none
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

    Question

  • Hi,

    I have a server that keeps reporting this error every 5 mins. I am unable to remote into this server via RDP due to this error.

    Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

    In the winlogon log file, there is an error Error 1450: Insufficient system resources exist to complete the requested service.

    ----Un-initialize configuration engine...
    **************************

    Error 0 to send control flag 1 over to server.

    Make a local copy of \\xxx.xx.xx\sysvol\xxx.xx.xx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\xxx.xx.xx\sysvol\xxx.xx.xx\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

    Process GP template gpt00000.dom.

    This is not the last GPO.
    -------------------------------------------
    Thursday, 1 September 2016 11:33:10 AM
    Administrative privileged user logged on.
    Parsing template C:\Windows\security\templates\policies\gpt00000.dom.
    Copy undo values to the merged policy.


    ----Un-initialize configuration engine...

    Process GP template gpt00001.inf.

    This is the last GPO : domain policy is ignored on DC.
    -------------------------------------------
    Thursday, 1 September 2016 11:33:11 AM
    Administrative privileged user logged on.
    Parsing template C:\Windows\security\templates\policies\gpt00001.inf.


    ----Un-initialize configuration engine...
    -------------------------------------------
    Thursday, 1 September 2016 11:33:11 AM
    Administrative privileged user logged on.
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...


    ----Configure User Rights...
    Configure S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466.
    Configure S-1-5-80-1291205660-3397711462-822707101-4202570228-2382680589.
    Configure S-1-5-80-3665006928-4114119256-3005178647-3227244413-1113146715.
    Configure S-1-5-80-1721512588-3715141403-2073348187-3582517497-3257782863.
    Configure S-1-5-20.
    Configure S-1-5-19.
    Configure S-1-5-80-1060977806-2686040272-3836906367-1555899539-1087266639.
    Configure S-1-5-80-2530729058-1562416944-2024781946-3039897883-675777791.
    Configure S-1-5-80-129384432-176096346-2028259936-4280157434-2113836960.
    Configure S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996.
    Configure S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334.
    Configure S-1-5-21-1741966062-3111163319-3367365890-1133.
    Configure S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415.
    Configure S-1-5-32-549.
    Configure S-1-5-32-551.
    Configure S-1-5-32-544.
    Configure S-1-5-21-1741966062-3111163319-3367365890-1115.
    Configure S-1-5-21-1741966062-3111163319-3367365890-1122.
    Configure S-1-5-21-1741966062-3111163319-3367365890-1126.
    Configure S-1-5-32-559.
    Configure S-1-5-32-568.
    Configure S-1-5-32-554.
    Configure S-1-5-11.
    Configure S-1-1-0.
    Configure S-1-5-32-550.
    Configure S-1-5-32-548.
    Configure S-1-5-9.
    Configure S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420.

    User Rights configuration was completed successfully.


    ----Configure Security Policy...
    LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17).
    Error 1450: Insufficient system resources exist to complete the requested service.
      Error in Authz APIs while configuring LSA anonymous lookup setting.
    Error 1450: Insufficient system resources exist to complete the requested service.
      Configure LSA anonymous lookup setting.
    Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
    There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\disablecad>.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\nolmhash>.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature>.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature>.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal>.
    Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity>.

    Configuration of Registry Values was completed successfully.

    Audit/Log configuration was completed successfully.

    Kerberos Policy configuration was completed successfully.


    ----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


    ----Un-initialize configuration engine...[/indent]

    Does anyone know how to fix this issue?

    • Edited by paddy28 Thursday, September 1, 2016 5:19 AM
    Thursday, September 1, 2016 5:17 AM

Answers

  • Hi,

    Thanks for your post.

    The 0x4b8 error is generic and can be caused by a number of different problems. To troubleshoot these errors, follow these steps:

    1. Enable debug logging for the Security Configuration client-side extension. To do this:

      a. Start Registry Editor.

             b. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}

              c. On       the Edit menu, click Add Value, and then add the following       registry value:

                   Value name: ExtensionDebugLevel
                   Data type: DWORD
                   Value data: 2

              d. Quit       Registry Editor.

    2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:

    secedit /refreshpolicy machine_policy /enforce

    This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder

    In addition, here are articles below describle known issues that cause the 0x4b8 error.

    Event ID 1000 and 1202 After Configuring Policies

    https://support.microsoft.com/en-us/kb/260715

    ESENT Event IDs 1000, 1202, 412, and 454 Are Logged Repeatedly in the Application Event Log

    https://support.microsoft.com/en-us/kb/278316

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, September 7, 2016 2:58 AM
    Moderator

All replies

  • Hi,
     
    Am 01.09.2016 um 07:17 schrieb paddy28:
    > LSA anonymous lookup names setting : existing SD =
    > D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17).
    > *Error 1450: Insufficient system resources exist to complete the
    > requested service.*
    >  Error in Authz APIs while configuring LSA anonymous lookup setting.
    > *Error 1450: Insufficient system resources exist to complete the
    > requested service.*
    >  Configure LSA anonymous lookup setting
     
    What will happen, if you configure this two settings differently in the GPO?
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Thursday, September 1, 2016 7:37 AM
  • Mark, I am not sure what you mean by configuring two settings differently in the GPO?

    Could you please elaborate on that for me? 

    Thursday, September 1, 2016 11:54 PM
  • Am 02.09.2016 um 01:54 schrieb paddy28:
    > Mark, I am not sure what you mean by configuring two settings
    > differently in the GPO?
     
    Sorry, I count wrong. Its only one.
    The security setting "LSA anonymous lookup names setting : existing"
    causes an error in your configuration. Change it.
     
    Probably it´s because, it´s the first entry.
     
    Then I would delete the local "C:\Windows\security\database\secedit.sdb"
    and see what will happen.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Friday, September 2, 2016 7:32 AM
  • Am 02.09.2016 um 09:32 schrieb Mark Heitbrink [MVP]:
    > Then I would delete the local
    > "C:\Windows\security\database\secedit.sdb" and see what will happen.
     
    found this one:
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Friday, September 2, 2016 7:43 AM
  • Hi,

    Thanks for your post.

    The 0x4b8 error is generic and can be caused by a number of different problems. To troubleshoot these errors, follow these steps:

    1. Enable debug logging for the Security Configuration client-side extension. To do this:

      a. Start Registry Editor.

             b. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}

              c. On       the Edit menu, click Add Value, and then add the following       registry value:

                   Value name: ExtensionDebugLevel
                   Data type: DWORD
                   Value data: 2

              d. Quit       Registry Editor.

    2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:

    secedit /refreshpolicy machine_policy /enforce

    This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder

    In addition, here are articles below describle known issues that cause the 0x4b8 error.

    Event ID 1000 and 1202 After Configuring Policies

    https://support.microsoft.com/en-us/kb/260715

    ESENT Event IDs 1000, 1202, 412, and 454 Are Logged Repeatedly in the Application Event Log

    https://support.microsoft.com/en-us/kb/278316

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, September 7, 2016 2:58 AM
    Moderator
  • "secedit" don't you mean gpupdate nowadays?
    Tuesday, March 6, 2018 3:49 PM