Wednesday 20 June 2007

SBS 2K3 - Group Policy computer settings not applied

In the continuing saga of merging two FAT32 partitions on a set of TravelMate 8210 laptops we just delivered, we ran into a strange problem.

We have a set of GPOs set at the domain level for the various security needs of this particular firm.

We kept getting the following error whenever the policies from those GPOs were being applied:



Event ID 1202 - SceCli: Security policies were propagated with warning: 0x4b8: An extended error has occurred.
Clicking on the link in the error brings up the Help & Support Center pointing to KB 324383: Troubleshooting SCECLI 1202 Events.

Scroll down to the 0x4b8 section and they ask you to change a registry setting to enable debug logging. Run a gpupdate /force instead of secedit BTW.

That didn't work for us, so, off to the next search that landed us on: KB 260715: Event ID 1000 and 1202 After Configuring Policies. Again, no help or at least the article couldn't help us, but it did bring up the following error when we went to check the local policy settings for the administrator:


Security Templates: The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect.

All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
Any local security setting modified through this User Interface may subsequently be overidden by domain-level policies.
Someone didn't have their spellcheck enabled on that last line - overridden! ;)

To check the local GP:
  1. Start-->Run
  2. gpedit.msc
  3. [Enter]
Therein we find the key! The local security database is somehow toast.

A quick search for the first line of the error turned up the process we use to fix the database. Run the following command from the command line:

esentutl /p %windir%\security\database\secedit.sdb

And you will see the results of the repair in the command window.


Once that process finishes, run the following line from the same command line:

gpupdate /force

The system should ask to be rebooted once the domain GPOs have been processed. A successful SceCli event should also now be in the Application log.

Sure enough, once the system rebooted, all security policies were in place.

Buried about half way down (could have missed it) is the above command line fix: MCSE.MS: Re: Group Policy Security setting could not be determined.

Thanks to Doug Knox for sharing that fix!
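The same fix as a checked sequence, as an added example that is not part of the original post or of the MCSE.MS thread: it confirms the 0x4b8 warning, copies secedit.sdb before repairing it, runs the two commands above, then looks for a fresh SceCli event. The backup file name, the 7-day look-back, and the use of PowerShell are assumptions; event ID 1704 is the SceCli "applied successfully" event.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected machine.
$db     = Join-Path $env:windir 'security\database\secedit.sdb'
$backup = "$db.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"   # backup name is an assumption

# Return SceCli events from the Application log (1202 = warning, 1704 = success).
function Get-SceCliEvent {
    param([int[]]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'SceCli'; Id = $Id; StartTime = $Since
    } -ErrorAction SilentlyContinue
}

# 1. Confirm the symptom: a 1202 warning carrying the 0x4b8 code (7-day window assumed).
$before = Get-SceCliEvent -Id 1202 -Since (Get-Date).AddDays(-7) |
    Where-Object { $_.Message -match '0x4b8' }
if (-not $before) {
    Write-Warning 'No SceCli 1202 / 0x4b8 event in the last 7 days; not repairing.'
    return
}

# 2. Keep a copy first: esentutl /p is a repair that can discard damaged pages.
Copy-Item -LiteralPath $db -Destination $backup -ErrorAction Stop

# 3. Repair the database, then reapply policy (the two commands from the post).
& esentutl.exe /p $db
if ($LASTEXITCODE -ne 0) {
    throw "esentutl exited with code $LASTEXITCODE; backup is at $backup"
}
$start = Get-Date
& gpupdate.exe /force

# 4. Verify: the newest SceCli event since the refresh should be 1704, not 1202.
$after = Get-SceCliEvent -Id 1202, 1704 -Since $start |
    Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($after -and $after.Id -eq 1704) {
    'SceCli 1704 logged: security policy applied successfully.'
} elseif ($after) {
    Write-Warning "SceCli 1202 still logged at $($after.TimeCreated); backup is at $backup"
} else {
    Write-Warning 'No SceCli event yet; check the Application log again after the reboot.'
}
```

If gpupdate asks for a reboot before step 4 runs, check the Application log for the SceCli event once the machine is back up.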

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
