Group Policy

F

Fasahat

Dear Friends
I am getting this error on my Windows 2k Domain
Controller Application Log as,
Event ID=1000
Type =Error
Computer=DC
The Group Policy client side extension security was passed
flags(17) and returned a failure of status code of(5).

Source=Scecli
Event ID=1202
Type =Warning
Security Policies are Propogated with warning 0x5.Access
is denied.

i need your help guys

Best regards
Fasahat.
 
S

S.J.Haribabu

Hi,

I did research and found some articles on Error 1202

Troubleshooting SCECLI 1202 Events

SUMMARY
============
This article describes ways to troubleshoot and to resolve SCECLI 1202
events.

MORE INFORMATION
===================
The first step in troubleshooting these events is to identify the Win32
error code. This error code distinguishes the type of failure that causes
the SCECLI 1202 event. The following is an example of a SCECLI 1202 event.
The error code is shown in the Description field. In this example, the
error code is 0x534. The text after the error code is the error
description.
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: %ComputerName%
Description: Security policies are propagated with warning. 0x534: No
mapping between account names and security IDs was done. Please look for
more details in TroubleShooting section in Security Help.

After you determine the error code, find that error code section in this
article, and then follow the troubleshooting steps in that section

0x5: Access denied.
==================
This error typically occurs when the system has not been granted the
correct permissions to update the access control list of a service. This
may occur if the Administrator defines permissions for a service in a
policy but does not grant the System account Full Control permissions.

To troubleshoot this issue, follow these steps:
======================================
Determine which service or which object is having the failure. To do this,
enable debug logging for the Security Configuration client-side extension.
To do this:
Start Registry Editor.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7
9F83A}

On the Edit menu, click Add Value, and then add the following registry
value:
Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2

Quit Registry Editor.
Refresh the policy settings to reproduce the failure. To refresh the policy
settings, type the following at the command prompt, and then press ENTER:
secedit /refreshpolicy machine_policy /enforce

This creates a file that is named Winlogon.log in the
%SYSTEMROOT%\Security\Logs folder.
At the command prompt, type the following, and then press ENTER:
find /i "error opening" %SYSTEMROOT%\security\logs\winlogon.log

The Find output identifies the service with the misconfigured
permissions--for example, "Error opening Dnscache." Dnscache is the short
name for the DNS Client service.
Find out which policy or which policies are trying to modify the service
permissions. To do this, type the following at the command prompt, and then
press ENTER:
find /i "service" %SYSTEMROOT%\security\templates\policies\gpt*.*".

The following is a sample command and its output:
d:\>find /i "dnscache" %windir%\security\templates\policies\gpt*.*

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
Dnscache,3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM

Determine which GPO contains the problem setting. Search the cached
security template that you identified in step 4 for the text "GPOPath=." In
this example, you would see the following:
GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE

Between "GPOPath=" and "\MACHINE" is the GUID of the GPO.
To find the friendly name of the GPO, use the Resource Kit utility
Gpotool.exe. Type the following at the command prompt, and then press ENTER:
gpotool /verbose

Search the output for the GUID that you identified in step 5. The four
lines that follow the GUID contain the friendly name of the policy. For
example:
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Policy OK
Details:
------------------------------------------------------------
DC: domcntlr1.wingtiptoys.com
Friendly name: Default Domain Controllers Policy

Now you have identified the service with the misconfigured permissions and
the problem GPO. To resolve the problem, search the System Services section
of the security policy for instances of the service with the misconfigured
permissions, and then take corrective action to grant the System account
Full Control permissions to the service.

For more information look at
http://support.microsoft.com/default.aspx?scid=kb;en-us;324383

Also look for Event ID 1000 and 1202 After Configuring Policies at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;260715

Thanks,

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Userenv/SceCli Event Messages 4
Event ID: 1000 and 1202 after loading image to machine 1
Event ID 1202 (SceCli) 0
application error 1202 and 1000 1
Event IDs 1000 and 1202 1
Group Policy Errors 6
SceCli Id.: 1202 1
Problems in event log 1

Top