Win2K SP4 Might Overwrite Local Security Policy Settings; A Terminal Services Shared File Bug Fix; and Citrix Logon Delays

Keeping Up with Win2K and NT

If you use either a Group Policy Object (GPO) or the Microsoft Management Console (MMC) Local Security Policy snap-in to modify system security settings, the Windows 2000 Service Pack 4 (SP4) Setup utility can, in some cases, overwrite the active values with those that are stored in the most recent secedit.sdb template. For compatibility with Windows Server 2003 platforms, SP4 adds two new security-related privileges: "impersonate a client" and "create global objects." The security policy bug occurs when Setup adds these new privileges to the local user rights list. The documentation provides no details about why the security template might not contain current security settings but does state that after an SP4 upgrade, security options might revert to previous settings. While Microsoft continues to debug this problem, you can avoid it by forcing a refresh of the secedit.sdb security template: open the system's Local Security Policy before you start an SP4 upgrade. Read the Microsoft article "Local Security Policy Values Revert to the Values That Are Stored in SecEdit.sdb After You Install Windows 2000 Service Pack 4" for more details.
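One way to confirm whether an upgrade reverted any settings is to compare a policy export taken before SP4 with one taken afterward. The following is an added example, not from the Microsoft article or the original column; it assumes you have two security-template INF exports (for example from secedit /export), and the sample contents and the privilege constant names SeImpersonatePrivilege and SeCreateGlobalPrivilege are supplied here for illustration.

```python
# Constructed sample exports in the INF layout used by security templates.
BEFORE_SP4 = """[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
AFTER_SP4 = """[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6
"""
# User rights SP4 is expected to add ("impersonate a client", "create global objects").
SP4_NEW_RIGHTS = {"SeImpersonatePrivilege", "SeCreateGlobalPrivilege"}

def parse_inf(text):
    """Return {(section, key): value} from a security-template INF export."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section:
            value = value.strip()
            if section == "Privilege Rights":  # account order is not significant
                value = ",".join(sorted(v.strip() for v in value.split(",")))
            settings[(section, key.strip())] = value
    return settings

def find_reverted(before, after):
    """List settings that differ after the upgrade, ignoring SP4's new rights."""
    old, new = parse_inf(before), parse_inf(after)
    findings = []
    for sec_key in sorted(old.keys() | new.keys()):
        if sec_key[1] in SP4_NEW_RIGHTS and sec_key not in old:
            continue  # expected addition, not a reversion
        if old.get(sec_key) != new.get(sec_key):
            findings.append((sec_key, old.get(sec_key), new.get(sec_key)))
    return findings

if __name__ == "__main__":
    for (section, key), was, now in find_reverted(BEFORE_SP4, AFTER_SP4):
        print(f"[{section}] {key}: {was!r} -> {now!r}")
```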

Terminal Services Shared File Bug Fix
The network redirector mrxsmb.sys creates one data structure per computer for every user that accesses a shared file on a Win2K system. The redirector per-computer data structure causes problems when a Win2K system is configured as a Terminal Services server and multiple Terminal Services clients access the same file. To properly maintain connection information, the redirector needs one data structure for each client session. In the current implementation, when two or more Terminal Services clients open the same file and one of the clients closes the file, the redirector incorrectly closes the connection for all Terminal Services clients. You can find documentation about the unexpected behavior in two Microsoft articles: "Programs Run from Network Share on TS Close or Generate Errors" and "PRB: 'Error reading file' Error Message on Windows 2000 Terminal Services."

Microsoft now has a permanent solution for this problem, which exists in all versions of Win2K through SP4. Call Microsoft Product Support Services (PSS) and ask for the June 4 version of the redirector components mrxsmb.sys and rdbss.sys. These new components have an option you can enable to create data structures on a per-user, rather than a per-computer, basis.

On Terminal Services servers, after you install the new redirector, you need to activate the per-user data structure feature by modifying the registry. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters registry subkey, and add the value entry MultiUserEnabled:REG_DWORD: 1 in the right pane. Note that this modification is unnecessary on Win2K systems that aren't configured as Terminal Servers. For more information about this problem and solution, read the Microsoft article "Problems When More Than One User Accesses the Same File Through Terminal Services."
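The effect of keying connection state per computer versus per session can be seen in a small model. This is an added illustration, not Microsoft's code and not the real mrxsmb.sys data structures; the class, the function names and the share path are hypothetical, and the multi_user_enabled flag only stands in for the MultiUserEnabled registry value.

```python
SHARE_PATH = r"\\fileserver\apps\tool.exe"  # constructed path for the demo

class RedirectorModel:
    """Toy model of how open-file state is keyed (hypothetical, simplified)."""

    def __init__(self, multi_user_enabled):
        self.multi_user_enabled = multi_user_enabled
        self.connections = {}  # key -> set of sessions relying on that record

    def _key(self, session, path):
        # Per-computer mode: every session on the server shares one record per file.
        # Per-session mode: each Terminal Services session gets its own record.
        return (session, path) if self.multi_user_enabled else path

    def open(self, session, path):
        self.connections.setdefault(self._key(session, path), set()).add(session)

    def close(self, session, path):
        # A close tears down the whole record. With a shared key, that also
        # drops the file for every other session still using it.
        self.connections.pop(self._key(session, path), None)

    def has_open(self, session, path):
        return session in self.connections.get(self._key(session, path), set())

def sessions_still_open(multi_user_enabled, sessions=(1, 2, 3)):
    """Open one file from several sessions, close it in the first, report the rest."""
    rdr = RedirectorModel(multi_user_enabled)
    for s in sessions:
        rdr.open(s, SHARE_PATH)
    rdr.close(sessions[0], SHARE_PATH)
    return [s for s in sessions[1:] if rdr.has_open(s, SHARE_PATH)]

if __name__ == "__main__":
    print("per-computer:", sessions_still_open(False))
    print("per-session: ", sessions_still_open(True))
```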

Major Citrix Logon Delays on SP4 Systems
When you use a Citrix client to connect to a Win2K SP4 system running a Citrix MetaFrame or Citrix 1.8 installation plus Terminal Services, clients might wait for 5 to 30 minutes for the desktop to appear. This problem occurs only for clients running the ICA protocol and connecting to a Win2K system on which you have redirected printing to a local printer on the client system. PSS has a bug fix that solves this problem: updates to 12 files, most of which have a file release date of July 17. When you call PSS, cite the Microsoft article "Very Long Logon Time When You Try to Connect to Citrix MetaFrame or Citrix 1.8" as a reference.

Old Intel Network Drivers Leak Memory
If you haven't updated your Intel network adapter drivers recently, the drivers might exhibit a slow memory leak that causes system performance to degrade over time, resulting in a hang when the leak exhausts the nonpaged memory pool. One sign of this problem is an entry in the System event log with event ID 2019 and the message "The server was unable to allocate from the system nonpaged pool because the pool was empty." You can recover from a system hang caused by a memory leak by simply rebooting, but you need current Intel drivers to permanently solve the problem. For more details about the problem, read the Microsoft article "Server Runs Slowly or Stops Responding, and Event ID 2019 Is Logged in the System Event Log."

ARCserve 2000 Uninstallation Blue Screen
Apparently a problem exists with Computer Associates' (CA's) BrightStor ARCserve 2000 uninstallation utility that causes a Win2K system to crash with a stop code of 0x00000069 and the message IO1_INITIALIZATION_FAILED after the uninstall finishes and the system reboots. According to the Microsoft article "Computer Stops Responding, and You Receive a 'Stop 0x00000069' Error Message," the only way you can recover a system damaged this way is by making a backup copy of the system's registry files and repairing the system root. When a system won't start, you can make a backup copy of the registry by booting the Recovery Console (RC) locally or by selecting the RC after you boot from a Win2K CD-ROM or DVD. At the RC prompt, copy all files in %systemroot%\system32\config to an alternate location. Next, boot the system by using a Win2K disk and select the R (repair) option. The reference article doesn't indicate when you restore the registry, so I recommend you get a few more details from CA or Microsoft before you attempt to recover a system by using this procedure.
