I am trying to modify the "Allow Login Locally" local security policy in Local Policy -> User Rights assignement. When I add in any domain global group, and click OK, I get the error An Extended Error has occurred. Failed to save local policy database. The same error happens on any security policy when I try to add a domain global group (I've tried 3 different ones). The computer I am making this change on is Windows 7 professional. The domain ADS server is Windows 2000. As per this link, I have tried the following 3 things: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scetroubletn.mspx?mfr=true 1) I have booted the computer in safe mode (with network) and verified the security database at %windir%\Security\Database\Secedit.sdb via the esentutl /g command. It checks out OK. 2) I have also searched the file at %systemroot%\security\logs\winlogon.log for 1332. 3) I set "Network Security: LAN Manager authentication level" policy to "Send LM & NTLM – use NTLMV2 session security if negotiated" and "Send LM & NTLM" and then rebooted the system (just to be sure) before re-trying to change the "Allow Login Locally" policy. Before I changed the setting, it was just "Not Defined". This problem happens on all 3 Windows 7 professional systems that I have joined to the domain. All three systems are brand new installs with very little customization, and no other applications yet installed. I have also checked the security on the Secedit.sdb file. It looks as I expected with SYSTEM and administrators having full access. I have tried making the modifications using the domain administrator account, and the local administrator account. The domain has windows NT computers in it.

I also tried setting : "Minimum session security for NTLM SSP based (including secure RPC) Clients and Servers to "No Minimium". The error still occurs.

I have found that when "Minimum session security for NTLM SSP based (including secure RPC) Clients and Servers is set to "No Minimium", I cannot add any Domain Groups/Users to Local Groups. So I set it back to 128bit. I still have "LAN Manager authentication level" set to "Send LM & NTLM – use NTLMV2 session security if negotiated". A work around I have found is to create a local group, Include the Domain the Group in the Local group, and then use the local group when modifying the local group policy "Allow Local Login". Still looking for the right solution.