
Annoying event log errors and warnings....... 1

Status
Not open for further replies.

lefty78

IS-IT--Management
May 29, 2002
111
US
Anyone have a clue on this, I get four recurring entries to my event log every five minutes. They are all in the application log and read as follows;

Source: Userenv
Event ID: 1000
Description: The group policy client-side extension Security was passed flags (17) and returned a failure status code of (1208).

Source: SceCli
Event ID: 1202
Description: Security Policies are propagated with warning 0x4b8: An extended error has occurred. Please look for more details in troubleshooting section in security help.

Source: ESENT
Event ID: 454
Description: services (276) Database recovery/restore failed with unexpected error - 530.

Source: ESENT
Event ID: 412
Description: services (276) Unable to read the log header. Error - 530.



I found a forum that boasted a fix for this problem, and the fix was to restore the local group policy on the server from the 'security setup' template. When I try to do this I am left with a good 'ol M$ error;

'Security Templates'
An extended error has occurred. Import Failed.

and when I get this error, the two entries from source 'ESENT' that are listed above are logged in the event log.
 
I guess that this boggles everyone as much as I.....still open for suggestions, thanks.
 
Hey lefty78, I am getting the same errors too. Where did you see that fix? I would like to try it out for myself. Email to mlewis1034@netzero.com
 
I was getting errors trying to open up my local security policy. I fixed the problem by following this.....



When you navigate in Local Computer Policy and try to open Account Policies or Local Policies
(Local Computer Policy / Computer Configuration / Windows Settings / Security Settings), you receive
Windows cannot open the local policy database. An unknown error occurred when attempting to open the database..

Your Local Group Policy log files may be corrupt.

To fix the problem, delete or rename the following:

%SystemRoot%\Security\Edb.*
%SystemRoot%\Security\Res*.*



After I did this, I restored the original security policy through the mmc Security and Configuration Analysis. That got rid of two of the event log every-five-minute-entries; (Source: ESENT
Event ID: 454
Description: services (276) Database recovery/restore failed with unexpected error - 530.

Source: ESENT
Event ID: 412
Description: services (276) Unable to read the log header. Error - 530.)




So I am now stuck with half the issue I had before, I now only need to get rid of two event log entries, and they still occur every five minutes, they are listed above, and I will now list them again here;


Source: Userenv
Event ID: 1000
Description: The group policy client-side extension Security was passed flags (17) and returned a failure status code of (1208).

Source: SceCli
Event ID: 1202
Description: Security Policies are propagated with warning 0x4b8: An extended error has occurred. Please look for more details in troubleshooting section in security help.
 
typically, those errors are due to group policy attempting to apply itself to an account/object that does not exist. most often, this will occur if the Power Users group is somehow included in a Domain or Domain Controller security policy, as DC's don't know what Power Users are. that's just an example though, it could be any non-existent object. you'll need to check your domain security group policies for unknown accounts.
 
I'm getting the same thing. I've all but given up. If someone finds the cause, I'd love to know it.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Since we cannot know all that there is to be known about anything,
we ought to know a little about everything."
Blaise Pascal
 
Well I have gotten rid of the final two errors....I scanned active directory and there were these security groups;

<my_server> admins
<my_server> authors
<my_server> browsers

and these;

<my_server>2278 admins
<my_server>2278 authors
<my_server>2278 browsers

I feel like an @$$ not noticing the two sets of the same security group. I ran a check to see which one was currently logging on; I was guessing one was created by accident during a test run on some internal management sites I host. I found that the instances with 2278 added in them were the culprits. I deleted them, refreshed the machine's policy and voilà, after months of tension, hair ripping, and utter confusion....it flashed right in front of me, guess I was looking too hard.

So, a suggestion would be to look no further than active directory listings for double entries, unused entries, entries that were made on an install and then not removed on an uninstall (as in my case I bet), or just simply unknown user id's. And then ensure that none of those users or groups hold permissions on a local or a domain level. Hope this helps someone.....
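The check suggested in the posts above (find accounts that a security policy names but that no longer resolve) can be scripted. The following is an added example, not part of any post in this thread: it parses security-template text and tries to translate every principal it finds; the sample template and the `MYSERVER2278` group names are constructed placeholders, and the function names are hypothetical.

```powershell
# Constructed sample in security-template (GptTmpl.inf) syntax; group names are placeholders.
$sample = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,MYSERVER2278 admins
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Group Membership]
*S-1-5-32-544__Members = MYSERVER2278 authors
'@ -split "`r?`n"

function Test-Principal([string]$Name) {
    # Entries starting with * are SIDs; everything else is an account name.
    try {
        if ($Name.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Name.Substring(1)
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } else {
            $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $Name
            [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
        }
        $true
    } catch { $false }   # unmapped identity, malformed SID, or failed lookup
}

function Get-TemplatePrincipal([string[]]$Lines) {
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Only these two sections list accounts and groups.
        if ('Privilege Rights', 'Group Membership' -notcontains $section) { continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $setting = $Matches[1]
            $names = @($Matches[2] -split ',')
            # In [Group Membership] the key is itself a group: <group>__Members / <group>__Memberof
            if ($section -eq 'Group Membership') { $names += $setting -replace '__Member(s|of)$', '' }
            foreach ($n in $names) {
                $n = $n.Trim()
                if ($n) {
                    [pscustomobject]@{ Section = $section; Setting = $setting
                                       Principal = $n; Resolves = Test-Principal $n }
                }
            }
        }
    }
}

# List every principal the template names that this machine cannot resolve.
Get-TemplatePrincipal $sample | Where-Object { -not $_.Resolves } | Format-Table -AutoSize
```

To check a real policy, replace `$sample` with `Get-Content` of the GPO's `GptTmpl.inf` (under `MACHINE\Microsoft\Windows NT\SecEdit` in the policy's SYSVOL folder) and run it on the machine that logs the events, so name resolution reflects that machine's view.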
 
I came across this when I was looking for another error:

As brontosaurus mentioned, looks like you need to check for invalid objects and/or GPs that are referring to nonexistent objects.


SYMPTOMS
After you modify group policies on a Windows 2000-based server, the following error messages may be recorded in the Application event log every five minutes:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 21/09/1999
Time: 18:15:14
User: N/A
Computer: MachineName
Description:
Security policies are propagated with warning. 0x4b8 : An extended error occurred. Please look for more details in TroubleShooting section in Security Help.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 21/09/1999
Time: 18:15:14
User: NT AUTHORITY\SYSTEM
Computer: SLDN220IN
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1208).
CAUSE
A conflict in Group Policy can cause these events to occur. These error messages can occur if the "Rename Administrator Account" security policy is enabled and then set to an account name that is already in use.

RESOLUTION
To resolve this issue, either disable the "Rename Administrator Account" policy or configure the policy to use an account name that does not exist. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

259576 Group Policy Application Rules for Domain Controllers

258595 Gpresult Does Not Enumerate Resultant Computer Security Policy
 
Sorry for mishandling the credit brontosaurus, it does go to you. I have read all of these articles countless times and just somehow missed the entries I found today. I guess I had blinders on looking for power users and unknown users. You did motivate me to try once again and I finally saw what was staring at me for the last couple months. Thanks
 
Hi Lefty


In regards to this article
1. Open the %SystemRoot%\Security folder, create a new folder, and then name it "OldSecurity".
2. Move all of the files ending in .log from the %SystemRoot%\Security folder to the OldSecurity folder.

There is a scepol.log file in the folder that I cannot move or rename. I get a sharing violation error
"the source or destination file may be in use"

How do I move this file into the old security folder?
 
no, no, i didn't mean it that way at all. i was lamenting the fact that it seemed like you went through a lot of trouble because you may have honestly missed my post (as it is kind of small...). In any case, glad you got it fixed.
 
I know what it's like to have those blinders on... just went thru that publishing OWA... sometimes the problem is so obvious you want to hide in a corner... :)

brontosaurus, no problem... sometimes replies are overlooked... did that myself... :)

Daniel.
 
I tried to add a .REG file to the logon script. But when users try to log on they get an error saying “cannot import\\UNC path\name of file.REG: not all data was successfully written to the registry. Some keys are open by the system or other processes.”

How can I get this .REG file to run?
 
Scruby
I reckon you need to start a new thread for this. Anyway, sounds like a permissions problem - the users who are running the login script do not have permission to make the registry modification.

 