alan2938

asked on

Event Log Recurring Error: Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

I just discovered the following warnings from the past 24 hours, over 100 of them, that all say the following:

"Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions: "

I did a "FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log" like it says to do, and it returned the following:

        Cannot find IWAM_DD5RSV21.
        Cannot find IUSR_DD5RSV21.

... those two are the only two results, repeated about 40 times. If I search through Active Directory for either one of those names, nothing is returned.

I went to Start -> Run -> rsop.msc
It says the RSoP snap-in was unable to generate the RSoP data due to the error listed below: Access Denied. But I am logged in as the domain administrator!

Until the last hour, my primary DC was Win2003 Server R2 (server1) and my backup DC was Win2000 Server (server2). The domain was running in mixed mode. I just demoted server2 and raised the forest and domain functionality to be Windows 2003. I also just finished setting up a new machine with Win2003 (server3). Once I get this problem solved I will promote server 3 to be the primary DC and demote server1 to be my backup DC.
LauraEHunterMVP

> "If I search through Active Directory for either one of those names, nothing is returned"

Which is why you are getting this error.  You need to locate the GPO setting(s) in which these user accounts have been configured, most likely a Restricted Group or User Rights Assignment setting, and remove the references to them.

As for the rest of your post - there is no such thing as a primary or backup DC in Active Directory; these designations have been meaningless since Windows NT 4.0.  What are you trying to accomplish?
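
An added example, not part of the original thread or any poster's code: one way to locate the GPO settings that still name the accounts reported in winlogon.log, by scanning a GPO security template (GptTmpl.inf) for those names under [Privilege Rights] (User Rights Assignment) and [Group Membership] (Restricted Groups). The log excerpt and template below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of a GPO security template (GptTmpl.inf); not from the thread.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = IWAM_DD5RSV21,IUSR_DD5RSV21,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = IUSR_DD5RSV21
"""

# Constructed winlogon.log excerpt in the shape quoted in the question.
SAMPLE_WINLOGON = """\
        Cannot find IWAM_DD5RSV21.
        Cannot find IUSR_DD5RSV21.
        Cannot find IWAM_DD5RSV21.
"""

SECTIONS = ("privilege rights", "group membership")


def unresolved_names(winlogon_text):
    """Return the distinct account names from 'Cannot find <name>.' lines."""
    found = re.findall(r"Cannot find (.+?)\.\s*$", winlogon_text, re.M | re.I)
    return sorted(set(n.strip() for n in found), key=str.lower)


def find_references(template_text, names):
    """Return (section, setting, name) for each listed name used in the template."""
    wanted = {n.lower(): n for n in names}
    hits, section = [], None
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if not section or section.lower() not in SECTIONS or "=" not in line:
            continue
        setting, _, value = line.partition("=")
        for member in value.split(","):
            member = member.strip().strip('"')
            # Entries starting with '*' are SIDs, i.e. already resolved accounts.
            if member.lower() in wanted:
                hits.append((section, setting.strip(), wanted[member.lower()]))
    return hits
```

On a real domain, the text would come from each GPO's GptTmpl.inf under SYSVOL (Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit), which is typically UTF-16 encoded; each hit names the setting to clean up in the Group Policy editor.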
alan2938

ASKER

I am trying to have redundant domain controllers. Two machines that will maintain Active Directory, do DHCP, and DNS functions. So yes, I guess 'Primary' and 'Backup' are irrelevant, but I need two so if one goes down no one other than myself is the wiser.
Also, I have tried to edit the restricted groups... see what I said earlier:

I went to Start -> Run -> rsop.msc
It says the RSoP snap-in was unable to generate the RSoP data due to the error listed below: Access Denied. But I am logged in as the domain administrator!

An access denied error when attempting to run RSOP can be caused by any number of things, including Windows Firewall settings, DLL corruption, WMI permissions, etc. Links to multiple threads on the matter in the EE PAQ can be found here: http://www.google.com/search?q=site%3Awww.experts-exchange.com+rsop+access+denied.

That said, RSOP.MSC is not used to edit Group Policy Objects; this is done via the Group Policy Management Console.

I'm sorry, I meant Resultant Set of Policy.
Can you provide any more ideas? I have tried everything I found from that Google result and it has not helped. Short of doing dcgpofix.exe, I am not sure what else to do other than wiping out the machine, which would lose all AD information. Dcgpofix.exe would erase special user rights... do programs like SQL or Foxpro install their own user rights that would be erased by doing this? Nothing special has ever been configured in this domain other than a small logon script for a few people that could easily be replaced after this tool is run.
ASKER CERTIFIED SOLUTION
alan2938

To resolve this problem I re-created the group "Power Users" in the "Builtin" folder in "Active Directory Users and Computers".