in must take ownership of the resource, configure the security descriptor, and then restore ownership to the TrustedInstaller group. This method does not work to recursively configure security descriptors for all members of a WRP container. The Security Templates snap-in can recursively take ownership of all members of a container and then configure the container's security descriptor. However, the Security Templates snap-in cannot restore ownership of a member to the prior owner without keeping a record of the prior owner of every member in the container. Therefore, configuring security descriptors for WRP resources leads to unpredictable results and is not supported.

To resolve this problem, do not use the Security Templates snap-in to set access control lists (ACLs) for WRP resources.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.