Q: What could prevent security policy settings that have been defined in a domain-wide Group Policy Object (GPO) from being applied to Windows 7 clients?

A corrupt security database on Windows 7 clients can prevent GPO security settings from being applied, but you can use esentutl.exe to fix the problem.

Jan De Clercq

March 22, 2012


A: This problem can be caused by a corrupt security database on your Windows 7 client. To apply the security policy portions of a GPO on a Windows machine, Windows uses the secedit configuration engine and its local security database, secedit.sdb. The secedit database can be found on every Windows box in the %windir%\security\database file system folder. If the secedit database gets corrupted, it can prevent the security policy settings that are defined in a GPO from being correctly applied on a machine.

You can check the health of secedit.sdb by using the esentutl.exe command, as follows:

esentutl /g %windir%\security\database\secedit.sdb

If esentutl finds errors during the health check, the output of the above command will contain the message "This operation may find that this database is corrupt." If the database is healthy, you should get output similar to the one illustrated in Figure 1.

Figure 1: The esentutl.exe command showing a healthy database

Esentutl also provides an option to repair or recover the secedit database. Microsoft recommends you follow specific steps, depending on the location of the edb.log and edb.chk files. If the edb.log file and the edb.chk file are both in the %windir%\security folder, you must run the following esentutl command to recover the security database:

esentutl /r edb /l %windir%\security /s %windir%\security

The /r switch refers to recovery mode and makes esentutl attempt to bring the database to a clean state. It rebuilds the database using log entries, which explains the use of the /l and /s switches: the /l switch points the command to the location of the log files (*.log), and /s points the command to the location of the checkpoint files (*.chk).

If either the edb.log or the edb.chk file is missing from the %windir%\security folder, or if neither file exists in this folder, you must run the following esentutl command to repair the security database:

esentutl /p %windir%\security\database\secedit.sdb

The /p switch refers to repair mode and makes esentutl attempt to repair a corrupted or damaged database.
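The health check and the choice between the /r and /p paths described above, scripted in PowerShell as an added example that is not part of the original article. It assumes esentutl returns a non-zero exit code when the integrity check fails; the function and variable names are my own, and the script runs the repair in -WhatIf mode so it only prints the command it would run.

```powershell
# Added example (not from the original article): check secedit.sdb with
# esentutl /g, then choose the recovery (/r) or repair (/p) path depending
# on whether edb.log and edb.chk are both present. Run elevated.
$SecurityDir = Join-Path $env:windir 'security'
$SeceditDb   = Join-Path $SecurityDir 'database\secedit.sdb'

function Test-SeceditDatabase {
    # /g = integrity check. Assumption: a failed check returns a non-zero
    # exit code and prints the "may find that this database is corrupt" text.
    $output  = & esentutl.exe /g $SeceditDb 2>&1 | Out-String
    $healthy = ($LASTEXITCODE -eq 0) -and ($output -notmatch 'corrupt')
    [pscustomobject]@{ Healthy = $healthy; ExitCode = $LASTEXITCODE; Output = $output }
}

function Repair-SeceditDatabase {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $logPresent = Test-Path (Join-Path $SecurityDir 'edb.log')
    $chkPresent = Test-Path (Join-Path $SecurityDir 'edb.chk')
    if ($logPresent -and $chkPresent) {
        # Both the log and the checkpoint file exist: replay the logs (/r).
        $esentArgs = @('/r', 'edb', '/l', $SecurityDir, '/s', $SecurityDir)
    } else {
        # One or both are missing: fall back to repair mode (/p).
        $esentArgs = @('/p', $SeceditDb)
    }
    if ($PSCmdlet.ShouldProcess($SeceditDb, "esentutl $($esentArgs -join ' ')")) {
        & esentutl.exe @esentArgs
        return $LASTEXITCODE
    }
}

$check = Test-SeceditDatabase
if ($check.Healthy) {
    Write-Host 'secedit.sdb passed the integrity check.'
} else {
    Write-Warning "secedit.sdb failed the integrity check (exit code $($check.ExitCode))."
    # Drop -WhatIf to actually run the recovery or repair command.
    Repair-SeceditDatabase -WhatIf
    # After a successful repair, re-apply policy with: gpupdate /force
}
```

Back up the %windir%\security folder before running the repair, since /p can discard data it cannot recover.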
