Fix: The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect

Howto fix error when opening Windows Server 2003 Local Security Policy:

The Group Policy security settings that apply to this machine could not be determined. The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect.

All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.

Any local security setting modified through this User Interface may subsequently be overriden by domain-level policies.

Windows cannot read template information.

Many documents suggest that renaming the %windir%\security\database\secedit.sdb file and rebooting the server will resolve this issue by recreating the security database. Unfortunately, this procedure never resulted in the secedit.sdb database file being re-created, even after a server reboot.

I also tried importing a new secedit.sdb database, but that failed with the following error:

An extended error has occurred. Import failed.

After much Googling I came across MS KB932461 You cannot determine Group Policy security settings on a Windows Server 2003, Enterprise Edition-based computer. Even though the OS of the offending servers is Windows Server 2003 R2 Standard (not Enterprise) the fix described in the KB document fixed this issue.

The cause of the problem is explained by the KB as

“This problem occurs if specific Group Policy security settings are changed from their default settings. These security settings specify the minimum required security setting of server-side and client-side network connections for programs that use the NTLM security support provider (SSP).”

The solution was to edit the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Set the values of NtlmMinServerSec and NtlmMinClientSec to 0 (zero)

Wait about 15-30 minutes for the change to take effect and you should be able to view the Local Security Policy once again!

If you’re curious what these keys do, NtlmMinServerSec specifies the minimum required security setting of server-side network connections for applications using the NTLM security support provider (SSP).

NtlmMinClientSec specifies the minimum required security setting of client-side network connections for applications using the NTLM security support provider (SSP).

In my case both of these settings had previous values of 0x20080030 which enforces message integrity, confidentiality, use of NTLMv2 and 128-bit encryption.

Comments [1]

  1. I was tweaking some LAN Manager security settings in the AD and a member workstation, and I ended up running into exactly this problem (couldn’t access Local Policy on the workstation. I found your post above, and tried it, and it worked perfectly. Thanks!!

Leave a Reply

Your email address will not be published. Required fields are marked *