Inconsistent Group Membership State after a Restricted Group Policy Is Enabled (306100)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q306100
SYMPTOMS
After you establish a Group Policy object (GPO) that defines restricted groups, and then apply the group policy, the resulting group membership on the destination computer may be incomplete.
The first indication of this problem may be error messages in the Application log from the "SCECLI" source. These messages mention that the security policy was not applied.
To find out whether an error occurred while a given group was processed, check the log file.
For additional information about how to enable debug logging, see the following article in the Microsoft Knowledge Base:
245422 Enabling Logging for Security Configuration Client Processing
An example of this error might look like the following excerpt from the log that is listed in the preceding article:
----Configure Group Membership...
Configure Power Users.
Match - administrator.
Match - newuser.
add User2.
Error 1387: A member could not be added to or removed from the local
group because the member does not exist.
error adding User2.
Group Membership configuration completed with error
CAUSE
This problem can occur during the processing of the group policy. If one of the user accounts that is defined in the Restricted Groups policy cannot be validated (not found on the local computer or on the domain), that user and subsequent users in the group policy are not made members of the target group.
RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
-----------------------------------------------------------
05-Oct-2001 10:42:22 5.0.2195.4472 123,664 Adsldp.dll
05-Oct-2001 10:42:22 5.0.2195.4308 130,832 Adsldpc.dll
05-Oct-2001 10:42:24 5.0.2195.4016 62,736 Adsmsext.dll
05-Oct-2001 10:42:22 5.0.2195.4384 364,816 Advapi32.dll
05-Oct-2001 10:42:22 5.0.2195.4141 133,904 Dnsapi.dll
05-Oct-2001 10:42:22 5.0.2195.4379 91,408 Dnsrslvr.dll
05-Oct-2001 10:43:12 5.0.2195.4411 529,168 Instlsa5.dll
05-Oct-2001 10:42:24 5.0.2195.4437 145,680 Kdcsvc.dll
04-Oct-2001 21:00:18 5.0.2195.4471 199,440 Kerberos.dll
04-Sep-2001 21:32:54 5.0.2195.4276 71,024 Ksecdd.sys
27-Sep-2001 15:58:44 5.0.2195.4411 511,248 Lsasrv.dll
06-Sep-2001 18:31:38 5.0.2195.4301 33,552 Lsass.exe
27-Sep-2001 15:59:06 5.0.2195.4285 114,448 Msv1_0.dll
05-Oct-2001 10:42:24 5.0.2195.4153 312,080 Netapi32.dll
05-Oct-2001 10:42:24 5.0.2195.4357 370,448 Netlogon.dll
05-Oct-2001 10:42:24 5.0.2195.4464 912,656 Ntdsa.dll
05-Oct-2001 10:42:24 5.0.2195.4433 387,856 Samsrv.dll
05-Oct-2001 10:42:24 5.0.2195.4117 111,376 Scecli.dll
05-Oct-2001 10:42:24 5.0.2195.4476 299,792 Scesrv.dll
05-Oct-2001 10:42:24 5.0.2195.4025 50,960 W32time.dll
01-Aug-2001 21:44:16 5.0.2195.4025 56,592 W32tm.exe
05-Oct-2001 10:42:22 5.0.2195.4433 125,712 Wldap32.dll
WORKAROUND
Use the logging that is described earlier in this article to isolate the user account that cannot be validated, and then remove that user from the restricted group in the GPO where it is defined.
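
The isolation step of this workaround, as an added example that is not part of the original article and is not Microsoft code: it reads the group membership section of the debug log, reports which member failed and with which error code, and lists the policy members that were never processed after the failure. It assumes the log lines follow the format of the excerpt in SYMPTOMS; `SAMPLE_POLICY` is a hypothetical list of intended members copied by hand from the GPO, and `User3` is a constructed name.

```python
import re
# Constructed sample, modelled on the log excerpt in this article.
SAMPLE_LOG = """----Configure Group Membership...
Configure Power Users.
Match - administrator.
Match - newuser.
add User2.
Error 1387: A member could not be added to or removed from the local
group because the member does not exist.
error adding User2.
Group Membership configuration completed with error
"""
# Hypothetical policy definition: members the GPO intends for each group.
SAMPLE_POLICY = {"Power Users": ["administrator", "newuser", "User2", "User3"]}

def parse_membership_log(text):
    """Return {group: {"present": set, "failed": {member: error_code}}}."""
    groups, current, in_section, last_code = {}, None, False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("----"):  # section banner
            in_section, current = "Configure Group Membership" in line, None
        elif not in_section:
            continue
        elif m := re.match(r"Configure (.+)\.$", line):
            current = groups.setdefault(m.group(1), {"present": set(), "failed": {}})
        elif current is None:
            continue
        elif m := re.match(r"(?:Match - |add )(.+)\.$", line):
            current["present"].add(m.group(1).lower())
        elif m := re.match(r"Error (\d+):", line):
            last_code = int(m.group(1))
        elif m := re.match(r"error adding (.+)\.$", line):
            name = m.group(1).lower()
            current["present"].discard(name)  # the preceding "add" failed
            current["failed"][name] = last_code
    return groups

def audit(policy, text):
    """Report, per group, members that failed and members never processed."""
    parsed, findings = parse_membership_log(text), {}
    for group, members in policy.items():
        seen = parsed.get(group, {"present": set(), "failed": {}})
        handled = seen["present"] | set(seen["failed"])
        skipped = [m for m in members if m.lower() not in handled]
        if seen["failed"] or skipped:
            findings[group] = {"failed": seen["failed"], "never_processed": skipped}
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_LOG))
```

Account names are compared case-insensitively; a group that appears in the policy but not in the log is reported with all of its members under `never_processed`.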
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Modification Type: Minor
Last Reviewed: 10/7/2005
Keywords: kbHotfixServer kbQFE kbbug kbenv kbfix kbQFE kbWin2000PreSP3Fix KB306100