mixdcunphution

asked on

Local Administrator has no rights in local policy

As a precaution we have completed multiple vulnerability scans on our Windows 2003 Enterprise Server SP2. After the mitigation was completed, the local policy was unavailable; the local administrator has no privileges to the local policy. The mitigation set the policy to the domain group policy, I am thinking, and there is none, and on top of that it disabled the local admin from changing them.

Error when trying to access local policy:

Security Templates
The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retreive these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect.

All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
Any local security settings modified through this User Interface may subsequently be overriden by domain-level policies.

Please help. We are unable to rebuild and reinstall the operating system as we did on the other boxes to fix them. I hope all we need to do is find a way to give the administrator the rights to the local policy settings.

Thank you for your time and assistance.

-MixDCunphution
mixdcunphution

ASKER

Oh, by the way, I had tested the database for corruption and it is not corrupted.
If you log in as domain admin can you access the local policy?
No, it is not on a domain. I cannot add it to the domain because of local policies that need to be changed. I can only log in as the Local Admin, but the local admin seems to not have rights.
Well - You need to log into the box as a local admin.  When you go to
right click my computer>manage>local users and groups>administrators
What accounts are in there?  Try logging in as one of those accounts and then give rights back to the admin group.
If there are no other users in there then you have a big problem.  Try adding a user and give them admin rights.
If no go, you can try to run a repair or restore the system state from when it was working.
It already has admin rights, that's the problem... No admin users can access the local policy; there must have been something changed in the registry somewhere. Hoping you might know what part of the registry controls the local policy rights.

I know this is a big problem; the only way we could fix the other boxes was to rebuild. The only problem here is that at the moment that is not an option. Once we receive new boxes that will be, but for now we are looking for the fix.
Run this
esentutl /p %windir%\security\database\secedit.sdb
Taken from http://www.mcse.ms/message1781617.html
About half way down
That command did not work. It said that the database integrity was successful, but like I said earlier in the comments, the database itself is not corrupt. Although when I tried to re-open it, it still gave me the same error, but when I tried to open the Security Configuration and Analysis, it says that the database C:\Windows\security\Database\secedit.sdb, Access to database has been denied.

When I tried to just create another database, it tells me, after the database was created, that the database was selected, that: Unknown error occurred when attempting to open the database.

The database secedit.sdb has proven to be a known good on a different box. Somewhere there is a restriction; I checked the administrators group again, just in case, and all is in order. I am wondering if there is somewhere in the registry that has any privilege/rights settings for the local policy?
ASKER CERTIFIED SOLUTION
ryansoto
This solution is only available to members.
OK,
Looking at the referenced fix, I noticed that there were two other items in the registry that I disabled, and it didn't seem to work, but after a few minutes I went back in and it seemed to have a delay but it worked. Awesome work, thank you so much!!

That worked perfectly.
Great quick response to an irritating issue. Thank you so much!  YOU ROCK!
Welcome.