Microsoft KB Archive/932461

= You cannot determine Group Policy security settings on a Windows Server 2003, Enterprise Edition-based computer =

Article ID: 932461

Article Last Modified on 5/16/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
You experience the following symptoms on a Microsoft Windows Server 2003, Enterprise Edition-based computer:  You cannot determine Group Policy security settings. When you import a new Secedit.sdb database, the import process fails. Additionally, you receive the following error message:

An extended error has occurred. Import failed.

 If you delete the Secedit.sdb database, it is not rebuilt.



CAUSE
This problem occurs if specific Group Policy security settings are changed from their default settings. These security settings specify the minimum required security setting of server-side and client-side network connections for programs that use the NTLM security support provider (SSP).



RESOLUTION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, change the specific Group Policy settings to their default values. To do this, follow these steps:  Click Start, click Run, type Regedit, and then click OK. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

</li> Right-click NtlmMinServerSec, and then click Modify.</li> In the Value data box, type 0, and then click OK.</li> Right-click NtlmMinClientSec, and then click Modify.</li> In the Value data box, type 0, and then click OK.</li> Exit Registry Editor.</li></ol>

<div class="moreinformation_section">

NTLMv2 authentication
Session security determines the minimum security standards for client sessions and for server sessions. The following policies determine the minimum security standards for a program-to-program communications session on a server for a client:
 * Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
 * Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

Note These policies are located under Computer Settings\Windows Settings\Security Settings\Local Policies\Security Options in the Microsoft Management Console (MMC) Group Policy Object Editor snap-in.

The options for these security settings are as follows:
 * Require message integrity
 * Require message confidentiality
 * Require NTLM version 2 session security
 * Require 128-bit encryption

By default, there are no requirements for these settings.

Historically, Windows NT has supported the following two variants of challenge/response authentication for network logons:
 * LM challenge/response
 * NTLM version 1 challenge/response

LM allows for interoperability with the installed base of clients and servers. NTLM provides improved security for connections between clients and servers.

The following registry subkeys correspond to the challenge/response authentication variants:

Note If you select the Require NTLMv2 session security option, and then you set the LAN Manager authentication level to Send LM & NTLM responses (level 0), the two settings may conflict. In this case, the following error message may be logged in the Secpol.msc file or in the GPEdit.msc file:

Windows cannot open the local policy database. An unknown error occurred when attempting to open the database.

Keywords: kberrmsg kbtshoot kbexpertiseadvanced kbprb KB932461

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.