Q: What could prevent security policy settings that have been defined in a domain-wide Group Policy Object (GPO) from being applied to Windows 7 clients?

A: This problem can be caused by a corrupt security database on your Windows 7 client. To apply the security policy portion of a GPO on a Windows machine, Windows uses the secedit configuration engine and its local security database, secedit.sdb. The secedit database lives on every Windows box in the %windir%\security\database folder (typically C:\Windows\security\database\secedit.sdb). If the secedit database becomes corrupted, the security policy settings defined in a GPO cannot be correctly applied on that machine, even though the rest of the GPO may still apply.

You can check the health of secedit.sdb with the esentutl.exe command. Run it from an elevated (Administrator) command prompt, because the database and its log files sit under %windir%\security:

esentutl /g %windir%\security\database\secedit.sdb

If esentutl finds a problem during the integrity check, the output of the above command will contain the message "This operation may find that this database is corrupt" and the command will finish with an error instead of "Operation completed successfully". If the database is healthy, you should get output similar to the one illustrated in Figure 1.

Figure 1: The esentutl.exe command showing a healthy database

Esentutl also provides options to recover or repair the secedit database. Microsoft recommends different steps depending on whether the transaction log (edb.log) and checkpoint (edb.chk) files are present. If both edb.log and edb.chk exist in the %windir%\security folder, run the following esentutl command to recover the security database:

esentutl /r edb /l %windir%\security /s %windir%\security

The /r switch selects recovery mode and makes esentutl attempt to bring the database to a clean state. It replays the transaction log entries into the database, which explains the use of the /l and /s switches: /l points the command to the folder containing the log files (*.log), and /s points it to the folder containing the checkpoint file (*.chk). The "edb" argument after /r is the base name of the log files.

If edb.log or edb.chk (or both) is missing from the %windir%\security folder, recovery cannot replay the log, so you must run the following esentutl command to repair the security database instead:

esentutl /p %windir%\security\Database\secedit.sdb

The /p switch selects repair mode and makes esentutl attempt to repair a corrupted or damaged database. Repair is a hard repair: it rebuilds the database from the pages it can read and discards data it cannot salvage, so copy secedit.sdb aside before running it. After either recovery or repair, run esentutl /g again to confirm the database is consistent, then run gpupdate /force so Group Policy reapplies the security settings to the client.
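The following PowerShell script is an added example that automates the procedure described above; it is not part of the original article and not a Microsoft tool. It runs the integrity check, decides between recovery (/r) and repair (/p) from the presence of edb.log and edb.chk, and then re-checks the database and forces a Group Policy refresh. The backup step, the backup location under %TEMP%, and the -WhatIf support are this script's own additions (assumptions), not something esentutl provides.

```powershell
# Added example (not from the original article): check secedit.sdb and recover or repair it
# the way the article prescribes. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: where we keep a copy of secedit.sdb before any destructive esentutl run.
    [string]$BackupDir = (Join-Path $env:TEMP 'secedit-backup')
)

$secDir  = Join-Path $env:windir 'security'
$dbPath  = Join-Path $secDir 'database\secedit.sdb'
$logFile = Join-Path $secDir 'edb.log'
$chkFile = Join-Path $secDir 'edb.chk'

# esentutl writes under %windir%\security, so the session must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}
if (-not (Test-Path $dbPath)) { throw "Security database not found at $dbPath" }

# Step 1: integrity check. A non-zero exit code, or the warning quoted in the article,
# means the database is not in a clean state.
Write-Host "Checking integrity of $dbPath ..."
$check     = & esentutl.exe /g $dbPath 2>&1
$checkExit = $LASTEXITCODE
$check | ForEach-Object { Write-Verbose $_ }

$suspect = ($checkExit -ne 0) -or ($check -match 'may find that this database is corrupt')
if (-not $suspect) {
    Write-Host "secedit.sdb passed the integrity check (exit code $checkExit); nothing to do."
    return
}
Write-Warning "secedit.sdb looks damaged (esentutl /g exit code $checkExit)."

# Step 2: copy the database aside first. /p in particular discards pages it cannot salvage.
if ($PSCmdlet.ShouldProcess($dbPath, "Back up to $BackupDir")) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item $dbPath (Join-Path $BackupDir "secedit-$stamp.sdb") -Force
}

# Step 3: choose the operation the article prescribes. Soft recovery (/r) replays edb.log
# and needs both edb.log and edb.chk; otherwise fall back to hard repair (/p).
$haveLog = Test-Path $logFile
$haveChk = Test-Path $chkFile
if ($haveLog -and $haveChk) {
    $action  = 'recover (/r)'
    $cmdArgs = @('/r', 'edb', '/l', $secDir, '/s', $secDir)
} else {
    $action  = 'repair (/p)'
    $cmdArgs = @('/p', $dbPath)   # esentutl /p asks for interactive confirmation
}
Write-Host "edb.log present: $haveLog; edb.chk present: $haveChk -> $action"

if ($PSCmdlet.ShouldProcess($dbPath, "esentutl $($cmdArgs -join ' ')")) {
    # Run from %windir%\security so the command matches the article's invocation exactly.
    Push-Location $secDir
    try {
        & esentutl.exe @cmdArgs 2>&1 | ForEach-Object { Write-Host $_ }
        if ($LASTEXITCODE -ne 0) { throw "esentutl $action failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }

    # Step 4: confirm the database is consistent, then make Group Policy reapply the
    # security settings instead of waiting for the next background refresh.
    & esentutl.exe /g $dbPath 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Database still fails the integrity check after $action" }
    Write-Host 'Database is consistent; re-applying Group Policy ...'
    & gpupdate.exe /force
}
```

Run it once with -WhatIf to see which branch (recovery or repair) it would take on a given client before letting it touch the database; with -Verbose it also echoes the full esentutl /g output so you can compare it with Figure 1.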
