NetIQ Group Policy Administrator 4.5
NetIQ Group Policy Administrator 4.6
NetIQ Group Policy Administrator 5.0
Error: 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 bytes.'
Unable to generate a Settings report or Health Check report on a GPO that has a large number of ACEs.
Report displays 'no settings defined' for all categories on a GPO that has a large number of ACEs.
The GPA console crashes while attempting to run a report on a GPO that has a large number of ACEs.
The GP Studio database has a size limitation of 7200 bytes for GPO security descriptors. If GPA was upgraded from a version prior to 4.5, there may be preexisting GPOs in the GP Repository that exceed this size limitation for the security descriptor and may cause the symptoms above.
In versions 4.5 and later, GPA displays the error message 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 bytes' if you attempt to add an excess number of ACEs to a GPO inside the GP Repository, or if you attempt to import a GPO which has a security descriptor that exceeds the limitation of 7200 bytes.
The workaround is to reduce the number of groups in the security descriptor by creating a small number of new groups and placing the existing groups into the new groups. Remove the old groups from the security descriptor, and then add the new consolidated groups. Perform these changes in Active Directory. Adding the new consolidated groups and removing the old groups should reduce the size of the security descriptor. Then import the GPO into the GP Repository and run the Settings report and Health Check reports to confirm that they work. If the security descriptor is still too long, the import process generates a message stating 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 bytes.'