Ayanami Rei's Journal: Windows XP and 2003 + auditing == issues
Has anyone else experienced this?
Pre-requisites:
1) A system with Windows XP or Server 2003
2) A bunch of local users without administrative privileges
3) Poorly written software that triggers the following issue:
MSKB 837115
4) You've enabled the option "Audit: Shut down system immediately if unable to log security audits" under Local Security Policy (i.e. HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail = 1)
Symptom:
One day your users call you up and claim "I can't log in anymore! It says 'User is not permitted to login at this computer'". You scratch your head in confusion.
You think to yourself: Did auditing fail for some reason, thus preventing mortals from using the system? Check the security log... no, it's not even close to full. Check for low disk space
So then you check your System log and you see a bunch of event IDs of 1517 and 1524 leading up to the point where people couldn't log in anymore. Userenv is complaining about profiles not unloading probably.
You're thinking: shit... user profile corruption. So you try restoring the user profiles from backup... no dice. The only thing that works is adding the user to Administrator group temporarily.
Actual Cause:
Unknown... but the real problem seems to be that sometimes when userenv tries putting off unloading a profile, it can cause auditing to fail. I can't figure out why. The result of auditing failing is... the system immediately shuts down and reboots, and then no one but Administrator can log in.
That is, until you disable the CrashOnAuditFail setting, reboot, then re-enable it, and reboot again. At this point users can log in. (Incidentally, you _still_ need to do this if auditing fails because of a disk space condition: deleting files to make space is only the first part, then you need to do the disable->reboot->re-enable->reboot dance.)
Problem 'solved'.
I've had this happen twice so far, and that UPHClean tool that Microsoft has doesn't seem to really do anything that I can tell. Anyone have any experience with this or have any insight?
We'd like to get to the bottom of this and really fix the problem.
Thanks.
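For triage of the symptom described in the post, the following added example (not part of the original journal entry) reads the CrashOnAuditFail value and lists recent 1517/1524 events from the System log. It assumes PowerShell 2.0 or later running as an administrator; the function names are hypothetical, and the meaning of value 2 comes from Microsoft's documentation of this setting, not from the post.

```powershell
# Added example: read-only triage for the lockout described above.
$lsaKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFailState {
    param([string]$Path = $lsaKey)
    # A missing value is treated as 0 (feature off).
    $value = (Get-ItemProperty -Path $Path).CrashOnAuditFail
    if ($null -eq $value) { $value = 0 }
    switch ($value) {
        0 { $meaning = 'off' }
        1 { $meaning = 'armed: system halts if a security audit cannot be logged' }
        # Windows sets 2 itself after an audit failure halts the system;
        # in this state only administrators can log on.
        2 { $meaning = 'tripped: audit failure occurred, only administrators can log on' }
        default { $meaning = 'unexpected value' }
    }
    New-Object PSObject -Property @{ Value = $value; Meaning = $meaning }
}

function Get-ProfileUnloadEvents {
    param([int]$Newest = 2000)
    # Event IDs 1517 and 1524 are the Userenv entries the post saw
    # in the System log before logons started failing.
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.EventID -eq 1517 -or $_.EventID -eq 1524 } |
        Select-Object TimeGenerated, EventID, Source
}

$state = Get-CrashOnAuditFailState
'CrashOnAuditFail = {0} ({1})' -f $state.Value, $state.Meaning

$events = @(Get-ProfileUnloadEvents)
'{0} event(s) with ID 1517/1524 in the recent System log' -f $events.Count
$events | Sort-Object TimeGenerated | Select-Object -Last 10 |
    Format-Table -AutoSize

# Security log retention settings, since a full log is the other common trigger.
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Select-Object Log, MaximumKilobytes, OverflowAction

if ($state.Value -eq 2) {
    'State 2 matches the symptom: non-administrators are refused at logon.'
}
```

A reading of 2 after the unexpected reboot would distinguish the audit-failure lockout from profile corruption before any profiles are restored from backup.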
Zealot mode on. (Score:2)
Well... (Score:2)
But we need this one box to be a windows box...