Microsoft Knowledge Base Article - 285665

[Guest]

In our security policy we institute the following policy, "Shut down your system immediately if unable to log security audits" on the local system. Systems include Windows 2000 Pro and XP Pro, some are experiencing the error noted in the KB285665 article. If the tech allows the user a local account with administrative rights the error stops. This KB285665 is directed at the server platform, my question is could this also affect the desktop if this setting were enabled on the desktop side? It seems that when the user tries to log on using their Domain account and there is no account on the desktop is when this error occurs. We have tried to recreate the problem but cannot. The tech found a system with the error, using NetMeeting logged onto the system and changed that policy and rebooted, the user was then able to log on successfully. Any suggestions are greatly appreciated.

 

[David Pharr [MSFT]]

This setting is used by administrators to prevent users from accessing the
machine if the system cannot record security events - it causes the machine
to "crash" or reboot when you are unable to record another security
setting. When this occurs, the only users who will be able to communicate
with that server are administrators. The setting for CrashOnAuditFail is
changed from REG_DWORD to REG_NONE and the value from 0 to 2. The only way
to correct this is to delete the registry key and recreate it with a value
of zero.

The effects depend upon the policy where you made this setting. If you
have this in place you need to periodically monitor the security logs and
clear them out or the machines will fill up and cause this problem. If
you set this on the Default Domain Controller Security policy and the logs
fill up you will encounter all sorts of problems (broken replication,
inability to logon, etc.) since no one will be able to connect except
administrators.

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.