Microsoft KB Archive/256000

From BetaArchive Wiki
Knowledge Base

Error Messages After Importing Basicdc.inf into Group Policy

Article ID: 256000

Article Last Modified on 2/28/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q256000


This error may occur after you import the Basicdc.inf file into the default domain controllers Group Policy object (GPO), the following error messages may be generated.

Application log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 3/1/2000
Time: 6:16:43 PM
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (13).

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 3/1/2000
Time: 6:16:43 PM
User: N/A
Description: Security policies are propagated with warning. 0xd : The data is invalid. Please look for more details in TroubleShooting section in Security Help.


Error 13: The data is invalid. Error convert %SYSVOL%\DOMAIN\POLICIES.
Error 13: The data is invalid. Error converting section File Security.


ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0xd.


This behavior occurs because three system environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%) are referenced in the Basicdc.inf file, but exist only during the Dcpromo process. These error messages are generated each time the Default Domain Controllers policy is applied.


To resolve this issue, do not import the Basicdc.inf file into the default domain controllers Group Policy object (GPO). This security template modifies ACLS on files and folders in sysvol. The File Replication service may try to replicate these changes to other domain controllers depending on what version of NTFRS your domain controllers use.

Windows 2000-based domain controllers apply the policy when they are restarted, during policy updates, and then at regular intervals. The policy is updated every five minutes. If no change is pending, the policy is not applied. The policy is enforced every 16 hours regardless of whether there has been a change to the policy or not. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

279156 Effects of Setting File System Policy on a Disk Drive or Folder

321557 Improvements in the Post-SP2 Release of Ntfrs.exe

If you want to apply this policy periodically, a better solution is to apply it with the secedit command:

secedit /configure /cfg "%SYSTEMROOT%\security\templates\basicdc.inf" /db "%SYSTEMROOT%\security\database\basicdc.sdb" /log "%SYSTEMROOT%\security\database\basicdc.log" /verbose

First, you must create the following three system environment variables:

  1. At a command prompt, type net share sysvol, and then press ENTER. Note the path that is returned.
  2. Right-click My Computer, and then click Properties.
  3. On the Advanced tab, click Environment Variables.
  4. In the System Variables section, click New.
  5. In the Variable Name box, type SYSVOL.
  6. In the Variable Value box, type the path that you noted in step 1, minus the last "\sysvol" item.
  7. Repeat these steps to create the %DSDIT% and %DSLOG% variables.

    You can view the path for these variables by examining these variables in the registry under the following key:


    For example the default location for Database log files path and DSA Working Directory are listed below:

    Database log files path:REG_SZ:C:\WINNT\NTDS (%DSLOG% equals C:\WINNT\NTDS)

    DSA Working Directory:REG_SZ:C:\WINNT\NTDS (%DSDIT% equals C:\WINNT\NTDS)

  8. At a command prompt, type the following command, and then press ENTER:

    secedit /configure /cfg "%SYSTEMROOT%\security\templates\basicdc.inf" /db "%SYSTEMROOT%\security\database\basicdc.sdb" /log "%SYSTEMROOT%\security\database\basicdc.log" /verbose

  9. Examine the Userenv.log file, Winlogon.log file, and Application event log. The error messages should no longer occur.
  10. If the error messages persist, restart the computer and confirm that the error messages no longer occur.

Important Implementing a security template on a domain controller may change the settings of the Default Domain Controller Policy or Default Domain Policy. The applied template may overwrite permissions on new files, registry keys, and system services that are created by other programs. You may have to restore these policies after you apply a security template. Before you follow these steps on a domain controller, create a backup of the SYSVOL share.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbdcpromo kbenv kberrmsg kbgpo kbprb KB256000