Group Policy Is Not Applied and You Receive No Error Message (310741)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q310741

SYMPTOMS

When you change a security setting in the machine Group Policy, the change is not applied to target computers. For example, user rights do not work.

You receive no error message or other warning in any of the troubleshooting tools.

CAUSE

This behavior occurs because the Gpttmpl.inf Group Policy template from the Group Policy directories on SYSVOL is copied to the following location

%windir%\Security\Templates\Policies

and then applied to the local security database from there.

The file names in this directory are Gptxxxxx.inf and Gptxxxxx.dom, where xxxxx is a number starting from 00000.

After the policy is applied, this temporary file is deleted. If this operation is unsuccessful (for example, because the file is in use by a virus scanner or the read-only flag is set), the policy engine may enter a mode where it does not correctly manage these temporary files, and therefore the application of Group Policy is broken.

RESOLUTION

To resolve this issue, delete all the files in %windir%\Security\Templates\Policies folder except Tmpgptfl.inf, and then make sure that the read-only attribute is cleared for this file.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Currently, Microsoft can reproduce this issue only when the local files have the read-only attribute set. When the files are in use (for example, a program has them open), the behavior is different. In this case, you receive the following event log entries.

When the files Gpt.inf and Gptxxxxx.dom are in use:
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 08.04.2002
Time: 16:05:02
User: N/A
Computer: domain controller
Description:
Security policies are propagated with warning. 0x5 : Access is denied. Please look for more details in Troubleshooting section in Security Help.
When Tmpgptfl.inf is in use:
Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1001
Date: 08.04.2002
Time: 16:15:18
User: N/A
Computer: domain controller
Description:
Security policy cannot be propagated. Cannot access the template. Error code = 32.
\\domain name\sysvol\domain name\Policies\policy GUID\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
When there is a summary error, which may also be logged with a status code of 32:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 08.04.2002
Time: 16:05:02
User: NT AUTHORITY\SYSTEM
Computer: domain controller
Description:
The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (5).
Modification Type:MinorLast Reviewed:10/11/2004
Keywords:kbenv kbprb KB310741
©2004 Microsoft Corporation. All rights reserved.