Microsoft KB Archive/827012

= &quot;Windows Cannot Read Template Information&quot; Error Message When You Try to View a Windows XP-based Template in a Windows 2000 Domain =

Article ID: 827012

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Server

-





SYMPTOMS
If you create and edit a security template by using the Security Configuration and Analysis tool on a Windows XP-based computer, and then you import this template into a Group Policy object on a Windows 2000 domain controller, you cannot view the template. This is true even though no errors are reported during the import operation.

When you try to use the Group Policy editor to view the security settings in the Group Policy object where the template was imported, you receive the following error message (with a red cross next to it):

Windows cannot read template information

The following events are also logged in Event Viewer when the Group Policy setting is applied to a Windows 2000 client:

Event Type: Warning

Event Source: SceCli

Event Category: None

Event ID: 1202

Date:

Time:

User: N/A

Computer:

Description: Security policies are propagated with warning. 0x4b8 : An extended error has occurred. Please look for more details in TroubleShooting section in Security Help.

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1000

Date:

Time:

User: NT AUTHORITY\SYSTEM

Computer:

Description: The Group Policy client-side extension Security was passed flags (1) and returned a failure status code of (1208).



CAUSE
In Windows XP, the following new Security Descriptor Definition Language (SDDL) objects have been defined:
 * AN - Anonymous Logon
 * LS - Local Service Account
 * NS - Network Service Account
 * RD - Remote Desktop Users
 * NO - Network Configuration Operators
 * MU - Performance Monitor Users
 * LU - Performance Log Users

Because these SDDL objects do not exist in Windows 2000, you cannot view the template in Windows 2000.



RESOLUTION
To view the template and to apply it to Windows 2000, create the template in Windows 2000.

If you want to solve the problem that occurs if you edit domain Group Policy, apply the hotfix that is described in the following Knowledge Base article:

837166 Group Policy that you edit in Windows XP does not work in Windows 2000



WORKAROUND
To work around this issue, view the template by using Windows XP or Microsoft Windows Server 2003.



STATUS
This behavior is by design.



MORE INFORMATION
If you create the template by using Windows XP, and it contains the new SDDL objects, the template is correctly applied to Windows XP and Windows Server 2003-based computers. Additionally, you can view the template by using the Group Policy Management Console (GPMC) tool in Windows XP and Windows Server 2003.

However, the Group Policy object generates the event IDs that are described in the &quot;Symptoms&quot; section when the template is applied to Windows 2000 clients. This occurs because Windows 2000 clients cannot resolve the new SDDL objects.

Keywords: kberrmsg kbprb KB827012

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.