Discussion:
SceCli Error 1202 filling up the Event Log!
(too old to reply)
Cameron Dorrough
2005-02-22 04:12:30 UTC
Permalink
Since yesterday we are getting the following error on our main file server
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been touched.
Our other DC's are reporting that "Security policy has been applied
successfully".

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Description:
Security policies are propagated with warning. 0x4b8 : An extended error has
occurred.

I've read through the JSI and Microsoft articles I can find on this, but all
seem to rely on associated error messages to find the fault. FWIW, the
Winlogon.log file shows:

Error 1208: An extended error has occurred.
Error deleting SCP.

Help! What is going on??

Thanks,
Cameron:-)
Jerold Schulman
2005-02-22 13:38:08 UTC
Permalink
The folowing articels were returned from the KB with a boolean search (scecli and 1202 and (1208 or 0x4b8)):
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After Configuring Policies "
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412 and 454 are logged repeatedly in the Application log "
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs Message Reports Lack of Mapping Between Account Names and Security IDs Inability to Find Power Users "
http://support.microsoft.com?kbid=296854 "Restricted Groups Are Limited to Local Domain Members Only "
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202 Events "
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read Template Information#34 Error Message When You Try to View a Windows XP-based Template in a Windows 2000 Domain "
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy setting may not remove security identifiers in Windows 2000 Server "
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file server
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been touched.
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended error has
occurred.
I've read through the JSI and Microsoft articles I can find on this, but all
seem to rely on associated error messages to find the fault. FWIW, the
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Cameron Dorrough
2005-02-22 22:49:42 UTC
Permalink
Post by Cameron Dorrough
I've read through the JSI and Microsoft articles I can find on this,
but all seem to rely on ***associated error messages to find the fault***.
(emphasis added)

I've looked through most if not all of those articles but can find nothing
that refers to the "0x4b8 error every five minutes" on it's own.

Could you please point me in the right direction (ie. not around in
circles)?? :-)

Thanks,
Cameron:-)
Post by Cameron Dorrough
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After Configuring Policies "
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Cameron Dorrough
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Cameron Dorrough
http://support.microsoft.com?kbid=296854 "Restricted Groups Are Limited to
Local Domain Members Only "
Post by Cameron Dorrough
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202 Events "
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read Template
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Cameron Dorrough
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Cameron Dorrough
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file server
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been touched.
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended error has
occurred.
I've read through the JSI and Microsoft articles I can find on this, but all
seem to rely on associated error messages to find the fault. FWIW, the
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Cameron Dorrough
2005-02-22 23:01:08 UTC
Permalink
Okay, maybe I should have been a bit more specific..

The bottom part of my Winlogon.log shows:

Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----

Does anyone know how I can fix this?

Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After Configuring Policies "
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are Limited to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202 Events "
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read Template
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file server
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been touched.
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended error has
occurred.
I've read through the JSI and Microsoft articles I can find on this, but all
seem to rely on associated error messages to find the fault. FWIW, the
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Glenn L
2005-03-01 00:04:02 UTC
Permalink
I suggest you turn up winlogon logging to possibly get more detail on this.


Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
{827D319E-6EAC-11D2-A4EA-00C04F79F83A

Registry Setting - Add the REG_DWORD value "ExtensionDebugLevel"
and set it to 0x2

Then execute a gpupdate /force
verify you get the 1202 event

Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are Limited to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read Template
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended error
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on this, but
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault. FWIW, the
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Cameron Dorrough
2005-03-01 02:22:04 UTC
Permalink
Thanks Glenn, I'd already set the ExtensionDebugLevel to 0x2.. is there
anything else I can do?

The App Log is filling up every couple of days with the SceCli error and
nothing else! If there were any other errors, this might have been fixed by
now. I'll include the entire Winlogon.log file below. None of it means
anything to me (or to Microsoft apparently):

*************************
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
03/01/2005 13:09:58
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\disablecad
.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\print\providers\lanman
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----

----Un-initialize configuration engine...

I am rather frustrated but I do appreciate your help.

BTW, 'gpupdate' doesn't seem to work, but 'secedit' does and that's how I
generated the above..

Thanks again,
Cameron:-)
Post by Glenn L
I suggest you turn up winlogon logging to possibly get more detail on this.
Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
{827D319E-6EAC-11D2-A4EA-00C04F79F83A
Registry Setting - Add the REG_DWORD value "ExtensionDebugLevel"
and set it to 0x2
Then execute a gpupdate /force
verify you get the 1202 event
Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are Limited to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read Template
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended error
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on this, but
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault. FWIW, the
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Glenn L
2005-03-01 04:45:39 UTC
Permalink
I have never seen "Error deleting SCP" and don't really know specifically
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.

The procedure is straight forward, however you need to prepare for it and
plan for a short outage in service.
This is just a member server right?
the database (local group policy) contains out of the box security settings.
If you have made any modifications to the local group policy under "computer
configuration\windows settings\security settings, you should inventory those
settings.
Once the settings are inventoried, do the following:

browse to c:\windows\security\database & rename secedit.sdb
browse to c:\windows\security & rename edb.chk, edb.log, res1.log, &
res2.log
reboot the server. A new blank database, chkpoint, and logs will be
created.
All default out of the box security and local group policy settings are gone
at this point.
You need to reapply them to the server.
follow the procedure in http://support.microsoft.com/?kbid=313222
This works on W2K and W2K3 server as well.
Then reapply local security settings you inventoried previously.
At this point you should be able to execute a gpupdate /force and get a
*happy* scecli 1704 event.

Cheers!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Thanks Glenn, I'd already set the ExtensionDebugLevel to 0x2.. is there
anything else I can do?
The App Log is filling up every couple of days with the SceCli error and
nothing else! If there were any other errors, this might have been fixed by
now. I'll include the entire Winlogon.log file below. None of it means
*************************
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
03/01/2005 13:09:58
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\disablecad
.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\print\providers\lanman
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
----Un-initialize configuration engine...
I am rather frustrated but I do appreciate your help.
BTW, 'gpupdate' doesn't seem to work, but 'secedit' does and that's how I
generated the above..
Thanks again,
Cameron:-)
Post by Glenn L
I suggest you turn up winlogon logging to possibly get more detail on
this.
Post by Glenn L
Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
{827D319E-6EAC-11D2-A4EA-00C04F79F83A
Registry Setting - Add the REG_DWORD value "ExtensionDebugLevel"
and set it to 0x2
Then execute a gpupdate /force
verify you get the 1202 event
Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are
Limited
to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read
Template
Post by Glenn L
Post by Cameron Dorrough
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended
error
Post by Glenn L
Post by Cameron Dorrough
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on this,
but
Post by Glenn L
Post by Cameron Dorrough
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault. FWIW,
the
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Cameron Dorrough
2005-03-01 06:54:24 UTC
Permalink
Post by Glenn L
I have never seen "Error deleting SCP" and don't really know specifically
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.
Thanks heaps, Glenn - that is exactly the sort of info I need! :-)

I will try that and let you know how I get on.

Cameron:-)
Cameron Dorrough
2005-03-01 22:21:35 UTC
Permalink
Glenn, it works!! :-)

I followed your procedure late last night and checked the event log this
morning and it is now full of nice blue information messages. Thanks
heaps - now I can get back to some real work! :-)

Stuff knows what went wrong - AFAIK nobody had touched the machine or
changed policy settings in ages..

I've left your instructions below in case anyone else ever has a similar
issue (one change - I had to boot into Safe mode to change the file names..
;-)

Have a great day.

Cameron:-)
Post by Glenn L
I have never seen "Error deleting SCP" and don't really know specifically
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.
The procedure is straight forward, however you need to prepare for it and
plan for a short outage in service.
This is just a member server right?
the database (local group policy) contains out of the box security settings.
If you have made any modifications to the local group policy under "computer
configuration\windows settings\security settings, you should inventory those
settings.
browse to c:\windows\security\database & rename secedit.sdb
browse to c:\windows\security & rename edb.chk, edb.log, res1.log, &
res2.log
reboot the server. A new blank database, chkpoint, and logs will be
created.
All default out of the box security and local group policy settings are gone
at this point.
You need to reapply them to the server.
follow the procedure in http://support.microsoft.com/?kbid=313222
This works on W2K and W2K3 server as well.
Then reapply local security settings you inventoried previously.
At this point you should be able to execute a gpupdate /force and get a
*happy* scecli 1704 event.
Cheers!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
LThibx
2005-03-31 20:57:03 UTC
Permalink
Glenn,

I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually replace my
Win2000 DC (2 separate machines). I receive the same error on my Win2003
box. My Win2000 DC applies GP fine. I have attempted your solution, but
after restarting the Win2003 server, the secedit.sdb database does not get
rebuilt, thought the log and chk files do. I know receive different events
the in Applicaiton log, due the non existence of the secedit.sdb. I have
found KB article 278316 which describes how to recreate it, but when I
attempt to import any .inf template. I receive messages under two scenarios:



I have been unsuccessful in recreating the secedit.sdb. I found KB
articleCan you provide any insight?
Post by Glenn L
I have never seen "Error deleting SCP" and don't really know specifically
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.
The procedure is straight forward, however you need to prepare for it and
plan for a short outage in service.
This is just a member server right?
the database (local group policy) contains out of the box security settings.
If you have made any modifications to the local group policy under "computer
configuration\windows settings\security settings, you should inventory those
settings.
browse to c:\windows\security\database & rename secedit.sdb
browse to c:\windows\security & rename edb.chk, edb.log, res1.log, &
res2.log
reboot the server. A new blank database, chkpoint, and logs will be
created.
All default out of the box security and local group policy settings are gone
at this point.
You need to reapply them to the server.
follow the procedure in http://support.microsoft.com/?kbid=313222
This works on W2K and W2K3 server as well.
Then reapply local security settings you inventoried previously.
At this point you should be able to execute a gpupdate /force and get a
*happy* scecli 1704 event.
Cheers!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Thanks Glenn, I'd already set the ExtensionDebugLevel to 0x2.. is there
anything else I can do?
The App Log is filling up every couple of days with the SceCli error and
nothing else! If there were any other errors, this might have been fixed by
now. I'll include the entire Winlogon.log file below. None of it means
*************************
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
03/01/2005 13:09:58
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\disablecad
.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\print\providers\lanman
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
----Un-initialize configuration engine...
I am rather frustrated but I do appreciate your help.
BTW, 'gpupdate' doesn't seem to work, but 'secedit' does and that's how I
generated the above..
Thanks again,
Cameron:-)
Post by Glenn L
I suggest you turn up winlogon logging to possibly get more detail on
this.
Post by Glenn L
Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
{827D319E-6EAC-11D2-A4EA-00C04F79F83A
Registry Setting - Add the REG_DWORD value "ExtensionDebugLevel"
and set it to 0x2
Then execute a gpupdate /force
verify you get the 1202 event
Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are
Limited
to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read
Template
Post by Glenn L
Post by Cameron Dorrough
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended
error
Post by Glenn L
Post by Cameron Dorrough
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on this,
but
Post by Glenn L
Post by Cameron Dorrough
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault. FWIW,
the
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
LThibx
2005-03-31 21:15:02 UTC
Permalink
Please excuse my first post. My first message was inadvertantly posted
before it was complete.

Glenn,

I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually replace my
Win2000 DC (2 separate machines). I receive the same error on my Win2003
box. My Win2000 DC applies GP fine. I have attempted your solution, but
after restarting the Win2003 server, the secedit.sdb database does not get
rebuilt, thought the log and chk files do.

I now receive different events the in Applicaiton log, due the non existence
of the secedit.sdb. I have found KB article 278316 which describes how to
recreate it, but when I attempt to import any .inf template. I receive
messages under two scenarios:
Using secedit.sdb as the database name to create, I receive 'Access is
denied.
Import Failed. Make sure that you have rith right permissions to this
object'.

Using some other db name, such as test.sdb, I receive 'An extended error
has
occured. Import Failed'

I receive the messages above regardless of the .inf I choose. I am logged
in as Admistrator.
Can you provide any insight?
Post by Cameron Dorrough
Glenn,
I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually replace my
Win2000 DC (2 separate machines). I receive the same error on my Win2003
box. My Win2000 DC applies GP fine. I have attempted your solution, but
after restarting the Win2003 server, the secedit.sdb database does not get
rebuilt, thought the log and chk files do. I know receive different events
the in Applicaiton log, due the non existence of the secedit.sdb. I have
found KB article 278316 which describes how to recreate it, but when I
I have been unsuccessful in recreating the secedit.sdb. I found KB
articleCan you provide any insight?
Post by Glenn L
I have never seen "Error deleting SCP" and don't really know specifically
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.
The procedure is straight forward, however you need to prepare for it and
plan for a short outage in service.
This is just a member server right?
the database (local group policy) contains out of the box security settings.
If you have made any modifications to the local group policy under "computer
configuration\windows settings\security settings, you should inventory those
settings.
browse to c:\windows\security\database & rename secedit.sdb
browse to c:\windows\security & rename edb.chk, edb.log, res1.log, &
res2.log
reboot the server. A new blank database, chkpoint, and logs will be
created.
All default out of the box security and local group policy settings are gone
at this point.
You need to reapply them to the server.
follow the procedure in http://support.microsoft.com/?kbid=313222
This works on W2K and W2K3 server as well.
Then reapply local security settings you inventoried previously.
At this point you should be able to execute a gpupdate /force and get a
*happy* scecli 1704 event.
Cheers!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Thanks Glenn, I'd already set the ExtensionDebugLevel to 0x2.. is there
anything else I can do?
The App Log is filling up every couple of days with the SceCli error and
nothing else! If there were any other errors, this might have been fixed by
now. I'll include the entire Winlogon.log file below. None of it means
*************************
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
03/01/2005 13:09:58
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\disablecad
.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\print\providers\lanman
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
----Un-initialize configuration engine...
I am rather frustrated but I do appreciate your help.
BTW, 'gpupdate' doesn't seem to work, but 'secedit' does and that's how I
generated the above..
Thanks again,
Cameron:-)
Post by Glenn L
I suggest you turn up winlogon logging to possibly get more detail on
this.
Post by Glenn L
Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
{827D319E-6EAC-11D2-A4EA-00C04F79F83A
Registry Setting - Add the REG_DWORD value "ExtensionDebugLevel"
and set it to 0x2
Then execute a gpupdate /force
verify you get the 1202 event
Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000 1202 412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are
Limited
to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read
Template
Post by Glenn L
Post by Cameron Dorrough
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now, the box
hasn't been touched for over a month and Group Policys haven't been
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended
error
Post by Glenn L
Post by Cameron Dorrough
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on this,
but
Post by Glenn L
Post by Cameron Dorrough
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault. FWIW,
the
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Cameron Dorrough
2005-03-31 23:12:35 UTC
Permalink
Hi. A quick question: Are you doing this in Safe Mode??

My system has been fine ever since. Good luck :-)

Cameron:-)
Post by LThibx
Please excuse my first post. My first message was inadvertantly posted
before it was complete.
Glenn,
I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually replace my
Win2000 DC (2 separate machines). I receive the same error on my Win2003
box. My Win2000 DC applies GP fine. I have attempted your solution, but
after restarting the Win2003 server, the secedit.sdb database does not get
rebuilt, thought the log and chk files do.
I now receive different events the in Applicaiton log, due the non existence
of the secedit.sdb. I have found KB article 278316 which describes how to
recreate it, but when I attempt to import any .inf template. I receive
Using secedit.sdb as the database name to create, I receive 'Access is
denied.
Import Failed. Make sure that you have rith right permissions to this
object'.
Using some other db name, such as test.sdb, I receive 'An extended error
has
occured. Import Failed'
I receive the messages above regardless of the .inf I choose. I am logged
in as Admistrator.
Can you provide any insight?
Post by Cameron Dorrough
Glenn,
I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually replace my
Win2000 DC (2 separate machines). I receive the same error on my Win2003
box. My Win2000 DC applies GP fine. I have attempted your solution, but
after restarting the Win2003 server, the secedit.sdb database does not get
rebuilt, thought the log and chk files do. I know receive different events
the in Applicaiton log, due the non existence of the secedit.sdb. I have
found KB article 278316 which describes how to recreate it, but when I
I have been unsuccessful in recreating the secedit.sdb. I found KB
articleCan you provide any insight?
Post by Glenn L
I have never seen "Error deleting SCP" and don't really know specifically
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.
The procedure is straight forward, however you need to prepare for it and
plan for a short outage in service.
This is just a member server right?
the database (local group policy) contains out of the box security settings.
If you have made any modifications to the local group policy under "computer
configuration\windows settings\security settings, you should inventory those
settings.
browse to c:\windows\security\database & rename secedit.sdb
browse to c:\windows\security & rename edb.chk, edb.log, res1.log, &
res2.log
reboot the server. A new blank database, chkpoint, and logs will be
created.
All default out of the box security and local group policy settings are gone
at this point.
You need to reapply them to the server.
follow the procedure in http://support.microsoft.com/?kbid=313222
This works on W2K and W2K3 server as well.
Then reapply local security settings you inventoried previously.
At this point you should be able to execute a gpupdate /force and get a
*happy* scecli 1704 event.
Cheers!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Thanks Glenn, I'd already set the ExtensionDebugLevel to 0x2.. is there
anything else I can do?
The App Log is filling up every couple of days with the SceCli error and
nothing else! If there were any other errors, this might have been
fixed
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
by
now. I'll include the entire Winlogon.log file below. None of it means
*************************
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
03/01/2005 13:09:58
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\disablecad
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
thoutlogon.
Analyze
machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\lsa\crashonauditfail.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\lsa\restrictanonymous.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\print\providers\lanman
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session
manager\memory
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
----Un-initialize configuration engine...
I am rather frustrated but I do appreciate your help.
BTW, 'gpupdate' doesn't seem to work, but 'secedit' does and that's how I
generated the above..
Thanks again,
Cameron:-)
Post by Glenn L
I suggest you turn up winlogon logging to possibly get more detail on
this.
Post by Glenn L
Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
{827D319E-6EAC-11D2-A4EA-00C04F79F83A
Registry Setting - Add the REG_DWORD value
"ExtensionDebugLevel"
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
and set it to 0x2
Then execute a gpupdate /force
verify you get the 1202 event
Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template
C:\WINNT\security\templates\policies\gpt00000.dom.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean search
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202 After
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000
1202
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332 Occurs
Message Reports Lack of Mapping Between Account Names and Security IDs
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are
Limited
to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI 1202
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read
Template
Post by Glenn L
Post by Cameron Dorrough
Information#34 Error Message When You Try to View a Windows XP-based
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups policy
setting may not remove security identifiers in Windows 2000 Server "
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main file
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now,
the
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
box
hasn't been touched for over a month and Group Policys haven't been
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been applied
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An extended
error
Post by Glenn L
Post by Cameron Dorrough
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on this,
but
Post by Glenn L
Post by Cameron Dorrough
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault.
FWIW,
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
the
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
LThibx
2005-04-01 15:05:05 UTC
Permalink
Cameron,

Thanks for responding.

Yes, my process was:
Boot to safe mode.
Rename the files as Glenn stated, including secedit.sdb, then reboot to
normal
mode.
In my case the secedit.sdb file does not get recreated. I even attempted to
recreate it manually using either the Security Configuration and Analysis
console (which I described in my previous message), or the command: "Secedit
/configure /db secedit.sdb /cfg 'DC Security.inf' /overwrite /log dcsec.log"

I even tried copying my secedit.sdb from my Win2000 machine. I get the same
1202 event and either 0x428 or 0x4b8.

BTW. I put my Win2003 original back in place. Until 3:35 this morning, I
receive the 1202 error with a code of 0x428. After 3:35 AM it changes to
0x4b8 (at this time I start receiving the 'error deleting scp' in
Winlogon.log. I have pasted the log at this time period:
----------------------------------------------------------------------------------------------
*** This generates a 0x428 - An exception error occurred in the service when
handling the control request ***
-------------------------------------------
Friday, April 01, 2005 3:30:43 AM
Administrative privileged user logged on.
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...
**************************

Error 0 to send control flag 1 over to server.

Make a local copy of
\\tclafayette1.local\sysvol\tclafayette1.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of
\\tclafayette1.local\sysvol\tclafayette1.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
Friday, April 01, 2005 3:35:52 AM
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Copy undo values to the merged policy.


----Un-initialize configuration engine...

Process GP template gpt00001.inf.

This is the last GPO : domain policy is ignored on DC.
-------------------------------------------
Friday, April 01, 2005 3:35:53 AM
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00001.inf.


----Un-initialize configuration engine...
-------------------------------------------
Friday, April 01, 2005 3:35:53 AM
Administrative privileged user logged on.
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...
**************************
*** At this point the error code changes to 0x4b8 - An extended error has
occurred ***


Error 0 to send control flag 1 over to server.

Make a local copy of
\\tclafayette1.local\sysvol\tclafayette1.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of
\\tclafayette1.local\sysvol\tclafayette1.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
Friday, April 01, 2005 3:41:02 AM
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine was initialized with one or more errors.----


----Un-initialize configuration engine..
----------------------------------------------------------------------------------------------
If I try to view / edit my local security policy (secpol), I can access
certain parts with no error. When I attempt to access \Computer
Configuration\Windows Settings\Local Policies\User Rights Assignment or
..\Security Options, I recieve an error on secedit.sdb: An extended error has
occurred.

I believe its time to call MS, I can find no other info. There is a hotfix
for this error - KB 320099. Cameron, I wonder, do you already have the
patch, and maybe this is why you were able to resolve your issue?
My scesrv.dll version is: 5.2.3790.0, the hotfix version is: 5.2.3790.132

Thanks for listening :-)
LThibx
Post by Cameron Dorrough
Hi. A quick question: Are you doing this in Safe Mode??
My system has been fine ever since. Good luck :-)
Cameron:-)
Post by LThibx
Please excuse my first post. My first message was inadvertantly posted
before it was complete.
Glenn,
I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually replace
my
Post by LThibx
Win2000 DC (2 separate machines). I receive the same error on my Win2003
box. My Win2000 DC applies GP fine. I have attempted your solution, but
after restarting the Win2003 server, the secedit.sdb database does not get
rebuilt, thought the log and chk files do.
I now receive different events the in Applicaiton log, due the non
existence
Post by LThibx
of the secedit.sdb. I have found KB article 278316 which describes how to
recreate it, but when I attempt to import any .inf template. I receive
Using secedit.sdb as the database name to create, I receive 'Access is
denied.
Import Failed. Make sure that you have rith right permissions to this
object'.
Using some other db name, such as test.sdb, I receive 'An extended
error
Post by LThibx
has
occured. Import Failed'
I receive the messages above regardless of the .inf I choose. I am logged
in as Admistrator.
Can you provide any insight?
Post by Cameron Dorrough
Glenn,
I have the same exact problem that Cameron Dorrough had reported. I am
attempting to bring a new Win2003 DC online which will eventually
replace my
Post by LThibx
Post by Cameron Dorrough
Win2000 DC (2 separate machines). I receive the same error on my
Win2003
Post by LThibx
Post by Cameron Dorrough
box. My Win2000 DC applies GP fine. I have attempted your solution,
but
Post by LThibx
Post by Cameron Dorrough
after restarting the Win2003 server, the secedit.sdb database does not
get
Post by LThibx
Post by Cameron Dorrough
rebuilt, thought the log and chk files do. I know receive different
events
Post by LThibx
Post by Cameron Dorrough
the in Applicaiton log, due the non existence of the secedit.sdb. I have
found KB article 278316 which describes how to recreate it, but when I
attempt to import any .inf template. I receive messages under two
I have been unsuccessful in recreating the secedit.sdb. I found KB
articleCan you provide any insight?
Post by Glenn L
I have never seen "Error deleting SCP" and don't really know
specifically
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
what SCP stands for.
I don't know of any increased logging short of attaching a debugger to
winlogon.exe to find out what scecli.dll is doing when it applies.
However, I suspect this can be fixed by simply blowing away the local
security database and have it recreated.
The procedure is straight forward, however you need to prepare for it
and
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
plan for a short outage in service.
This is just a member server right?
the database (local group policy) contains out of the box security
settings.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
If you have made any modifications to the local group policy under
"computer
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
configuration\windows settings\security settings, you should inventory
those
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
settings.
browse to c:\windows\security\database & rename secedit.sdb
browse to c:\windows\security & rename edb.chk, edb.log, res1.log, &
res2.log
reboot the server. A new blank database, chkpoint, and logs will be
created.
All default out of the box security and local group policy settings
are gone
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
at this point.
You need to reapply them to the server.
follow the procedure in http://support.microsoft.com/?kbid=313222
This works on W2K and W2K3 server as well.
Then reapply local security settings you inventoried previously.
At this point you should be able to execute a gpupdate /force and get
a
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
*happy* scecli 1704 event.
Cheers!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Thanks Glenn, I'd already set the ExtensionDebugLevel to 0x2.. is
there
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
anything else I can do?
The App Log is filling up every couple of days with the SceCli error
and
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nothing else! If there were any other errors, this might have been
fixed
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
by
now. I'll include the entire Winlogon.log file below. None of it
means
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
*************************
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
03/01/2005 13:09:58
Administrative privileged user logged on.
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\disablecad
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ylastusername.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ecaption.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
etext.
Analyze
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
thoutlogon.
Analyze
machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\lsa\crashonauditfail.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\lsa\restrictanonymous.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Analyze
machine\system\currentcontrolset\control\print\providers\lanman
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session
manager\memory
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session
manager\protectionmode.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nect.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
edlogoff.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
uritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
eplaintextpassword.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
esecuritysignature.
Analyze
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
resecuritysignature.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
dchange.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
eal.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
ey.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nel.
Analyze
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
nel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl.
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Parsing template C:\WINNT\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
----Un-initialize configuration engine...
I am rather frustrated but I do appreciate your help.
BTW, 'gpupdate' doesn't seem to work, but 'secedit' does and that's
how I
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
generated the above..
Thanks again,
Cameron:-)
Post by Glenn L
I suggest you turn up winlogon logging to possibly get more detail
on
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
this.
Post by Glenn L
Registry Location -
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GPExtensions\
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
{827D319E-6EAC-11D2-A4EA-00C04F79F83A
Registry Setting - Add the REG_DWORD value
"ExtensionDebugLevel"
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
and set it to 0x2
Then execute a gpupdate /force
verify you get the 1202 event
Then review and post the winlogon.log to this thread.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Cameron Dorrough
Okay, maybe I should have been a bit more specific..
Parsing template
C:\WINNT\security\templates\policies\gpt00000.dom.
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
----Configuration engine is initialized with error.----
Does anyone know how I can fix this?
Thanks,
Cameron:-)
Post by Jerold Schulman
The folowing articels were returned from the KB with a boolean
search
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
http://support.microsoft.com?kbid=260715 "Event ID 1000 and 1202
After
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Configuring Policies "
Post by Jerold Schulman
http://support.microsoft.com?kbid=278316 "ESENT event IDs 1000
1202
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
412
and 454 are logged repeatedly in the Application log "
Post by Jerold Schulman
http://support.microsoft.com?kbid=285903 "At Startup Error 1332
Occurs
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Message Reports Lack of Mapping Between Account Names and
Security IDs
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Inability to Find Power Users "
Post by Jerold Schulman
http://support.microsoft.com?kbid=296854 "Restricted Groups Are
Limited
to
Local Domain Members Only "
Post by Jerold Schulman
http://support.microsoft.com?kbid=324383 "Troubleshooting SCECLI
1202
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Events "
Post by Jerold Schulman
http://support.microsoft.com?kbid=827012 "#34Windows Cannot Read
Template
Post by Glenn L
Post by Cameron Dorrough
Information#34 Error Message When You Try to View a Windows
XP-based
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Template in a Windows 2000 Domain "
Post by Jerold Schulman
http://support.microsoft.com?kbid=835901 "A Restricted Groups
policy
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
setting may not remove security identifiers in Windows 2000
Server "
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
On Tue, 22 Feb 2005 15:12:30 +1100, "Cameron Dorrough"
Post by Cameron Dorrough
Since yesterday we are getting the following error on our main
file
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
server
Post by Jerold Schulman
Post by Cameron Dorrough
every 5 minutes. There are no other errors and, up until now,
the
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
box
hasn't been touched for over a month and Group Policys haven't
been
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
touched.
Post by Jerold Schulman
Post by Cameron Dorrough
Our other DC's are reporting that "Security policy has been
applied
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
successfully".
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Security policies are propagated with warning. 0x4b8 : An
extended
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
error
Post by Glenn L
Post by Cameron Dorrough
has
Post by Jerold Schulman
Post by Cameron Dorrough
occurred.
I've read through the JSI and Microsoft articles I can find on
this,
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
but
Post by Glenn L
Post by Cameron Dorrough
all
Post by Jerold Schulman
Post by Cameron Dorrough
seem to rely on associated error messages to find the fault.
FWIW,
Post by LThibx
Post by Cameron Dorrough
Post by Glenn L
Post by Cameron Dorrough
the
Post by Glenn L
Post by Cameron Dorrough
Post by Jerold Schulman
Post by Cameron Dorrough
Error 1208: An extended error has occurred.
Error deleting SCP.
Help! What is going on??
Thanks,
Cameron:-)
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Cameron Dorrough
2005-04-03 23:34:46 UTC
Permalink
[snip]
I believe its time to call MS, I can find no other info. There is a hotfix
for this error - KB 320099. Cameron, I wonder, do you already have the
patch, and maybe this is why you were able to resolve your issue?
My scesrv.dll version is: 5.2.3790.0, the hotfix version is: 5.2.3790.132
I'm using ordinary Win2k Server with SP4 - no other fixes applied - and I
still have no idea why the problem happened in the first place...

IMHO, you've done pretty much all you can. If no-one else in this group can
help, then yep, it is probably time to make the call.
Thanks for listening :-)
LThibx
Glad to help.
Cameron:-)
Glenn L
2005-04-08 05:24:45 UTC
Permalink
You should post a fresh post in the group policy discussion groups on this.
Also, you are not likely to get too many eyes on a post that is over a month
old.

You can recreate the secedit.sdb database manually.
Here is the procedure. However, I think your box has bigger problems when
it cannot recreate it on its own. I don't have any ideas on that one.

open up the security configuration and analysis MMC snapin.
right click 'security configuration and analysis' and choose open database.
browse to c:\windows\security\database.
put secedit in the file name field and click open.
Then choose secsetup.inf from the windows\repair directory
You now have a new secedit.sdb populated with the settings in secsetup.inf
Close the security configuration and analysis snapin.
Reboot the computer.
Your 1202s should be gone.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by LThibx
[snip]
I believe its time to call MS, I can find no other info. There is a
hotfix
for this error - KB 320099. Cameron, I wonder, do you already have the
patch, and maybe this is why you were able to resolve your issue?
My scesrv.dll version is: 5.2.3790.0, the hotfix version is: 5.2.3790.132
I'm using ordinary Win2k Server with SP4 - no other fixes applied - and I
still have no idea why the problem happened in the first place...
IMHO, you've done pretty much all you can. If no-one else in this group can
help, then yep, it is probably time to make the call.
Thanks for listening :-)
LThibx
Glad to help.
Cameron:-)
LThibx
2005-04-08 15:19:05 UTC
Permalink
Glenn,

I just wanted to provide an update on my scenario. Since I posted my last
message, I had decided to start fresh. I completely scratched the machine
and reinstalled. (Actually, I did this twice). My procedure was:
1. Scratch and clean installation of Win2k3 Server.
2. Just for kicks, I ran secpol.msc and reviewed each section. I was able
to access all sections.
3. Did a DCPromo as a second DC in domain. Replicates fine. Soon I
begin to receive the 1202 errors with a code of 0x428.
4. I run secpol.msc and receive the errors I posted earler when
attempting to access the User Rights Assignments, and Security Options nodes.
BTW, at this point, if I attempt to create a new database (of any name) as
you described, I receive 'An extended error has occured, Import failed'.
5. Leaving this machine running, during the early morning, the code
changes from 0x428 to 0x4b8 - Error deleting SCP.
6. I applied W2k3 SP1, with hopes that this problem will go away.
Installed and applied fine. But I still receive the 1202 errors.
7. Also, my primary DC Win 2000 Server, does not have any such problems
and there is not problems accessing any nodes under local policy.

I agree that there is some other reason this is happening. In the past my
W2k DC had some issues and crashed a few times, and I had to recover AD. But
all seems well on that box.

I am now waiting to contact an OS support person from Dell.
Once this is resolved I will post the solution.

Thanks
LThibx
Post by Glenn L
You should post a fresh post in the group policy discussion groups on this.
Also, you are not likely to get too many eyes on a post that is over a month
old.
You can recreate the secedit.sdb database manually.
Here is the procedure. However, I think your box has bigger problems when
it cannot recreate it on its own. I don't have any ideas on that one.
open up the security configuration and analysis MMC snapin.
right click 'security configuration and analysis' and choose open database.
browse to c:\windows\security\database.
put secedit in the file name field and click open.
Then choose secsetup.inf from the windows\repair directory
You now have a new secedit.sdb populated with the settings in secsetup.inf
Close the security configuration and analysis snapin.
Reboot the computer.
Your 1202s should be gone.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by LThibx
[snip]
I believe its time to call MS, I can find no other info. There is a
hotfix
for this error - KB 320099. Cameron, I wonder, do you already have the
patch, and maybe this is why you were able to resolve your issue?
My scesrv.dll version is: 5.2.3790.0, the hotfix version is: 5.2.3790.132
I'm using ordinary Win2k Server with SP4 - no other fixes applied - and I
still have no idea why the problem happened in the first place...
IMHO, you've done pretty much all you can. If no-one else in this group can
help, then yep, it is probably time to make the call.
Thanks for listening :-)
LThibx
Glad to help.
Cameron:-)
Loading...