Have you ever seen this error in your event logs on a Windows XP machine? Have you ever had any issues getting a Group Policy to apply?
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Computer: COMPUTERNAME
Description:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
This usually means that the local security database, secedit.sdb, is corrupted and there is a chance that some Group Policies may not work. To check the integrity of the database, run the esentutl utility from a command line:
esentutl /g %windir%\security\database\secedit.sdb
To repair the database, you need to run this from a command line:
esentutl /p %windir%\security\database\secedit.sdb
Check the integrity again, and it should be clear.
Now if the problem occurs on multiple machines, you may want to set up a Group Policy Logon Script. The only problem is, when you run this as a batch file, you will get a pop up warning message. This is not something you want to the users to see. Run the esentutl /o command to prevent the warning window. I indicated this in the example below.
esentutl /p %windir%\security\database\secedit.sdb /o
This will prevent the warning message from coming up for the user. Also, according the Microsoft, it is recommended to run the ESENTUTL /p command only as a last resort, as shown in this article. In my case, our master XP image had this problem and we already deployed it to over 50 workstations. A visit to each machine would be too monotonous, so I did the following steps:
- I created a new GPO called SceCli_Fix
- I created a batch file that runs the following command - esentutl /p %windir%\security\database\secedit.sdb /o
- I attached it to the SceCli_Fix User GPO as a Logon Script.
- I linked the GPO to the users who were having the issue.
- Gave the users notice to reboot their machines over night.
- The next morning, I confirmed that the users had rebooted and I unlinked the GPO.
- Done. If you had any previous Group Policies that were not applying, they should apply now.
Keep in mind that Microsoft doesn’t recommend running this command over and over again, especially if the database is already fixed. This is why I am putting extra care in coordinating with the users to ensure it only runs once. Although I ran it multiple times on a test workstation, I’ll take the recommendation on our production machines.
