We have a set of GPOs set at the domain level for the various security needs of this particular firm.
We kept getting the following error when the policies from those GPOs were trying to be set:
Event ID 1202 - SceCli: Security policies were propagated with warning: 0x4b8: An extended error has occur ed.Clicking on the link in the error brings up the Help & Support Center pointing to KB 324383: Troubleshooting SCECLI 1202 Events.
Scroll down to the 0x4b8 section and they ask you to change a registry setting to enable debug logging. Run a gpupdate /force instead of secedit BTW.
That didn't work for us, so, off to the next search that landed us on: KB 260715: Event ID 1000 and 1202 After Configuring Policies. Again, no help or at least the article couldn't help us, but it did bring up the following error when we went to check the local policy settings for the administrator:
Security Templates: The Group Policy security settings that apply to this machine could not be determined.Someone didn't have their spellcheck enabled on that last line - overridden! ;)
The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect.
All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
Any local security setting modified through this User Interface may subsequently be overidden by domain-level policies.
To check the local GP:
A quick search for the first line in the error error turned up the process we use to fix the database. Run the following command from the command line:
esentutl /p %windir%\security\database\secedit.sdb
And you will see the results will below:
Once that process finishes, run the following line from the same command line:
The system should ask to be rebooted once the domain GPOs have been processed. A successful SceCli should also now be in the App log.
Sure enough, once the system rebooted, all security policies were in place.
Buried about half way down (could have missed it) is the above command line fix: MCSE.MS: Re: Group Policy Security setting could not be determined.
Thanks to Doug Knox for sharing that fix!
Microsoft Small Business Specialists