The Case of the Disappearing User Settings

Administering mixed Windows platforms? Then be sure to manage Group Policy Objects from one machine or you'll run into this baffling feature of Windows 2003.

Bill: Am I going crazy or do Group Policy Objects sometimes disappear in Windows Server 2003? I created a GPO on a Windows 2003 machine with lots of settings for my Windows XP desktops. I went back a couple of days later and not only are all those settings gone, so are all of the Windows XP settings in general. What gives?
—Adam

Adam, what you're seeing is a feature in Windows that controls the storage and update of template files used for building Group Policy Objects. I've worked with Jeremy Moskowitz, a colleague and authority on this subject, to chart out this behavior. It's definitely not intuitive. Let's start with some background information:

When you create a GPO, you run an MMC console snap-in called the Group Policy Editor. (This is true even if you use the Windows 2003 Group Policy Management Console to organize your policies.) When you launch the GPE, it reaches into the %windir%\INF folder on the machine where you launch it to find files that hold the administrative template policy settings. These files have an ADM extension, so you'll hear them called the ADM template files.

This is an important point, so let me repeat it: The ADM files used by the Group Policy Editor when creating a GPO come from the %windir%\INF folder on the machine running the editor, not from the PDC Emulator or the desktop's logon server.

When you create a GPO, the GPE creates a policy folder in Sysvol to hold files that support the GPO. This policy folder gets a unique name that looks like a long number. That number is called a Globally Unique Identifier (GUID). The GPE uses that GUID to create attributes in Active Directory that point at the GPO. In addition to the GPO support files, the Group Policy Editor stores a copy of the ADM files it used when it created the GPO.

When you edit a GPO following its creation and drill down to the Administrative Template settings, the Group Policy Editor uses the cached ADM files in Sysvol to display available policy settings.

Here's a quick summary: Every GPO gets a unique policy folder in Sysvol. The Group Policy Editor stashes a copy of the ADM files it used to create the GPO in this policy folder. The ADM files come from the machine running the Group Policy Editor.

Things get interesting at this point. Let's say you install the Windows 2003 admin tools on a Windows XP SP1 desktop and you use this machine to create your GPOs.

So, you now have a set of files in Sysvol that support the GPO you just created from a Windows XP SP1 desktop. The File Replication Service replicates these files to every domain controller in the domain. Your Windows XP desktops download the GPO files from the Windows 2000 and Windows 2003 domain controllers they use as logon servers. At this point, life is sweet and you can go home at night and actually enjoy your free time.

Now you decide to spend a long Sunday afternoon installing Service Pack 4 on your Windows 2000 domain controllers. At the end of the afternoon, you use one of these domain controllers to peek at the GPO you created a few days ago from your Windows XP SP1 workstation.

Because the timestamp on the ADM files on the Windows 2000 SP4 server is later than the timestamp on the Windows XP SP1 ADM files, the Windows 2000 SP4 ADM files overwrite the ADM files cached in the GPO's Sysvol policy folder, and all your Windows XP policy settings disappear.

Believe it or not, what happened is not a bug. It's a feature. It's by design. And it gets worse. The Windows XP SP2 beta is coming to a close soon, and Windows 2003 SP1 is not far away from release, either. Depending on when the Microsoft team approves the gold code, you may end up overwriting the GPO files several more times as you upgrade your Windows 2003 and Windows XP machines with the new service packs.

There's a group policy in Windows 2003 that tells a machine not to overwrite the current ADM file, but that policy only affects Windows 2003 servers, as of this writing.

So, if you have a mixed environment of Windows platforms, here's my advice: You and anyone else on your team need to agree to use one set of machines to manage Group Policy Objects. On each of those machines, make an innocuous change to the ADM files so as to update the timestamp to the current date (or use a utility that does this for you). When you distribute new service packs, make sure that updating the ADM template file timestamps is included in your change control process.

And as you do this, remind yourself: This is fun. This is fun. This is fun.
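The timestamp comparison described above, and the workaround of bumping the timestamps on the management machine's ADM files, as an added example that is not from the column or from Microsoft. It assumes each GPO's cached templates live in an "Adm" subfolder under its Sysvol policy folder, and builds a constructed sample tree in a temp directory so it runs anywhere; point it at a real %windir%\inf and Sysvol Policies path to use it as a pre-flight check before editing a GPO from a freshly service-packed machine.

```python
import os
import tempfile
import time
from pathlib import Path

def local_adm_files(inf_dir):
    """Map lowercase file name -> path for the ADM templates in this machine's INF folder."""
    return {p.name.lower(): p for p in Path(inf_dir).glob("*.adm")}

def find_at_risk_templates(inf_dir, policies_dir):
    """Return (gpo_folder, adm_name) for every cached ADM copy in Sysvol that is
    older than this machine's copy: editing that GPO from here would replace it."""
    local = local_adm_files(inf_dir)
    at_risk = []
    for gpo_dir in sorted(Path(policies_dir).iterdir()):
        adm_dir = gpo_dir / "Adm"            # assumed name of the per-GPO template cache
        if not adm_dir.is_dir():
            continue
        for cached in adm_dir.glob("*.adm"):
            local_copy = local.get(cached.name.lower())
            if local_copy and local_copy.stat().st_mtime > cached.stat().st_mtime:
                at_risk.append((gpo_dir.name, cached.name))
    return at_risk

def touch_adm_files(inf_dir, when=None):
    """The column's workaround: stamp every local ADM file with 'when' (default: now)
    so the agreed management machine's templates always win the timestamp comparison."""
    when = time.time() if when is None else when
    paths = list(Path(inf_dir).glob("*.adm"))
    for p in paths:
        os.utime(p, (when, when))
    return len(paths)

def build_sample_tree(local_age, cached_age):
    """Constructed sample: one GPO folder whose cached system.adm is 'cached_age'
    seconds old while the local system.adm is 'local_age' seconds old."""
    root = Path(tempfile.mkdtemp())
    inf = root / "inf"
    adm = root / "Policies" / "{SAMPLE-GUID}" / "Adm"   # placeholder GPO GUID
    inf.mkdir()
    adm.mkdir(parents=True)
    now = time.time()
    for folder, age in ((inf, local_age), (adm, cached_age)):
        f = folder / "system.adm"
        f.write_text("CLASS MACHINE\n")                   # constructed placeholder content
        os.utime(f, (now - age, now - age))
    return inf, root / "Policies"

if __name__ == "__main__":
    inf, policies = build_sample_tree(local_age=60, cached_age=3600)
    print(find_at_risk_templates(inf, policies))   # [('{SAMPLE-GUID}', 'system.adm')]
```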

Hope this helps.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
