Important information about XP SP2 .ADM Files

  • Thread starter Thread starter Mark Williams [MSFT]
  • Start date Start date
M

Mark Williams [MSFT]

As you know, Microsoft has recently announcement the pending availability of
Windows XP Service Pack 2. I won't describe the multitude of benefits
associated with this service pack, especially from a security perspective
(these are well documented here:
http://www.microsoft.com/windowsxp/sp2/default.mspx), but I do want to bring
your attention to an important issue related to Group Policy.

Many of the central features in Windows XP Service Pack 2, such the Windows
Firewall and enhanced Internet Explorer functionality, can be managed
through Group Policy. In fact, my team has been heavily involved with
supporting the teams who have added the 600+ new policy settings available
in the XP SP2 versions of the .adm files. XP SPS2 is the most policy-enabled
operating system / service pack we have ever shipped. Numerically, much of
this increase in policy settings is attributable to repeated "groups" of
policy settings in IE (across the various IE zones) but there is still a
much richer set of policy settings that, we believe, is a key factor
improving the manageability of Windows XP through Group Policy. By way of
example, the new Windows Firewall (turned on by default in XP SP2) has a
broad range of policy settings to "custom fit" this component to your
specific needs - which ports and programs you allow, management of remote
administration and file/print services ports and so on. All told, Group
Policy represents the primary mechanism through which you can manage the new
features of XP SP2 in an Active Directory environment.

As well as highlighting these changes, I wanted to bring your attention to
an important issue around the use of the .ADM files we ship with XP SP2.
These files use syntax that has been available for some time but which has
exposed some issues with earlier versions of the Group Policy Object Editor
(GPEdit). In a nutshell, if you load the XP SP2 files from earlier versions
of GPEdit (across Windows 2000, XP or Windows Server 2003), GPEdit will
generate multiple "string too long" error messages.

By default GPEdit compares the timestamps of the files stored in a GPO (in
Sysvol) with those on the administrative machine and, if the latter are more
recent, will upload the .ADM files to the GPO, in Sysvol. What this means is
that the act of viewing a GPO (no changes to the GPO are necessary) will
result in the new .ADM files being uploaded and, eventually, used by other
versions of GPEdit around your network that are not yet running XP SP2. NOTE
THAT THIS IS PURELY AN ADMINISTRATIVE ISSUE - this has no implications for
the actual application of Group Policy to machines or users.

To this end we are making available a number of hotfixes that will resolve
this issue. The Windows 2000 fix is available today and we expect to be the
others (for Windows Server 2003 and XP SP1) to be available later this week.
Initially, the fixes will be available through Microsoft Product Support
Services (PSS) but in due course we plan to release these directly to the
Microsoft Download Center.

Further details of this can be found in KB 842933
(http://support.microsoft.com/default.aspx?kbid=842933). We will be updating
this regularly as the fixes become available through PSS and, subsequently,
through the Download Center.

Please let us know if you have any questions.

Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Mark,

Are not the file in "C:\WINDOWS\ServicePackFiles\i386" after a SP2 install
the required files? Can these not be applied to your domain controllers and
all other machines used to set Group Policy?

Andrew
 
Hi Andrew,

If you are talking about AFTER the install, the .adm files are in
%windir%\inf. By default these will be copied up to the GPO (Sysvol) when
you view or edit the GPO from GPEdit. If you then walk to the domain
controller (suitably patched with the fixes we'll be making available very
soon) then you will see the new policy settings. The new policy settings
cannot be applied TO the domain controller (Windows Server 2003 or Windows
2000 Server don't have the appropriate support for these policy settings)
but you can apply these settings FROM the domain controller (namely, edit a
GPO including the new policy settings and target XP SP2 machines
accordingly).

Make sense?

Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights
 
I installed SP2 in an AD environment. When I'm trying to open the
local group policy, I'm getting a couple of error messages:

"Administrative Templates

The following error occurred in
C:\WINDOWS\System32\GroupPolicy\Adm\system.adm on line 62: Error 64
string specified more than once

The file cannot be loaded"

The second message is the same error on line "6537".

Is this related with the original problem? Thanks for the post!
 
Mark,

Is it possible to identify the new policies introduced by XP and XP SP2
within the GPO? (besides printed documentation...)

As I'm sure 2000 Pro will ignore some of the new policies only intended
for XP, it'd be good if I could see in the object description whether or
not that object would apply to 2000, XP or XP SP2 clients only...

Adrian
 
Hi Adrian,

The Supported tag in the .adm file specifies which Operating Systems and
Service Packs supported any specific policy setting. This is displayed in
the Requirements field in GPEdit. Also, you can see a list of all policy
settings (and the Supported information) in the spreadsheet at the following
location:

http://go.microsoft.com/fwlink/?linkid=15165

I hope this helps.

--
Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Mark,

I've just applied the hotfix to my W2K DC, and uploaded the .adm files
from a XP SP2 Pro machine. I don't see the "Requirements" field in
GPedit (I admin from the local W2K DC, not from the Pro laptop - does
that make a difference??)

Adrian
 
Back
Top