Important information about XP SP2 .ADM Files

Anonymous
August 9, 2004 3:26:23 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

As you know, Microsoft has recently announced the pending availability of
Windows XP Service Pack 2. I won't describe the multitude of benefits
associated with this service pack, especially from a security perspective
(these are well documented here:
http://www.microsoft.com/windowsxp/sp2/default.mspx), but I do want to bring
your attention to an important issue related to Group Policy.

Many of the central features in Windows XP Service Pack 2, such as the Windows
Firewall and enhanced Internet Explorer functionality, can be managed
through Group Policy. In fact, my team has been heavily involved with
supporting the teams who have added the 600+ new policy settings available
in the XP SP2 versions of the .adm files. XP SP2 is the most policy-enabled
operating system / service pack we have ever shipped. Numerically, much of
this increase in policy settings is attributable to repeated "groups" of
policy settings in IE (across the various IE zones) but there is still a
much richer set of policy settings that, we believe, is a key factor in
improving the manageability of Windows XP through Group Policy. By way of
example, the new Windows Firewall (turned on by default in XP SP2) has a
broad range of policy settings to "custom fit" this component to your
specific needs - which ports and programs you allow, management of remote
administration and file/print services ports and so on. All told, Group
Policy represents the primary mechanism through which you can manage the new
features of XP SP2 in an Active Directory environment.

As well as highlighting these changes, I wanted to bring your attention to
an important issue around the use of the .ADM files we ship with XP SP2.
These files use syntax that has been available for some time but which has
exposed some issues with earlier versions of the Group Policy Object Editor
(GPEdit). In a nutshell, if you load the XP SP2 files from earlier versions
of GPEdit (across Windows 2000, XP or Windows Server 2003), GPEdit will
generate multiple "string too long" error messages.

By default GPEdit compares the timestamps of the files stored in a GPO (in
Sysvol) with those on the administrative machine and, if the latter are more
recent, will upload the .ADM files to the GPO, in Sysvol. What this means is
that the act of viewing a GPO (no changes to the GPO are necessary) will
result in the new .ADM files being uploaded and, eventually, used by other
versions of GPEdit around your network that are not yet running XP SP2. NOTE
THAT THIS IS PURELY AN ADMINISTRATIVE ISSUE - this has no implications for
the actual application of Group Policy to machines or users.

To this end we are making available a number of hotfixes that will resolve
this issue. The Windows 2000 fix is available today and we expect the
others (for Windows Server 2003 and XP SP1) to be available later this week.
Initially, the fixes will be available through Microsoft Product Support
Services (PSS) but in due course we plan to release these directly to the
Microsoft Download Center.

Further details of this can be found in KB 842933
(http://support.microsoft.com/default.aspx?kbid=842933). We will be updating
this regularly as the fixes become available through PSS and, subsequently,
through the Download Center.

Please let us know if you have any questions.

Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights.
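
The timestamp rule described in the post above can be checked before anyone opens a GPO. The following Python sketch is an added example, not part of the original posting or of any Microsoft tool; the function names, directory layout and sample files are constructed, and it reports only files present in both places because the post does not say what happens to files missing from the GPO.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _adm_index(directory):
    """Map lower-cased file name -> Path for every .adm file in a directory."""
    return {p.name.lower(): p for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".adm"}


def _sha256(path):
    """Hex digest of a file's content, used to tell real changes from touch-only ones."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def predict_adm_uploads(admin_adm_dir, gpo_adm_dir):
    """List .adm files whose copy on the administrative machine is newer than
    the copy stored in the GPO, i.e. the files the post says GPEdit would
    upload to Sysvol just by viewing the GPO.

    Only the modification time decides the upload (per the post); the
    content hash is reported so a reviewer can see whether the newer file
    actually differs from what is already stored.
    """
    local = _adm_index(admin_adm_dir)
    stored = _adm_index(gpo_adm_dir)
    findings = []
    for name in sorted(local.keys() & stored.keys()):
        local_mtime = local[name].stat().st_mtime
        gpo_mtime = stored[name].stat().st_mtime
        if local_mtime > gpo_mtime:
            findings.append({
                "file": name,
                "local_mtime": local_mtime,
                "gpo_mtime": gpo_mtime,
                "content_differs": _sha256(local[name]) != _sha256(stored[name]),
            })
    return findings


def constructed_demo():
    """Build two throw-away directories with constructed .adm files and run the check."""
    older, newer = 1_000_000_000, 1_092_000_000  # constructed timestamps
    # (file name, local text, local mtime, GPO text, GPO mtime) -- all constructed
    samples = [
        ("system.adm", "local copy, newer syntax", newer, "stored copy", older),
        ("inetres.adm", "identical text", newer, "identical text", older),
        ("wuau.adm", "local copy", older, "stored copy", newer),
    ]
    with tempfile.TemporaryDirectory() as root:
        admin_dir = Path(root, "inf")          # stands in for %windir%\inf
        gpo_dir = Path(root, "gpo_adm")        # stands in for the GPO's Adm folder
        admin_dir.mkdir()
        gpo_dir.mkdir()
        for name, local_text, local_mtime, gpo_text, gpo_mtime in samples:
            for folder, text, mtime in ((admin_dir, local_text, local_mtime),
                                        (gpo_dir, gpo_text, gpo_mtime)):
                path = folder / name
                path.write_text(text)
                os.utime(path, (mtime, mtime))
        return predict_adm_uploads(admin_dir, gpo_dir)


if __name__ == "__main__":
    for finding in constructed_demo():
        print(finding)
```
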
Anonymous
August 9, 2004 8:01:59 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

Hey Mark-
Will the new SP2 ADMs be available as a separate download on the ADM
download site
(http://www.microsoft.com/downloads/details.aspx?FamilyI...)
soon?

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anonymous
August 9, 2004 8:07:37 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

Hi Darren,

Yes, I plan to have these updated by the end of this week. I'll post to this
newsgroup when they are available.

Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights.
Anonymous
August 10, 2004 6:41:01 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

Mark,

Are not the files in "C:\WINDOWS\ServicePackFiles\i386" after a SP2 install
the required files? Can these not be applied to your domain controllers and
all other machines used to set Group Policy?

Andrew
Anonymous
August 10, 2004 1:38:19 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

Hi Andrew,

If you are talking about AFTER the install, the .adm files are in
%windir%\inf. By default these will be copied up to the GPO (Sysvol) when
you view or edit the GPO from GPEdit. If you then walk to the domain
controller (suitably patched with the fixes we'll be making available very
soon) then you will see the new policy settings. The new policy settings
cannot be applied TO the domain controller (Windows Server 2003 or Windows
2000 Server don't have the appropriate support for these policy settings)
but you can apply these settings FROM the domain controller (namely, edit a
GPO including the new policy settings and target XP SP2 machines
accordingly).

Make sense?

Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights
Anonymous
August 10, 2004 6:26:22 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

I installed SP2 in an AD environment. When I'm trying to open the
local group policy, I'm getting a couple of error messages:

"Administrative Templates

The following error occurred in
C:\WINDOWS\System32\GroupPolicy\Adm\system.adm on line 62: Error 64
string specified more than once

The file cannot be loaded"

The second message is the same error on line "6537".

Is this related to the original problem? Thanks for the post!
Anonymous
August 15, 2004 4:22:48 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

Mark,

Is it possible to identify the new policies introduced by XP and XP SP2
within the GPO? (besides printed documentation...)

As I'm sure 2000 Pro will ignore some of the new policies only intended
for XP, it'd be good if I could see in the object description whether or
not that object would apply to 2000, XP or XP SP2 clients only...

Adrian
Anonymous
August 16, 2004 12:34:27 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

Hi Adrian,

The Supported tag in the .adm file specifies which Operating Systems and
Service Packs support any specific policy setting. This is displayed in
the Requirements field in GPEdit. Also, you can see a list of all policy
settings (and the Supported information) in the spreadsheet at the following
location:

http://go.microsoft.com/fwlink/?linkid=15165

I hope this helps.

--
Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights.
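
To see the Supported information without opening GPEdit, the .adm text itself can be read. The following Python parser is an added example, not code from the original post or from Microsoft; the sample template, its string names and registry key are constructed for illustration, and the parser handles only the POLICY, SUPPORTED and [strings] parts of the format.

```python
import re

# Constructed sample template; the names, texts and key below are illustrative only.
SAMPLE_ADM = r'''
; constructed sample, not a shipped .adm file
CLASS MACHINE
CATEGORY !!ExampleCategory
  POLICY !!ExampleProtectAll
    #if version >= 4
      SUPPORTED !!SUPPORTED_ExampleXPSP2
    #endif
    KEYNAME "Software\Policies\Example\Firewall"
    VALUENAME "ExampleEnable"
  END POLICY
  POLICY !!ExampleLegacy
    SUPPORTED !!SUPPORTED_ExampleWin2k
    KEYNAME "Software\Policies\Example\Legacy"
    VALUENAME "ExampleLegacyValue"
  END POLICY
  POLICY !!ExampleUntagged
    KEYNAME "Software\Policies\Example\Untagged"
    VALUENAME "ExampleUntaggedValue"
  END POLICY
END CATEGORY

[strings]
ExampleCategory="Example category"
ExampleProtectAll="Example: protect all network connections"
ExampleLegacy="Example: legacy setting"
ExampleUntagged="Example: untagged setting"
SUPPORTED_ExampleXPSP2="At least Microsoft Windows XP Professional with SP2"
SUPPORTED_ExampleWin2k="At least Microsoft Windows 2000"
'''

_STATEMENT = re.compile(r'^(POLICY|SUPPORTED)\s+(.+?)$', re.IGNORECASE)
_END_POLICY = re.compile(r'^END\s+POLICY$', re.IGNORECASE)
_STRING_DEF = re.compile(r'^([^=\s]+)\s*=\s*"(.*)"$')


def parse_adm(text):
    """Return [(policy display name, supported text or None), ...] in file order."""
    policies, strings = [], {}
    current = None          # policy block being read, if any
    in_strings = False      # True once the [strings] section starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.lower() == "[strings]":
            in_strings = True
            continue
        if in_strings:
            match = _STRING_DEF.match(line)
            if match:
                strings[match.group(1)] = match.group(2)
            continue
        if _END_POLICY.match(line):
            current = None
            continue
        match = _STATEMENT.match(line)
        if not match:
            continue        # CATEGORY, KEYNAME, #if and other lines are not needed here
        keyword, token = match.group(1).upper(), match.group(2)
        if keyword == "POLICY":
            current = {"name": token, "supported": None}
            policies.append(current)
        elif current is not None:
            current["supported"] = token   # SUPPORTED inside the open policy

    def resolve(token):
        """Turn !!name into its [strings] text, or strip quotes from a literal."""
        if token is None:
            return None
        if token.startswith("!!"):
            return strings.get(token[2:], token)
        return token.strip('"')

    return [(resolve(p["name"]), resolve(p["supported"])) for p in policies]


def policies_requiring(text, needle):
    """Names of policies whose Supported text contains `needle`, e.g. "SP2"."""
    return [name for name, supported in parse_adm(text)
            if supported is not None and needle in supported]


if __name__ == "__main__":
    for name, supported in parse_adm(SAMPLE_ADM):
        print(f"{name}: {supported or 'no Supported tag'}")
```
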
"Adrian Marsh" <hidden@somewhere.com> wrote in message
news:uWv9zorgEHA.384@TK2MSFTNGP10.phx.gbl...
> Mark,
>
> Is it possible to identify the new policies introduced by XP and XP SP2
> within the GPO? (besides printed documentation...)
>
> As I'm sure 2000 Pro will ignore some of the new policies only intended
> for XP, it'd be good if I could see in the object description whether or
> not that object would apply to 2000, XP or XP SP2 clients only...
>
> Adrian
>
> Mark Williams [MSFT] wrote:
>> As you know, Microsoft has recently announcement the pending availability
>> of Windows XP Service Pack 2. I won't describe the multitude of benefits
>> associated with this service pack, especially from a security perspective
>> (these are well documented here:
>> http://www.microsoft.com/windowsxp/sp2/default.mspx), but I do want to
>> bring your attention to an important issue related to Group Policy.
>>
>> Many of the central features in Windows XP Service Pack 2, such the
>> Windows Firewall and enhanced Internet Explorer functionality, can be
>> managed through Group Policy. In fact, my team has been heavily involved
>> with supporting the teams who have added the 600+ new policy settings
>> available in the XP SP2 versions of the .adm files. XP SPS2 is the most
>> policy-enabled operating system / service pack we have ever shipped.
>> Numerically, much of this increase in policy settings is attributable to
>> repeated "groups" of policy settings in IE (across the various IE zones)
>> but there is still a much richer set of policy settings that, we believe,
>> is a key factor improving the manageability of Windows XP through Group
>> Policy. By way of example, the new Windows Firewall (turned on by default
>> in XP SP2) has a broad range of policy settings to "custom fit" this
>> component to your specific needs - which ports and programs you allow,
>> management of remote administration and file/print services ports and so
>> on. All told, Group Policy represents the primary mechanism through which
>> you can manage the new features of XP SP2 in an Active Directory
>> environment.
>>
>> As well as highlighting these changes, I wanted to bring your attention
>> to an important issue around the use of the .ADM files we ship with XP
>> SP2. These files use syntax that has been available for some time but
>> which has exposed some issues with earlier versions of the Group Policy
>> Object Editor (GPEdit). In a nutshell, if you load the XP SP2 files from
>> earlier versions of GPEdit (across Windows 2000, XP or Windows Server
>> 2003), GPEdit will generate multiple "string too long" error messages.
>>
>> By default GPEdit compares the timestamps of the files stored in a GPO
>> (in Sysvol) with those on the administrative machine and, if the latter
>> are more recent, will upload the .ADM files to the GPO, in Sysvol. What
>> this means is that the act of viewing a GPO (no changes to the GPO are
>> necessary) will result in the new .ADM files being uploaded and,
>> eventually, used by other versions of GPEdit around your network that are
>> not yet running XP SP2. NOTE THAT THIS IS PURELY AN ADMINISTRATIVE
>> ISSUE - this has no implications for the actual application of Group
>> Policy to machines or users.
>>
>> To this end we are making available a number of hotfixes that will
>> resolve this issue. The Windows 2000 fix is available today and we expect
>> the others (for Windows Server 2003 and XP SP1) to be available
>> later this week. Initially, the fixes will be available through Microsoft
>> Product Support Services (PSS) but in due course we plan to release these
>> directly to the Microsoft Download Center.
>>
>> Further details of this can be found in KB 842933
>> (http://support.microsoft.com/default.aspx?kbid=842933). We will be
>> updating this regularly as the fixes become available through PSS and,
>> subsequently, through the Download Center.
>>
>> Please let us know if you have any questions.
>>
>> Mark Williams
>> Program Manager, Group Policy
>> http://www.microsoft.com/technet/grouppolicy
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
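A read-only way to preview the side effect described in the quoted announcement (merely viewing a GPO uploads local .ADM files that are more recent than the GPO's copies), added here as an example and not part of the thread. The folder layout (one local .adm folder, and an `Adm` subfolder per GPO under a `Policies` folder) and all function names are assumptions; the script only reads modification times.

```python
import os
import sys

def adm_mtimes(folder):
    """Map lower-cased .adm file name -> modification time for one folder."""
    return {e.name.lower(): e.stat().st_mtime
            for e in os.scandir(folder)
            if e.is_file() and e.name.lower().endswith(".adm")}

def upload_candidates(local_dir, gpo_adm_dir):
    """Names of .adm files whose local copy is more recent than the GPO's copy."""
    local, stored = adm_mtimes(local_dir), adm_mtimes(gpo_adm_dir)
    return sorted(n for n, t in local.items() if n in stored and t > stored[n])

def scan_policies(local_dir, policies_dir):
    """Check every <GPO>/Adm folder under policies_dir; return {gpo: [names]}."""
    report = {}
    for gpo in os.scandir(policies_dir):
        adm_dir = os.path.join(gpo.path, "Adm")
        if gpo.is_dir() and os.path.isdir(adm_dir):
            names = upload_candidates(local_dir, adm_dir)
            if names:
                report[gpo.name] = names
    return report

if __name__ == "__main__":
    # Usage: script.py <local .adm folder> <Policies folder of a Sysvol copy>
    for gpo, names in scan_policies(sys.argv[1], sys.argv[2]).items():
        print(gpo, ", ".join(names))
```

Running it from an administrative machine before opening any GPO shows which GPOs would receive newer templates from that machine.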
August 16, 2004 12:51:04 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

Mark, I noticed you said there is a hotfix out for Windows Server 2000 with
SP4. Though when I go to the link, it says I must call to get the hotfix. Is
there anywhere else I can get this hotfix without calling?

"Mark Williams [MSFT]" wrote:

> As you know, Microsoft has recently announced the pending availability of
> Windows XP Service Pack 2. I won't describe the multitude of benefits
> associated with this service pack, especially from a security perspective
> (these are well documented here:
> http://www.microsoft.com/windowsxp/sp2/default.mspx), but I do want to bring
> your attention to an important issue related to Group Policy.
>
> Many of the central features in Windows XP Service Pack 2, such as the Windows
> Firewall and enhanced Internet Explorer functionality, can be managed
> through Group Policy. In fact, my team has been heavily involved with
> supporting the teams who have added the 600+ new policy settings available
> in the XP SP2 versions of the .adm files. XP SP2 is the most policy-enabled
> operating system / service pack we have ever shipped. Numerically, much of
> this increase in policy settings is attributable to repeated "groups" of
> policy settings in IE (across the various IE zones) but there is still a
> much richer set of policy settings that, we believe, is a key factor
> improving the manageability of Windows XP through Group Policy. By way of
> example, the new Windows Firewall (turned on by default in XP SP2) has a
> broad range of policy settings to "custom fit" this component to your
> specific needs - which ports and programs you allow, management of remote
> administration and file/print services ports and so on. All told, Group
> Policy represents the primary mechanism through which you can manage the new
> features of XP SP2 in an Active Directory environment.
>
> As well as highlighting these changes, I wanted to bring your attention to
> an important issue around the use of the .ADM files we ship with XP SP2.
> These files use syntax that has been available for some time but which has
> exposed some issues with earlier versions of the Group Policy Object Editor
> (GPEdit). In a nutshell, if you load the XP SP2 files from earlier versions
> of GPEdit (across Windows 2000, XP or Windows Server 2003), GPEdit will
> generate multiple "string too long" error messages.
>
> By default GPEdit compares the timestamps of the files stored in a GPO (in
> Sysvol) with those on the administrative machine and, if the latter are more
> recent, will upload the .ADM files to the GPO, in Sysvol. What this means is
> that the act of viewing a GPO (no changes to the GPO are necessary) will
> result in the new .ADM files being uploaded and, eventually, used by other
> versions of GPEdit around your network that are not yet running XP SP2. NOTE
> THAT THIS IS PURELY AN ADMINISTRATIVE ISSUE - this has no implications for
> the actual application of Group Policy to machines or users.
>
> To this end we are making available a number of hotfixes that will resolve
> this issue. The Windows 2000 fix is available today and we expect the
> others (for Windows Server 2003 and XP SP1) to be available later this week.
> Initially, the fixes will be available through Microsoft Product Support
> Services (PSS) but in due course we plan to release these directly to the
> Microsoft Download Center.
>
> Further details of this can be found in KB 842933
> (http://support.microsoft.com/default.aspx?kbid=842933). We will be updating
> this regularly as the fixes become available through PSS and, subsequently,
> through the Download Center.
>
> Please let us know if you have any questions.
>
> Mark Williams
> Program Manager, Group Policy
> http://www.microsoft.com/technet/grouppolicy
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
Anonymous
August 16, 2004 4:20:39 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

Hi Dan,

The Windows 2000 fix is available here:

http://www.microsoft.com/downloads/details.aspx?FamilyI...

--
Mark Williams
Program Manager, Group Policy
http://www.microsoft.com/technet/grouppolicy

This posting is provided "AS IS" with no warranties, and confers no rights.
"Dan" <Dan@discussions.microsoft.com> wrote in message
news:5CA0E63D-9223-4958-AF94-6C608A3BABA6@microsoft.com...
> Mark, I noticed you said there is a hotfix out for Windows Server 2000 with
> SP4. Though when I go to the link, it says I must call to get the hotfix. Is
> there anywhere else I can get this hotfix without calling?
Anonymous
August 24, 2004 9:50:26 PM

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

Mark,

I've just applied the hotfix to my W2K DC, and uploaded the .adm files
from an XP SP2 Pro machine. I don't see the "Requirements" field in
GPEdit (I admin from the local W2K DC, not from the Pro laptop - does
that make a difference?)

Adrian

Mark Williams [MSFT] wrote:

> Hi Adrian,
>
> The Supported tag in the .adm file specifies which Operating Systems and
> Service Packs support any specific policy setting. This is displayed in
> the Requirements field in GPEdit. Also, you can see a list of all policy
> settings (and the Supported information) in the spreadsheet at the following
> location:
>
> http://go.microsoft.com/fwlink/?linkid=15165
>
> I hope this helps.
>
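Whether a given .adm file carries the Supported tag discussed above can be checked from the file itself. The parser below is an added example, not part of the thread or Microsoft's code; the sample .adm text, its policy names and its registry paths are constructed, and the parser reads only the POLICY, SUPPORTED and [strings] constructs.

```python
import re

# Constructed sample in .adm syntax; policy names and registry paths are made up.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!SampleCategory
  POLICY !!AllowPing
    #if version >= 4
      SUPPORTED !!SUPPORTED_WindowsXPSP2
    #endif
    KEYNAME "Software\Example\Firewall"
  END POLICY
  POLICY !!LegacySetting
    KEYNAME "Software\Example\Legacy"
  END POLICY
END CATEGORY

[strings]
SampleCategory="Sample category"
AllowPing="Allow ping (sample)"
LegacySetting="Legacy setting (sample)"
SUPPORTED_WindowsXPSP2="At least Microsoft Windows XP Professional with SP2"
'''

def _resolve(token, strings):
    """Turn a !!reference into its [strings] text; otherwise strip quotes."""
    token = token.strip()
    if token.startswith("!!"):
        return strings.get(token[2:], token)
    return token.strip('"')

def parse_supported(adm_text):
    """Return [(policy name, Supported text or None)], one per POLICY block."""
    parts = re.split(r"(?im)^\s*\[strings\]\s*$", adm_text, maxsplit=1)
    strings = {}
    for line in (parts[1] if len(parts) > 1 else "").splitlines():
        m = re.match(r'\s*([^=;\s]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            strings[m.group(1)] = m.group(2)
    policies, current = [], None
    for line in parts[0].splitlines():
        if line.lstrip().startswith(";"):  # comment line
            continue
        if re.match(r"\s*END\s+POLICY\b", line, re.I):
            if current:
                policies.append(tuple(current))
            current = None
        elif m := re.match(r"\s*POLICY\s+(.+)", line, re.I):
            current = [_resolve(m.group(1), strings), None]
        elif current and (m := re.match(r"\s*SUPPORTED\s+(.+)", line, re.I)):
            current[1] = _resolve(m.group(1), strings)
    return policies
```

A policy that comes back with `None` has no Supported tag in that file, so there is no Supported text for it to show.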