Thursday, August 6, 2009

Secedit.sdb Locking out local changes.

Can't open the Secedit.sdb?

Run esentutl /g to check the integrity of the security database at
%windir%\Security\Database\Secedit.sdb.

Next try:

esentutl /redb in the c:\winnt\security directory.

Next try:

Run esentutl /p to check the integrity of the security database at
%windir%\Security\Database\Secedit.sdb.\

Remember to kill all the edb files and the log files and move the ones in the Logs directory out of it.

Now the really crazy crap:

If your getting and error to the tune of:

Denied access to database in the local policy make sure that you have the "everyone" group permissions on c:\%systemroot% -- or c:\winnt or c:\windows which ever the case may be.

Check our your setting in the registry:

HKLM\CCS\Control\LSA

Set lmcompatibilitylevel to a dword value of 2
set restricanonymous to a dword value of 1

Then kick down a key to the

HKLM\CCS\Control\LSA\MSV1_0

Make sure the following keys are set to:

ntlmminclientsec to dword, hex 0x20080030
ntlmminserversex to dword, hex 0x20080030

---------and for the love of everything that is whole watch out for Virus scanners and IDS killing your changes in the registry and on the file permissions.

Helps if you rip it out of the domain then stick it back in after you make the changes.


Scott.
.

No comments:

Post a Comment