Fix:
Enable Logging
1. Enable debug logging for the Security Configuration client-side extension. To do this: a. Start Registry Editor.
b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}
c. On the Edit menu, click Add Value, and then add the following registry value:
Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2
d. Quit Registry Editor.
2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:
secedit /refreshpolicy machine_policy /enforce (Or gpupdate /force)
This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.
Look at the log (Go to the bottom of the log and work upwards!)
Error from Log
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
----Configure Security Policy...
Configure password information.
Configure account force logoff information.
System Access configuration was completed successfully.
Audit/Log configuration was completed successfully.
Kerberos Policy configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
Undo value for the undefined group policy setting <machine\software\microsoft\driver signing\policy> wasn't reset successfully (1627). Undo value was not removed.
Error 1627: Function failed during execution.
Error configuring machine\software\microsoft\driver signing\policy.
Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature>.
Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal>.
Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity>.
Configuration of Registry Values was completed with one or more errors.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Changed all policies
Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior
to "Warn but allow"
Ran gpupdate /force on the domain controller
you should see Event ID 1707 "Security policy in the group policy objects has been applied successfully"
|
