bsharath

I am not able to create any users in ADS

Hi,

I am not able to create any users in ADS
I get this error.
---------------------------
Active Directory
---------------------------
Windows cannot create the object Username because:

A required attribute is missing.


---------------------------
OK  
---------------------------
Please help.

regards
Sharath
QBRad

Is there anything else in the event log?
bsharath (ASKER)

This
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Hi

How are you creating the users? Can you copy an existing user (right click on a user and copy) then enter in the new data for him/her?
I only have 100's of these warnings, that's it.... Does this have anything to do with the error?
elliotsegler
I tried it now and also get the same error.
I would follow those steps as that is most likely the cause.
Which version of AD are you using? 2000 or 2003?
elliotsegler

I am using 2003

QBRad
Are you sure that may be the problem? Because I don't want to create a new problem starting to solve this one...:)
SOLUTION
QBRad
This solution is only available to members.
I agree with QBRad. The SIDs for users are essential to the domain's functionality.

Have you tried the steps that you posted up earlier?


1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").
I get this..As mentioned in the first step...


C:\>FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
        Cannot find TsInternetUser.
        [the same line repeated 59 more times]

I tried this...
C:\>FIND /I "JohnDough"  %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG

How can I find which user?
JohnDough must be an example by Microsoft?
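
Steps 1 and 2 of the event text, scripted as an added example that is not part of the original thread: it collapses the repeated "Cannot find" lines into unique names, checks whether each name still maps to a SID, and lists the GPO security template entries that reference it. The `$PolicyDir` default is an assumption about where the domain's SYSVOL policy store is reachable; GPO security settings are read from the `GptTmpl.inf` file of each policy.

```powershell
# Added example, not from the thread. Read-only: it changes no policy.
param(
    [string]$LogPath   = "$env:SystemRoot\Security\Logs\winlogon.log",
    # Assumption: the domain's policy store is reachable at this SYSVOL path.
    [string]$PolicyDir = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Step 1: collapse repeated "Cannot find <name>." lines into unique names with counts.
$names = Get-Content -Path $LogPath |
    ForEach-Object { if ($_ -match 'Cannot find\s+(.+?)\.\s*$') { $Matches[1] } } |
    Group-Object | Sort-Object -Property Count -Descending

foreach ($n in $names) {
    # Confirm the name really has no SID mapping (the 0x534 condition).
    $sid = $null
    try {
        $acct = New-Object System.Security.Principal.NTAccount($n.Name)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Translate throws when no account-name-to-SID mapping exists.
    }
    $status = if ($sid) { "resolves to $sid" } else { 'no SID mapping' }
    "{0} ({1} log lines): {2}" -f $n.Name, $n.Count, $status

    # Step 2 equivalent: list every GPO template setting that names the account
    # (User Rights under [Privilege Rights], Restricted Groups under [Group Membership]).
    Get-ChildItem -Path $PolicyDir -Recurse -Filter GptTmpl.inf | ForEach-Object {
        $file = $_.FullName
        $gpo  = if ($file -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $file }
        foreach ($line in Get-Content -Path $file) {
            if ($line -match '^\s*([^=]+?)\s*=\s*(.+)$') {
                $setting = $Matches[1]
                $members = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
                if ($members -contains $n.Name) {
                    "  GPO {0} sets {1}" -f $gpo, $setting
                }
            }
        }
    }
}
```

The GUID printed for each hit is the policy's folder name under SYSVOL, which identifies the Source GPO to edit in step 3.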
JohnDough is just the example they use. Have you looked for a user or group "TsInternetUser" in your AD? I would suspect you can't find it?
Yes there is no user like this...
ASKER CERTIFIED SOLUTION
This solution is only available to members.
If that doesn't help, see if you can't recreate/restore the TsInternetUser that seems to be creating the troubles.

Have a read here: http://support.microsoft.com/kb/840001
Hi,

Allow logon locally has an X mark.... How can I solve this issue?
Go to Start - Run and type GPEDIT.msc

Go to the logon locally object that has a red X on it. Open it up and look for any reference to the TsInternetUsers account and delete it. It might be part of a group still, so you may have to find them in the group and delete the entry. Possibly remove the group from the Allow logon object and re-add it.

Hope that helps
Inside Allow logon locally I have "TsInternetUser". Shall I remove the user from there? Will this solve the issue?
Yes. If you remove that user it should resolve the issue. Once you remove it can you tell me what happened? I haven't actually come across this problem myself before.
I am not able to remove as the remove tab is disabled...
In this GPEDIT.msc
I am not able to find the tsinternetusers...
When I search the domain I am not able to see it....
Are there any other users listed under the allow logon locally object?
Yes, there are all my DC's machine names listed there.
Account operators
Backup operators
Administrator
Print operators
Reality operators
You could try to force the Group Policy to update. That might wipe the TsInternetUser out of RSoP.

Start - Run - gpupdate /force /boot

This will force the policy to update and then reboot to make sure it has been applied. I would suggest that you have a backup though. Just in case things go sour.
Also Domain Admins should be in the Logon Locally Box.
This command
gpupdate /force /boot

What will the boot do, just log off or restart?
In log on locally how can I add the domain admin as they are disabled buttons...
Um. Are you trying to add the Domain Admin in the RSoP.msc console? If so you can just go to
GPEDIT.msc and add them there (they look identical)

RSoP is the resultant set of policy on that computer - derived from GP which is the ACTUAL policy.

The GPUPDATE /FORCE /BOOT command will update the policy, then log you off and then restart the computer/server. Restarting means that any policy that couldn't have been applied will be applied on the boot up.
Even here GPEDIT.msc the buttons are disabled

I have logged in as a domain admin to the DC...
Can you check that the "Deny Logon Locally" object is enabled? This could be overriding the allow rule.
elliotsegler
"Deny logon locally" has some number SIDs and some Sophos names.
I forgot to tell you that I had moved all the computers from all OUs to 1 particular OU in the morning and later moved the DCs to the domain controller OU as before. Will this have caused some problem?
Yeah. I would say that would have done it. Somewhere along the line, the SIDs have gotten mixed up. I would remove all the numbered SIDs (because you can't really tell what they are). After that, run the gpupdate.exe command and reboot. If it fails, you can log into safe mode locally and try and change the settings then.
Even here, to remove the numeric SIDs, the buttons are greyed out...
hmm...

Have you tried rebooting into safe mode and logging on using the local admin account?
I just tried logging into safe mode and checking; there also it is disabled, both Log on locally and deny logon locally.
Hi

Can you put up some screenshots of the steps you are taking? I think something must be going wrong somewhere.