How to collect Local Security Authority API logging for troubleshooting

Article translations Article translations
Article ID: 277675 - View products that this article applies to.
This article was previously published under Q277675
This article has been archived. It is offered "as is" and will no longer be updated.
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
Expand all | Collapse all


If you have problems after you use the Local Security Authority (LSA) API to apply changes to the Default Domain group policy or Default Domain Controller group policy setting, or the local security policy on non-domain controller computers, you can enable debug logging to help determine what problems the API is having. Logging will start after the system is restarted.

More information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Use Registry Editor (Regedt32.exe) to view the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit
Add the following registry value to the preceding registry key:
Value Name: PolicyDebugLevel
Data Type: REG_DWORD
Radix: Decimal
Value: 2 (0 - no logging, 1 - errors only, 2 - verbose)
Note: The log file is generated in the %SystemRoot%\Security\Logs\Scepol.log file when LSA APIs are called. Scepol.log defaults to 1MB in size. To increase the maximum size, add the following registry value to the preceding registry key:
Value Name: PolicyLogSize
Data Type: REG_DWORD
Radix: Decimal
Value: 1024 (in Kb, the minimum value is 1024 (1MB); if it is less than this, the value is ignored)


Article ID: 277675 - Last Review: November 2, 2013 - Revision: 8.0
Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Server 2003 Service Pack 2
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2012 Standard
  • Windows Server 2012 Datacenter
kbnosurvey kbarchive kbenv kbhowto KB277675

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from