Interpreting Security Settings log files

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains how to get started in interpreting Security Settings log files.

Using Winlogon.log

When you enable logging for the Security Settings client-side extension, a file named Winlogon.log is created in the %SYSTEMROOT%\Security\Logs folder. Winlogon.log provides debug logging information for security events and errors (Scecli.dll).

You can use Winlogon.log to look for security configuration-related errors such as the following:

  • Mapping problems between account names and security IDs.

  • Incorrect permissions for performing tasks (Access denied errors).

  • Problems with the trust relationship between the primary domain and trusted domains.

  • Extended errors. These refer to generic errors that may be caused by a number of different problems.

For information about enabling Scecli logging, see the "Enabling Logging for Security Settings" section in Configuring Administrative Workstation Settings for Group Policy Troubleshooting.

To reproduce the policy failure, refresh the policy settings by typing the following at the command prompt: gpupdate /force.

Example

After you enable logging for Scecli, you can examine the Winlogon.log file to look for errors such as an account causing a Scecli failure or the wrong policy applying to a computer. For example, you can determine if an account was removed from policy or deleted, the account name contains typographical errors, or an account name cannot be resolved in Restricted Groups policy and as a result the security policy settings do not apply.

To identify the problem account, problem setting, and the problem GPO, perform the following tasks:

  1. To find the problem account, type the following at the command prompt, and then press ENTER:

    find /I "cannot find" %SYSTEMROOT%\security\logs\winlogon.log

    The Find output identifies the problem account names, for example, "Cannot find MichaelAlexander." In this example, the user account MichaelAlexander does not exist in the domain, or it has a different spelling, for example, MichelleAlexander.

    Determine why this account cannot be resolved. Look for issues such as typographical errors, a deleted account, the wrong policy applied to this computer, or a trust problem. You may decide that the account has to be removed from the policy.

  2. After you find the account problem, you can find the affected policy setting and GPO. To do this, type the following at the command prompt on the computer that is producing the Scecli error:

    find /i "<account name>" %SYSTEMROOT%\security\templates\policies\gpt*.*

    Replace <account name> with the account identified in step 1; the quotation marks around the account name are part of the Find syntax.

    The following example shows the Find command syntax and the results:

    c:\>find /i "MichaelAlexander" %SYSTEMROOT%\security\templates\policies\gpt*.*

    D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

    D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

    D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,*S-1-5-32-550,MichaelAlexander,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-32-548

    D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM

    In this case, GPT00002.INF is the cached security template from the problem GPO that contains the problem security setting. The matching line identifies the problem setting as SeInteractiveLogonRight. The display name for SeInteractiveLogonRight is Logon locally.

    For more information about the security settings constants (for example, SeInteractiveLogonRight) and their associated display names (for example, Logon locally), see the Microsoft Windows 2000 Server Resource Kit, "Distributed Systems Guide." The map of security settings constants is in the "User Rights" section of the Appendix.

  3. After you identify the cached security template, you can determine which GPO contains the problem setting by searching the cached security template for the text "GPOPath=".

    In this example, you would see the following: GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE. The GPO's GUID is {6AC1786C-016F-11D2-945F-00C04FB984F9}.

  4. You can use the Resource Kit utility Gpotool.exe to find the friendly name for the GPO GUID. Type the following at the command prompt, and then press ENTER: gpotool /verbose.

    Search the output for the GUID that you identified in step 3. The four lines that follow the GUID contain the friendly name of the policy. For example:

    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}

    Policy OK

    Details:

    ------------------------------------------------------------

    DC: domcntlr1.wingtiptoys.com

    Friendly name: Default Domain Controllers Policy

GPOTool.exe ships with the Microsoft Windows® 2000 Server Resource Kit and is also available as a free download from Gpotool.exe: Group Policy Verification Tool on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=17911). For more information, see the Windows 2000 Server Resource Kit.
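The walk through steps 1 to 3 above, as an added Python example that is not part of the original topic: it reads a constructed Winlogon.log excerpt and constructed stand-ins for the cached GPT*.INF templates, extracts the unresolved account, and reports the template, setting and GPO GUID. The log lines, template contents and GUIDs are constructed samples, and the Gpotool friendly-name lookup of step 4 is not reproduced.

```python
import re
from typing import Dict, List

# Constructed Winlogon.log excerpt (not a real capture) with one unresolved account.
WINLOGON_LOG = """\
Configure User Rights...
  Configure S-1-5-32-544.
  Cannot find MichaelAlexander.
  Error 1332: No mapping between account names and security IDs was done.
"""
# Constructed stand-ins for the cached templates in
# %SYSTEMROOT%\security\templates\policies\GPT*.INF (file name -> contents).
CACHED_TEMPLATES: Dict[str, str] = {
    "GPT00002.INF": "[Privilege Rights]\nSeInteractiveLogonRight = TsInternetUser,"
                    "*S-1-5-32-549,MichaelAlexander,*S-1-5-32-544\n"
                    "GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\\MACHINE\n",
    # Near-miss spelling: whole-token matching must NOT flag this template.
    "GPT00003.INF": "[Privilege Rights]\nSeShutdownPrivilege = MichelleAlexander\n"
                    "GPOPath={00000000-0000-0000-0000-000000000003}\\MACHINE\n",
}
CANNOT_FIND = re.compile(r"^\s*Cannot find (.+?)\.?\s*$", re.IGNORECASE | re.MULTILINE)
GPO_PATH = re.compile(r"^GPOPath=(\{[0-9A-F-]{36}\})", re.IGNORECASE | re.MULTILINE)

def find_unresolved_accounts(log_text: str) -> List[str]:
    # Step 1: every distinct "Cannot find <name>" account, in order of appearance.
    seen: List[str] = []
    for name in CANNOT_FIND.findall(log_text):
        if name not in seen:
            seen.append(name)
    return seen

def locate_account(account: str, templates: Dict[str, str]) -> List[Dict[str, str]]:
    # Steps 2-3: the setting and GPO GUID of every cached template listing the account.
    # Unlike "find /i", members are compared as whole comma-separated tokens (leading
    # "*" on SIDs ignored), so MichelleAlexander is not taken for MichaelAlexander.
    hits: List[Dict[str, str]] = []
    for fname, body in templates.items():
        m = GPO_PATH.search(body)
        guid = m.group(1).upper() if m else "<GPOPath not found>"
        for line in body.splitlines():
            if "=" not in line or line.upper().startswith("GPOPATH="):
                continue
            setting, value = (s.strip() for s in line.split("=", 1))
            if account.lower() in [v.strip().lstrip("*").lower() for v in value.split(",")]:
                hits.append({"template": fname, "setting": setting, "gpo_guid": guid})
    return hits

def triage(log_text: str, templates: Dict[str, str]) -> List[Dict[str, str]]:
    # The whole walk: log -> unresolved account -> cached template -> setting -> GPO GUID.
    return [{"account": a, **h} for a in find_unresolved_accounts(log_text) for h in locate_account(a, templates)]
```

On a real computer, replace the constructed strings with the contents of %SYSTEMROOT%\security\logs\winlogon.log and each GPT*.INF file, then feed the reported GUID to gpotool /verbose as in step 4.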