Fixing Security Settings Problems

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This section discusses how to troubleshoot problems related to Security Settings policy.

Security Settings CSE Background

The Security Settings client-side extension (CSE) provides client-side interfaces to the security configuration engine and performs Resultant Set of Policy (RSoP) logging during policy propagation.

The binary file that contains the Security CSE is Scecli.dll. This name usually appears in events, error messages, and log entries generated while Security GPOs are processed. Scecli manages application of the Security policy settings that appear under the Security Settings node in the Group Policy Object Editor. Scecli is responsible for the following areas:

  • Account Policies

  • Local Policies

  • Event Log

  • Restricted Groups

  • System Services

  • Registry

  • File System

When the Group Policy engine notifies the Security CSE, it provides a list of GPOs to apply. For each GPO, the Security CSE copies the gpttmpl.inf file from that policy's folder structure in the Sysvol to the hidden local folder %SYSTEMROOT%\Security\Templates\Policies. The settings are read from the gpttmpl.inf in the Sysvol and written to an intermediary file named tmpgptfl.inf. Once the copy has completed successfully, the file is copied to an incrementally numbered name, starting from gpt00000.inf. If the GPO is linked to the domain, the cached template is named with the .dom extension; otherwise, it is named with the .inf extension.

The two extensions are used because some settings are applied only if the GPO that contains them is linked to the domain. For more information, see Group Policy Application Rules for Domain Controllers on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=39978). The templates are then applied from the cached location in ascending numerical order. This means that gpt00000.inf is applied before gpt00001.inf, and that gpt00001.inf has higher precedence in the case of a conflict.
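The following Python script is an added example, not Microsoft code. It replays the ordering rule described above over a copy of the cached templates and reports, for each setting, which file supplies the final value and which earlier files it overrode. The sample template contents, the function names, the assumption that the numeric index is shared between .inf and .dom files, and the encoding handling are all assumptions made for illustration. The script does not model which settings are applied only from domain-linked GPOs.

```python
import re
from pathlib import Path

# Constructed sample cache contents (not taken from a real system). File names
# follow the page: gptNNNNN.inf, or .dom when the GPO is linked to the domain.
SAMPLE_CACHE = {
    "gpt00001.inf": "[System Access]\nMinimumPasswordLength = 12\n[Event Audit]\nAuditLogonEvents = 3\n",
    "gpt00000.dom": "[Unicode]\nUnicode=yes\n[System Access]\nMinimumPasswordLength = 7\nLockoutBadCount = 5\n",
    "tmpgptfl.inf": "[System Access]\nMinimumPasswordLength = 0\n",  # intermediary file, ignored
}
CACHED = re.compile(r"^gpt(\d{5})\.(inf|dom)$", re.IGNORECASE)
SKIP_SECTIONS = {"unicode", "version"}  # header sections, not policy settings

def parse_template(text):
    """Yield (section, key, value) for every 'key = value' line of a template."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            section = None if name.lower() in SKIP_SECTIONS else name
        elif section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()

def application_order(names):
    """Cached template names sorted by numeric index (lowest is applied first)."""
    hits = [(int(m.group(1)), n) for n in names if (m := CACHED.match(n))]
    return [n for _, n in sorted(hits)]

def effective_settings(cache):
    """Map (section, key) -> (final value, winning file, files it overrode)."""
    result = {}
    for name in application_order(cache):
        for section, key, value in parse_template(cache[name]):
            _, prev, older = result.get((section, key), (None, None, []))
            result[(section, key)] = (value, name, (older + [prev]) if prev else older)
    return result

def load_cache(folder):
    """Read a copied Policies folder. Assumes UTF-16 with a BOM, else single-byte text."""
    def decode(b):
        return b.decode("utf-16" if b[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")
    return {p.name: decode(p.read_bytes()) for p in Path(folder).iterdir() if CACHED.match(p.name)}

if __name__ == "__main__":
    for (section, key), (value, src, older) in sorted(effective_settings(SAMPLE_CACHE).items()):
        kind = "domain-linked" if src.lower().endswith(".dom") else "not domain-linked"
        print(f"[{section}] {key} = {value}  <- {src} ({kind}); overrides {older or 'nothing'}")
```

To analyze a real system, pass the result of load_cache() on a copy of %SYSTEMROOT%\Security\Templates\Policies to effective_settings() in place of SAMPLE_CACHE.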

Fixes for specific Security Settings issues

From the following list, choose the problem that best describes your situation, and then step through the suggested fix: