Error: 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 byt (NETIQKB49903)

  • 7749903
  • 02-Feb-2007
  • 05-Sep-2007

Resolution

fact
NetIQ Group Policy Administrator 4.5

fact
NetIQ Group Policy Administrator 4.6

fact
NetIQ Group Policy Administrator 5.0

symptom
Error: 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 bytes.'

symptom
Unable to generate a Settings report or Health Check report on a GPO that has a large number of ACEs.

symptom
Report displays 'no settings defined' for all categories on a GPO that has a large number of ACEs.

symptom
The GPA console crashes while attempting to run a report on a GPO that has a large number of ACEs.

cause

The GP Studio database has a size limitation of 7200 bytes for GPO security descriptors. If GPA was upgraded from a version prior to 4.5, there may be preexisting GPOs in the GP Repository that exceed this size limitation for the security descriptor and may cause the symptoms above.

In versions 4.5 and later, GPA displays the error message 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 bytes' if you attempt to add an excessive number of ACEs to a GPO inside the GP Repository, or if you attempt to import a GPO whose security descriptor exceeds the 7200-byte limitation.

fix
The workaround is to reduce the number of groups in the security descriptor. Create a small number of new groups and place the existing groups into them. Then remove the old groups from the security descriptor and add the new consolidated groups. Perform these changes in Active Directory. Replacing the old groups with the new consolidated groups should reduce the size of the security descriptor. Next, import the GPO into the GP Repository and run the Settings report and Health Check report to confirm that they work. If the security descriptor is still too large, the import process generates the message 'GPO import failed: GPR cannot import the GPOs with security descriptors larger than 7200 bytes.'
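One way to find affected GPOs before and after consolidating groups, shown as an added example that is not part of the original article or of NetIQ's tooling. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the size GPA checks is close to the binary length of the GPO object's nTSecurityDescriptor in Active Directory; the article does not state exactly how GPA measures it, so treat values near the limit as suspect.

```powershell
# Added example: list GPOs by security descriptor size and flag those over
# the 7200-byte limit described in this article.
# Assumption: GPA's check is close to the binary length of the descriptor
# stored on the groupPolicyContainer object in Active Directory.
Import-Module ActiveDirectory

$LimitBytes = 7200
$domainDN   = (Get-ADDomain).DistinguishedName
$sidType    = [System.Security.Principal.SecurityIdentifier]

Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDN" `
             -LDAPFilter '(objectClass=groupPolicyContainer)' `
             -Properties displayName, nTSecurityDescriptor |
ForEach-Object {
    $gpo   = $_
    $sd    = $gpo.nTSecurityDescriptor

    # Size of the whole descriptor (owner, group and ACLs) in binary form.
    $bytes = $sd.GetSecurityDescriptorBinaryForm().Length

    # All ACEs, explicit and inherited, with trustees kept as SIDs so that
    # unresolvable accounts do not cause a translation error.
    $aces     = @($sd.GetAccessRules($true, $true, $sidType))
    $trustees = @($aces | ForEach-Object { $_.IdentityReference.Value } |
                  Sort-Object -Unique)

    [pscustomobject]@{
        GPO       = $gpo.displayName
        Guid      = $gpo.Name          # the GPO GUID, including braces
        SDBytes   = $bytes
        AceCount  = $aces.Count
        Trustees  = $trustees.Count    # distinct groups/users with ACEs
        OverLimit = $bytes -gt $LimitBytes
    }
} |
Sort-Object SDBytes -Descending |
Format-Table -AutoSize
```

GPOs with a high `Trustees` count are the ones where consolidating groups removes the most ACEs; rerun the script after the change to confirm `SDBytes` has dropped below the limit before importing.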

Additional Information

Formerly known as NETIQKB49903