Group Policy security settings could not be determined
-
Wednesday, January 30, 2013 10:58 PM
We are running a Windows 2008R2 Enterprise Edition system. It is a member server in an Active Directory domain. A user, a member of the Local Administrators group was going to make a change in the Local Security Policy. When she selected "User Rights Assignment" she received this error message:
I have been able to duplicate it as well. These events are generated in the Application Log:
- Log Name: Application
Source: ESENT
Date: 1/30/2013 4:24:57 PM
Event ID: 488
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: NTSrv132.int.oru.edu
Description:
services (480) An attempt to create the file "C:\WINDOWS\Security\Database\tmp.edb" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">488</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-01-30T22:24:57.000000000Z" />
<EventRecordID>2094149</EventRecordID>
<Channel>Application</Channel>
<Computer>NTSrv132.int.oru.edu</Computer>
<Security />
</System>
<EventData>
<Data>services</Data>
<Data>480</Data>
<Data>
</Data>
<Data>C:\WINDOWS\Security\Database\tmp.edb</Data>
<Data>-1032 (0xfffffbf8)</Data>
<Data>5 (0x00000005)</Data>
<Data>Access is denied. </Data>
</EventData>
</Event>
- Log Name: Application
Source: ESENT
Date: 1/30/2013 4:25:07 PM
Event ID: 488
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: NTSrv132.int.oru.edu
Description:
services (480) An attempt to create the file "C:\WINDOWS\Security\Database\tmp.edb" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">488</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-01-30T22:25:07.000000000Z" />
<EventRecordID>2094150</EventRecordID>
<Channel>Application</Channel>
<Computer>NTSrv132.int.oru.edu</Computer>
<Security />
</System>
<EventData>
<Data>services</Data>
<Data>480</Data>
<Data>
</Data>
<Data>C:\WINDOWS\Security\Database\tmp.edb</Data>
<Data>-1032 (0xfffffbf8)</Data>
<Data>5 (0x00000005)</Data>
<Data>Access is denied. </Data>
</EventData>
</Event>
- Log Name: Application
Source: ESENT
Date: 1/30/2013 4:25:18 PM
Event ID: 488
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: NTSrv132.int.oru.edu
Description:
wuaueng.dll (828) SUS20ClientDataStore: An attempt to create the file "C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">488</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-01-30T22:25:18.000000000Z" />
<EventRecordID>2094151</EventRecordID>
<Channel>Application</Channel>
<Computer>NTSrv132.int.oru.edu</Computer>
<Security />
</System>
<EventData>
<Data>wuaueng.dll</Data>
<Data>828</Data>
<Data>SUS20ClientDataStore: </Data>
<Data>C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb</Data>
<Data>-1032 (0xfffffbf8)</Data>
<Data>5 (0x00000005)</Data>
<Data>Access is denied. </Data>
</EventData>
</Event>
I have given the Users security group all permissions except "Full control" and "Special Permissions" to C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb and C:\WINDOWS\Security\Database\tmp.edb but the result was the same. I have reviewed numerous articles on the internet. Most don't apply to Windows Server 2008 but the ones that do havent't provided a solution. For example, many articles describe using the Security Configuration and Analysis to open the secedit.sdb database. I receive an "Access to the database has been denied." error. Does anyone have any ideas how to trouble shoot this?
- Moved by Santosh BhandarkarMicrosoft Community Contributor, Moderator Thursday, January 31, 2013 6:20 AM group policy specific, moved from Server General
- Log Name: Application
All Replies
-
Thursday, January 31, 2013 8:48 PM> <Data>C:\WINDOWS\Security\Database\tmp.edb</Data>What ACLs are in place on the database directory? (icacls output is ok.)
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Thursday, January 31, 2013 11:26 PM
Here they are:
C:\WINDOWS\Security\Database BUILTIN\Users:(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 filesThank you for taking a look at this.
-
Friday, February 01, 2013 9:55 AM> Here they are:>Looks good, so it is not an ACL issue. Try to do a clean boot (safemode) and move all files within the database directory to a backuplocation. They should be recreated at next boot.
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Friday, February 01, 2013 2:31 PM
I am replying to this message because, for some reason, I am not seeing your last post in the thread.
I Booted into safe mode, renamed the database folder to Database_old, and created a new Database folder. I rebooted the system and when I logged in I had the same error when I attempted to modify User Rights Assignments. The Database folder contains two files that were created at reboot. The files areedbres00001.jrs and edbres00002.jrs
These events were recorded in the event log at the same time:
Log Name: Application
Source: ESENT
Date: 2/1/2013 7:57:22 AM
Event ID: 488
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: NTSrv132.int.oru.edu
Description:
services (476) An attempt to create the file "C:\WINDOWS\Security\Database\tmp.edb" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">488</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-01T13:57:22.000000000Z" />
<EventRecordID>2094811</EventRecordID>
<Channel>Application</Channel>
<Computer>NTSrv132.int.oru.edu</Computer>
<Security />
</System>
<EventData>
<Data>services</Data>
<Data>476</Data>
<Data>
</Data>
<Data>C:\WINDOWS\Security\Database\tmp.edb</Data>
<Data>-1032 (0xfffffbf8)</Data>
<Data>5 (0x00000005)</Data>
<Data>Access is denied. </Data>
</EventData>
</Event>
Log Name: Application
Source: SceCli
Date: 2/1/2013 7:57:22 AM
Event ID: 1202
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: NTSrv132.int.oru.edu
Description:
Security policies were propagated with warning. 0x10d9 : Unable to read from or write to the database.
Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="SceCli" />
<EventID Qualifiers="32768">1202</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-01T13:57:22.000000000Z" />
<EventRecordID>2094812</EventRecordID>
<Channel>Application</Channel>
<Computer>NTSrv132.int.oru.edu</Computer>
<Security />
</System>
<EventData>
<Data>0x10d9 : Unable to read from or write to the database.
Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".</Data>
</EventData>
</Event>
Log Name: Application
Source: SceCli
Date: 2/1/2013 7:57:22 AM
Event ID: 1005
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NTSrv132.int.oru.edu
Description:
Some JET database is corrupt. Run esentutl /g to check the integrity of the security database %%windir%%\security\Database\secedit.sdb. If it is corrupt, attempt a soft recovery first by running esentutl /r in the %%windir%%\security directory. If soft recovery fails, attempt a repair with esentutl /p on %%windir%%\security\Database\secedit.sdb. Then delete the log files in %%windir%%\security. Error opening some security database(s) such as %windir%\security\database\secedit.sdb.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="SceCli" />
<EventID Qualifiers="49152">1005</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-01T13:57:22.000000000Z" />
<EventRecordID>2094813</EventRecordID>
<Channel>Application</Channel>
<Computer>NTSrv132.int.oru.edu</Computer>
<Security />
</System>
<EventData>
<Data>Error opening some security database(s) such as %windir%\security\database\secedit.sdb.</Data>
</EventData>
</Event>Since secedit.sdb doesn't exist in the Database folder I couldn't perform any steps described in the 3rd error message.
Thank you
-
Saturday, February 02, 2013 4:26 PM> I am replying to this message because, for some reason, I am not> seeing your last post in the thread.>The forum soft seems to have some issues after the last update...> I Booted into safe mode, renamed the database folder to Database_old,> and created a new Database folder. I rebooted the system and when I> logged in I had the same error when I attempted to modify User Rights> Assignments. The Database folder contains two files that were created> at reboot. The files areedbres00001.jrs and edbres00002.jrs>Then unfortunately - I'm kinda out of ideas. Maybe somebody else comesup with a solution, but I would (if possible) recommission the server...
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Sunday, February 03, 2013 8:15 PMThank you for your assistance. We may recommission the server but I am going to dig a little more and see if I can find a solution first. I'll update the thread if I do find a solution. Thanks again.
-
Thursday, February 07, 2013 3:13 PMMartin
We have been able to make some progress so I wanted to pass it along. Microsoft Tech Support suggested using Msconfig to disable all non-MS services and boot the system. The User Rights Assignment interface in local policy worked as expected. After that it was a process of elimination to determine which service was causing the issue. I haven't determined the state of the server at this point but now we have a starting point to determine what has happened.
Thanks again. -
Thursday, February 07, 2013 3:17 PM>> We have been able to make some progress so I wanted to pass it along.> Microsoft Tech Support suggested using Msconfig to disable all non-MS> services and boot the system. The User Rights Assignment interface in> local policy worked as expected. After that it was a process of> elimination to determine which service was causing the issue. I> haven't determined the state of the server at this point but now we> have a starting point to determine what has happened.Thanks for the update - a possible culprit is virus protection ;-)
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Thursday, February 07, 2013 4:14 PM>> We have been able to make some progress so I wanted to pass it along.> Microsoft Tech Support suggested using Msconfig to disable all non-MS> services and boot the system. The User Rights Assignment interface in> local policy worked as expected. After that it was a process of> elimination to determine which service was causing the issue. I> haven't determined the state of the server at this point but now we> have a starting point to determine what has happened.Thanks for the update - a possible culprit is virus protection ;-)
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
That was our first thought as well but we didn't have any issues with just the AV products and services running. Appears to be a different product but it is running on other servers in a similar environment without error so we still have some research to do. -
Thursday, February 07, 2013 4:26 PM
Curious if you actually tried doing the esentutl repair on secedit.sdb? That's worked for me in the past.
Darren
Darren Mar-Elia MS-MVP, Group Policy
www.gpoguy.com
www.sdmsoftware.com - "The Group Policy Experts" -
Friday, February 08, 2013 9:12 PM
Darren
Yes, I tried esentutl repair, along with a few other procedures I found on the web, on secedit.sdb. I typically received this error:
Log Name: Application
Source: ESENT
Description:
services (480) An attempt to create the file "C:\WINDOWS\Security\Database\tmp.edb" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8). -
Friday, February 08, 2013 9:18 PMWoops. I misspoke. The software that appears to be causing the issue is not installed on any other servers so that would explain why we are only having the issue on the one system. I have given my result to an app programmer; they will work on this issue with the vendor.
.png)
