KnowledgeBase: Group Policy Preferences for Local Users and Groups fails with Event ID 4098 on Windows 8 and Windows Server 2012

Last week, Microsoft released KnowledgeBase article 2890259. It describes an issue in Windows 8 and Windows Server 2012 with Group Policy Preferences for Local Users and Groups.

In some circumstances, these Group Policy Preferences would not apply, resulting in events with EventId 4098 in the Windows Event Viewer (eventvwr.exe) on your domain-joined Windows 8-based device(s) and/or Windows Server 2012-based member server(s). 

 

The situation

In many organizations, Group Policy Preferences (GPPs) are used to manage local users and groups. However, when you apply a Group Policy Preference for Local Users and Groups to rename the built-in Administrator account on a domain-joined Windows 8-based device and/or Windows Server 2012-based member server, the preference fails to apply and an event similar to the following is logged on that device or server:

Log Name: Application
Source: Group Policy Local Users and Groups
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Description: The computer 'Administrator (built-in)' preference item in the 'Policy_Name {GUID}' Group Policy Object did not apply because it failed with error code '0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.' This error was suppressed.

 

The issue

This issue can occur if the User cannot change password checkbox was checked when the Group Policy Preference was configured. Do not configure this option for the built-in administrator account. Doing so may leave the administrator account unable to log on to the Windows 8-based device(s) and/or Windows Server 2012-based member server(s).

 

The solution

To resolve this issue, follow the steps below to edit the Group Policy Preference for Local Users and Groups and uncheck the “User cannot change password” option:

  1. Log on to a domain-joined Windows 8-based device or Windows Server 2012-based member server with Group Policy Management installed, with an account which has permissions to modify the Group Policy Object.
  2. Start Group Policy Management (gpmc.msc).
  3. Locate the Group Policy Object (GPO) responsible for the Group Policy Preference settings for Local Users and Groups on the Windows 8-based device(s) and/or Windows Server 2012-based member server(s) where you receive the events.
     Tip! Use Resultant Set of Policies (rsop.msc) on the Windows 8-based device(s)
     and/or Windows Server 2012-based member server(s) to locate the Group Policy
     Object (GPO) responsible for the settings, if needed.
  4. Right-click the Group Policy Object (GPO) and select Edit… from the context menu.
  5. In the Group Policy Object (GPO) in the left pane, navigate to Computer Configuration, then Preferences, Control Panel Settings and finally Local Users and Groups.
  6. Right-click the Local Users and Groups policy for the built-in account and click Properties from the context menu.
  7. Uncheck the User cannot change password option.
  8. Click Apply and then OK. If you have multiple Domain Controllers, wait for Active Directory Replication to finish.
  9. Run gpupdate /force on the Windows 8-based device(s) and/or Windows Server 2012-based member server(s) or force a remote Group Policy update on the Organizational Unit(s) containing the affected Windows 8-based device(s) and/or Windows Server 2012-based member server(s) from within Group Policy Management.
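
For step 3, the event description itself names the failing preference item and GPO, so it can be parsed instead of looked up by hand. The PowerShell below is an added example, not part of the KnowledgeBase article or this post's original text; the function names and the sample GUID are constructed, and the regular expression assumes the event wording quoted above.

```powershell
# Added example. Function names are hypothetical; the regex assumes the
# Event ID 4098 description wording quoted in this post.
function ConvertFrom-Gpp4098Message {
    param([string]$Message)
    $pattern = "The computer '(?<Item>[^']+)' preference item in the " +
               "'(?<Gpo>.+?) (?<Guid>\{[0-9A-Fa-f-]+\})' Group Policy Object " +
               "did not apply because it failed with error code '(?<Code>0x[0-9A-Fa-f]{8})"
    $text = $Message -replace '\s+', ' '   # tolerate wrapped event text
    if ($text -match $pattern) {
        [pscustomobject]@{
            Item    = $Matches['Item']
            GpoName = $Matches['Gpo']
            GpoGuid = $Matches['Guid']
            Code    = $Matches['Code'].ToLower()
        }
    }
}

# Reads the Application log of one computer and returns each distinct
# GPO / preference item that failed with error code 0x8007052a.
function Get-Gpp4098Failure {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Group Policy Local Users and Groups'
        Id           = 4098
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Gpp4098Message -Message $_.Message } |
        Where-Object { $_.Code -eq '0x8007052a' } |
        Sort-Object GpoGuid, Item -Unique
}

# Constructed sample message (the GUID is a placeholder) so the parser can
# be tried offline, without a matching event in the log.
$sample = "The computer 'Administrator (built-in)' preference item in the " +
          "'Policy_Name {11111111-2222-3333-4444-555555555555}' Group Policy Object " +
          "did not apply because it failed with error code '0x8007052a This operation " +
          "is disallowed as it could result in an administration account being " +
          "disabled, deleted or unable to logon.' This error was suppressed."
ConvertFrom-Gpp4098Message -Message $sample | Format-List
```

Run Get-Gpp4098Failure on an affected device, or pass -ComputerName to query one remotely, and use the returned GpoName and GpoGuid to pick the GPO to edit in Group Policy Management.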

  

Related KnowledgeBase articles

2890259 GPP Local Users and Groups fails with Event ID 4098 on Windows 8 and Windows Server 2012
2616766 Group Policy Preferences Local Users & Groups do not accept long names

Further reading

Local Users and Groups Extension
Configure a Local User Item
How to use Group Policy Preferences to Secure Local Administrator Groups
Local admin with Group Policy Preferences
