Event ID 1202 Source SceCli
| Event ID | 1202 |
| Source | SceCli |
| Type | Warning |
| Description | Security policies are propagated with warning. <error code>: <error description>. Please look for more details in TroubleShooting section in Security Help. |
| Concepts to understand | What is the Group Policy? |
| Comments |
Adrian Grigorof (Last update 6/10/2003): The error codes in the event description are given in hex format but the decimal value is given in order to facilitate the search for the error code.
- Error code 0x5 (decimal 5) - Access is denied. This issue occurs because of the locked-down security that was originally set on the FRS through Group Policy. When you attempt to configure the FRS through Group Policy, the policy engine no longer has the permission to set security on the FRS and does not attempt to take ownership of the FRS. See M284461 for resolution.
- Error code 0xd (decimal 13) = "The data is invalid". This behavior occurs because three system environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%) are referenced in the Basicdc.inf file, but exist only during the Dcpromo process. These error messages are generated each time the Default Domain Controllers policy is applied. See M256000 for details.
- Error code 0x3e5 (decimal 997) - "Overlapped I/O operation is in progress.". See M295712 for a condition when this error code can occur (a 3rd party backup software may interfere with Active Directory operations).
- Error code 0x534 (decimal 1332) - "No mapping between account names and security IDs was done.": A program was installed, which creates user accounts and assigns rights to those user accounts. Later, the program was removed, the user accounts deleted, but the rights from policy before the accounts were still there. A user account is added and rights assigned to the account. The account is deleted, but not from security policies. The "0x534" code is the hex for "1332". Following the suggestions in M324383 (see the link below) helps. Make sure you check the domain, domain controllers and local group policies.
- Error code 0x4b8 (decimal 1208) - "An extended error occurred". See M260715 - A conflict in Group Policy can cause these events to occur.
These error messages can occur if the "Rename Administrator Account" security policy is enabled and then set to an account name that is already in use. Also, as per M285903, to resolve this behavior, remove all references to the Power Users group in the Local Security settings. For information about various error codes see the links below. These error codes are common to many Windows events.
Anonymous (Last update 4/6/2008):
- Error code: 0x57 (Error code 87) = "The parameter is incorrect" - We had changed our domain policies to require 15 character passwords via modifying the adm file and the domain properties in adsiedit. When the computers processed this policy they failed out and stopped processing the rest of the policy. I changed the password requirement to 14 characters (max natively supported by Windows) and the policies were able to be processed.
Ionut Marin (Last update 1/19/2008):
- Error code: 0x4b8 = "An extended error has occurred" - See M296854, M827012, M835744, M835901, and M837166.
- Error code: 0x534 - See M281454, M329816, M839115, M890737, M918451, and the link to "Windows XP Troubleshooting".
- Error code: 0x2 - See the link to Error code 0x2 for details.
- Error code: 0x5 = "Access is denied" - See M310741 and M319352.
- Error description: "No mapping between account names and security IDs was done" - See M834519.
See the links to "Active Directory Operations Overview", "JSI Tip 3252", and MSW2KDB for additional troubleshooting information.
Nathan Russell (Last update 10/28/2007):
- Error code: 0xb - I also began experiencing this issue after replacing a failing hard drive using Norton Ghost. I followed the instructions to delete\rename the C:\WINDOWS\security\Database\secedit.sdb file. After running "gpupdate /force" the error went away.
Anonymous (Last update 8/29/2007): It is possible that the ASP.NET account is defined in the Domain Policy but does not exist on the Local Computer.
I installed the ASP.NET component and the warning ceased to occur.
James (Last update 7/9/2007): As stated by Christian Jones’s post, I also went to the “C:\WINDOWS\security\Database” folder and renamed all the files in this folder to *.bak. Then, I manually ran "gpupdate /force" and the secedit.sdb file was recreated for me as well. However, I also had to give Domain Users FULL rights to the folder, as our users are only in Domain Users and Local Users on the PCs. After this, the policies updated normally.
Srinivas Ramaswamy (Last update 3/5/2007):
- Error code: 0x4b8 = "An extended error has occurred" - This error appeared on the GPO that renamed administrator ID or disabled "Guest" account. This issue appeared because %Windir%\security\Database\Secedit.sdb was corrupt. Check "esentutl /g %Windir%\security\Database\Secedit.sdb". It will say the database is either corrupt or out-of-date. Run "esentutl /p %Windir%\security\Database\Secedit.sdb" to repair or simply delete the %Windir%\security\Database\Secedit.sdb file. The database will be recreated on the reboot. Either choice will need a reboot.
Andrei Ungureanu (Last update 1/24/2007): See "Troubleshooting Active Directory Replication Problems" for information on this problem. In addition, here are a couple of links on how to enable and work with Winlogon.log: M245422, "Interpreting Security Settings log files", and "Enable Logging for Security Settings".
Mihai Andrei (Last update 11/28/2006):
- Error code: 0x4b8 (Error code 1208) - See "JSI Tip 2434", "JSI Tip 3861" and "JSI Tip 3561".
- Error code: 0x534 (Error code 1532) - See M279432, M927061 and "JSI Tip 2059".
- Error code: 0x8 - See the link to Error code 8.
The presence of SceCli event ID 1202 in the application event log indicates that there might be problems with Active Directory replication, especially if the error text for this message contains a Win32 error code of either Error 1332 (0x534) or Error 1332 (0x6fc). The procedure for troubleshooting this event with either hexadecimal code is the same. See the link to "Troubleshooting Active Directory Replication Problems" for details on this procedure.
Christian Jones (Last update 8/22/2006):
- Error code: 0x4b8 (Error code 1208) - In my case, this event was accompanied by event 1085 from source Userenv. To fix this, I simply went to the "C:\WINDOWS\security\Database" folder and renamed the files *.bak. I manually ran "gpupdate /force" and the secedit.sdb file was recreated. I rebooted and all was well. For some reason the old secedit.sdb file had a very old date. My guess is it was not updating.
Daniel Vasilciu (Last update 5/31/2006):
- Error code: 0x4b8 (Error code 1208) - In our case, we received this event at every 5 min GPO refresh cycle. To fix the problem, we just deleted the following files:
%SystemRoot%\Security\Edb.*
%SystemRoot%\Security\Res*.*
The files will recreate themselves the next time you go into the Local Security Policies.
Dave Murphy (Last update 5/11/2006): On a RIS image of a Windows XP SP2 system in a Windows 2003 SP1 environment, I started receiving this warning, along with error 1000. A search came up with article M296854, which suggested a bogus group was being referenced somewhere in the policies or on my system. This led me to article M285903 to remove power users from the local policies. Additionally, I had found following the recommended logging steps in article M324383, that the local security database might have been corrupted. I attempted a repair using the “esentutl /r” command, and an event log was recorded when attempting to repair the file.
As it turned out, the system was trying to use a security profile in the user's home directory, rather than the local security directory. The result was that I followed the steps in article M278316 to resolve the problem. This resolved the local security database corruption, where the security database was pointing to, and the errors and warning showing up in the event log during bootup or during a policy refresh with gpupdate.
Peter Hayden (Last update 3/16/2006):
- Error code: 0x3e5 (Error code 0x3e5) = "Overlapped I/O operation is in progress" - In one case, this occurred on a domain that was created by restoring an image of a domain controller and then promoting two other domain controllers with DCPROMO. It was found that AD replication was not working. It is believed that the original image may have contained Active Directory objects that were older than the tombstone lifetime interval or some other corruption. This was fixed by using DCPROMO to demote/promote one domain controller at a time and seizing the FSMO roles.
- Error code: 0x57 (Error code 87) = "The parameter is incorrect" - In one case, this Event ID appeared on a computer running Windows 2003 SP1. It appeared after the D: drive became faulty and an attempt was made to reformat it from Computer management -> Disk Management. This attempt proceeded extremely slowly, taking several days to reach "5% formatted". Windows became unresponsive even though Windows Task Manager showed that there was CPU available. This was resolved by removing the D: drive until a replacement became available.
Jeffrey Walton (Last update 2/2/2006): We were observing the event on a Windows XP workstation. In addition, the workstation would not honor all group policies (application of policies would fail at an unknown point). We followed M324383 to no avail. Opening the Local Security Policy snap-in produced an error.
We renamed the local security database (secedit.sdb to secedit.sdb.old), rebooted, and the problem seems to be resolved. The database in question is located in %WINNT%\Security\Database\.
Andrew Stuckey (Last update 12/16/2005): Error code: 1208 = “An extended error has occurred. Error creating database” – Even after disabling all GPOs for this server, the error was still occurring. I renamed "C:\WINDOWS\Security\Database\secedit.sdb", rebooted, and the error was gone.
Anonymous (Last update 11/29/2005):
- Error code: 0x5 (Error code 0x5) = "Access is denied" - I received this error on a Windows XP client machine. I examined the C:\windows\security\logs\winlogon.log file and it showed this: Configure machine\software\microsoft\driver signing\policy. Warning 5: Access is denied. Looking at the registry key HKLM\Software\Microsoft\Driver Signing on the client machine, I found that there was an explicit Deny permission set. You can find the permissions set by right-clicking “Driver Signing” -> Properties -> Advanced -> tab Permissions. This permission was not set on any other XP or 2000 client PCs. Removing the Deny permission allowed the GPO to process the registry key successfully.
Florian S. (Last update 11/18/2005): The problem in our network was that there was no DomainMasterBrowser in our Domains and the computer browser service on our domain controller was disabled. Check the registry entry HKLM\System\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster and see if one of your DCs has the value "Yes". Only one server should have this value. Also start the computer browser service if it has been disabled.
Rob Willman (Last update 8/14/2005):
- Error Code: 0x4b8 - I was receiving this error every 5 minutes on our two W2k domain controllers. I tried all the listed fixes with no success.
Winlogon.log was giving me "Error 1208: An extended error has occurred. Error creating database". It looks like my security policy database was corrupt. Renaming and copying secedit.sdb in the C:\winnt\security\database from a working domain controller, in a separate domain, fixed the problem.
Keith Lukes (Last update 7/6/2005):
- Error code: 0x2 - This problem can occur on Citrix MetaFrame servers following the remapping of drive letters. This error will be accompanied by ESENT error events 454 and 439. This is for member servers only. In order to correct the problem, the files edb.chk, edb.log, res1.log, and res2.log located in the “%systemroot%\security” folder need to be renamed. You will also need to rename “%systemroot%\security\database\secedit.sdb”. Once this is completed, reboot the server, and the error should be gone.
Mads Rehhoff-Nør (Last update 4/26/2005): Error code: 0x4b8 (Decimal 1208) = "An extended error has occurred." - I had problems with a service that started "too early" with respect to the Group Policies, which "were not in place". This resulted in some kind of conflict and Windows XP was "Applying computer settings" for a long time. I set the service to depend on NLA (Network Location Awareness) and the problem was solved.
Nicholas (Last update 2/3/2005):
- Error code: 0x4b8 - In our case, we had the error occurring at every 5 min GPO refresh cycle. We set up logging per M324383. The problem turned out to be with Restricted Groups; it was attempting to remove a user ID whose Primary Group was set to that of the Restricted Group and so it failed and did not process the rest of that GPO. Changing the Primary Group back to the default of Domain Users immediately fixed the problem.
Tom Clark (Last update 11/15/2004): I fixed this problem by following the instruction posted on the www.tech-geeks.org website. See the link to "www.tech-geeks.org - W2K Server SceCli error 1202" for the instructions.
Gary Busby (Last update 10/26/2004):
- Error code: 0xd error - This can occur with any variable that is specified incorrectly in a “File System” policy. I found a customer that had specified “%system32%\system32\file.dll”. Obviously, “%system32%” is not a valid variable. Once I corrected the variable, the error ceased. Additionally, if the variable is incorrect, the policy will not complete processing and halt all of it from applying.
Josh Campbell (Last update 9/13/2004): My problem was caused by invalid permissions on a registry key. I found out which key was causing the error by looking in the “winlogon.log” file, found in “c:\windows\security\logs”. I just changed the permissions to same as the parent key and the error went away.
Anonymous (Last update 6/25/2004):
- Error code: 0x2 - I have found this to be due to a disk space issue on the system partition. There was not enough free space on the system partition for ESENT, which needed about 200MB to write a “tmp.edb” file.
Arjan Kal (Last update 1/2/2004):
- Error code 0x5 = Access is denied - If you remove permissions for the SYSTEM account from the root of the system drive (typically C:\), you will receive this error. Make sure that the SYSTEM account has Full Control permissions.
Kevin Miller (Last update 10/14/2003): Error code: 0x57 = "The parameter is incorrect." The invalid parameter in my case turned out to be a lack of security settings on services in the default domain policy. I had shut off Messenger service and never defined security for it. Added everyone and all was better.
Woodrow Wayne Collins (Last update 8/11/2003): See M324383 "Troubleshooting SCECLI 1202 Events" on how to approach this event.
CHooper (Last update 7/23/2003): Error code: 0x5 (Decimal 5) = "Access is denied."
- This error can occur if the file permissions on the C:\Winnt\sysvol\sysvol\<domainname>\policies tree do not include the Group Policy Creator Owners group. This group should have RWEM access to all files and folders within the tree.
Sergiy Martyshko (Last update 6/11/2003): Error code 0x57 (87 Decimal) - "The parameter is incorrect." This was caused in my case by resetting security on one service in "Computer configuration\Windows Settings\Security Settings\System Services" of one group policy. I looked through winlogon.log and found the error: ----Configure General Service Settings... Configure Dhcp. Error 87: The parameter is incorrect. Error configuring Dhcp. So I looked for dhcp service security settings in my GPOs and reset them.
Scotty (Last update 4/25/2003): M256345 helped me to fix it. The scenario was that we were tightening down security and removing the everyone group from the root of the logical drives. When Group policy was originally set up some machine security settings (specifically System services) had been configured. By default the everyone group is used. By going back to that group policy, finding the system service that was configured, opening it up and changing the security setting to match our new root drive security settings, fixed the error.
Arnaud Bacchella: Error code 0xd (13 Decimal) = "The data is invalid." - See M250454 and M259395.
Trent Nevius: Error code 0x534 (1332 Decimal) - "No mapping between account names and security IDs was done.": This was caused in my case by a security template applied locally (local security policy) that had the Power Users group used in the User Rights Assignment section on a Domain Controller. I just removed the 'Power Users' group (and any other group or user not in AD) from any policies that affect any DC and the errors go away after a secedit /refreshpolicy machine_policy /enforce command is issued.
Tha_sun: Error code: 0x5 (Decimal 5) - "Access denied". GPOs could not be distributed because in the security settings of several GPOs the user account "SYSTEM" did not have the right to take over the GPO. In addition, the service "distributed link tracking client" had to be configured to start automatically with full permissions for administrator group and user account "SYSTEM".
Mark Nyquist: Error code 0x428 (Decimal 1064) = "An exception occurred in the service when handling the control request." I had this same situation (1000 and 1202 every 5 minutes). This was cleared up via MS article M320099. There was one group that was causing the security policies to not apply. Enabling logging for Security Configuration Client Processing (M245422) enabled me to find out which group was causing the problem.
Cath: Error code 0x6fc (1788 Decimal) = "The trust relationship between the primary domain and the trusted domain failed." - See M279432.
Ron Wilkins: Error code 0x534 (1332 Decimal) - "No mapping between account names and security IDs was done.": A removal of IIS 5 from the server creates this error and Event ID 1000 every 5 minutes as well. An install adds the iusr accounts to the security policy, but an uninstall does not remove them.
Anja Ahrens: Error code: 0x4b8 (1208 Decimal) = "An extended error has occurred.". See M278316.
Carl Frank: M257247 explains how to remove the security settings on a system service when a GPO is not processed. A group policy had been deployed that locked out the domain administrators group from modifying a system service. GPOs would not be updated after this first one was applied. To allow for updating of the security of the system service all security had to be deleted and the system rebooted. On the reboot the new/updated GPO is applied with the correct security configuration.
Bob Bostwick: This event can also happen if you rename the Administrator account. To resolve the issue create an account named Administrator and disable it.
Paul Rinear: Error code: 0xd (decimal 13) - "The data is invalid.": There are two situations where I've experienced this problem:
1) Domain Controllers - 1202 and 1000 every 5 minutes - the problem is due to missing SYSVOL, DSDIT, and DSLOG environment variables and the fix is described in the Microsoft Knowledge Base (M250454)
2) Workstations and member servers - 1202 and 1000 errors about every 2 hours. If you turn on the ExtensionDebugLevel (as described in Knowledge Base article M245422) and look in winlogon.log, you see near the end that it fails on %DSDIT%. [..]
Situation 2 can occur by unknowingly applying the basicdc.inf security template to the entire domain instead of to just the domain controllers. When this happens, there will be references in the applied domain security template to DSDIT, DSLOG, and SYSVOL, even though these and their directories only exist on domain controllers. To get rid of the error in Situation 2, these references must be removed. I find the easiest way to do this is the following: Open up Domain Security Policy tool (or whatever topmost container holds the computers giving you the errors), right click on Security Settings, choose Import Policy, make sure you check the box that says "Clear this Database before importing" (otherwise the changes are just additions to the settings that are already there), then choose "setup security.inf". This will get you back pretty close to default, losing any customizations you made (that weren't being applied anyway). In about 5 minutes, all your domain controllers should pick up the change. Your workstations and member servers will pick them up much later, unless you do a "secedit /refreshpolicy machine_policy /enforce" at a command prompt on each of these machines.
Eric Peeters: Error code: 0x5 (5 Decimal) - "Access is denied."
- This problem was due to security mistakenly too tight on IIS Admin Service (access denied to everyone) in GP which in turn prevented FTP service security from being updated (FTP service applet couldn't even be launched from the services window). Restoring admin access to IIS Admin Service allowed for update of FTP service security settings and solved the issue.
Liz: If you are getting event ID 1000 & 1202 every 5 minutes, then it also may be to do with IIS. If you have removed IIS & SMTP server then check that the DC has removed the IWAM & IUSR users from the security policy. Go into Domain Controller Security Policy, Security Settings, Local Policies, User rights Assignment & make sure that these users are taken out of any policies they are still in. Then run "secedit /refreshpolicy machine_policy /enforce" from the command prompt & your errors should disappear.
Bill Helfrich: I have found that if there are any errors in the imported inf file to the GPO, you will receive these errors (0xd). Administrator used a local policy template that worked on other standalone servers and when imported to the Domain Controller, there were no errors observed. But every 5-7 minutes we received the 1202 warning and 1000 error. To resolve, either create a new template from scratch or review every line in the template for errors. We rebuilt the template from scratch in about 20 minutes. Now we receive no errors.
Arcanoid: Error code 0xd (Decimal 13) = "The data is invalid" - It can also happen if you apply security policy rule to file system resource and then delete it without deleting policy rule first. It happens both on domain controllers (within 5 minutes) and members (within 2 hours). To resolve this issue delete appropriate security policy rule and refresh domain (machine) policy. If event 1202 and 1000 messages persist, load default domain security template.
Peter Mrack: Error code: 0x4b8 (Decimal 1208) = "An extended error has occurred."
- This problem is caused by applying policies with defined restricted groups, i.e. the specified restricted group contains a local administrator account which doesn't exist on your local machine. Depending on your needs choose either to delete the entry of that account from the specified group in restricted groups or establish that account on the local machine. The important issue is a match of the accounts mentioned in restricted groups with those on the machine(s).
Gaël Hachez: This event can also be generated (in conjunction with event 1000) if you configure security settings on services in GPO. If you remove the full rights to the SYSTEM, the system is unable to apply the security settings. See tip 3567 at JSIInc.com for full details.
Brandon Smith: I was experiencing Events 1000 & 1202 every 90 minutes in a native-mode Win2k domain (turned out the only DC was upgraded from NT4.0) on all newly added Win2k Pro clients. Group policy was not being applied to any new machine. To resolve the problem, after auditing the group policy processing, I added the Group "Pre-Windows 2000 compatible Access" to each machine's local SAM. Following the group addition, running secedit /refreshpolicy user_policy /enforce (or machine_policy) showed that group policy had now been applied successfully.
Richard R. Kaufman: Error code: 0x5 (Decimal 5) = "Access is denied." - This specific error means that when the policy was being applied to the system, the account in which the policy is being run as did not have permission to make a required change.
You can review C:\Winnt\Security\Logs for exact details in Windows 2000, or C:\Windows\Security\Logs\winlogon.log in Windows XP. |
| Links | M245422, M250454, M256000, M256345, M257247, M259395, M260715, M278316, M279432, M281454, M284461, M285903, M295712, M296854, M310741, M319352, M320099, M324383, M329816, M827012, M834519, M835744, M835901, M837166, M839115, M890737, M918451, M927061, JSI Tip 3567, Error code 0x2, Error code 5, Error code 8, Error code 13, Error code 87, Error code 997, Error code 1208, Error code 1332, Error code 1788, JSI Tip 3252, JSI Tip 2434, JSI Tip 2059, JSI Tip 3561, JSI Tip 3861, Windows XP Troubleshooting, Active Directory Operations Overview, www.tech-geeks.org - W2K Server SceCli error 1202, Troubleshooting Active Directory Replication Problems, Interpreting Security Settings log files, Enable Logging for Security Settings, MSW2KDB, M975566 |
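Several comments above find the failing setting by matching the code in the event 1202 description against the Warning/Error lines in winlogon.log. The following is an added example, not part of the original page: the function names are hypothetical, the sample event and log text are constructed from the lines quoted in the comments, and the parser assumes statements of the form "Configure <item>." and "Warning|Error <n>: <message>.".

```python
import re
from typing import NamedTuple, Optional

# Win32 codes and messages as quoted in the comments on this page.
WIN32_MESSAGES = {
    5: "Access is denied",
    13: "The data is invalid",
    87: "The parameter is incorrect",
    997: "Overlapped I/O operation is in progress",
    1208: "An extended error has occurred",
    1332: "No mapping between account names and security IDs was done",
    1788: "The trust relationship between the primary domain and the trusted domain failed",
}

HEX_CODE = re.compile(r"\b0x([0-9a-fA-F]+)\b")
# Either a "Configure <target>." statement or a "Warning|Error <n>: <message>." result.
TOKEN = re.compile(
    r"Configure (?P<target>.+?)\.(?=\s|$)"
    r"|(?P<level>Warning|Error) (?P<code>\d+): (?P<msg>[^.]+)\."
)

class Finding(NamedTuple):
    section: Optional[str]   # last "----..." header seen, if any
    target: Optional[str]    # setting being configured when the result was logged
    level: str
    code: int
    message: str

def decode_event_code(description):
    """Return (decimal code, message) for the first hex code in a 1202 description."""
    m = HEX_CODE.search(description)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return code, WIN32_MESSAGES.get(code, "not listed on this page")

def parse_winlogon(lines):
    """Pair every Warning/Error result with the setting that was being configured."""
    findings, section, target = [], None, None
    for raw in lines:
        line = raw.strip()
        if line.startswith("----"):            # section header resets the target
            section, target = line.strip("-. "), None
            continue
        for m in TOKEN.finditer(line):
            if m.group("target") is not None:
                target = m.group("target")
            else:
                findings.append(Finding(section, target, m.group("level"),
                                        int(m.group("code")), m.group("msg")))
    return findings

def triage(description, lines):
    """Return the log findings whose code matches the code in the event text."""
    decoded = decode_event_code(description)
    if decoded is None:
        return []
    return [f for f in parse_winlogon(lines) if f.code == decoded[0]]

# Constructed sample input, modelled on the log excerpts quoted in the comments.
SAMPLE_EVENT = "Security policies are propagated with warning. 0x5 : Access is denied."
SAMPLE_LOG = r"""Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
----Configure General Service Settings...
Configure Dhcp.
Error 87: The parameter is incorrect.
Error configuring Dhcp.
"""

if __name__ == "__main__":
    print(decode_event_code(SAMPLE_EVENT))
    for finding in triage(SAMPLE_EVENT, SAMPLE_LOG.splitlines()):
        print(finding)
```
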
