If you experience either of the subject conditions, your event logs may contain:
Event ID: 1003
Description: Policy change from LSA/SAM can't be saved in the policy storage. Error 5 to save policy change for account S-1-1-0
in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.
Event ID: 1
Description: The FireDaemon service has started.
Event ID: 116
Description: Subprocess monitoring failed due to subprocess is no longer active. The subprocess is probably dead. Restarting the process.
Error detail: Overlapped I/O operation is in progress.
The %SystemRoot%\Security\Logs\WinLogon.log file may contain:
----Un-initialize configuration engine...
-------------------------------------------
MM/DD/YYYY HH:MM:SS
Administrative privileged user logged on.
----Configuration engine is initialized successfully.----
----Reading Configuration template info...
----Configure User Rights...
Ignore *S-1-5-32-551.
Ignore *S-1-5-32-544.
Ignore *S-1-5-32-551.
....
There are pending user right changes from downlevel APIs. Some of the account rights are not removed by policy engine.
Configure S-1-5-32-544.
Ignore S-1-5-32-544 because there are pending user right changes for this account from downlevel APIs.
Configure S-1-5-32-551.
Ignore S-1-5-32-551 because there are pending user right changes for this account from downlevel APIs.

The above items will occur when a virus runs the FireDaemon program as a service on your computer, which changes the default domain controller security policy to deny users the Access this computer from the network right.
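An added example, not part of the original tip: a Python triage pass over a collected copy of WinLogon.log that lists the SIDs whose user-right configuration was skipped because of pending downlevel API changes. The sample log is constructed from the excerpt above (the S-1-5-32-545 line is invented for contrast), and the function and field names are hypothetical.

```python
import re

# Well-known SIDs seen in the event and log excerpts (plus Users for the sample).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed sample modelled on the WinLogon.log excerpt in this tip.
SAMPLE_LOG = """\
----Configure User Rights...
Ignore *S-1-5-32-551.
Ignore *S-1-5-32-544.
There are pending user right changes from downlevel APIs. Some of the account rights are not removed by policy engine.
Configure S-1-5-32-544.
Ignore S-1-5-32-544 because there are pending user right changes for this account from downlevel APIs.
Configure S-1-5-32-551.
Ignore S-1-5-32-551 because there are pending user right changes for this account from downlevel APIs.
Configure S-1-5-32-545.
"""

SID = r"\*?(S-1(?:-\d+)+)"
PENDING = re.compile(r"^\s*Ignore " + SID + r" because there are pending user right changes")
CONFIGURE = re.compile(r"^\s*Configure " + SID + r"\.?\s*$")
BANNER = "There are pending user right changes from downlevel APIs"


def triage_winlogon(text):
    """Summarise the pending-change indicators found in WinLogon.log text."""
    skipped, configured, banner = [], [], False
    for line in text.splitlines():
        if line.lstrip().startswith(BANNER):
            banner = True
        m = PENDING.match(line)
        if m and m.group(1) not in skipped:
            skipped.append(m.group(1))
        m = CONFIGURE.match(line)
        if m and m.group(1) not in configured:
            configured.append(m.group(1))
    return {
        "banner": banner,
        # SIDs the policy engine refused to touch, with a readable name.
        "skipped": [(s, WELL_KNOWN.get(s, "unknown")) for s in skipped],
        # Configure lines with no matching pending-change skip.
        "configured_only": [s for s in configured if s not in skipped],
    }
```

A non-empty `skipped` list on a domain controller is the cue to check the Services list for the FireDaemon entries named in the fix steps.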
To fix this problem:
1. Start / Run / Services.msc / OK.
2. Right-click any offending FireDaemon service and press Properties.
Look for:
FireDaemon Service: scvhost
FireDaemon Service: scvhostlog
FireDaemon Service: secure
3. On the General tab, set Startup type to Disabled.
4. Press Apply.
5. Press Stop.
6. Press OK.
7. Verify / reset the Access this computer from the network User Rights Assignment.
NOTE: If you cannot Stop the service, restart your computer.
NOTE: See FireDaemon for WinNT/2K/XP/2K3/Longhorn.