JSI Tip 3354. Event log errors are generated each time the Default Domain Controllers policy is applied?

After you import the Basicdc.inf file in to the Default Domain Controllers Group Policy object (GPO), errors are generated each time the policy is applied.

Application log:        Event Type: Error        Event Source: Userenv        Event Category: None        Event ID: 1000        Date: 3/1/2000        Time: 6:16:43 PM        User: NT AUTHORITYSYSTEM        Computer: COMPUTERNAME        Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure        status code of (13).         Event Type: Warning        Event Source: SceCli        Event Category: None        Event ID: 1202        Date: 3/1/2000        Time: 6:16:43 PM        User: N/A        Computer: COMPUTERNAME        Description: Security policies are propagated with warning. 0xd : The data is invalid. Please look for        more details in TroubleShooting section in Security Help. Winlogon.log:        Error 13: The data is invalid. Error convert %SYSVOL%DOMAINPOLICIES.        Error 13: The data is invalid. Error converting section File Security. Userenv.log:        ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0xd.

Basicdc.inf references three environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%), that are only defined during the Dcpromo process.

To fix the problem:

1. Open a CMD prompt on the domain controller and type net share sysvol. Record the path that is returned.

2. Right-click My Computer and press Properties.

3. Select the Advanced tab.

4. Press Environment Variables.

5. In the System variables section, press New.

6. Type SYSVOL in the Variable Name box.

7. In the Variable Value box, type the path from step 1, without the last sysvol.

8. Repeat this process to create the DSDIT and DSLOG variables, whose values can be obtained at:

   HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNTDSParameters       Database log files path    REG_SZ    C:WINNTNTDS (Set DSLOG to C:WINNTNTDS)        DSA Working Directory      REG_SZ    C:WINNTNTDS (Set DSDIT to C:WINNTNTDS)

9. At a CMD prompt, type secedit /refreshpolicy machine_policy /enforce