Microsoft KB Archive/929624

From BetaArchive Wiki

Article ID: 929624

Article Last Modified on 11/13/2007


APPLIES TO

  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition


SYMPTOMS

In Microsoft Windows XP, after you assign a Group Policy setting to a computer by using a Group Policy object (GPO), the setting may be removed intermittently. You may also experience the problem on startup.

The settings are removed even though you have not changed the policy and even though you have not removed the computer from scope of the GPO. When this problem occurs, the following event may be logged in the System log on the client computer:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 7
Date: date
Time: time
User: N/A
Computer: computer_name
Description: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client computer_name in realm realm_name had a PAC which failed to verify or was modified. Contact your system administrator.

When you create a Netlogon.log on the computers that are having this problem, you can find the following lines in the Netlogon.log file:
[LOGON] SamLogon: Generic logon of <domain>\(null) from (null) Package:Kerberos Entered
[LOGON] SamLogon: Generic logon of <domain>\(null) from (null) Package:Kerberos Returns 0xC000005E

There may be other errors, but error 0xC000005E (STATUS_NO_LOGON_SERVERS) is the most likely one.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

109626 Enabling debug logging for the Net Logon service




If you turn on user environment debug logging, an entry that resembles the following is logged in the Userenv.log file:
For every policy affected:
ProcessGPO: Searching <cn=<policy guid>,cn=policies,cn=system,DC=<domain>>
ProcessGPO: Machine does not have access to the GPO and so will not be applied.
...
CheckForGPOsToRemove: GPO <name of GPO>needs to be removed
GetDeletedGPOList: Finished.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

221833 How to enable user environment debug logging in retail builds of Windows




Depending on the type of setting, various other messages may be logged in the registry or in the event log. The following extensions are affected:

  • Application deployment

    The following event may be logged in the Application log on the client computer:


    Event Type: Information
    Event Source: Application Management
    Event Category: None
    Event ID: 303
    Date: date
    Time: time
    User: SYSTEM
    Computer: computer_name
    Description: The removal of the assignment of application application_name from policy GPO_name succeeded.

  • Security Group Policy

    The Winlogon.log file has many entries that resemble the following:


    Undo value for undefined Group Policy setting security setting was reset successfully and removed.

    There will be one line per setting in the Group Policy .inf file for the various groups of security policy settings.

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    245422 How to Enable Logging for Security Configuration Client Processing in Windows 2000

  • Registry policy settings/Administrative templates.

    The Userenv.log will have many lines removing policy settings. For example:


    ParseRegistryFile: Entering with <C:\Documents and Settings\All Users\ntuser.pol>.
    DeleteRegistryValue: Deleted
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify
    DeleteRegistryValue: Deleted Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures
    DeleteRegistryValue: Deleted Software\Policies\Microsoft\Internet
    Explorer\Infodelivery\Restrictions\NoJITSetup
    DeleteRegistryValue: Deleted Software\Policies\Microsoft\Internet
    Explorer\Infodelivery\Restrictions\NoUpdateCheck

These are the most common examples in which you experience missing settings. You may experience similar problems with startup scripts.

CAUSE

This problem occurs when a Kerberos Privilege Attribute Certificate (PAC) validation error during logon causes the computer to fall out of scope for all Group Policy objects. Therefore, all assigned applications become unmanaged and are uninstalled. The Kerberos PAC validation error may occur because of transient network errors.

RESOLUTION

This hotfix causes the logon to fail completely and not work with an empty token. This triggers the Group Policy engine to stop policy processing and not run with an empty token. This may cause policy updates to arrive at member computers more slowly than expected. However, the policy settings are no longer removed.

Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451


Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support


Prerequisites

To apply this hotfix, you must have Microsoft Windows XP Service Pack 2 (SP2) installed. For more information about how to obtain Windows XP SP2, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack


Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name File version File size Date Time Platform
Kerberos.dll 5.1.2600.3048 298,496 11-Dec-2006 13:58 x86


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about the terms that are used to describe software updates, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates



Additional query words: userenv

Keywords: kbgpo kbkerberos kbfix kbhotfixserver kbqfe kbpubtypekc KB929624



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/929624&oldid=336800
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki