When you use the Security Configuration and Analysis tool to create and edit a security template on Windows XP, and import the template into a Group Policy Object (GPO) on a Windows 2000 domain controller, it imports without any errors.

When you attempt to use the Group Policy editor to view the security settings in the GPO where the template was imported, you receive:

Windows cannot read template information.

When the GPO is applied to Windows 2000 clients, the following events are logged:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: MM/DD/YY
Time: HH:MM:SS
User: N/A
Computer: <ComputerName>
Description: Security policies are propagated with warning. 0x4b8 : An extended error has occurred. Please look for more details in TroubleShooting section in Security Help.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: MM/DD/YY
Time: HH:MM:SS
User: NT AUTHORITY\SYSTEM
Computer: <ComputerName>
Description: The Group Policy client-side extension Security was passed flags (1) and returned a failure status code of (1208).

This problem occurs because Windows XP introduces new Security Descriptor Definition Language (SDDL) objects that do not exist in Windows 2000. The new SDDL objects are:

AN - Anonymous Logon
LS - Local Service Account
NS - Network Service Account
RD - Remote Desktop Users
NO - Network Configuration Operators
MU - Performance Monitor Users
LU - Performance Log Users

To view the template and apply it to Windows 2000, you must create the template in Windows 2000.

NOTE: Templates with the new SDDL objects are correctly applied to Windows XP and Windows Server 2003. You can use the GPMC (Group Policy Management Console) to view the template in Windows XP and Windows Server 2003.
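
The following is an added example, not part of the original article: a pre-import check that scans the text of a security template for the XP-only SDDL abbreviations listed above, so they can be found before the template is imported into a Windows 2000 GPO. It assumes SDDL strings appear as quoted values in the template; the function names and the sample template are constructed for illustration.

```python
import re

# SDDL account abbreviations the article lists as new in Windows XP.
XP_ONLY = {
    "AN": "Anonymous Logon", "LS": "Local Service Account",
    "NS": "Network Service Account", "RD": "Remote Desktop Users",
    "NO": "Network Configuration Operators",
    "MU": "Performance Monitor Users", "LU": "Performance Log Users",
}

def trustees(sddl):
    """Yield every SID token in an SDDL string: owner, group and ACE trustees."""
    # Owner (O:) and group (G:) come before the ACLs and take one SID each.
    for m in re.finditer(r"[OG]:([A-Z]{2}|S-[0-9-]+)", sddl):
        yield m.group(1)
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;account_sid)
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield fields[5]  # only the trustee field, never rights or flags

def scan_template(text):
    """Return (line_no, abbreviation, account) for each XP-only trustee found."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for value in re.findall(r'"([^"]*)"', line):
            # SDDL values start with O:, G:, D: or S:; a backslash means a drive path.
            if not re.match(r"[OGDS]:(?!\\)", value):
                continue
            hits += [(no, t, XP_ONLY[t]) for t in trustees(value) if t in XP_ONLY]
    return hits

# Constructed sample template (not taken from the article).
SAMPLE = r'''[Unicode]
Unicode=yes
[File Security]
"D:\Apps\tool.exe",0,"D:PAR(A;;FA;;;BA)(A;;0x1200a9;;;LS)"
"%SystemRoot%\system32\legacy.exe",0,"D:PAR(A;;FA;;;BA)(A;;GRDC;;;SY)"
[Service General Setting]
"Alerter",4,"O:NSG:SYD:AR(A;;CCLCSWLOCRRC;;;AU)(A;;RPWPDTRC;;;RD)"
'''

if __name__ == "__main__":
    for no, abbr, account in scan_template(SAMPLE):
        print(f"line {no}: {abbr} ({account}) is not known to Windows 2000")
```

Only the trustee position of each ACE and the owner and group fields are checked, so a rights string such as GRDC, which happens to contain the letters RD, is not reported.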