What's New for Administrative Template Files in Windows XP SP2
Applies To: Windows Server 2003
Windows XP SP2 includes modifications to tools used to administer Group Policy. This includes changes to the LISTBOX ADDITIVE behavior, which is implemented through an update to gptext.dll. This section includes details of these changes.
For information about managing new features released in Windows XP SP2, see Managing Windows XP Service Pack 2 Features Using Group Policy at http://go.microsoft.com/fwlink/?LinkId=31974.
Changes to LISTBOX ADDITIVE
Policy settings defined by the LISTBOX keyword allow you to manage multiple values under one registry key. When LISTBOX is used, each list entry is written as a REG_SZ registry value, so multiple values can be stored under one registry key.
An example of the use of LISTBOX is the Windows Firewall: Define Port Exceptions policy setting, located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall, under both the Domain Profile and Standard Profile nodes.
By default, when LISTBOX policy settings are used in multiple GPOs, the list of the values written to the registry is defined entirely by the last GPO applied ("last writer wins"). The additive keyword changes the behavior so that the aggregate values from multiple GPOs are applied. For example, suppose that you have two GPOs with the following values for the Windows Firewall: Define Port Exceptions policy setting:
GPO x. Sets values A, B, and C.
GPO y. Sets values D, E, and F.
Without the additive keyword, only the values D, E, and F in GPO y are applied to the registry of targeted computers. This is because GPO y is the last GPO applied. With the additive keyword, all of the values from both GPOs are applied: A, B, C, D, E, and F.
The LISTBOX ADDITIVE behavior in Windows XP with SP2 gives you more flexibility in determining the values that will be applied to targets in a given Active Directory container. For example, the ability to disable policy settings from lower-precedence GPOs is a key tenet of Group Policy management. Prior to Windows XP with SP2, the disabled behavior had no effect for policy settings that used LISTBOX ADDITIVE. Furthermore, prior to Windows XP with SP2, LISTBOX ADDITIVE was found only in a few, rarely used policy settings affecting offline files. In Windows XP with SP2, LISTBOX ADDITIVE is used more prominently, including in policy settings that affect Windows Firewall and Internet Explorer.
Therefore, in Windows XP with SP2, the disabled behavior now functions as expected: removing any entries inherited from other lower-precedence GPOs.
For example, suppose a GPO with values A, B, and C is normally applied to all computers in a domain. But, as an OU administrator, you wish to prevent these values from taking effect on computers in your OU. You can create a new GPO to disable values A, B, and C. This is illustrated in the following example:
GPO x. Enables values A, B, and C for all computers in the domain.
GPO z. Disables values A, B, and C for all computers in your OU.
GPO y. Enables values D, E, and F for all computers in the domain.
In this scenario, the values D, E, and F are applied to the computers in your OU.
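The merge rules described in the two scenarios above (last writer wins for a plain LISTBOX, aggregation for LISTBOX ADDITIVE, and the SP2 change that lets a Disabled setting remove inherited entries) can be reproduced with a small model. This is an added example, not Microsoft's Group Policy engine; the GPO names, the letter-to-entry mapping and the processing order (domain GPOs first, then the OU's GPO) are constructed to match the text, and the behaviour of Disabled on a plain, non-additive LISTBOX is an assumption, not something the text states.

```python
"""Model of how a LISTBOX policy's entries merge across GPOs, as described above.

Added example, not Microsoft's Group Policy engine: it reproduces "last writer
wins" for a plain LISTBOX, aggregation for LISTBOX ADDITIVE, and the Windows XP
SP2 change that lets a Disabled setting remove entries inherited from
lower-precedence GPOs.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ListboxSetting:
    """One GPO's state for a single LISTBOX policy setting."""
    gpo: str
    state: str                                   # "Enabled", "Disabled" or "NotConfigured"
    entries: Dict[str, str] = field(default_factory=dict)   # value name -> REG_SZ data


def apply_listbox(settings: List[ListboxSetting], additive: bool,
                  disabled_effective: bool = True) -> Dict[str, str]:
    """Return the values left under the policy key after processing `settings`.

    `settings` is in processing order, so the last element is the
    highest-precedence GPO. `disabled_effective=False` models the pre-SP2
    behaviour, in which Disabled had no effect on an ADDITIVE list.
    """
    key: Dict[str, str] = {}
    for s in settings:
        if s.state == "NotConfigured":
            continue                              # leaves earlier GPOs' entries alone
        if s.state == "Enabled":
            if additive:
                key.update(s.entries)             # aggregate with earlier GPOs
            else:
                key = dict(s.entries)             # plain LISTBOX: last writer wins
        elif s.state == "Disabled":
            if not additive:
                key = {}                          # assumption: Disabled clears a plain list
            elif disabled_effective:
                for name in s.entries:            # SP2: remove inherited entries
                    key.pop(name, None)
            # pre-SP2 ADDITIVE: Disabled is silently ignored
        else:
            raise ValueError(f"unknown state {s.state!r} in {s.gpo}")
    return key


# Constructed scenario following the letters used above; each letter stands
# for one port-exception entry.
GPO_X = ListboxSetting("GPO x (domain)", "Enabled", {v: f"exception {v}" for v in "ABC"})
GPO_Y = ListboxSetting("GPO y (domain)", "Enabled", {v: f"exception {v}" for v in "DEF"})
GPO_Z = ListboxSetting("GPO z (OU)", "Disabled", {v: f"exception {v}" for v in "ABC"})


def domain_only(additive: bool) -> List[str]:
    """Two domain GPOs, y applied after x."""
    return sorted(apply_listbox([GPO_X, GPO_Y], additive))


def with_ou_override(additive: bool, disabled_effective: bool = True) -> List[str]:
    """Domain GPOs x and y, then the OU's GPO z (applied last, highest precedence)."""
    return sorted(apply_listbox([GPO_X, GPO_Y, GPO_Z], additive, disabled_effective))


if __name__ == "__main__":
    print("plain LISTBOX, x then y:     ", domain_only(False))
    print("LISTBOX ADDITIVE, x then y:  ", domain_only(True))
    print("ADDITIVE + OU disable (SP2): ", with_ou_override(True))
    print("ADDITIVE + OU disable (pre): ", with_ou_override(True, False))
```

Running the script prints D, E, F for the plain LISTBOX case, A through F for the additive case, D, E, F once the OU's Disabled GPO is honoured, and A through F again under the pre-SP2 rule where Disabled was ignored for additive lists.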
Because the disabled functionality works only when using the latest version of gptext.dll, all policy settings that use LISTBOX ADDITIVE are enclosed by the #if version >= 5 ... #endif construct. This eliminates the possibility of multiple administrators experiencing different disabled behavior if they are using earlier versions of gptext.dll. Consequently, the policy settings that use LISTBOX ADDITIVE are not visible when editing a GPO from a computer running Windows Server 2003, Windows XP with SP1, or Windows 2000 operating systems.
If you have administrative workstations that are not using Windows XP with SP2, you will need to install a hotfix in order to manage these policy settings. For more information, see the ""String Too Long..." Hotfix for Earlier Operating Systems and Service Packs" section later in this document.
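The effect of the version guard can be seen with a small preprocessor that applies the "#if version >= N ... #endif" rule the way an editor of a given ADM-syntax version would. This is an added example, not the gpedit or gptext.dll parser; the ADM fragment it reads is constructed (the category, policy and key names are made up), and the only semantics modelled are that an editor reporting version 5 keeps the guarded block while an editor reporting a lower version drops it.

```python
"""Minimal model of the "#if version >= N ... #endif" guard in .adm files.

Added example, not Microsoft's gpedit/gptext code: the editor declares the
ADM-syntax version it understands (5 for the Windows XP SP2 gptext.dll, lower
for earlier editors) and the guarded block is kept or dropped accordingly.
"""
import re
from typing import Callable, Dict, List

# Constructed ADM fragment shaped like the guarded LISTBOX ADDITIVE policies
# described above; the category, policy and key names are made up.
SAMPLE_ADM = """\
CLASS MACHINE
CATEGORY !!ExampleCategory
#if version >= 5
  POLICY !!PortExceptions
    KEYNAME "Software\\Policies\\Example\\PortExceptions\\List"
    PART !!PortList LISTBOX ADDITIVE
    END PART
  END POLICY
#endif
  POLICY !!AlwaysVisible
    KEYNAME "Software\\Policies\\Example"
    VALUENAME "AlwaysVisible"
  END POLICY
END CATEGORY

[strings]
ExampleCategory="Example Category"
PortExceptions="Define Port Exceptions"
PortList="Port exceptions"
AlwaysVisible="Always visible"
"""

_IF_RE = re.compile(r"^\s*#if\s+version\s*(>=|<=|==|!=|>|<)\s*(\d+)\s*$", re.I)
_OPS: Dict[str, Callable[[int, int], bool]] = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,   "<": lambda a, b: a < b,
}


def preprocess(adm_text: str, editor_version: int) -> List[str]:
    """Return the lines an editor of the given ADM-syntax version keeps."""
    kept: List[str] = []
    keep_stack = [True]            # one entry per open #if, nesting supported
    for line in adm_text.splitlines():
        m = _IF_RE.match(line)
        if m:
            cond = _OPS[m.group(1)](editor_version, int(m.group(2)))
            keep_stack.append(keep_stack[-1] and cond)
            continue
        if line.strip().lower() == "#endif":
            if len(keep_stack) == 1:
                raise ValueError("#endif without matching #if")
            keep_stack.pop()
            continue
        if keep_stack[-1]:
            kept.append(line)
    if len(keep_stack) != 1:
        raise ValueError("unterminated #if block")
    return kept


def visible_policies(adm_text: str, editor_version: int) -> List[str]:
    """Names of the POLICY entries that survive the version guard."""
    return [line.split()[1]
            for line in preprocess(adm_text, editor_version)
            if line.strip().upper().startswith("POLICY ")]


if __name__ == "__main__":
    for version in (4, 5):
        print(f"editor version {version}: {visible_policies(SAMPLE_ADM, version)}")
```

With the editor version set to 5 both policies are listed; with version 4 only the unguarded policy survives, which is the "not visible" outcome the text describes for earlier editors.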
Managing Policy Settings on Earlier Operating Systems or Service Packs
The .adm files that use the LISTBOX ADDITIVE syntax do not fully load on earlier versions of the Group Policy Object Editor (gpedit), which is present by default in Windows Server 2003, Windows XP with SP1, and Windows 2000. If attempted, multiple error messages will appear when the system.adm and inetres.adm files are loaded in earlier versions of gpedit.
The error message is "The following entry in the [strings] section is too long and has been truncated." This occurs because earlier versions of gpedit cannot correctly handle the "#if version >= 5 / #endif" construct in the inetres.adm and system.adm files. Although clicking OK on all the pop-up error messages does result in the .adm files loading correctly, the new Windows XP SP2 policy settings that use the LISTBOX syntax will not be displayed. (This problem does not occur on computers running Windows XP with SP2 or computers that have been updated with the latest version of gpedit.)
This issue is of particular significance because of the way .adm files are distributed through a domain. By default, when a GPO is opened, a comparison is made between the timestamps of the .adm files stored in the GPO being edited and those on the local computer. If the local .adm files have a more recent timestamp, they are uploaded to the domain controller and replicated throughout the domain. From that point, all earlier versions of gpedit use the new .adm files. This scenario is illustrated in the following steps.
Install Windows XP SP2 on the administrative computer.
Open an existing GPO in the Group Policy Object Editor. The .adm file stored on the administrative computer is uploaded to the domain controller, and the GPO is "upgraded" to Windows XP SP2.
This .adm file is replicated to all domain controllers in the domain.
If the GPO is opened by other administrative workstations in the domain that are not running Windows XP with SP2 or the latest version of gpedit, error messages appear.
"String Too Long..." Hotfix for Earlier Operating Systems and Service Packs
If you or other administrators in your organization are going to manage policy settings on computers running earlier operating systems or service packs (for example, Windows Server 2003 or Windows XP with SP1), you need to install a hotfix in order for policy settings to appear correctly in the Group Policy Object Editor.
These hotfixes are available for the following:
Windows Server 2003
Windows XP with SP1
To obtain these hotfixes, see article 842933, "'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000," in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=4441.
If you are going to manage policy settings from workstation computers running Windows XP with SP2 only, you will be able to manage policy settings without applying any hotfixes. For example, you will be able to run the Group Policy Object Editor and view all the new policy settings delivered with Windows XP SP2.
Note: Opening a GPO on a computer running Windows XP with SP2 causes all other administrative workstations to use the new .adm files (note that no changes need be made to the GPO for this to occur). This will generate error messages when earlier versions of gpedit are loaded. For more information about this issue, see article 842933, "'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000," in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=4441.
By installing the hotfix for Windows Server 2003, Windows XP with Service Pack 1, and Windows 2000, you ensure that the Windows XP SP2 .adm files load correctly on these platforms.