mrmystery44 asked:

An Extended Error has occurred. Failed to save local policy database.

I am trying to modify the "Allow Login Locally" local security policy in Local Policy -> User Rights Assignment. When I add in any domain global group and click OK, I get the error "An Extended Error has occurred. Failed to save local policy database." The same error happens on any security policy when I try to add a domain global group (I've tried 3 different ones).

The computer I am making this change on is Windows 7 professional.  The domain ADS server is Windows 2000.

As per this link, I have tried the following 2 things:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scetroubletn.mspx?mfr=true

1) I have booted the computer in safe mode (with network) and verified the security database at %windir%\Security\Database\Secedit.sdb via the esentutl /g command.  It checks out OK.

2) I have also searched the file at %systemroot%\security\logs\winlogon.log for 1332.

This problem happens on all 3 Windows 7 professional systems that I have joined to the domain.  All three systems are brand new installs with very little customization, and no other applications yet installed.

I have also checked the security on the Secedit.sdb file.  It looks as I expected with SYSTEM and administrators having full access.

I have tried making the modifications using the domain administrator account, and the local administrator account.

ASKER CERTIFIED SOLUTION
GrantHoffman

This solution is only available to members.
mrmystery44 (ASKER)

GrantHoffman,
I was sure your suggestion was going to work, but no such luck.  I still get the same error.

I made the change to the "Network Security: LAN Manager authentication level" policy, and then rebooted the system (just to be sure) before re-trying to change the "Allow Login Locally" policy.  

I tried "Send LM & NTLM – use NTLMV2 session security if negotiated" and "Send LM & NTLM".  Before I changed the setting, it was just "Not Defined".  For now, I have set it to:  "Send LM & NTLM – use NTLMV2 session security if negotiated"

I sure think you are going down the right path though... as an interesting aside (maybe a clue?), I have noticed that the global groups I have put in local groups (like Remote Desktop Users) are not resolving into their English names, but stay as a full ID (not sure what it is called - like S-1-5-21-0123456789-123456789-1234).

I'm not sure if it's relevant, but I thought I would also state that there are NT4.0 computers in the domain.

Thanks,

I also tried setting "Minimum session security for NTLM SSP based (including secure RPC) Clients and Servers" to "No Minimum". The error still occurs.

I have found that when "Minimum session security for NTLM SSP based (including secure RPC) Clients and Servers" is set to "No Minimum", I cannot add any Domain Groups/Users to Local Groups. So I set it back to 128bit. I still have "LAN Manager authentication level" set to "Send LM & NTLM – use NTLMV2 session security if negotiated".

A workaround I have found is to create a local group, include the domain group in the local group, and then use the local group when modifying the local group policy "Allow Local Login".

Still looking for the right solution.

Still Searching...

No solution found... just the workaround. Yet another question closed in frustration. Why do I even pay for this?
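
The workaround described in the thread (a local group that contains the domain group, with the logon right granted to the local group) can be scripted with `net localgroup` and `secedit`. This is an added example, not something posted in the thread and not tested against the asker's domain; the group names are placeholders, and it assumes an elevated PowerShell prompt on the Windows 7 client.

```powershell
# Added example. Placeholder names below are assumptions: replace them.
$LocalGroup  = 'LocalLogonUsers'            # hypothetical local group
$DomainGroup = 'EXAMPLE\Workstation Users'  # hypothetical domain global group
$Right       = 'SeInteractiveLogonRight'    # the "Allow log on locally" user right

$work = Join-Path $env:TEMP 'user-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'         # scratch database used by /configure

# 1. Create the local group if it does not exist, then nest the domain group in it.
net localgroup $LocalGroup 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) { net localgroup $LocalGroup /add }
net localgroup $LocalGroup $DomainGroup /add

# 2. Export the current user-rights assignments to an INF template.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 3. Append the local group to the right, keeping every existing holder.
#    Existing holders are usually exported as *SID entries and are left untouched.
$found = $false
$lines = Get-Content $cfg | ForEach-Object {
    if ($_ -match "^$Right\s*=\s*(.*)$") {
        $found = $true
        $holders = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() })
        if ($holders -notcontains $LocalGroup) { $holders += $LocalGroup }
        "$Right = " + ($holders -join ',')
    } else {
        $_
    }
}
if (-not $found) {
    throw "$Right is not in the export; add it under [Privilege Rights] by hand."
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# 4. Apply only the user-rights area from the edited template.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS

# 5. Confirm the result by exporting again and showing the line.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern "^$Right"
```

Because the right is granted to a local group, the policy entry itself no longer depends on the client resolving a domain SID when the policy is saved.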