This article has been archived. It is offered "as is" and will no longer be updated.
If you create and edit a security template by using the Security Configuration and Analysis tool on a Windows XP-based computer, and then you import this template into a Group Policy object on a Windows 2000 domain controller, you cannot view the template. This is true even though no errors are reported during the import operation.
When you try to use the Group Policy editor to view the security settings in the Group Policy object where the template was imported, you receive the following error message (with a red cross next to it):
Windows cannot read template information
The following events are also logged in Event Viewer when the Group Policy setting is applied to a Windows 2000 client:
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date:
Time:
User: N/A
Computer:
Description: Security policies are propagated with warning. 0x4b8 : An extended error has occurred. Please look for more details in TroubleShooting section in Security Help.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date:
Time:
User: NT AUTHORITY\SYSTEM
Computer:
Description: The Group Policy client-side extension Security was passed flags (1) and returned a failure status code of (1208).
In Windows XP, the following new Security Descriptor Definition Language (SDDL) objects have been defined:
AN - Anonymous Logon
LS - Local Service Account
NS - Network Service Account
RD - Remote Desktop Users
NO - Network Configuration Operators
MU - Performance Monitor Users
LU - Performance Log Users
Because these SDDL objects do not exist in Windows 2000, you cannot view the template in Windows 2000.
To view the template and to apply it to Windows 2000, create the template in Windows 2000.
To resolve the problem that occurs when you edit domain Group Policy, apply the hotfix that is described in the following Knowledge Base article:
837166 Group Policy that you edit in Windows XP does not work in Windows 2000
To work around this issue, view the template by using Windows XP or Microsoft Windows Server 2003.
This behavior is by design.
If you create the template by using Windows XP, and it contains the new SDDL objects, the template is correctly applied to Windows XP and Windows Server 2003-based computers. Additionally, you can view the template by using the Group Policy Management Console (GPMC) tool in Windows XP and Windows Server 2003.
However, the Group Policy object generates the event IDs that are described in the "Symptoms" section when the template is applied to Windows 2000 clients. This occurs because Windows 2000 clients cannot resolve the new SDDL objects.
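A pre-import check for the situation described above, as an added example that is not part of the original article: it scans the text of a security template for SDDL strings whose owner, group or ACE trustee is one of the seven aliases listed earlier. The function names and the sample template are constructed for illustration, and the check assumes the template has already been read into a string (template files are commonly saved as Unicode).

```python
import re

# SID aliases the article lists as new in Windows XP; Windows 2000 cannot resolve them.
XP_ONLY = {
    "AN": "Anonymous Logon", "LS": "Local Service Account",
    "NS": "Network Service Account", "RD": "Remote Desktop Users",
    "NO": "Network Configuration Operators",
    "MU": "Performance Monitor Users", "LU": "Performance Log Users",
}

QUOTED_SDDL = re.compile(r'"([OGDS]:[^"]*)"')            # quoted value shaped like SDDL
ACE = re.compile(r'\(([^()]*)\)')                        # (type;flags;rights;guid;guid;trustee)
COMPONENT = re.compile(r'([OGDS]):((?:(?![OGDS]:).)*)')  # O:, G:, D:, S: parts of the header

def trustees(sddl):
    """Yield the owner, group and ACE trustee strings from one SDDL string."""
    header = ACE.sub("", sddl)              # what remains once the ACEs are removed
    for tag, value in COMPONENT.findall(header):
        if tag in "OG":                     # D: and S: carry ACL flags here, not trustees
            yield value
    for ace in ACE.findall(sddl):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield fields[5]

def find_xp_only_sids(inf_text):
    """Return (line number, section, alias) for each XP-only alias in the template text."""
    findings, section = [], None
    for number, line in enumerate(inf_text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        for sddl in QUOTED_SDDL.findall(line):
            findings += [(number, section, t) for t in trustees(sddl) if t in XP_ONLY]
    return findings

# Constructed sample template text (not taken from the article).
SAMPLE = r'''[Unicode]
Unicode=yes
[Service General Setting]
"Alerter",4,"D:AR(A;;CCLCSWLOCRRC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
[Registry Keys]
"MACHINE\SOFTWARE\Example",0,"O:NSD:PAR(A;CI;KA;;;BA)(A;CI;KR;;;RD)"
[File Security]
"D:\Data",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"'''

if __name__ == "__main__":
    for number, section, alias in find_xp_only_sids(SAMPLE):
        print(f"line {number} [{section}]: {alias} ({XP_ONLY[alias]})")
```

A template that produces no findings contains none of the listed aliases in its SDDL strings; the check does not look at settings that are not expressed as SDDL.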