Article ID: 272560
Article Last Modified on 2/21/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
This article was previously published under Q272560
SYMPTOMS
If you deploy a program on a large number of domain controllers, and that program changes the default domain controller Group Policy on each computer on which it is installed by using the Microsoft Windows NT 4.0-style local security authority (LSA) application programming interface (API), the service account may not have the required privilege when you later try to start the service on all of the computers. As a result, the service may not start, or it may experience errors while it is running.
For example, if you deploy a program that creates a user account that is used to run a service, this account requires at least the SeServiceLogonRight privilege.
This problem can also occur on domain members (Professional and Server) when the LSA API is called at the same time that Group Policy is about to be applied.
This problem also occurs if Group Policy is not applied right after the computer restarts. The following error messages are logged in the event log:
During subsequent attempts to restart, Group Policy is applied correctly.
One program in which this problem is known to occur is the Microsoft Systems Management Server (SMS) version 2.0 client Setup for domain controllers. This program creates an SMS&_computer_name user account for the service, and an interim SMS#_computer_name user account is also created when the automatic installation is used. Both accounts require a number of user privileges.
CAUSE
This problem can occur if a race condition occurs, especially if the list of users that require a certain privilege is long. The engine that translates LSA API calls into writes to the Group Policy Inf file on the file system (in the Sysvol tree) can get into a situation where a particular change is lost.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
   Date       Time    Version        Size     File name
   ------------------------------------------------------------------
   6/27/2001  12:19p  5.0.2195.3787  501,520  Lsasrv.dll (56-bit)
   7/6/2001   10:55a  5.0.2195.3787  355,088  Advapi32.dll
   7/6/2001   10:55a  5.0.2195.3649  135,440  Dnsapi.dll
   7/6/2001   10:55a  5.0.2195.3649   94,992  Dnsrslvr.dll
   7/6/2001   10:51a  5.0.2195.3787  519,440  Instlsa5.dll
   7/6/2001   10:55a  5.0.2195.3817  142,608  Kdcsvc.dll
   6/26/2001  08:15p  5.0.2195.3781  197,392  Kerberos.dll
   6/26/2001  08:16p  5.0.2195.3781   69,456  Ksecdd.sys
   6/27/2001  12:20p  5.0.2195.3787  501,520  Lsasrv.dll
   6/26/2001  08:16p  5.0.2195.3781   33,552  Lsass.exe
   7/6/2001   10:55a  5.0.2195.3776  306,448  Netapi32.dll
   7/6/2001   10:55a  5.0.2195.3776  357,648  Netlogon.dll
   7/6/2001   10:55a  5.0.2195.3826  909,072  Ntdsa.dll
   7/6/2001   10:55a  5.0.2195.3781  382,224  Samsrv.dll
   7/6/2001   10:55a  5.0.2195.3781  128,784  Scecli.dll
   7/6/2001   10:55a  5.0.2195.3649  299,792  Scesrv.dll
   7/6/2001   10:55a  5.0.2195.3649   48,400  W32time.dll
   5/29/2001  09:26a  5.0.2195.3649   56,080  W32tm.exe
NOTE: When you deploy this hotfix in an SMS 2.0 environment, you should also install Service Pack 3 for SMS 2.0, and then install the Q278345.exe hot fix for SMS 2.0 Service Pack 3.
For additional information about the Q278345.exe hot fix for SMS 2.0 Service Pack 3, click the article number below to view the article in the Microsoft Knowledge Base:
278345 Competing Changes to SMSCliToknAcct& During Clisvc Startup
WORKAROUND
To work around this problem, use a group to grant the privilege, and make the user a member of this group, instead of granting the privilege to many individual user accounts. This is a good way to recover after this problem occurs, especially if it might take more time to find the user accounts that are missing from the list than it would to set up the group. Also, a short list of accounts in the policy helps the policy to be processed faster.
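To find which accounts dropped out of the policy after the lost change described under CAUSE, the privilege assignments in the policy's security template can be compared with the accounts the deployment was expected to add. The following is an added example, not code from Microsoft or from this article; it assumes the template uses the usual [Privilege Rights] INF layout, and the domain name, computer names and sample template text are constructed.

```python
import re

# Constructed sample of a security template. In this sample the entry for
# EXAMPLE\SMS&_DC03 is absent, as it would be after a lost policy write.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
; service accounts added by the deployment
SeServiceLogonRight = *S-1-5-32-544,EXAMPLE\SMS&_DC01,example\sms&_dc02
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {privilege: set of lower-cased account names or SIDs}."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs carry a leading '*', names do not; normalise both forms.
        members = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
        rights.setdefault(name.strip(), set()).update(members)
    return rights

def missing_accounts(text, expected):
    """expected: {privilege: [accounts]}. Return {privilege: sorted missing accounts}."""
    rights = parse_privilege_rights(text)
    report = {}
    for privilege, accounts in expected.items():
        present = rights.get(privilege, set())    # a missing line means nobody holds it
        lost = sorted(a for a in accounts if a.lstrip("*").lower() not in present)
        if lost:
            report[privilege] = lost
    return report

if __name__ == "__main__":
    hosts = ["DC01", "DC02", "DC03"]              # constructed computer names
    expected = {"SeServiceLogonRight": [rf"EXAMPLE\SMS&_{h}" for h in hosts]}
    for privilege, lost in missing_accounts(SAMPLE_TEMPLATE, expected).items():
        print(f"{privilege}: missing {', '.join(lost)}")
```

Accounts that the template stores as SIDs must be listed as SIDs in `expected`, because the comparison does no name-to-SID lookup.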
STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Keywords: kbhotfixserver kbqfe kbbug kbfix kbgpo kbnetwork kbsecurity kbwin2000presp2fix kbwin2000sp3fix KB272560