dcitdir asked:

security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Since Friday I have been getting logs on all my servers related to the issue "security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done."
I did a find /i "cannot find" %systemroot%\security\logs\winlogon.log and found the problem is TsInternetUser.  My problem is what to do next.  Everything I found says to remove the user from Group Policy, but I can't find a group policy that uses this user.  I am at a loss as to how to correct this error.  Thanks
Henrik Johansson

Run the following command to find what policy setting is triggering the error.
C:\>find /i "tsinternetuser" %systemroot%\security\templates\policies\gpt*.*

Run a find for "GPOPath=" on the gpt-file you found in the previous step.
This will return a line with "GPOPath=<GUID>\MACHINE". Run the following command to find the user-friendly name for the GPO.
C:\>gpotool/gpo:<GUID>

dcitdir (ASKER)

When I try to run the gpotool I get 'gpotool' is not recognized as an internal or external command, operable program or batch file.  Any suggestions?


---------- C:\WINDOWS\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-60
2162358-1659004503-839522115-6190,*S-1-5-21-602162358-1659004503-839522115-513,*
S-1-5-21-602162358-1659004503-839522115-5604,*S-1-5-21-602162358-1659004503-8395
22115-3105,*S-1-5-21-602162358-1659004503-839522115-6129,IUSR_NT4,*S-1-5-32-550,
*S-1-5-32-549,TsInternetUser,*S-1-5-21-602162358-1659004503-839522115-4124

---------- C:\WINDOWS\SECURITY\TEMPLATES\POLICIES\GPT00001.DOM

---------- C:\WINDOWS\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-60
2162358-1659004503-839522115-6190,*S-1-5-21-602162358-1659004503-839522115-513,*
S-1-5-21-602162358-1659004503-839522115-5604,*S-1-5-21-602162358-1659004503-8395
22115-3105,*S-1-5-21-602162358-1659004503-839522115-6129,IUSR_NT4,*S-1-5-32-550,
*S-1-5-32-549,TsInternetUser,*S-1-5-21-602162358-1659004503-839522115-4124


Sorry, I forgot that you need to install the resource kit to get gpotool.exe
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD

You can also click yourself through the GPOs in GPMC and on the Details-tab compare the "Unique ID" with the value of GPOPath-line in the gpt-file.
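
The lookup described in the two replies above can be scripted; this is an added PowerShell example, not code from the thread. The function name, the sample template text and the all-zero GUID are constructed for illustration; entries without a leading `*` are account names that each machine has to resolve to a SID itself.

```powershell
# Added example (not from the thread): list user-rights entries stored as account
# names instead of SIDs, with the GPOPath of the template they came from.
function Find-NamedPrincipal {
    param([string[]]$Lines, [string]$Source = 'inline sample')

    # GPOPath can sit anywhere in the file, so pick it up in a first pass.
    $gpoPath = '(no GPOPath line found)'
    foreach ($line in $Lines) {
        if ($line -match 'GPOPath\s*=\s*(\S+)') { $gpoPath = $Matches[1] }
    }
    foreach ($line in $Lines) {
        # User rights are named Se...Right or Se...Privilege.
        if ($line -notmatch '^\s*(Se\w+(?:Right|Privilege))\s*=\s*(.*)$') { continue }
        $right   = $Matches[1]
        $members = $Matches[2] -split ','
        foreach ($entry in $members) {
            $name = $entry.Trim()
            # "*S-1-..." is a literal SID and needs no name lookup.
            if ($name -eq '' -or $name.StartsWith('*')) { continue }
            $resolves = $true
            try {
                $acct = New-Object System.Security.Principal.NTAccount($name)
                $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { $resolves = $false }   # no SID for this name on this machine
            [pscustomobject]@{
                Source = $Source; GPOPath = $gpoPath; Right = $right
                Account = $name; Resolves = $resolves
            }
        }
    }
}

# Constructed sample shaped like the find output in the thread; the GUID is a placeholder.
$sample = @'
GPOPath={00000000-0000-0000-0000-000000000000}\MACHINE
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,IUSR_NT4,*S-1-5-32-550,TsInternetUser
'@ -split "`r?`n"
Find-NamedPrincipal -Lines $sample | Format-Table -AutoSize

# On the affected server, scan the cached templates the thread searches with find.
if ($env:SystemRoot) {
    $dir = Join-Path $env:SystemRoot 'security\templates\policies'
    if (Test-Path $dir) {
        Get-ChildItem $dir -Filter 'gpt*.*' | ForEach-Object {
            Find-NamedPrincipal -Lines @(Get-Content $_.FullName) -Source $_.Name
        } | Where-Object { -not $_.Resolves } | Format-Table -AutoSize
    }
}
```

Rows with `Resolves` set to False are the names that produce the 0x534 warning on that machine; the `GPOPath` column gives the GUID to compare against the "Unique ID" in GPMC.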

dcitdir (ASKER)

OK, I have found the policy, but I don't see any TSInternetUsers in the policy at all.  Here are the results of the gpotool.


Validating DCs...
Available DCs:
Server1
Server2
Server3
Server4
Server5
Searching for policies...
Found 17 policies
============================================================
Policy {0664B55C-31F2-4518-BE83-E31CEDDB2C89}
Friendly name: windows update
Policy OK
============================================================
Policy {0F6255D8-050A-49AA-A596-2E8C59C41952}
Friendly name: Webroot Registry Update
Policy OK
============================================================
Policy {14590DF9-2EAA-4202-8AEC-9607F52B7AF3}
Friendly name: Basic_Lockdown
Policy OK
============================================================
Policy {17B966DC-8059-496E-AC36-0D18BC4F76AD}
Friendly name: Users_Lockdown_07
Policy OK
============================================================
Policy {26FFC456-11B9-4D53-97CB-D23800819455}
Friendly name: INTERNET RESTRICT
Policy OK
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Policy OK
============================================================
Policy {3A52C8B4-F4FD-4326-8BA3-38FC0383AE04}
Friendly name: Desktop Lockdown
Policy OK
============================================================
Policy {62327026-DC70-481E-A6CC-EF9FB2A09E1B}
Friendly name: Users_Lockdown_New
Policy OK
============================================================
Policy {6818A05D-CA11-486E-A1DD-B77563AD17D0}
Friendly name: Additional Settings
Policy OK
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Error: server3  server4
mismatch
Error: server3-server4 mismatch
Error: server3-server4
Details:
------------------------------------------------------------
DC: server3
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:06:06 PM
DS version:     0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0
7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803
0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server2
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:12:54 PM
DS version:     0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0
7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803
0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server1
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:05:54 PM
DS version:     0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0
7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803
0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server4
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/08/2008 9:55:20 PM
DS version:     0(user) 159(machine)
Sysvol version: 0(user) 159(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{8
0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server5
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:06:00 PM
DS version:     0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0
7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803
0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {932C5AAA-FBDA-4111-8E0E-86978F22F599}
Friendly name: New Group Policy Object
Error: Policy {932C5AAA-FBDA-4111-8E0E-86978F22F599} not foun
Details:
------------------------------------------------------------
DC: server3
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:50 PM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server2
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:10:50 PM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server1
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:37 PM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server4
Friendly name: (null)
Created: (null)
Changed: (null)
DS version: (null)
Sysvol version: (null)
Flags: (null)
User extensions: (null)
Machine extensions: (null)
Functionality version: (null)
------------------------------------------------------------
------------------------------------------------------------
DC: server5
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:55 PM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {A5320506-4B69-416C-822C-277296682105}
Friendly name: Public Settings
Policy OK
============================================================
Policy {A7B8683D-2A85-4EFA-B9A9-C04D3923129E}
Friendly name: Daci CSE Installation
Policy OK
============================================================
Policy {BAF0A64A-6A28-4063-90FA-21EDFA61E1F8}
Friendly name: Password Policy
Policy OK
============================================================
Policy {CC167D02-7BED-4FCC-B938-19AC6DA4B77A}
Friendly name: DA Client Setup GPO
Policy OK
============================================================
Policy {D7086905-F4C8-41B7-ACE6-F00DEBEE9CCA}
Friendly name: Users_Lockdown
Policy OK
============================================================
Policy {D8F124D5-3211-463B-9272-10061840DC86}
Friendly name: Audit
Policy OK
============================================================

Errors found

ASKER CERTIFIED SOLUTION
Henrik Johansson

This solution is only available to members.

dcitdir (ASKER)

Thank you for your help, that worked great.  Problem solved.