Microsoft KB Archive/306100

= Inconsistent Group Membership State after a Restricted Group Policy Is Enabled =

Article ID: 306100

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q306100



SYMPTOMS
After you establish a Group Policy object (GPO) that defines restricted groups, and then apply the group policy, the resulting group membership on the destination computer may be incomplete.

The first indication of this problem may be error messages in the Application log from the "SCECLI" source. These messages mention that the security policy was not applied.

One way to determine whether an error occurred during the processing of any given group is to check the log file. For additional information about how to enable debug logging, click the article number below to view the article in the Microsoft Knowledge Base:

245422 Enabling Logging for Security Configuration Client Processing

An example of this error might look like the following excerpt from the log that is listed in the preceding article:

 Configure Group Membership...
 Configure Power Users.
 Match - administrator.
 Match - newuser.
 add User2.
 Error 1387: A member could not be added to or removed from the local group because the member does not exist.
 error adding User2.
 Group Membership configuration completed with error



CAUSE
This problem can occur during the processing of the group policy. If one of the user accounts that is defined in the Restricted Groups policy cannot be validated (not found on the local computer or on the domain), that user and subsequent users in the group policy are not made members of the target group.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

   Date         Time      Version        Size     File name
   -----------------------------------------------------------
   05-Oct-2001  10:42:22  5.0.2195.4472  123,664  Adsldp.dll
   05-Oct-2001  10:42:22  5.0.2195.4308  130,832  Adsldpc.dll
   05-Oct-2001  10:42:24  5.0.2195.4016   62,736  Adsmsext.dll
   05-Oct-2001  10:42:22  5.0.2195.4384  364,816  Advapi32.dll
   05-Oct-2001  10:42:22  5.0.2195.4141  133,904  Dnsapi.dll
   05-Oct-2001  10:42:22  5.0.2195.4379   91,408  Dnsrslvr.dll
   05-Oct-2001  10:43:12  5.0.2195.4411  529,168  Instlsa5.dll
   05-Oct-2001  10:42:24  5.0.2195.4437  145,680  Kdcsvc.dll
   04-Oct-2001  21:00:18  5.0.2195.4471  199,440  Kerberos.dll
   04-Sep-2001  21:32:54  5.0.2195.4276   71,024  Ksecdd.sys
   27-Sep-2001  15:58:44  5.0.2195.4411  511,248  Lsasrv.dll
   06-Sep-2001  18:31:38  5.0.2195.4301   33,552  Lsass.exe
   27-Sep-2001  15:59:06  5.0.2195.4285  114,448  Msv1_0.dll
   05-Oct-2001  10:42:24  5.0.2195.4153  312,080  Netapi32.dll
   05-Oct-2001  10:42:24  5.0.2195.4357  370,448  Netlogon.dll
   05-Oct-2001  10:42:24  5.0.2195.4464  912,656  Ntdsa.dll
   05-Oct-2001  10:42:24  5.0.2195.4433  387,856  Samsrv.dll
   05-Oct-2001  10:42:24  5.0.2195.4117  111,376  Scecli.dll
   05-Oct-2001  10:42:24  5.0.2195.4476  299,792  Scesrv.dll
   05-Oct-2001  10:42:24  5.0.2195.4025   50,960  W32time.dll
   01-Aug-2001  21:44:16  5.0.2195.4025   56,592  W32tm.exe
   05-Oct-2001  10:42:22  5.0.2195.4433  125,712  Wldap32.dll



WORKAROUND
Use the logging that is described in the "Symptoms" section to isolate the user account that cannot be validated, and then remove that user from the restricted group in the GPO where it is defined.
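
The isolation step in this workaround can be scripted. The following is an added example, not part of the original article or of any Microsoft tool: it parses log text in the format of the excerpt shown under SYMPTOMS, reports which accounts failed and with which error code, and lists the intended members that never reached the group. The sample log and the `INTENDED` member list (including `User3`) are constructed, and real log lines may be formatted differently.

```python
import re

# Constructed sample, modelled on the log excerpt in this article.
SAMPLE_LOG = """\
Configure Group Membership...
    Configure Power Users.
        Match - administrator.
        Match - newuser.
        add User2.
Error 1387: A member could not be added to or removed from the local group because the member does not exist.
        error adding User2.
Group Membership configuration completed with error
"""
# Hypothetical: members the GPO defines for the group, in policy order.
INTENDED = {"Power Users": ["administrator", "newuser", "User2", "User3"]}

_CONFIGURE = re.compile(r"^Configure (.+?)\.$")
_MEMBER = re.compile(r"^(?:Match -|add) (.+?)\.$")
_ERROR = re.compile(r"^Error (\d+):")
_FAILED = re.compile(r"^error adding (.+?)\.$")

def parse_group_log(text):
    """Return {group: {"ok": [names], "failed": {name: error_code}}}."""
    groups, current, last_error = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Configure Group Membership"):
            continue  # section header, not a group name
        if m := _CONFIGURE.match(line):
            current = groups.setdefault(m.group(1), {"ok": [], "failed": {}})
            last_error = None
        elif current is None:
            continue
        elif m := _MEMBER.match(line):
            current["ok"].append(m.group(1))
        elif m := _ERROR.match(line):
            last_error = int(m.group(1))
        elif m := _FAILED.match(line):
            # The earlier "add" line for this account did not succeed.
            current["ok"] = [n for n in current["ok"] if n != m.group(1)]
            current["failed"][m.group(1)] = last_error
    return groups

def missing_members(intended, parsed):
    """Intended members that the log never shows as matched or added."""
    report = {}
    for group, members in intended.items():
        ok = {n.lower() for n in parsed.get(group, {"ok": []})["ok"]}
        report[group] = [n for n in members if n.lower() not in ok]
    return report
```

For the constructed input, `User2` is reported as the failing account (error 1387) and `User3` appears in the missing list because processing stopped before it, which matches the behavior described under CAUSE.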



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbenv kbhotfixserver KB306100


© Microsoft Corporation. All rights reserved.