Article ID: 306100
Article Last Modified on 2/22/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
This article was previously published under Q306100
SYMPTOMS
After you establish a Group Policy object (GPO) that defines restricted groups, and then apply the group policy, the resulting group membership on the destination computer may be incomplete.
The first indication of this problem may be error messages in the Application log from the "SCECLI" source. These messages mention that the security policy was not applied.
One way to check if an error occurred during the processing of any given group is to check the log file to determine if an error occurred. For additional information about how to enable debug logging, click the article number below to view the article in the Microsoft Knowledge Base:
245422 Enabling Logging for Security Configuration Client Processing
An example of this error might look like the following excerpt from the log that is listed in the preceding article:
CAUSE
This problem can occur during the processing of the group policy. If one of the user accounts that is defined in the Restricted Groups policy cannot be validated (not found on the local computer or on the domain), that user and subsequent users in the group policy are not made members of the target group.
RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name ----------------------------------------------------------- 05-Oct-2001 10:42:22 5.0.2195.4472 123,664 Adsldp.dll 05-Oct-2001 10:42:22 5.0.2195.4308 130,832 Adsldpc.dll 05-Oct-2001 10:42:24 5.0.2195.4016 62,736 Adsmsext.dll 05-Oct-2001 10:42:22 5.0.2195.4384 364,816 Advapi32.dll 05-Oct-2001 10:42:22 5.0.2195.4141 133,904 Dnsapi.dll 05-Oct-2001 10:42:22 5.0.2195.4379 91,408 Dnsrslvr.dll 05-Oct-2001 10:43:12 5.0.2195.4411 529,168 Instlsa5.dll 05-Oct-2001 10:42:24 5.0.2195.4437 145,680 Kdcsvc.dll 04-Oct-2001 21:00:18 5.0.2195.4471 199,440 Kerberos.dll 04-Sep-2001 21:32:54 5.0.2195.4276 71,024 Ksecdd.sys 27-Sep-2001 15:58:44 5.0.2195.4411 511,248 Lsasrv.dll 06-Sep-2001 18:31:38 5.0.2195.4301 33,552 Lsass.exe 27-Sep-2001 15:59:06 5.0.2195.4285 114,448 Msv1_0.dll 05-Oct-2001 10:42:24 5.0.2195.4153 312,080 Netapi32.dll 05-Oct-2001 10:42:24 5.0.2195.4357 370,448 Netlogon.dll 05-Oct-2001 10:42:24 5.0.2195.4464 912,656 Ntdsa.dll 05-Oct-2001 10:42:24 5.0.2195.4433 387,856 Samsrv.dll 05-Oct-2001 10:42:24 5.0.2195.4117 111,376 Scecli.dll 05-Oct-2001 10:42:24 5.0.2195.4476 299,792 Scesrv.dll 05-Oct-2001 10:42:24 5.0.2195.4025 50,960 W32time.dll 01-Aug-2001 21:44:16 5.0.2195.4025 56,592 W32tm.exe 05-Oct-2001 10:42:22 5.0.2195.4433 125,712 Wldap32.dll
WORKAROUND
Use the logging that is previously described, isolate the user account that cannot be validated, and then remove the user from the restricted group in the GPO where it is defined.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbenv kbhotfixserver KB306100