Home
  •  

Security CSE Processed With Errors

Security_CSE_Processed_With_Errors_1_Rule (Rule)

Knowledge Base article:

Management Pack
Summary

SCE can not reach one of the security policy files on the DCs.

 
Causes

This type of failure typically occurs when:

  • the DFS client is disabled, the domain records are missing, or the DNS records are not being registered properly. The \\Active Directory Domain Name\Sysvol share is a special share that requires the distributed file system (DFS) client to make a connection, and a valid Domain name record in DNS.
  • the %SystemRoot%\SYSVOL\Domain\Policies Group Policy directory structure is missing or incorrect. The Replication service is trying to replicate the directory but cannot locate it.
  • The machine clock is not in sync with the DC. This causes the machine to fail to contact the DC to retrieve the policy.
 
Resolutions
  • DFS must be enabled, and DNS records must be properly registered.
  • If the directory structure is missing, the directory must be restored to allow replication between domain controllers. The directory can either be restored from a backup or it can be recreated.
  • To synchronize the computer clock with the DC, type the following command at the Command Prompt and press ENTER: net time \\(domain controller name) /set /y
 
© 1995-2001 Microsoft Corporation, all rights reserved.

Element properties:

TargetMicrosoft.Windows.Server.GroupPolicy.2003.Windows_2003_Servers_Installation
CategoryEventCollection
EnabledTrue
Event Sourcescecli
Alert GenerateTrue
Alert SeverityError
Alert PriorityLow
RemotableTrue
Alert Message
Security CSE Processed With Errors

$Data/EventDescription$
Event LogApplication
CommentMom2005ID='{62DF75D3-3E31-4691-A001-E8D8E06A5ED5}';MOM2005ComputerGroupID={5F37D1D6-F952-4B72-9CCA-6986A3B7B2E3}

Member Modules:

ID Module Type TypeId RunAs 
_F6DA1507_12AF_11D3_AB21_00A0C98620CE_ DataSource Microsoft.Windows.EventProvider Default
CollectEventData WriteAction Microsoft.SystemCenter.CollectEvent Default
CollectEventDataWarehouse WriteAction Microsoft.SystemCenter.DataWarehouse.PublishEventData Default
GenerateAlert WriteAction System.Mom.BackwardCompatibility.AlertResponse Default

Source Code:

<Rule ID="Security_CSE_Processed_With_Errors_1_Rule" Comment="Mom2005ID='{62DF75D3-3E31-4691-A001-E8D8E06A5ED5}';MOM2005ComputerGroupID={5F37D1D6-F952-4B72-9CCA-6986A3B7B2E3}" Enabled="true" Target="Microsoft.Windows.Server.GroupPolicy.2003.Windows_2003_Servers_Installation" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="_F6DA1507_12AF_11D3_AB21_00A0C98620CE_" TypeID="WindowsLibrary!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="WindowsLibrary!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="Integer">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>MatchesMOM2005BooleanRegularExpression</Operator>

              <Pattern>1001|1005</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>scecli</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="MomBackwardCompatibility!System.Mom.BackwardCompatibility.AlertResponse">

      <AlertGeneration>

        <GenerateAlert>true</GenerateAlert>

        <Owner/>

        <Description>

            $Data/EventDescription$

          </Description>

        <AlertLevel>40</AlertLevel>

        <ResolutionState/>

        <Source>

            $Data/PublisherName$

          </Source>

        <Name>Security CSE Processed With Errors</Name>

      </AlertGeneration>

      <InvokerType>0</InvokerType>

    </WriteAction>

    <WriteAction ID="CollectEventData" TypeID="SystemCenterLibrary!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="CollectEventDataWarehouse" TypeID="DataWarehouseLibrary!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>

  </WriteActions>

</Rule>