Race Condition May Lead to Loss of Group Policy Changes (272560)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q272560

SYMPTOMS

If you deploy a program on a large number of domain controllers, and that program changes the default domain controller Group Policy on each computer where it is installed by calling the Microsoft Windows NT 4.0-style Local Security Authority (LSA) application programming interface (API), the account may not have the required privilege when you later try to start the service on all of the computers. As a result, the service may not start, or it may experience errors while it is running.

For example, if you deploy a program that creates a user account to run a service, that account requires at least the SeServiceLogonRight privilege.

This problem can also occur on domain members (Windows 2000 Professional and Server computers) when the LSA API is called at the same time that Group Policy is about to be applied.

This problem also occurs if Group Policy is not applied right after the computer restarts. The following error messages are logged in the event log:
Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1003
Date: 20.04.2001
Time: 10:29:49
User: N/A
Computer: BUDS0001
Description:
Policy change from LSA/SAM can't be saved in the policy storage. Error 5 to save policy change in the local GPO database.

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1003
Date: 20.04.2001
Time: 08:38:38
User: N/A
Computer: BUDS0001
Description:
Policy change from LSA/SAM can't be saved in the policy storage. Error 2 to save policy change in the local GPO database.
During subsequent attempts to restart, Group Policy is applied correctly.

One program in which this problem is known to occur is the Microsoft Systems Management Server (SMS) version 2.0 client Setup for domain controllers. This program creates an SMS&_computer_name user account for the service, and an interim SMS#_computer_name user account is also created when automatic installation is used. Both accounts require a number of user privileges.

CAUSE

This problem can occur if a race condition occurs, especially if the list of users that require a certain privilege is long. The engine that translates LSA API calls into writes to the Group Policy Inf file on the file system (in the Sysvol tree) can get into a situation where a particular change is lost.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:
   Date     Time       Version           Size     File name
------------------------------------------------------------------
6/27/2001   12:19p    5.0.2195.3787     501,520   Lsasrv.dll (56-bit)
7/6/2001    10:55a    5.0.2195.3787     355,088   Advapi32.dll
7/6/2001    10:55a    5.0.2195.3649     135,440   Dnsapi.dll
7/6/2001    10:55a    5.0.2195.3649      94,992   Dnsrslvr.dll
7/6/2001    10:51a    5.0.2195.3787     519,440   Instlsa5.dll
7/6/2001    10:55a    5.0.2195.3817     142,608   Kdcsvc.dll
6/26/2001   08:15p    5.0.2195.3781     197,392   Kerberos.dll
6/26/2001   08:16p    5.0.2195.3781      69,456   Ksecdd.sys
6/27/2001   12:20p    5.0.2195.3787     501,520   Lsasrv.dll
6/26/2001   08:16p    5.0.2195.3781      33,552   Lsass.exe
7/6/2001    10:55a    5.0.2195.3776     306,448   Netapi32.dll
7/6/2001    10:55a    5.0.2195.3776     357,648   Netlogon.dll
7/6/2001    10:55a    5.0.2195.3826     909,072   Ntdsa.dll
7/6/2001    10:55a    5.0.2195.3781     382,224   Samsrv.dll
7/6/2001    10:55a    5.0.2195.3781     128,784   Scecli.dll
7/6/2001    10:55a    5.0.2195.3649     299,792   Scesrv.dll
7/6/2001    10:55a    5.0.2195.3649      48,400   W32time.dll
5/29/2001   09:26a    5.0.2195.3649      56,080   W32tm.exe
NOTE: When you deploy this hotfix in an SMS 2.0 environment, you should also install Service Pack 3 for SMS 2.0, and then install the Q278345.exe hotfix for SMS 2.0 Service Pack 3.

For additional information about the Q278345.exe hotfix for SMS 2.0 Service Pack 3, click the article number below to view the article in the Microsoft Knowledge Base:

278345 Competing Changes to SMSCliToknAcct& During Clisvc Startup


WORKAROUND

To work around this problem, grant the privilege to a group and make each user account a member of that group, instead of listing many individual user accounts for the privilege. This is also a good way to recover after the problem occurs, because finding the user accounts that are missing from the list can take longer than setting up the group. A short list of accounts in the policy also lets the policy be processed faster.
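As an added example (not part of this article), the following Python script audits the [Privilege Rights] section of a Group Policy security template, the Inf file that the article says LSA policy changes are written into, and reports which expected service accounts hold SeServiceLogonRight neither directly nor through a group. The template text, SIDs, account names and group membership below are constructed for illustration; the SID-to-name and group lookups are placeholders for a real directory query.

```python
from __future__ import annotations

# Constructed sample of a security template (GptTmpl.inf) as found in the Sysvol tree.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1101,CONTOSO\\SMS&_BUDS0002,CONTOSO\\SvcAccounts
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed directory data (hypothetical): SID -> account name, group -> members.
SID_TO_NAME = {"S-1-5-21-1000-2000-3000-1101": "CONTOSO\\SMS&_BUDS0001"}
GROUP_MEMBERS = {"CONTOSO\\SvcAccounts": {"CONTOSO\\SMS&_BUDS0003"}}

def _norm(name: str) -> str:
    # Windows account names are case-insensitive; compare them in one case.
    return name.strip().lower()

def parse_privilege_rights(inf_text: str) -> dict[str, set[str]]:
    """Return {privilege: normalized principal names} from the [Privilege Rights] section."""
    rights: dict[str, set[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        priv, _, value = line.partition("=")
        principals = set()
        for entry in filter(None, (e.strip() for e in value.split(","))):
            if entry.startswith("*"):  # SID form; resolve when known, else keep the SID
                entry = SID_TO_NAME.get(entry[1:], entry[1:])
            principals.add(_norm(entry))
        rights[priv.strip()] = principals
    return rights

def missing_service_logon(inf_text: str, expected: set[str]) -> set[str]:
    """Expected accounts that hold SeServiceLogonRight neither directly nor via a listed group."""
    holders = parse_privilege_rights(inf_text).get("SeServiceLogonRight", set())
    groups = {_norm(g): {_norm(m) for m in ms} for g, ms in GROUP_MEMBERS.items()}
    effective = set(holders)
    for grp in holders:
        effective |= groups.get(grp, set())
    return {acct for acct in expected if _norm(acct) not in effective}
```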

STATUS

Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbGPO kbnetwork kbSecurity kbWin2000PreSP2Fix kbWin2000sp3fix KB272560