JSI Tip 7479. A tool to interpret the Group Policy client-side extension Security flags.

In tip 4511 » How do I interpret USERENV 1000 Events, I explained how to interpret the Group Policy client-side extension Security flags.

Using tip 5842 » How do I convert a decimal number to hexadecimal, I have scripted SceCliFlags.bat to interpret the Group Policy client-side extension Security flags for you.

The syntax for using SceCliFlags.bat is:

SceCliFlags DecimalFlagsValue

where DecimalFlagsValue is the nnnn value displayed as "flags (nnnn)" in the Description of the Event ID 1000 error.

Usage Examples:

1. If the Description is The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332):

SceCliFlags 17

which returns:

Apply machine policy rather than user policy.
Background refresh of policy (ok to do slow stuff).

2. If the Description contains flags (33):

SceCliFlags 33

which returns:

Apply machine policy rather than user policy.
Policy is being applied across a slow link.

3. If the Description contains flags (2048):

SceCliFlags 2048

which returns:

windows safe mode boot flag.

4. If the Description contains flags (4081):

SceCliFlags 4081

which returns:

Apply machine policy rather than user policy.
Background refresh of policy (ok to do slow stuff).
Policy is being applied across a slow link.
Verbose output to the eventlog.
No changes were detected to the Group Policy Objects.
A change in link speed was detected between previous policy application and current policy application.
A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only).
Forced Refresh is being applied. redo policies.
windows safe mode boot flag.


SceCliFlags.bat contains:

@echo off
setlocal
if \{%1\}==\{\} goto syntax
set /a decflag=10000%1%%10000
call Dec2Hex %decflag% Hex len
if %len% GTR 3 goto syntax
if %len% EQU 0 goto syntax
set mask=%hex%
if %len% EQU 1 set mask=00%hex%
if %len% EQU 2 set mask=0%hex%
set tab=00000100012001030011401005010160110701118100091001A1010B1011C1100D1101E1110F1111XXXXX
set byte=%mask:~0,1%
call :bits
set out=%bitmask%
set byte=%mask:~1,1%
call :bits
set out=%out%%bitmask%
set byte=%mask:~2,1%
call :bits
set out=%out%%bitmask%
set /a cnt=12
:intloop
set /a cnt=%cnt% - 1
if %cnt% LSS 0 endlocal&goto :EOF
call set byte=%%out:~%cnt%^,1%%
if "%byte%" EQU "1" goto disp%cnt%
goto intloop
:disp11
@echo Apply machine policy rather than user policy.
goto intloop
:disp10
@echo ???
goto intloop
:disp9
@echo ???
goto intloop
:disp8
@echo ???
goto intloop
:disp7
@echo Background refresh of policy (ok to do slow stuff).
goto intloop
:disp6
@echo Policy is being applied across a slow link.
goto intloop
:disp5
@echo Verbose output to the eventlog.
goto intloop
:disp4
@echo No changes were detected to the Group Policy Objects.
goto intloop
:disp3
@echo A change in link speed was detected between previous policy application and current policy application.
goto intloop
:disp2
@echo A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only).
goto intloop
:disp1
@echo Forced Refresh is being applied. redo policies.
goto intloop
:disp0
@echo windows safe mode boot flag.
goto intloop
:bits
set /a cnt=0
:loop
call set work=%%tab:~%cnt%^,1%%
if /i "%byte%" EQU "%work%" goto ok
set /a cnt=%cnt% + 5
goto loop
:ok
set /a cnt=%cnt% + 1
call set bitmask=%%tab:~%cnt%^,4%%
goto :EOF
:syntax
@echo Syntax: SceCliFlags nnnn
endlocal



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish