Wednesday, July 9, 2008

Cannot open Local or Group Security Policy Console

A colleague of mine just had an issue that I thought was worth posting about, as I could not find an MS article for the fix. We had a request to change the LAN Manager Authentication Level setting from its default, Send LM & NTLM responses, to Send LM & NTLM - use NTLMv2 session security if negotiated.

However, when navigating to Security Options under Local Computer Policy > Windows Settings > Security Settings > Local Policies, the following error was generated:

"The Group Policy security settings that apply to this machine could not be determined. The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect."

We also had the application vendor contact us to say that the Windows SharePoint Services (WSS) sites were down. Checking the event log showed many errors. The vendor and my colleague thought that the vendor had corrupted the WSS database and were considering a reinstall.

Using standard troubleshooting technique, I started by checking what was last changed. So I opened the Local Security Policy console via Administrative Tools and, sure enough, received the same security policy database error.

I opened a command prompt and browsed to C:\Windows\Security\database. I then backed up the whole C:\Windows\Security folder before trying to check the state of the SDB file with esentutl.exe. Those familiar with Exchange will recognise this tool.

i.e. esentutl.exe /mh C:\Windows\Security\database\secedit.sdb

This showed that the database was in a clean shutdown state. I thought, OK, let's try a repair and defragmentation:

i.e. esentutl /p secedit.sdb
esentutl /d secedit.sdb

After this I still had the same error, so I restored the backup copy of the C:\Windows\Security folder I had made before changing anything. I was then able to find mention of a registry key that could cause this issue. According to MS PSS, changing the NTLM setting can write extra entries to the following registry key, and if any entries other than "Default" and "Auth2" exist in this key it can generate this error. I therefore exported this key and deleted the two extra entries.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth2"="RASSFM"
"ntlmminclientsec"=dword:20080030
"ntlmminserversec"=dword:20080030

Please note that after deleting these entries there can be a delay before the problem resolves. I allowed about 30 minutes and then checked: the problem was resolved, I could open the Local Security Policy console, and the WSS errors were gone.
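For anyone wanting to check a machine for this condition before touching anything, here is a read-only PowerShell audit I have added to this post (it is not from MS PSS or the KB article). It lists every value under the MSV1_0 key other than "Default" and "Auth2", and shows the current LmCompatibilityLevel value that backs the LAN Manager Authentication Level setting. It assumes, as in the post, that "Default" refers to the key's unnamed (default) value.

```powershell
# Added example, not part of the original post: read-only audit of the
# MSV1_0 key described above. Nothing is modified by this script.
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption (from the post): only these two entries are expected here.
$ExpectedNames = @('Default', 'Auth2')

function Get-UnexpectedMsv10Values {
    param([string]$Path = $Msv10Key)
    $item = Get-Item -Path $Path
    # GetValueNames() reports the unnamed (default) value as ''; map it to
    # the name the post uses so it is matched against $ExpectedNames.
    $names = $item.GetValueNames() | ForEach-Object {
        if ($_ -eq '') { 'Default' } else { $_ }
    }
    $names | Where-Object { $ExpectedNames -notcontains $_ }
}

$unexpected = @(Get-UnexpectedMsv10Values)
if ($unexpected.Count -gt 0) {
    foreach ($name in $unexpected) {
        $data = (Get-ItemProperty -Path $Msv10Key -Name $name).$name
        if ($data -is [int]) {
            # Show DWORDs in hex to match the exported .reg listing above.
            Write-Output ('Unexpected value: "{0}"=dword:{1:x8}' -f $name, $data)
        } else {
            Write-Output ('Unexpected value: "{0}"="{1}"' -f $name, $data)
        }
    }
    Write-Output 'Export the key before removing anything, e.g.:'
    Write-Output 'reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" MSV1_0-backup.reg'
} else {
    Write-Output 'MSV1_0 contains only the expected Default and Auth2 entries.'
}

# LmCompatibilityLevel is the registry value behind the LAN Manager
# Authentication Level policy; it is absent when the OS default applies.
$lsa = Get-ItemProperty -Path $LsaKey
if ($null -ne $lsa.LmCompatibilityLevel) {
    Write-Output ('LmCompatibilityLevel = {0}' -f $lsa.LmCompatibilityLevel)
} else {
    Write-Output 'LmCompatibilityLevel not set (OS default in effect).'
}
```

Run it from an elevated prompt; if it reports extra values, take the export it suggests and then remove them the way the post describes, remembering the delay before the console starts working again.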

Further Information
You cannot determine Group Policy security settings on a Windows Server 2003, Enterprise Edition-based computer
http://support.microsoft.com/kb/932461

1 comment:

Jasina said...

That was a useful solution which helped me get rid of the error. Thanks for the posting. Sometimes you win before Microsoft! Keep posting.