The problem: NT AUTHORITY will shutdown your computer in one minute, because services.exe has crashed.
You can halt the shutdown, if you are an administrator, by clicking Start/Run, and typing ‘shutdown -a’, but the computer is basically hosed at this point and won’t let you do anything anyway.
If you check the event viewer, you’ll see events 1085 and 1202:
Source: Userenv Event ID: 1085 The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Source: SceCli Event ID: 1202 Security policies were propagated with warning. 0x428 : An exception occurred in the service when handling the control request. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The Cause: This started happening on about 60% of Windows XP Machines that I had completely removed from a Windows Server 2003 AD Domain. I believe the shutdown issue is occurring because the workstations are mistakenly trying to update their group policy from the domain, which they are no longer in contact with. This causes services.exe to crash, which instructs the computer to shutdown.
- Click Start/Run. Type 'regedit' and press enter.
- Browse to the following folder: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Group Policy\History.
- Delete the Key: DCName. It is probably pointing at one of the old domain controllers.
- Also delete any sub-folder under History. There will probably be one to four folders, and they will all be named a really long string of seemingly random letters.
- Close RegEdit.
- Click Start/Run. Type 'cmd' and press enter.
- Type: 'gpupdate /force' The computer not locking up right now is a good start.
- To verify that this worked correctly, go into the event viewer and clear the application logs, then restart. View the application log, and the two errors which I've forwarded to you will not appear.