SCE Cannot Alter a Service's SACL Entry in the Service's Registry Key (295444)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Professional SP1
This article was previously published under Q295444

SYMPTOMS

When you implement a group policy to disable a service (such as the Routing and Remote Access service) on computers that join the domain, Security Configuration Editor (SCE) cannot alter the service's Security Access Control List (SACL) entry in the service's registry key.

CAUSE

SCE cannot interpret the SACL in the Security Descriptor Definition Language (SDDL) template, which causes SCE not to remove the SACL in the registry key and alter the registry entry.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later: 
   Date         Time   Version        Size     File name
   --------------------------------------------------------------
   28-Jun-2001  10:53  5.0.2195.3787  355,088  Advapi32.dll
   28-Jun-2001  10:49  5.0.2195.3787  519,440  Instlsa5.dll
   28-Jun-2001  10:53  5.0.2195.3787  143,120  Kdcsvc.dll  
   26-Jun-2001  20:15  5.0.2195.3781  197,392  Kerberos.dll
   26-Jun-2001  20:16  5.0.2195.3781   69,456  Ksecdd.sys  
   27-Jun-2001  12:20  5.0.2195.3787  501,520  Lsasrv.dll  
   26-Jun-2001  20:16  5.0.2195.3781   33,552  Lsass.exe   
   28-Jun-2001  10:53  5.0.2195.3781  909,072  Ntdsa.dll   
   28-Jun-2001  10:53  5.0.2195.3781  382,224  Samsrv.dll  
   28-Jun-2001  10:53  5.0.2195.3781  128,784  Scecli.dll  
   28-Jun-2001  10:53  5.0.2195.3649  299,792  Scesrv.dll  
   27-Jun-2001  12:19  5.0.2195.3787  501,520  Lsasrv.dll (56-bit)

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

284461 Event ID1000 and Event ID 1202 Messages Are Reported When You Set Security on the File Replication Service by Using Group Policy

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Modification Type:MinorLast Reviewed:9/26/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB295444
©2004 Microsoft Corporation. All rights reserved.