Security policies are propagated with warning. 0xd : The d..

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Continuing to get the following error in both of my
Domain Controllers:
"Security policies are propagated with warning. 0xd : The
data is invalid."

Have followed the guidelines in KB articles 256000 and
250454. Verified correct NTFS permissions, rebooted..etc.

Userenv.log is giving the following error:
"LoadUserProfile: Failed to impersonate user with 5."

Winlogon.log is giving the following error:
"Error 13: The data is invalid.
Error convert %DSLOG%.
Error 13: The data is invalid.
Error convertting section File Security.
----Configuration engine is initialized with error.----"

Basicdc.log gives the following error:
"Error 13: The data is invalid.
Error convert %DSDIT%.
Error 13: The data is invalid.
Error convertting section File Security.
----Configuration engine is initialized with error.----"

On both DC's. Probably going to be calling MS directly
soon, but thought I'd try here first, just in case....and
of course, cannot search the newsgroup thanks to the
upgrade in progress. :)
 
Guest

DK1088 wrote:

> Continuing to get the following error in both of my
> Domain Controllers:
> "Security policies are propagated with warning. 0xd : The
> data is invalid."
>
> Have followed the guidelines in KB articles 256000 and
> 250454. Verified correct NTFS permissions, rebooted..etc.
>
> Userenv.log is giving the following error:
> "LoadUserProfile: Failed to impersonate user with 5."
>

Sounds like a user/group is configured to do something but does not have
appropriate privileges. Are you specifying a certain group to handle
security logs and you aren't giving them the privilege for "managing
auditing and security logs" (I think that's the setting, under User
Rights Assignments in the policy).

>
> Winlogon.log is giving the following error:
> "Error 13: The data is invalid.
> Error convert %DSLOG%.
> Error 13: The data is invalid.
> Error convertting section File Security.
> ----Configuration engine is initialized with error.----"
>
> Basicdc.log gives the following error:
> "Error 13: The data is invalid.
> Error convert %DSDIT%.
> Error 13: The data is invalid.
> Error convertting section File Security.
> ----Configuration engine is initialized with error.----"
>

Did you import the basicdc.inf file into the policy? If so, try creating
a policy without doing that.

>
> On both DC's. Probably going to be calling MS directly
> soon, but thought I'd try here first, just in case....and
> of course, cannot search the newsgroup thanks to the
> upgrade in progress. :)
 
Guest

Check the permissions on SYSVOL. Error 5 is Access Denied, which usually
means lack of permissions although could be authentication issues which
means DNS ;-)


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Guest

Your error messages indicate that you're using environment variables to
define file security settings. I suspect that %DSLOG% and %DSDIT% aren't
defined as environment variables on that server.

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm


"DK1088" <anonymous@discussions.microsoft.com> wrote in message
news:085201c535a0$ed064de0$a401280a@phx.gbl...
> Continuing to get the following error in both of my
> Domain Controllers:
> "Security policies are propagated with warning. 0xd : The
> data is invalid."
>
> Have followed the guidelines in KB articles 256000 and
> 250454. Verified correct NTFS permissions, rebooted..etc.
>
> Userenv.log is giving the following error:
> "LoadUserProfile: Failed to impersonate user with 5."
>
> Winlogon.log is giving the following error:
> "Error 13: The data is invalid.
> Error convert %DSLOG%.
> Error 13: The data is invalid.
> Error convertting section File Security.
> ----Configuration engine is initialized with error.----"
>
> Basicdc.log gives the following error:
> "Error 13: The data is invalid.
> Error convert %DSDIT%.
> Error 13: The data is invalid.
> Error convertting section File Security.
> ----Configuration engine is initialized with error.----"
>
> On both DC's. Probably going to be calling MS directly
> soon, but thought I'd try here first, just in case....and
> of course, cannot search the newsgroup thanks to the
> upgrade in progress. :)
>
>
 
Guest

To follow up the responses:

Nick - The environment variables are set, as per the KB
article that covered that previously mentioned.

Ptwilliams - Permissions on the Sysvol are correct (I've
even compared them to other installed DC's that are not
here to make sure).

Brandon - I suspect a Basicdc.inf was imported into the
policy, from what little information I have been given,
but am unsure how to correct that. AD and GPO settings
are replicating and applying normally (I've created new
GPO's just to test this), so nothing 'appears' to be
impacted, but this 5-minute warning is very annoying, and
I would like to resolve to have peace of mind for myself
and others. (And no, no groups with special permissions
for security logs).

Thanks all!
 
Guest

I'm looking at this purely from the security policy perspective. The
Userenv.log error is also troublesome but I'm unsure why it would be
surfacing. More context from userenv might be required.

If the env vars are set, the next thing I would do is to start looking
through the GPO security templates and find the one configuring those
settings. It's possible that the line where they are defined is malformed
causing you to get this error. The lines for the file security section are
formed like this:
"<FileName>",<InheritancePropagationType>,"<SDDL>"
The propagation type can be 0, 1, or 2. Also, if the SDDL is longer than
512 chars, it will be broken up into additional fields. You could probably
script the search by using "secedit /validate" to find the problematic
template in the DC's %windir%\security\templates\policies. Once found,
there's a GUID in the template that identifies which GPO it came from. The
template has to be located locally for secedit to work.

N



"DK1088" <anonymous@discussions.microsoft.com> wrote in message
news:0fd501c536bf$919cc130$a401280a@phx.gbl...
>
> To follow up the responses:
>
> Nick - The environment variables are set, as per the KB
> article that covered that previously mentioned.
>
> Ptwilliams - Permissions on the Sysvol are correct (I've
> even compared them to other installed DC's that are not
> here to make sure).
>
> Brandon - I suspect a Basicdc.inf was imported into the
> policy, from what little information I have been given,
> but am unsure how to correct that. AD and GPO settings
> are replicating and applying normally (I've created new
> GPO's just to test this), so nothing 'appears' to be
> impacted, but this 5-minute warning is very annoying, and
> I would like to resolve to have peace of mind for myself
> and others. (And no, no groups with special permissions
> for security logs).
>
> Thanks all!
>
 
Guest

Nick - All policy templates validate. Still the same 1202
error every five minutes.

This is not a fun situation. :)




>-----Original Message-----
>I'm looking at this purely from the security policy perspective. The
>Userenv.log error is also troublesome but I'm unsure why it would be
>surfacing. More context from userenv might be required.
>
>If the env vars are set, the next thing I would do is to start looking
>through the GPO security templates and find the one configuring those
>settings. It's possible that the line where they are defined is malformed
>causing you to get this error. The lines for the file security section are
>formed like this:
> "<FileName>",<InheritancePropagationType>,"<SDDL>"
>The propagation type can be 0, 1, or 2. Also, if the SDDL is longer than
>512 chars, it will be broken up into additional fields. You could probably
>script the search by using "secedit /validate" to find the problematic
>template in the DC's %windir%\security\templates\policies. Once found,
>there's a GUID in the template that identifies which GPO it came from. The
>template has to be located locally for secedit to work.
>
>N
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>Any opinions or policies stated within are my own and do not necessarily
>constitute those of my employer. Use of included script samples are subject
>to the terms specified at http://www.microsoft.com/info/cpyright.htm
>
>
>"DK1088" <anonymous@discussions.microsoft.com> wrote in message
>news:0fd501c536bf$919cc130$a401280a@phx.gbl...
>>
>> To follow up the responses:
>>
>> Nick - The environment variables are set, as per the KB
>> article that covered that previously mentioned.
>>
>> Ptwilliams - Permissions on the Sysvol are correct (I've
>> even compared them to other installed DC's that are not
>> here to make sure).
>>
>> Brandon - I suspect a Basicdc.inf was imported into the
>> policy, from what little information I have been given,
>> but am unsure how to correct that. AD and GPO settings
>> are replicating and applying normally (I've created new
>> GPO's just to test this), so nothing 'appears' to be
>> impacted, but this 5-minute warning is very annoying, and
>> I would like to resolve to have peace of mind for myself
>> and others. (And no, no groups with special permissions
>> for security logs).
>>
>> Thanks all!
>>
>
 
Guest

I bet not. ;)

So you can resolve those system env vars as a local user. Did you reboot so
services.exe has restarted and received the updated variables? Also, I'll
just reiterate that those need to be set as System environment variables or
else they won't be placed into services.exe's PEB. I bet you've got that
part right though.

Ultimately, you could just remove the two file system permission entries
that are giving you problems. Then recreate them using the group policy
editor if you really need them. I bet the NTDS directories are in the same
location on both DCs so you don't require use of those two env vars. Or
after removing the entries, you could just manually ACL that directory on
your DCs to have System full control, builtin administrators (aka. domain
admins on DCs) full control, uncheck allow inherited permissions to
propagate. This is what the basicdc.inf sets. Of course, the default ACLs
are probably fine.

N



"DK1088" <anonymous@discussions.microsoft.com> wrote in message
news:0bc701c53a18$82c4aa40$a501280a@phx.gbl...
> Nick - All policy templates validate. Still the same 1202
> error every five minutes.
>
> This is not a fun situation. :)
 
Guest

Sorry, Nick, I am just not following you...bad day, but
that is no excuse. I am just not understanding what you
think I can do to resolve this.

The environment variables are there, the systems (both
DC's have been rebooted numerous times). The NTDS
directory does have System with full, non-propagated
rights.

What is getting me is the Winlogon.log file, contained
below. I cannot find an answer to the problem it is
presenting.


Winlogon.log:

Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
04/06/2005 12:55:40
Invoke Registry Value Delay Filter.
Analyze machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
Analyze machine\software\microsoft\windows\currentversion\policies\system\disablecad.
Analyze machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
Analyze machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
Analyze machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
Analyze machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session manager\protectionmode.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Analyze machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
Analyze machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
Analyze machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel.
Analyze MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl..
Analyze MACHINE\Software\Microsoft\Non-Driver Signing\Policy.
Analyze MACHINE\Software\Microsoft\Driver Signing\Policy.
Copy local policy.
Error 13: The data is invalid.
Error convert %DSLOG%.
Error 13: The data is invalid.
Error convertting section File Security.
 
Guest

Or I might not be explaining it well enough. ;)

Basically, what I'm saying is:
1. Make sure it's a system environment variable (as opposed to a user env
var). You can set both types in the environment variables UI.
2. Make sure you've rebooted so services.exe is restarted after the env vars
are set (which it sounds like you've done)
3. If the errors don't go away after that, edit the GPO where you imported
basicdc.inf and remove the two entries using the %DSLOG% and %DSDIT% env
vars from the file security section. That way the problematic setting won't
be configured anymore.
4. If you do want security enforced on that directory, recreate the entries
but don't use those env vars.

The rights on the NTDS directory aren't a problem. The issue is that the
env var isn't being seen properly by services.exe.

N



"DK1088" <anonymous@discussions.microsoft.com> wrote in message
news:0d9101c53b04$9861a050$a601280a@phx.gbl...
> Sorry, Nick, I am just not following you...bad day, but
> that is no excuse. I am just not understanding what you
> think I can do to resolve this.
>
> The environment variables are there, the systems (both
> DC's have been rebooted numerous times). The NTDS
> directory does have System with full, non-propagated
> rights.
>
> What is getting me is the Winlogon.log file, contained
> below. I cannot find an answer to the problem it is
> presenting.
>
>
> Winlogon.log:
>
> Copy local policy.
> Error 13: The data is invalid.
> Error convert %DSLOG%.
> Error 13: The data is invalid.
> Error convertting section File Security.
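Two of Nick's posts above lend themselves to a worked example: the one giving the [File Security] line format ("<FileName>",<InheritancePropagationType>,"<SDDL>", propagation 0/1/2, SDDL split into extra fields past 512 characters), and step 3 of his later procedure (remove the entries that reference %DSLOG% and %DSDIT% from the imported template). The Python below is an added example written for this thread; it is not code from the thread, from secedit, or from any Microsoft tool. It parses the [File Security] section of a template, reports entries whose path references a variable missing from the supplied system environment (the condition DK1088 hits: the template passes "secedit /validate" but the configuration engine cannot convert %DSLOG% at apply time), flags propagation types outside 0/1/2, and produces a copy of the template with the offending entries removed. The template fragment and the system-environment mapping are constructed for illustration, and treating continuation fields as plain concatenation of the SDDL is an assumption. Real templates are UTF-16 (Unicode=yes); decode them before passing the text in, and on a live DC the system environment comes from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment rather than from a hard-coded dictionary.

```python
import csv
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches %NAME% references as they appear in template paths, e.g. %DSLOG%.
ENV_REF = re.compile(r"%([^%\\]+)%")
# Inheritance/propagation values the second field may take (per Nick's post).
VALID_PROPAGATION = {0, 1, 2}

# Constructed template fragment (not a real basicdc.inf). The %DSLOG% entry
# carries its SDDL in two fields, the way secedit splits SDDL strings longer
# than 512 characters (split artificially here). The last entry has a bad
# propagation type on purpose.
SAMPLE_TEMPLATE = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemRoot%\repair",2,"D:P(A;CI;FA;;;BA)(A;CI;FA;;;SY)"
"%DSDIT%",2,"D:P(A;CI;FA;;;BA)(A;CI;FA;;;SY)"
"%DSLOG%",2,"D:P(A;CI;FA;;;BA)","(A;CI;FA;;;SY)"
"%SystemDrive%\Documents and Settings",3,"D:P(A;CI;FA;;;BA)"
'''

# Constructed stand-in for the SYSTEM environment block that services.exe
# inherits; %DSLOG% is deliberately absent to reproduce the thread's symptom.
SAMPLE_SYSTEM_ENV = {
    "SystemRoot": r"C:\WINNT",
    "SystemDrive": "C:",
    "DSDIT": r"C:\WINNT\NTDS",
}


@dataclass
class FileSecurityEntry:
    path: str
    propagation: str  # kept as text so a bad value can be reported verbatim
    sddl: str


def section_lines(template: str, name: str) -> List[str]:
    """Return the non-blank, non-comment lines inside INI section [name]."""
    lines, inside = [], False
    for line in template.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].strip().lower() == name.lower()
        elif inside and s and not s.startswith(";"):
            lines.append(s)
    return lines


def parse_file_security(template: str) -> List[FileSecurityEntry]:
    """Parse "<FileName>",<Propagation>,"<SDDL>"[,"<SDDL cont.>"...] lines.
    Assumption: continuation fields are concatenated to rebuild the SDDL."""
    entries = []
    for line in section_lines(template, "File Security"):
        fields = next(csv.reader([line], skipinitialspace=True))
        if len(fields) < 3:
            raise ValueError(f"malformed File Security entry: {line}")
        entries.append(FileSecurityEntry(fields[0], fields[1].strip(), "".join(fields[2:])))
    return entries


def find_problems(template: str, system_env: Dict[str, str]) -> List[str]:
    """Report entries the configuration engine would fail to convert: paths
    referencing variables missing from the system environment, a propagation
    type outside 0/1/2, or an empty SDDL. Variable names compare case-insensitively."""
    known = {k.upper() for k in system_env}
    problems = []
    for e in parse_file_security(template):
        for var in ENV_REF.findall(e.path):
            if var.upper() not in known:
                problems.append(f"undefined system environment variable %{var}% in {e.path}")
        if not (e.propagation.isdigit() and int(e.propagation) in VALID_PROPAGATION):
            problems.append(f"propagation type {e.propagation!r} not in 0/1/2 for {e.path}")
        if not e.sddl:
            problems.append(f"empty SDDL for {e.path}")
    return problems


def remove_entries_using(template: str, var_names: List[str]) -> str:
    """Step 3 of the procedure: drop File Security entries whose path
    references any of var_names, leaving every other line untouched."""
    wanted = {v.upper() for v in var_names}
    out, inside = [], False
    for line in template.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].strip().lower() == "file security"
        elif inside and s and not s.startswith(";"):
            fields = next(csv.reader([s], skipinitialspace=True))
            if {v.upper() for v in ENV_REF.findall(fields[0])} & wanted:
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in find_problems(SAMPLE_TEMPLATE, SAMPLE_SYSTEM_ENV):
        print("PROBLEM:", p)
    print(remove_entries_using(SAMPLE_TEMPLATE, ["DSLOG", "DSDIT"]))
```

Run against the constructed sample it reports the unresolved %DSLOG% reference and the propagation type of 3, and the cleaned template keeps the [Unicode] and [Version] sections and the two entries that do not use %DSLOG% or %DSDIT%. This is a pre-check to run over the templates under %windir%\security\templates\policies alongside "secedit /validate", not a replacement for it: secedit checks the syntax, this checks whether the variables the syntax refers to actually exist in the environment the policy engine will run with.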