Event ID: 1202

Guest

Hi MVP Sir,

I got the event ID 1202 in my Event Viewer on a Windows 2000 AD server. Then I
followed the 1202 event code instructions to solve the problem. The steps:

Open %windir%\Security\Logs\Winlogon.log, which then shows the following error message.
Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

[Mapping] gpt00000.dom = Default Domain Policy
-------------------------------------------
----Un-initialize configuration engine...

[Mapping] gpt00001.inf = Default Domain Controllers Policy
-------------------------------------------
09/14/2007 06:04:21

----Un-initialize configuration engine...
-------------------------------------------
09/14/2007 06:04:21
----Configuration engine is initialized successfully.----

----Reading Configuration template info...

----Configure User Rights...
Configure S-1-5-32-544.
Configure S-1-5-32-551.
Configure S-1-5-21-531969533-277817386-569397357-500.
Configure S-1-5-21-531969533-277817386-569397357-6435.
Configure S-1-5-21-531969533-277817386-569397357-3205.
Configure S-1-5-21-531969533-277817386-569397357-6434.
Configure S-1-5-21-531969533-277817386-569397357-3206.
Configure Power Users.
Error 1332: No mapping between account names and security IDs was done.
Cannot find Power Users.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-6.
Configure S-1-5-21-531969533-277817386-569397357-3204.
Configure S-1-5-11.

User Rights configuration completed with error.



2. I went to Group Policy > Computer Configuration > Security Settings > Local
Policies > User Rights Assignment, then deleted these unmatched accounts.

3. But the Event ID also shows in the event viewer.

4. Then I check the gpt00001.inf file. I found out some unmatch SID in the
file.

SeBackupPrivilege = Backup Operators,Administrators
SeBatchLogonRight = *S-1-5-21-531969533-277817386-569397357-500,*S-1-5-21-531969533-277817386-569397357-6435,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-569397357-6434,*S-1-5-21-531969533-277817386-569397357-3206,Backup Operators
SeCreatePagefilePrivilege = Administrators
SeIncreaseBasePriorityPrivilege = Administrators
SeIncreaseQuotaPrivilege = Administrators
SeInteractiveLogonRight = Backup Operators,*S-1-5-21-531969533-277817386-569397357-3204,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-569397357-6435,Administrators
SeLoadDriverPrivilege = Administrators
SeNetworkLogonRight = Administrators,*S-1-5-21-531969533-277817386-569397357-6435,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-569397357-6434,*S-1-5-21-531969533-277817386-569397357-3206,*S-1-5-11,Backup Operators
SeProfileSingleProcessPrivilege = Administrators
SeRemoteShutdownPrivilege = Administrators
SeRestorePrivilege = Backup Operators,Administrators
SeSecurityPrivilege = Administrators
SeServiceLogonRight = Backup Operators
SeShutdownPrivilege = Backup Operators,Administrators
SeSystemEnvironmentPrivilege = Administrators
SeSystemProfilePrivilege = Administrators
SeSystemTimePrivilege = Administrators
SeTakeOwnershipPrivilege = Administrators
SeTcbPrivilege = Backup Operators
SeEnableDelegationPrivilege = Administrators
SeMachineAccountPrivilege = *S-1-5-21-531969533-277817386-569397357-500,*S-1-5-11
SeUndockPrivilege = Administrators


I want to try to delete these unmatched SIDs, but I am worried that it will affect AD
performance or that AD will not run in my office, so I have not deleted them.

Questions:

How can I solve this problem?

Why does the winlogon file show "Cannot find Power Users"? I
never configured security permissions for Power Users.

I have two DCs in my office. If I delete the unmatched SIDs, do they need
to be deleted on both DC servers simultaneously?



Thank you for your help; it is appreciated.
 
Meinolf Weber

Hello Penny,

Did you reconfigure some of your GPO's? Check out this one:
http://support.microsoft.com/kb/279432

Also would be nice, if you could post the complete eventlog entry. Easier
to follow if we can see the complete story.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
 
Guest

I checked our GPO settings. The Domain Controller OU is already linked with the
Default Domain Controller Policy. How can I solve the problem? Besides, I
copied my event ID to you for checking. I hope they can solve the problem,
because this event ID shows every five minutes in the Event Viewer. I need to
delete this event every day.
Thanks for their help.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/20/2007
Time: 9:48:17 AM
User: N/A
Computer: AONHKDC01
Description:
Security policies are propagated with warning. 0x534 : No mapping between
account names and security IDs was done.

For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "troubleshooting 1202
events".
A user account in one or more Group policy objects (GPOs) could not be
resolved to a SID. This error is possibly caused by a mistyped nor deleted
user account referenced in either the User Rights or Restricted Groups branch
of a GPO. To resolve this event, contact an administrator in the domain to
perform the following actions:

1.Identify accounts that could not be resolved to a SID: From the command
prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem
account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined. This
most likely occurs because the account was deleted, renamed, or is spelled
differently (e.g. "JohnDoe").

2.Identify the GPOs that contain the unresolvable account name:
From the command prompt type FIND /I "JohnDough"
%SYSTEMROOT%\Security\templates\policies\gpt*.*
The output of the FIND command will resemble the following:
---------- GPT00000.DOM
---------- GPT00001.DOM
SeRemoteShutdownPrivilege=JohnDough
This indicates that of all the GPO’s being applied to this machine, the
unresolvable account exists only in one GPO. Specifically, the cached GPO
named GPT00001.DOM.
Now we need to determine the friendly name of this GPO in the next step.

3. Locate the friendly names of each of the GPOs that contain an
unresolvable account name. These GPOs were identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]"
%SYSTEMROOT%\Security\Logs\winlogon.log
The string following "[Mapping] gpt0000?.dom =" in the FIND output
identifies the friendly names for all GPO’s being applied to this machine.
Example: [Mapping] gpt00001.dom = User Rights Policy
In this case, the GPO that contains the unresolvable account (gpt00001.dom)
has a friendly name of "User Rights Policy".

4. Remove unresolved accounts from each GPO that contains an unresolvable
account.
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in…"
c. From the "Add/Remove Snap-in" dialog box select "Add…"
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and
click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. Right click on the first policy identified in step 3 and choose edit
h. Review each setting under Computer Configuration/ Windows Settings/
Security Settings/ Local Policies/ User Rights
Assignment or Computer Configuration/ Windows Settings/ SecuritySettings/
Restricted Groups for accounts identified in step 1.
i. Repeat steps 3g and 3h for all subsequent GPOs identified in step 3.
 
Meinolf Weber

Hello Penny,

Did you follow all the steps provided with the event log entry?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
 
Guest

Hello Meinolf,
Yes, I followed the event ID instructions, but I found a few problems in
the file. First of all, I read the instructions and found these problems
in %SYSTEMROOT%\Security\Logs\winlogon.log. It showed these
messages in the file, below.
[Mapping] gpt00001.inf = Default Domain Controllers Policy
-------------------------------------------
09/14/2007 06:04:21

----Un-initialize configuration engine...
-------------------------------------------
09/14/2007 06:04:21
----Configuration engine is initialized successfully.----

----Reading Configuration template info...

----Configure User Rights...
Configure S-1-5-32-544.
Configure S-1-5-32-551.
Configure S-1-5-21-531969533-277817386-569397357-500.
Configure S-1-5-21-531969533-277817386-569397357-6435.
Configure S-1-5-21-531969533-277817386-569397357-3205.
Configure S-1-5-21-531969533-277817386-569397357-6434.
Configure S-1-5-21-531969533-277817386-569397357-3206.
Configure Power Users.
Error 1332: No mapping between account names and security IDs was done.
Cannot find Power Users.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-6.
Configure S-1-5-21-531969533-277817386-569397357-3204.
Configure S-1-5-11.
User Rights configuration completed with error.

Then
2. I went to Group Policy > Computer Configuration > Security Settings > Local
Policies > User Rights Assignment, then deleted these unmatched accounts.

3. But the Event ID also shows in the event viewer.

4. Then I check the gpt00001.inf file. I found out some unmatch SID in the
file.

SeBackupPrivilege = Backup Operators,Administrators
SeBatchLogonRight = *S-1-5-21-531969533-277817386-569397357-500,*S-1-5-21-531969533-277817386-569397357-6435,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-569397357-6434,*S-1-5-21-531969533-277817386-569397357-3206,Backup Operators
SeCreatePagefilePrivilege = Administrators
SeIncreaseBasePriorityPrivilege = Administrators
SeIncreaseQuotaPrivilege = Administrators
SeInteractiveLogonRight = Backup Operators,*S-1-5-21-531969533-277817386-569397357-3204,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-569397357-6435,Administrators
SeLoadDriverPrivilege = Administrators
SeNetworkLogonRight = Administrators,*S-1-5-21-531969533-277817386-569397357-6435,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-569397357-6434,*S-1-5-21-531969533-277817386-569397357-3206,*S-1-5-11,Backup Operators
SeProfileSingleProcessPrivilege = Administrators
SeRemoteShutdownPrivilege = Administrators
SeRestorePrivilege = Backup Operators,Administrators
SeSecurityPrivilege = Administrators
SeServiceLogonRight = Backup Operators
SeShutdownPrivilege = Backup Operators,Administrators
SeSystemEnvironmentPrivilege = Administrators
SeSystemProfilePrivilege = Administrators
SeSystemTimePrivilege = Administrators
SeTakeOwnershipPrivilege = Administrators
SeTcbPrivilege = Backup Operators
SeEnableDelegationPrivilege = Administrators
SeMachineAccountPrivilege = *S-1-5-21-531969533-277817386-569397357-500,*S-1-5-11
SeUndockPrivilege = Administrators

Why the winlogon file will show the "Cannot find Power Users"? .
Because I never config security permission to Power Users.

I had two DC in my office. If I delete unmatch SID, Does two DC
Server need to be deleted simultaneity?
 
Meinolf Weber

Hello Penny,

Check out also this one, there are a lot of tips:
http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
 
Ace Fekay [MVP]

In
penny said:
Hello Meinolf,
Yes, I followed the event ID instruction. But I found out few
problems in
the file. first of all, I read the instrction and found out these
problem
from the %SYSTEMROOT%\Security\Logs\winlogon.log. then it showed these
message in the file belowing.
<snipped>

Penny, Meinolf posted a very valuable link to eventid.net that should help.
I was reading some of the suggestions at that link and it brings up some
questions regarding the configuration of your infrastructure. It appears
based on the error that you had a trust to another domain (whether in the
forest or external) and there was an account from that domain in use, but is
no longer available. But to determine that, unless you've already followed
the steps provided in your event log error and found the actual account
name, we would actually need additional info to better assist. Can you post
the following information please to better help out?

An unedited ipconfig /all of your DC.
How many domains do you have in your AD forest?
Do any external trusts exist?
Did a domain at one time exist but was removed at any point?

Thanks

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your butt tomorrow." - Garfield
 
Guest

First of all, Thank for their help. Then I will show them my result as I
followed their instruction.

C:\>secedit /refreshpolicy machine_policy /enforce
Group policy propagation from the domain has been initiated for this computer.
t may take a few minutes for the propagation to complete and the new policy to
ake effect. Please check Application Log for errors, if any.
C:\>find /i "cannot find" %systemroot%\security\logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.

C:\>find /i "power Users" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

C:\>find /i "administrator" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
SeMachineAccountPrivilege = *S-1-5-21-531969533-277817386-569397357-500,Admini
rators
SeBackupPrivilege = Backup Operators,*S-1-5-21-531969533-277817386-569397357-1
2,Administrators
SeCreatePagefilePrivilege = Administrators
SeEnableDelegationPrivilege = Administrators
SeRemoteShutdownPrivilege = Administrators
SeAuditPrivilege = Administrators
SeIncreaseBasePriorityPrivilege = Administrators
SeLoadDriverPrivilege = Administrators
SeSecurityPrivilege = Administrators
SeSystemEnvironmentPrivilege = Administrators
SeProfileSingleProcessPrivilege = Administrators
SeSystemProfilePrivilege = Administrators
SeRestorePrivilege = Backup Operators,*S-1-5-21-531969533-277817386-569397357-
92,Administrators
SeTakeOwnershipPrivilege = Administrators

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
SeBackupPrivilege = Backup Operators,Administrators
SeCreatePagefilePrivilege = Administrators
SeIncreaseBasePriorityPrivilege = Administrators
SeIncreaseQuotaPrivilege = Administrators
SeInteractiveLogonRight = Backup Operators,*S-1-5-21-531969533-277817386-56939
57-3204,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-27781
86-569397357-6435,Administrators
SeLoadDriverPrivilege = Administrators
SeNetworkLogonRight = Administrators,*S-1-5-21-531969533-277817386-569397357-6
5,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-5
397357-6434,*S-1-5-21-531969533-277817386-569397357-3206,*S-1-5-11,Backup Oper
ors
SeProfileSingleProcessPrivilege = Administrators
SeRemoteShutdownPrivilege = Administrators
SeRestorePrivilege = Backup Operators,Administrators
SeSecurityPrivilege = Administrators
SeShutdownPrivilege = Backup Operators,Administrators
SeSystemEnvironmentPrivilege = Administrators
SeSystemProfilePrivilege = Administrators
SeSystemTimePrivilege = Administrators
SeTakeOwnershipPrivilege = Administrators
SeEnableDelegationPrivilege = Administrators
SeUndockPrivilege = Administrators
 

Ace Fekay [MVP]

penny said:
First of all, thanks for their help. Then I will show them my result
as I followed their instruction.

C:\>secedit /refreshpolicy machine_policy /enforce
Group policy propagation from the domain has been initiated for this
computer. It may take a few minutes for the propagation to complete
and the new policy to take effect. Please check Application Log for
errors, if any.
C:\>find /i "cannot find" %systemroot%\security\logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.

C:\>find /i "power Users" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

C:\>find /i "administrator" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
SeMachineAccountPrivilege =
*S-1-5-21-531969533-277817386-569397357-500,Admini rators
SeBackupPrivilege = Backup
Operators,*S-1-5-21-531969533-277817386-569397357-1 2,Administrators
SeCreatePagefilePrivilege = Administrators
SeEnableDelegationPrivilege = Administrators
SeRemoteShutdownPrivilege = Administrators
SeAuditPrivilege = Administrators
SeIncreaseBasePriorityPrivilege = Administrators
SeLoadDriverPrivilege = Administrators
SeSecurityPrivilege = Administrators
SeSystemEnvironmentPrivilege = Administrators
SeProfileSingleProcessPrivilege = Administrators
SeSystemProfilePrivilege = Administrators
SeRestorePrivilege = Backup
Operators,*S-1-5-21-531969533-277817386-569397357- 92,Administrators
SeTakeOwnershipPrivilege = Administrators

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
SeBackupPrivilege = Backup Operators,Administrators
SeCreatePagefilePrivilege = Administrators
SeIncreaseBasePriorityPrivilege = Administrators
SeIncreaseQuotaPrivilege = Administrators
SeInteractiveLogonRight = Backup
Operators,*S-1-5-21-531969533-277817386-56939
57-3204,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-27781
86-569397357-6435,Administrators
SeLoadDriverPrivilege = Administrators
SeNetworkLogonRight =
Administrators,*S-1-5-21-531969533-277817386-569397357-6
5,*S-1-5-21-531969533-277817386-569397357-3205,*S-1-5-21-531969533-277817386-5
397357-6434,*S-1-5-21-531969533-277817386-569397357-3206,*S-1-5-11,Backup
Oper ors
SeProfileSingleProcessPrivilege = Administrators
SeRemoteShutdownPrivilege = Administrators
SeRestorePrivilege = Backup Operators,Administrators
SeSecurityPrivilege = Administrators
SeShutdownPrivilege = Backup Operators,Administrators
SeSystemEnvironmentPrivilege = Administrators
SeSystemProfilePrivilege = Administrators
SeSystemTimePrivilege = Administrators
SeTakeOwnershipPrivilege = Administrators
SeEnableDelegationPrivilege = Administrators
SeUndockPrivilege = Administrators

Power users is missing. Did you or someone else delete it at any time?

It seems that this command's result, (C:\>find /i "power Users"
%systemroot%\security\templates\policies\gpt*.*) showed that these two
policies are referencing Power Users:

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

But from the above results, it doesn't say where the Power Users group is
referenced. In the article, it shows this as an example output that
indicates the problem is in the SeInteractiveLogonRight:

============================
c:\>find /i "MichaelAlexander" %SYSTEMROOT%\security\templates\policies\gpt*.*
---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,*S-1-5-32-550,MichaelAlexander,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-32-548

---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM
=============================


Your output doesn't show where Power Users is being referenced. I noticed you
also ran it for Administrators. That was not necessary because Power Users
is the problem group.

Can you re-run this only for Power Users please and see what additional
output it provides to show us where Power Users is being referenced.
Normally, once we find out which setting is referencing Power Users, we can
remove the Power Users group from the setting to clean this up. Otherwise we
will not be able to fix the problem until we find that out.

C:\>find /i "power Users" %systemroot%\security\templates\policies\gpt*.*







Ace
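
Added example (not from the thread or the article it quotes): a small Python parser that reports which user right in each cached template names a given account, and which entries are stored by name rather than as `*S-` SIDs and so need the name-to-SID lookup that fails with error 1332. The template text is a constructed sample built from lines quoted above; `parse_rights`, `find_account` and `names_needing_lookup` are illustrative names, and the code assumes the file contents have already been read into strings.

```python
import re

# Constructed sample of two cached templates, built from lines quoted in this thread.
SAMPLE = {
    "GPT00001.INF": "[Privilege Rights]\n"
                    "SeBackupPrivilege = Backup Operators,Administrators\n",
    "GPT00002.INF": "[Privilege Rights]\n"
                    "SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,"
                    "MichaelAlexander,*S-1-5-32-544\n",
}

RIGHT_LINE = re.compile(r"^\s*(Se\w+)\s*=\s*(.*)$")

def parse_rights(text):
    """Return {right: [entries]} for every 'SeXxx = a,b,c' line in one template."""
    rights = {}
    for line in text.splitlines():
        m = RIGHT_LINE.match(line)
        if m:
            rights[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return rights

def find_account(templates, account):
    """List (file, right) pairs whose entry list names `account` (case-insensitive)."""
    wanted = account.casefold()
    hits = []
    for name, text in sorted(templates.items()):
        for right, entries in parse_rights(text).items():
            if any(e.casefold() == wanted for e in entries):
                hits.append((name, right))
    return hits

def names_needing_lookup(templates):
    """Entries stored by name (no '*S-' prefix); each needs a name-to-SID lookup."""
    out = set()
    for text in templates.values():
        for entries in parse_rights(text).values():
            out.update(e for e in entries if not e.startswith("*S-"))
    return sorted(out)

if __name__ == "__main__":
    print(find_account(SAMPLE, "michaelalexander"))
    print(find_account(SAMPLE, "Power Users"))
    print(names_needing_lookup(SAMPLE))
```

An empty result means no template line names the account, which is the same case as `find` printing only the `----------` file headers with no lines beneath them.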
 

Guest

I typed the command C:\>find /i "power Users"
%systemroot%\security\templates\policies\gpt*.*, then it showed this message.
I looked around the domain controller security policy and domain security
policy. I could not find Power Users in these policy files. How can I remove
Power Users?

C:\>find /i "everyone" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

C:\>find /i "power users" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

C:\>find /i "Power Users" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
 

Ace Fekay [MVP]

penny said:
I typed the command C:\>find /i "power Users"
%systemroot%\security\templates\policies\gpt*.*, then it showed this
message. I looked around the domain controller security policy and
domain security policy. I could not find Power Users in these policy
files. How can I remove Power Users?

C:\>find /i "everyone" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF


If you open and look in this file: GPT00001.INF, can you see it in there?



Ace
 

Guest

Hi All,

I've got the same problem, same EVENT ID:1202, every 5 min. I receive an
application event with SECLI source.
I followed several steps on this issue and I found that a default user is
missing in the Active Directory, so in my case TsInternetUser is missing or
has been deleted. That user is needed for Terminal Services and is created
when the Terminal Services are installed.

My question is: How can I restore that user in my Active Directory again?
 

Ace Fekay [MVP]

andy said:
Hi All,

I've got the same problem, same EVENT ID:1202, every 5 min. I receive an
application event with SECLI source.
I followed several steps on this issue and I found that a default user is
missing in the Active Directory, so in my case TsInternetUser is missing
or has been deleted. That user is needed for Terminal Services and is created
when the Terminal Services are installed.

My question is: How can I restore that user in my Active Directory again?

Hi Andy,

Have you confirmed the object was deleted? Maybe the object is disabled? If
not, assuming you have a backup, you can perform an authoritative restore to
restore that specific object.

How to perform an authoritative restore:
http://support.microsoft.com/kb/241594

Performing an Authoritative Restore of Active Directory Objects
http://technet2.microsoft.com/windo...83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true

Ace
 
