Why does SteadyState ADM break GPO viewability? RRS feed

  • Question

  • We're trying to implement Windows Steady State (WSS) v2.5, and we're having a problem with the ADM template that comes with the WSS install.

    We take the "SCTsettings.adm" that installs with WSS, copy it to a Vista (or Server 2008 x64) machine running Group Policy Management Console (GPMC) v6 and add the template to a new, blank GPO. If we go look at the settings tab, it looks fine (with no settings yet).

    I didn't get very granular in my testing, but the problem is easily reproduceable.  Go edit the ADM settings in User Config->Policies->Admin Templates->Classic Admin Templates->"All Windows SteadyState Restrictions"of the GPO. Some changes (enable the "Start menu Restrictions" with the default, sub settings checked) still allow the GPO settings to be viewed in the GPMC.  If you enable the "General Windows Restrictions" something breaks, and the GPO settings tab only gives a message:

    This occurs in both Vista and Server 2008, and if we remove the ADM, the GPO remains "broken". We can continue to edit the GPO and it appears to function. We just can't get a report on the settings.

    Frustratingly, if we bring up GPMC in XP, it displays all the settings without a hitch. We are not using the GPMC in XP anymore per a certain GPO guru's caution (Jeremy Moskowitz) that once you start working with GPOs in Vista, you should not attempt to also edit them from XP.  Here is a screenshot showing the same GPO settings in XP.

    Can anyone enlighten us as to what is going on and how to fix things?  It was suggested that this is a bug in the GPMC, but I'm hoping there is a faster solution.

    Information on when a more Vista oriented version of WSS (read: ADMX template and/or 64-bit), might be coming along would be appreciated too.

    Thursday, December 11, 2008 4:07 PM

All replies

  • So nobody else has seen this problem??

    Could someone with Vista or Server 2008 just try creating a new GPO, adding the ADM template for WSS, and making a few changes to see if you get the same result?

    Does it work fine for everybody else, or does nobody else has the same configuration?

    Wednesday, December 17, 2008 3:30 PM
  • I'd really appreciate anybody either confirming that they see this problem too or denying that it is a problem and GPMC works with the WSS ADM just fine for them .

    I'd really hate to call MS Product Support Services and have them say, "Gee, works for us.  Rebuild your domain and try again."! 

    Tuesday, January 6, 2009 6:26 PM
  • Same problem here, too - Windows Server 2008 DC environment and Vista clients.

    As I found out in another thread (cached page on Google), the "General Windows Restrictions" from the SteadyState policy break the view!

    I took a look at the SteadyState .adm file which settings were made by the "General Windows Restrictions". The only values standing out as being a bit odd were the GUID like "CodeIdentifiers" structure (Software Restriction policy - user).

    In fact, the CodeIdentifiers section is populated with partially incorrect values. You will get an exception in the policy editor when double-clicking on the user's Software Restriction Policy, "Designated File Types". Opening the "Designated File Types Properties", clicking on OK twice may already fix the policy/issue.

    I do, however, recommend to fully reset the user-based Software Restriction by deleting it and rebuilding it by hand (write the path rules down or make a screenshot beforehand). Thing is, creating a fresh policy would properly populate the "Designated File Types" properties with some default values. Take a look at the machine-based Software Restriction policy for reference. Or here:
    What is more, as soon as the report view in GPMC starts working it will show that there is invalid item data in the policy/rule entries - so my gut says it's highly recommended to rebuild the user-based Software Restrictions to remove any structural/integrity issues from the policy which probably might cause further diffuse troubles.

    I can only speculate that Windows XP had a different CodeIdentifiers format and that the policy was written in regard to the XP registry structure. Or XP just handles the erroneous/incomplete settings better. But as a conclusion I would say this is actually a template problem and is not a GPMC bug or malfunction. It should be fixed by the SteadyState team.

    Another culprit beaten! Such a ____! ;-)

    Now I can lunch in peace :-)


    Regards, Markus
    • Edited by IT-Marky Wednesday, May 6, 2009 2:11 PM Reset of Software Restriction Policy now recommended after testing
    Tuesday, May 5, 2009 10:18 AM
  • This is still an issue that needs to be fixed.  I cannot view SteadyState GPO settings from my Windows 7 PC or I get this error:

    An error occurred while generating report:
    Object reference not set to an instance of an object.

    I have to log into a Server 2003 Domain Controller to view settings.
    Has anyone found an official fix (not hacking around with a homemade fix)?
    Tuesday, November 24, 2009 4:41 PM
  • Has anyone ever found a fix for this?  I am having the same issue and would like to avoid rebuilding the GPOs if I can.  For now at least.

    Monday, August 13, 2012 9:05 PM