I've had a number of questions around the *.ADM templates that come with a Windows XP Service Pack 2 machine and what they do to the GPOs in an Active Directory Domain. With people using Server 2003 SP1 systems, I might get more questions being asked.  Both systems increase the length of strings beyond what the MMC console can take on a older OS (by older I mean PRE-XP-SP2).

I've already wirtten an article outlining the ADM template update process, how they get copied up to the domain controllers AND about how you need to choose the right process for your organization - default works great for almost all situations.

To make a long blog post shorter and to come to the point:
If you edit a GPO with an XP-SP2 or Server 2003 SP1 management console with the updated *.ADM templates, the default action is that the templates will be copied up to the Domain Controllers and overwrite the old ones. As a result of this action - all admin workstations (and servers) that are NOT XP-SP2 or Server 2003 SP1 need to be patched with the appropriate patch if they are going to be used to manage GPOs.

(that was short?)

You might want to read the details contained in Knowledge Base article 842933. It can be found here. Not to worry - no major testing require of this patch. No reboots are required (unless the GPO MMC or GPMC is open at the time of the patch - in which case, close it and patch again). Only the systems used to manage GPOs need to be patched. They apply to workstations that are running:

  • Windows XP PRIOR to Service Pack 2
  • All Windows 2000 Pro systems
  • Windows Server 2003 PRIOR to SP1
  • All Windows Server 2000 systems

 If you don't patch them - don't worry - you won't "break" your GPO by editing it with an older version of the console. You'll just have to be proficient at clicking 20 or so times on the OK button. ;-)