Issues that occur when the crashonauditfail registry value is set to 1 on an Exchange computer or that occur when the Security event log reaches the maximum size in Windows 2000 Server (888179)



The information in this article applies to:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

You may experience one or more of the following symptoms:
  • The logon process may be very slow when you log on to a Microsoft Windows 2000-based domain controller that is integrated with the Active Directory directory service.
  • After you start the DNS snap-in, the domain name may not be displayed under Forward Lookup Zone.
  • After you restart a Windows 2000-based computer, only users who are members of the Domain Admins local group can log on to the computer.
  • When a Microsoft Outlook Web Access (OWA) user tries to access a Microsoft Exchange 2000 Server mailbox, the user receives the following error message:
    HTTP 503
    Note Administrators can still access their Exchange mailboxes.
  • When Microsoft Office Outlook users try to access an Exchange 2000 Server mailbox by using Microsoft Outlook, they receive the following error message:
    The set of folders could be opened. The attempt to log on to the Microsoft Exchange Server has failed.

Event messages on the Windows 2000-based computer

Additionally, the following event is logged in the Application log on the Windows 2000-based computer:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Event messages on the Exchange 2000 computer

Event 1000 may also be logged on the Exchange 2000 computer. Additionally, the following events may be logged in the Application log on the Exchange 2000 computer.

Event 9175

Event Type: Error
Event Source: MSExchangeSA
Event Category: MAPI Session
Event ID: 9175
Description: The MAPI call 'OpenMsgStore' failed with the following error: The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000

Event 9542

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9542
Description: Initialization of external interface OLEDB failed; Error ecAccessDenied-MAPI_E_NO_ACCESS.

Event 326

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 326
Description: Service Account failed to logon to the store as /o=OrganizationName/ou=Administrative Group Name/cn=Configuration/cn=Connections/cn=SMTP (ServerName)/cn={412C0189-E08F-46B9-86BB-E2C71D78DC36}. Error code : 0x80004005.

Event 324

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 324
Description: Instance 1 failed to initialize. Error code : 0x80004005.

Event 1005

Event Type: Error
Event Source: MSExchangeSA
Event Category: Monitoring
Event ID: 1005
Description: Unexpected error <<0xc1050000 - The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000>> occurred.

CAUSE

These issues may occur if one of the following conditions is true:
  • The crashonauditfail registry value is set to 1 on the Exchange computer.
  • The Security event log in Windows 2000 Server reaches the maximum size that is specified in the Shut down system immediately if unable to log security audits Group Policy policy setting, and new event messages are no longer logged.

RESOLUTION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve these issues, change the value for the crashonauditfail registry value. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. In the right pane, double-click crashonauditfail, type 0 in the Value Data box, and then click OK.

    Note If the registry data type for the crashonauditfail registry value is set to REG_NONE, and the data value is set to 2, change the data type to REG_DWORD, and then set the data value to 0. This step provides a temporary solution until you disable the Group Policy setting.

    The following are the data options for the crashonauditfail registry value:
    • 0 = Any user can log on. This is the default value.
    • 1 = Any user can log on if the computer can audit the events and write the events to the Security event log. If the Security event log is full, the value for the crashonauditfail key is changed to 2, and the computer crashes.
    • 2 = Only administrators can log on.
  4. Quit Registry Editor.
  5. Disable the Shut down system immediately if unable to log security audits Group Policy policy setting on the default domain or on the domain controller organizational unit.

    This policy setting exists on the default domain policy, on the default domain controller policy, and on the local security policy. Even if you disable this policy setting, you must make the registry change that is described in step 3. Before you follow this step, we recommend that you install the latest updates for Exchange 2000 Server.

    To disable the policy setting, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    3. In the right pane, double-click Shut down system immediately if unable to log security audits, click Disabled, and then click OK.
  6. Disable security auditing. To do this, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
    3. In the right pane, double-click Audit logon events, click to clear the Success check box, click to clear the Failure check box, and then click OK.
  7. If you successfully disabled security auditing, go to step 8. If you could not disable security auditing in step 6, archive and clear the Security log. To do this, follow these steps:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
    2. Right-click Security Log, and then click Clear all Events.
    3. Click Yes when you are prompted to save the Security log before you clear it.
    4. Click to select the location where you want to save the Security log file, type a name for the Security log in the File name box, and then click Save.
    5. Close Event Viewer.
  8. Restart the Exchange computer.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

301378 How to obtain the latest Exchange 2000 Server service pack

870540 Availability of the August 2004 Exchange 2000 Server post-Service Pack 3 Update Rollup

MORE INFORMATION

If you enable the Shut down system immediately if unable to log security audits Group Policy policy setting, the crashonauditfail registry value is automatically set to 1. However, if you shut down the computer and then restart it, the crashonauditfail registry data type is set to REG_NONE. The data value is set to 2. If you change the crashonauditfail data type to REG_DWORD, and you set the data value to 0, the DNS snap-in can access the Windows 2000-based domain controller that is integrated with Active Directory. If you disable the crashonauditfail data value by setting this value to 0, the data value is set to 1 again after you reapply the Group Policy policy setting.
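
As an added example (not part of the original article), the following Python code reads a Registry Editor export of the Lsa subkey and reports which of the states described above the crashonauditfail value is in, including the REG_NONE data type with a data value of 2. The sample export is constructed and the function names are hypothetical; hex(0) is the notation that Registry Editor uses for a REG_NONE value in a .reg file.

```python
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# Data values as listed in the article.
MEANING = {0: "any user can log on (default)",
           1: "any user can log on while events can be audited",
           2: "only administrators can log on"}

# Constructed sample: export taken after a restart with the policy setting enabled.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"auditbaseobjects"=dword:00000000
"crashonauditfail"=hex(0):02,00,00,00
'''

def read_crashonauditfail(reg_text):
    """Return (data type, data value) from a .reg export, or None if absent."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()   # track the subkey we are inside
            continue
        m = re.match(r'"crashonauditfail"=(dword|hex\(0\)|hex):(.*)$', line, re.I)
        if section != LSA.lower() or not m:
            continue
        kind, data = m.group(1).lower(), m.group(2).strip()
        if kind == "dword":
            return "REG_DWORD", int(data, 16)
        # hex(0) is REG_NONE, plain hex is REG_BINARY; bytes are little-endian.
        raw = bytes(int(b, 16) for b in data.split(",") if b)
        name = "REG_NONE" if kind == "hex(0)" else "REG_BINARY"
        return name, int.from_bytes(raw[:4], "little")
    return None

def assess(reg_text):
    """Map the exported value to the article's states and resolution steps."""
    found = read_crashonauditfail(reg_text)
    if found is None:
        return "crashonauditfail not found under Control\\Lsa"
    type_name, value = found
    state = MEANING.get(value, "unexpected value")
    if (type_name, value) == ("REG_DWORD", 0):
        return f"OK: {type_name} {value}, {state}"
    return (f"ACTION: {type_name} {value}, {state}; set the data type to REG_DWORD "
            "and the data value to 0 (step 3), then disable the policy setting (step 5)")

if __name__ == "__main__":
    print(assess(SAMPLE))
```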

Even if you set the Security log size to 4 gigabytes (GB), the symptoms that are described in this article may occur if the Security log reaches 200 to 300 megabytes (MB). For additional information about the problem that is described in this article, click the following article numbers to view the articles in the Microsoft Knowledge Base:

316685 Active Directory-integrated domain name is not displayed in DNS snap-in with Event ID 4000 and 4013 messages

312571 The Event log stops logging events before reaching the maximum log size

232564 STOP 0xC0000244 when Security log full

178208 CrashOnAuditFail with logon/logoff auditing causes blue screen

160783 Error message: Users cannot log on to a workstation

149393 CrashOnAuditFail activates on shutdown with ProcessTracking

140058 How to prevent auditable activities when Security log is full


Modification Type: Major
Last Reviewed: 1/25/2005
Keywords: kbGRPPOLICYprob kbGRPPOLICYinfo kbRegistry kbtshoot kbprb KB888179 kbAudITPRO