You cannot determine Group Policy security settings on a Windows Server 2003, Enterprise Edition-based computer

You experience the following symptoms on a Microsoft Windows Server 2003, Enterprise Edition-based computer:

• The Group Policy security settings that apply to this computer cannot be determined. When you try to retrieve these settings from the local security policy database, you receive the following error message:
  The parameter is incorrect.
• When you import a new Secedit.sdb database, the import process fails. Additionally, you receive the following error message:
  An extended error has occurred. Import failed.
• If you delete the Secedit.sdb database, it is not rebuilt.

This problem occurs if specific Group Policy security settings are changed from their default settings. These security settings specify the minimum required security setting of server-side and client-side network connections for programs that use the NTLM security support provider (SSP).

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To resolve this issue, change the specific Group Policy settings to their default values. To do this, follow these steps:

1. Click Start, click Run, type Regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click NtlmMinServerSec, and then click Modify.
4. In the Value data box, type 0, and then click OK.
5. Right-click NtlmMinClientSec, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Exit Registry Editor.

NTLMv2 authentication

Session security determines the minimum security standards for client sessions and for server sessions. The following policies determine the minimum security standards for a program-to-program communications session on a server for a client:

• Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
• Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

Note These policies are located under Computer Settings\Windows Settings\Security Settings\Local Policies\Security Options in the Microsoft Management Console (MMC) Group Policy Object Editor snap-in.

The options for these security settings are as follows:

• Require message integrity
• Require message confidentiality
• Require NTLM version 2 session security
• Require 128-bit encryption

By default, there are no requirements for these settings.

Historically, Windows NT has supported the following two variants of challenge/response authentication for network logons:

• LM challenge/response
• NTLM version 1 challenge/response

LM allows for interoperability with the installed base of clients and servers. NTLM provides improved security for connections between clients and servers.

The following registry subkeys correspond to the challenge/response authentication variants:Note If you select the Require NTLMv2 session security option, and then you set the LAN Manager authentication level to Send LM & NTLM responses (level 0), the two settings may conflict. In this case, the following error message may be logged in the Secpol.msc file or in the GPEdit.msc file: