"Windows Cannot Read Template Information" Error Message When You Try to View a Windows XP-based Template in a Windows 2000 Domain

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.
If you create and edit a security template by using the Security Configuration and Analysis tool on a Windows XP-based computer, and then you import this template into a Group Policy object on a Windows 2000 domain controller, you cannot view the template. This is true even though no errors are reported during the import operation.

When you try to use the Group Policy editor to view the security settings in the Group Policy object where the template was imported, you receive the following error message (with a red cross next to it):
Windows cannot read template information
The following events are also logged in Event Viewer when the Group Policy setting is applied to a Windows 2000 client:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
User: N/A
Description:Security policies are propagated with warning. 0x4b8 : An extended error has occurred.Please look for more details in TroubleShooting section in Security Help.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Description:The Group Policy client-side extension Security was passed flags (1) and returned a failure status code of (1208).
In Windows XP, the following new Security Descriptor Definition Language (SDDL) objects have been defined:
  • AN - Anonymous Logon
  • LS - Local Service Account
  • NS - Network Service Account
  • RD - Remote Desktop Users
  • NO - Network Configuration Operators
  • MU - Performance Monitor Users
  • LU - Performance Log Users
Because these SDDL objects do not exist in Windows 2000, you cannot view the template in Windows 2000.
To view the template and to apply it to Windows 2000, create the template in Windows 2000.

If you want to solve the problem that occurs if you edit domain Group Policy, apply the hotfix that is described in the following Knowledge Base article:
837166 Group Policy that you edit in Windows XP does not work in Windows 2000
To work around this issue, view the template by using Windows XP or Microsoft Windows Server 2003.
This behavior is by design.
If you create the template by using Windows XP, and it contains the new SDDL objects, the template is correctly applied to Windows XP and Windows Server 2003-based computers. Additionally, you can view the template by using the Group Policy Management Console (GPMC) tool in Windows XP and Windows Server 2003.

However, the Group Policy object generates the event IDs that are described in the "Symptoms" section when the template is applied to Windows 2000 clients. This occurs because Windows 2000 clients cannot resolve the new SDDL objects.

Article ID: 827012 - Last Review: 02/27/2014 21:19:46 - Revision: 2.1

Microsoft Windows XP Home Edition SP1, Microsoft Windows XP Home Edition, Microsoft Windows XP Professional SP1, Microsoft Windows XP Professional, Microsoft Windows 2000 Service Pack 4, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 1, Microsoft Windows 2000 Server

  • kbnosurvey kbarchive kberrmsg kbprb KB827012