You cannot determine Group Policy security settings on a Windows Server 2003, Enterprise Edition-based computer

Article ID: 932461 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

You experience the following symptoms on a Microsoft Windows Server 2003, Enterprise Edition-based computer:
  • The Group Policy security settings that apply to this computer cannot be determined. When you try to retrieve these settings from the local security policy database, you receive the following error message:
    The parameter is incorrect.
  • When you import a new Secedit.sdb database, the import process fails. Additionally, you receive the following error message:
    An extended error has occurred. Import failed.
  • If you delete the Secedit.sdb database, it is not rebuilt.
Back to the top | Give Feedback

CAUSE

This problem occurs if specific Group Policy security settings are changed from their default settings. These security settings specify the minimum required security setting of server-side and client-side network connections for programs that use the NTLM security support provider (SSP).
Back to the top | Give Feedback

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows

To resolve this issue, change the specific Group Policy settings to their default values. To do this, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click NtlmMinServerSec, and then click Modify.
  4. In the Value data box, type 0, and then click OK.
  5. Right-click NtlmMinClientSec, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.
Back to the top | Give Feedback

MORE INFORMATION

NTLMv2 authentication

Session security determines the minimum security standards for client sessions and for server sessions. The following policies determine the minimum security standards for a program-to-program communications session on a server for a client:
  • Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
  • Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Note These policies are located under Computer Settings\Windows Settings\Security Settings\Local Policies\Security Options in the Microsoft Management Console (MMC) Group Policy Object Editor snap-in.

The options for these security settings are as follows:
  • Require message integrity
  • Require message confidentiality
  • Require NTLM version 2 session security
  • Require 128-bit encryption
By default, there are no requirements for these settings.

Historically, Windows NT has supported the following two variants of challenge/response authentication for network logons:
  • LM challenge/response
  • NTLM version 1 challenge/response
LM allows for interoperability with the installed base of clients and servers. NTLM provides improved security for connections between clients and servers.

The following registry subkeys correspond to the challenge/response authentication variants:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec
Note If you select the Require NTLMv2 session security option, and then you set the LAN Manager authentication level to Send LM & NTLM responses (level 0), the two settings may conflict. In this case, the following error message may be logged in the Secpol.msc file or in the GPEdit.msc file:
Windows cannot open the local policy database. An unknown error occurred when attempting to open the database.
Back to the top | Give Feedback

Properties

Article ID: 932461 - Last Review: May 16, 2007 - Revision: 1.2
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Keywords: 
kberrmsg kbtshoot kbexpertiseadvanced kbprb KB932461
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top