Event ID: 1001 Source: SceCli

Security policy cannot be propagated. <error>. Error code = <error code>. <path>.
This error occurred when I tried to resolve a Kerberos error. I tried to modify the GPtTmpl.inf in
C:\WINDOWS\SYSVOL\domain\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit on the domain controller, but about 5 minutes later the users reported that they could not log in to Windows in the domain. I tried to open the domain default policy snap-in but I got this message: "windows cannot access template file".

I discovered that the domain default policy was corrupted and I didn't have any backup of it. I wanted to solve the problem with the following instructions.

To reset the Domain Controller Default Group Policy, do the following:
1. On all Domain Controllers, issue: net stop ntfrs at a command prompt.
2. On one of the Domain Controllers, at a command prompt issue: dcgpofix and answer Y to all prompts.
3. If you have an Exchange Server, add Exchange Enterprise Servers to permissions by going to the group policy (gpmc.msc), Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments, and check to ensure the policy is defaulted with all permissions. To work with Exchange, in the same location, locate "Manage Audit and security log" and add "Domain Name\Exchange Enterprise Servers" to the permissions. (You could re-run the Exchange setup with the "/Domainprep" switch to do the same thing.)
4. To ensure the files are not overwritten, on the same machine on which you ran dcgpofix, edit the following registry key to make it the authoritative file server when replicating: At a command prompt, type regedit, navigate to "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\BackUp\Restore\Process at Startup" and modify "burFlags", setting the value to D4. (D4 sets the authoritative machine; setting the other machine or machines to D2 will force them to replicate from the machine with the D4 setting.) On the other Domain Controllers, edit the same key and set the value to D2.
5. On all machines, issue: net start ntfrs. This should start replication and all Domain Controllers should have an entry in the "Application Log" indicating success. You can manually test the replication by creating a new text file under "C:\windows\SYSVOL\sysvol\Domain Name\Policies", which will be replicated to the other machines. (Replace Domain Name with the name of the domain.)
6. Check the replication by going to "AD Sites And Services" -> Sites -> Servers, under each server -> NTDS Settings, in the right pane, right-click and choose "Replicate Now". This should indicate that it is successful. I had very few problems after running this process.
- Error code: 3 (Error code 3) - This behaviour can occur if the %SystemRoot%\SYSVOL\Domain\Policies Group Policy directory structure is missing or is incorrect and the replication service is trying to replicate the directory but can't find it. See WITP74445 to solve the problem.

If you specify a non-default folder for the Sysvol share during the Dcpromo process, the Sysvol\Sysvol\DNS Domain Name junction point and the Sysvol staging area may have Full Control permissions for the Everyone group. These permissions permit any local or remote authenticated user to delete one of the junction points, which effectively disables all of the group policies. See ME324308 for a hotfix applicable to Microsoft Windows 2000.
- Error code: 536870909 - We changed the provider order on the NICs (Network Connections -> Advanced -> Advanced Settings -> Provider Order tab). There are three listings here: Microsoft Network, Microsoft Terminal Services and Web Client Network. Terminal Services was first in the order, so we just moved it down one to make Microsoft Network first, and the errors stopped.
As per Microsoft: "The system cannot access the Security Template, so the security policy cannot be applied. Often, this is due to network issues that are not related to the Security Configuration Manager". See MSW2KDB for more details on this event.

From a newsgroup post: "In our environment, we applied a default security template file locally to most member servers (not through domain group policy). We started seeing this error on all servers we applied this security template to, after applying the Blaster patch (ME823980)".

- Error code: 32 - See ME310741.
- Error code: 3 - See ME258296, ME258960, ME276516, ME285923, ME290647, and ME888824.

- Error: "Cannot delete GP cache" - From a newsgroup post: "Turns out that the 'Cannot delete GP cache' is referring to the files in the “\windows\security\templates\policies” folder on the client that had the read-only attribute set and the client-side security extension could not delete or update them. The root of the problem turns out to be how I originally created the group policies. I had copied all the security templates from the Win 2003 Security Guide that I had on a CD and put them into the “\Windows\security\templates” directory on the server and this took along the read-only attribute with the files. So when I created group policies by importing the security templates this copied the templates along with the read-only attribute to the SYSVOL.
Well, this left a bunch of the templates in the SYSVOL as read-only. Consequently, when the template is brought down to the client, so is the read-only attribute. Now you have the security policies on the client with read-only set and they cannot be deleted or updated by the client-side security extension.
So the complete fix was to remove the read-only attribute from the templates in the SYSVOL, delete all the files from the security policy cache on the client and then run “GPUPDATE /FORCE”.
By the way, taking the read-only attribute off files in the SYSVOL was very tricky and cumbersome, so the word of warning is to make sure not to start with security templates that are read-only when importing them into group policies".
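
The check described in the post above, as an added example that is not part of the original post or of any Microsoft tool: a PowerShell script that lists read-only files under the two locations named on this page and, with the hypothetical `-Clear` switch, removes the attribute. The default paths assume a default SYSVOL location; the parameter names are this example's own.

```powershell
# Added example, not from the original post.
# Default roots are the two locations named on this page; pass -Root for a
# non-default SYSVOL location.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Root = @(
        (Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'),      # templates stored with the GPOs (on a DC)
        (Join-Path $env:SystemRoot 'security\templates\policies')  # client-side security policy cache
    ),
    [switch]$Clear   # without -Clear the script only reports
)

$found = foreach ($r in $Root) {
    if (-not (Test-Path -LiteralPath $r)) {
        Write-Warning "Skipping missing path: $r"
        continue
    }
    # -Force includes hidden and system files; IsReadOnly reflects the R attribute.
    Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly }
}

if (-not $found) {
    Write-Output 'No read-only files found.'
    return
}

# Show what would block the client-side security extension from updating its cache.
$found | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

if ($Clear) {
    foreach ($f in $found) {
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run is possible.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Clear read-only attribute')) {
            $f.IsReadOnly = $false
        }
    }
}
```

Run it first without `-Clear`, or with `-Clear -WhatIf`, to review the list before any attribute is changed.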

See ME314494 for additional information on this event.
From a newsgroup post: "My Windows 2003 domain controller kept logging this error every 5 minutes. Using the group policy manager, I determined that the GUID in the message was associated with the Default Domain Controllers Policy. Running Dcgpofix with the target set to the DC eliminated this problem".

I had this problem when event id 1000 and 1001 kept popping up every 5 minutes. Enabling the TCP/IP NetBIOS Helper service on my domain controller fixed the problem.
As per ME259398, this can occur if the DFS client is disabled. Some websites have purported performance enhancements by disabling DFS, but it will result in group policies not being applied properly, hence this error. To specifically fix this, edit HKLM\SYSTEM\CCS\Service\MUP
Create a REG_DWORD value:
I found that we got this message after promoting a server to Domain Controller. For some reason the SYSVOL folder structure hadn't been properly created during promotion and thus there was nowhere to store the group policy. All I did was to copy over the structure from another DC and the error stopped.
Group Policy was not being propagated to clients and logons were slow. I found that the permissions on the domain controller's Sysvol folder and subfolders were incorrect, but 20 minutes after changing them as per Microsoft's instructions, the system automatically changed them back. The Sysvol permissions and some GP entries contained the security identifier for the Power Users group, which doesn't exist on a DC. All efforts to remove this security identifier failed.
I deleted all Registry.pol and System.adm on the DC and edited all GPT.ini files, on the DC, so Version=1. I then rebooted the DC and changed the Sysvol permissions. Make a new Default Domain Policy and a new Default Domain Controllers Policy. Make sure that Everyone, Authenticated users and Administrators have "Bypass Traverse Checking" enabled in the Default Domain Policy.
This event can occur if the %SystemRoot%\SYSVOL\Domain\Policies Group Policy directory structure is missing or is incorrect. The Replication service is trying to replicate the directory but cannot locate it. We also observed this error message when File and Print Services are not enabled. Error code 3 means "The system cannot find the path specified." On systems with multiple network cards you may want to check the order of network card bindings.