SP4 Might Overwrite Local Security Policy Settings
If you use either a Group Policy Object (GPO) or the Microsoft Management Console (MMC) Local Security Policy snap-in to modify system security settings, the Windows 2000 Service Pack 4 (SP4) Setup utility can, in some cases, overwrite the active values with those that are stored in the most recent secedit.sdb template. For compatibility with Windows Server 2003 platforms, SP4 adds two new security-related privileges: "impersonate a client" and "create global objects." The security policy bug occurs when Setup adds these new privileges to the local user rights list. The documentation provides no details about why the security template might not contain current security settings but does state that after an SP4 upgrade, security options might revert to previous settings. While Microsoft continues to debug this problem, you can avoid this problem by forcing a refresh of the secedit.sdb security template---to do so, open the system's Local Security Policy before you start an SP4 upgrade. Read the Microsoft article "Local Security Policy Values Revert to the Values That Are Stored in SecEdit.sdb After You Install Windows 2000 Service Pack 4" (http://support.microsoft.com/?kbid=827664) for more details.
Terminal Services Shared File Bug Fix The network redirector mrxsmb.sys creates one data structure per computer for every user that accesses a shared file on a Win2K system. The redirector per-computer data structure causes problems when a Win2K system is configured as a Win2K Server Terminal Services server and multiple Terminal Services clients access the same file. To properly maintain connection information, the redirector needs one data structure for each client session. In the current implementation, when two or more Terminal Services clients open the same file and one of the clients closes the file, the redirector incorrectly closes the connection for all Terminal Services clients. You can find documentation about the unexpected behavior in two Microsoft articles: "Programs Run from Network Share on TS Close or Generate Errors" (http://support.microsoft.com/?kbid=294816) and "PRB: 'Error reading file' Error Message on Windows 2000 Terminal Services" (http://support.microsoft.com/?kbid=299603). Microsoft now has a permanent solution for this problem, which exists in all versions of Win2K through SP4. Call Microsoft Product Support Services (PSS) and ask for the June 4 version of the redirector components mrxsmb.sys and rdbss.sys. These new components have an option you can enable to create data structures on a per-user, rather than a per-computer, basis. On Terminal Services servers, after you install the new redirector, you need to activate the per-user data structure feature by modifying the registry. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters registry subkey, and add the value entry MultiUserEnabled:REG_DWORD: 1 in the right pane. Note that this modification is unnecessary on Win2K systems that aren't configured as Terminal Servers. For more information about this problem and solution, read the Microsoft article "Problems When More Than One User Accesses the Same File Through Terminal Services" (http://support.microsoft.com/?kbid=818528).
Major Citrix Logon Delays on SP4 Systems When you use a Citrix client to connect to a Win2K SP4 system running Citrix MetaFrame or Citrix 1.8 installation, plus Terminal Services, clients might wait for 5 to 30 minutes for the desktop to appear. This problem occurs only for clients running the ICA protocol and connecting to a Win2K system on which you have redirected printing to a local printer on the client system. PSS has a bug fix that solves this problem--updates to 12 files, most of which have a file release date of July 17. When you call PSS, cite the Microsoft article "Very Long Logon Time When You Try to Connect to Citrix MetaFrame or Citrix 1.8" (http://support.microsoft.com/?kbid=824309) as a reference.