dcitdir
asked on
security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Since Friday I have been getting logs on all my servers related to the issue security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
I did a find /i "cannot find" %ystemroot%\security\logs\ winlogin.l og and found the problem is TsInternetUser. My problem is what to do next. Everything I found says to remove the user from Group policy but I can't find a group policy that uses this user. I am at a loss of how to correct this error. Thanks
I did a find /i "cannot find" %ystemroot%\security\logs\
ASKER
When I try to run the gpotool i get 'gpotool' is not recognized as an internal or external command, operable program or batch file. Any suggestions?
---------- C:\WINDOWS\SECURITY\TEMPLA TES\POLICI ES\GPT0000 0.DOM
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-54 4,*S-1-5-3 2-551,*S-1 -5-21-60
2162358-1659004503-8395221 15-6190,*S -1-5-21-60 2162358-16 59004503-8 39522115-5 13,*
S-1-5-21-602162358-1659004 503-839522 115-5604,* S-1-5-21-6 02162358-1 659004503- 8395
22115-3105,*S-1-5-21-60216 2358-16590 04503-8395 22115-6129 ,IUSR_NT4, *S-1-5-32- 550,
*S-1-5-32-549,TsInternetUs er,*S-1-5- 21-6021623 58-1659004 503-839522 115-4124
---------- C:\WINDOWS\SECURITY\TEMPLA TES\POLICI ES\GPT0000 1.DOM
---------- C:\WINDOWS\SECURITY\TEMPLA TES\POLICI ES\GPT0000 2.INF
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-54 4,*S-1-5-3 2-551,*S-1 -5-21-60
2162358-1659004503-8395221 15-6190,*S -1-5-21-60 2162358-16 59004503-8 39522115-5 13,*
S-1-5-21-602162358-1659004 503-839522 115-5604,* S-1-5-21-6 02162358-1 659004503- 8395
22115-3105,*S-1-5-21-60216 2358-16590 04503-8395 22115-6129 ,IUSR_NT4, *S-1-5-32- 550,
*S-1-5-32-549,TsInternetUs er,*S-1-5- 21-6021623 58-1659004 503-839522 115-4124
---------- C:\WINDOWS\SECURITY\TEMPLA
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-54
2162358-1659004503-8395221
S-1-5-21-602162358-1659004
22115-3105,*S-1-5-21-60216
*S-1-5-32-549,TsInternetUs
---------- C:\WINDOWS\SECURITY\TEMPLA
---------- C:\WINDOWS\SECURITY\TEMPLA
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-54
2162358-1659004503-8395221
S-1-5-21-602162358-1659004
22115-3105,*S-1-5-21-60216
*S-1-5-32-549,TsInternetUs
Sorry, I forgot that you nead to install resource kit to get the gpotool.exe
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD
You can also click yourself through the GPOs in GPMC and on the Details-tab compare the "Unique ID" with the value of GPOPath-line in the gpt-file.
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD
You can also click yourself through the GPOs in GPMC and on the Details-tab compare the "Unique ID" with the value of GPOPath-line in the gpt-file.
ASKER
Ok once I have found the policy but I don't see any TSInternetUsers in the policy at all. Here is the results of the gpotool.
Validating DCs...
Available DCs:
Server1
Server2
Server3
Server4
Server5
Searching for policies...
Found 17 policies
========================== ========== ========== ========== ====
Policy {0664B55C-31F2-4518-BE83-E 31CEDDB2C8 9}
Friendly name: windows update
Policy OK
========================== ========== ========== ========== ====
Policy {0F6255D8-050A-49AA-A596-2 E8C59C4195 2}
Friendly name: Webroot Registry Update
Policy OK
========================== ========== ========== ========== ====
Policy {14590DF9-2EAA-4202-8AEC-9 607F52B7AF 3}
Friendly name: Basic_Lockdown
Policy OK
========================== ========== ========== ========== ====
Policy {17B966DC-8059-496E-AC36-0 D18BC4F76A D}
Friendly name: Users_Lockdown_07
Policy OK
========================== ========== ========== ========== ====
Policy {26FFC456-11B9-4D53-97CB-D 2380081945 5}
Friendly name: INTERNET RESTRICT
Policy OK
========================== ========== ========== ========== ====
Policy {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Friendly name: Default Domain Policy
Policy OK
========================== ========== ========== ========== ====
Policy {3A52C8B4-F4FD-4326-8BA3-3 8FC0383AE0 4}
Friendly name: Desktop Lockdown
Policy OK
========================== ========== ========== ========== ====
Policy {62327026-DC70-481E-A6CC-E F9FB2A09E1 B}
Friendly name: Users_Lockdown_New
Policy OK
========================== ========== ========== ========== ====
Policy {6818A05D-CA11-486E-A1DD-B 77563AD17D 0}
Friendly name: Additional Settings
Policy OK
========================== ========== ========== ========== ====
Policy {6AC1786C-016F-11D2-945F-0 0C04FB984F 9}
Friendly name: Default Domain Controllers Policy
Error: server3 server4
mismatch
Error: server3-server4 mismatch
Error: server3-server4
Details:
-------------------------- ---------- ---------- ---------- ----
DC: server3
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:06:06 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A- 00C04FBBCF A2}{0
7CC-0000F87571E3}][{827D31 9E-6EAC-11 D2-A4EA-00 C04F79F83A }{803
0-00A0C90F574B}]
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server2
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:12:54 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A- 00C04FBBCF A2}{0
7CC-0000F87571E3}][{827D31 9E-6EAC-11 D2-A4EA-00 C04F79F83A }{803
0-00A0C90F574B}]
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server1
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:05:54 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A- 00C04FBBCF A2}{0
7CC-0000F87571E3}][{827D31 9E-6EAC-11 D2-A4EA-00 C04F79F83A }{803
0-00A0C90F574B}]
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server4
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/08/2008 9:55:20 PM
DS version: 0(user) 159(machine)
Sysvol version: 0(user) 159(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA- 00C04F79F8 3A}{8
0D0-00A0C90F574B}]
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server5
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:06:00 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A- 00C04FBBCF A2}{0
7CC-0000F87571E3}][{827D31 9E-6EAC-11 D2-A4EA-00 C04F79F83A }{803
0-00A0C90F574B}]
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
========================== ========== ========== ========== ====
Policy {932C5AAA-FBDA-4111-8E0E-8 6978F22F59 9}
Friendly name: New Group Policy Object
Error: Policy {932C5AAA-FBDA-4111-8E0E-8 6978F22F59 9} not foun
Details:
-------------------------- ---------- ---------- ---------- ----
DC: server3
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:50 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server2
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:10:50 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server1
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:37 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server4
Friendly name: (null)
Created: (null)
Changed: (null)
DS version: (null)
Sysvol version: (null)
Flags: (null)
User extensions: (null)
Machine extensions: (null)
Functionality version: (null)
-------------------------- ---------- ---------- ---------- ----
-------------------------- ---------- ---------- ---------- ----
DC: server5
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:55 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
-------------------------- ---------- ---------- ---------- ----
========================== ========== ========== ========== ====
Policy {A5320506-4B69-416C-822C-2 7729668210 5}
Friendly name: Public Settings
Policy OK
========================== ========== ========== ========== ====
Policy {A7B8683D-2A85-4EFA-B9A9-C 04D3923129 E}
Friendly name: Daci CSE Installation
Policy OK
========================== ========== ========== ========== ====
Policy {BAF0A64A-6A28-4063-90FA-2 1EDFA61E1F 8}
Friendly name: Password Policy
Policy OK
========================== ========== ========== ========== ====
Policy {CC167D02-7BED-4FCC-B938-1 9AC6DA4B77 A}
Friendly name: DA Client Setup GPO
Policy OK
========================== ========== ========== ========== ====
Policy {D7086905-F4C8-41B7-ACE6-F 00DEBEE9CC A}
Friendly name: Users_Lockdown
Policy OK
========================== ========== ========== ========== ====
Policy {D8F124D5-3211-463B-9272-1 0061840DC8 6}
Friendly name: Audit
Policy OK
========================== ========== ========== ========== ====
Errors found
Validating DCs...
Available DCs:
Server1
Server2
Server3
Server4
Server5
Searching for policies...
Found 17 policies
==========================
Policy {0664B55C-31F2-4518-BE83-E
Friendly name: windows update
Policy OK
==========================
Policy {0F6255D8-050A-49AA-A596-2
Friendly name: Webroot Registry Update
Policy OK
==========================
Policy {14590DF9-2EAA-4202-8AEC-9
Friendly name: Basic_Lockdown
Policy OK
==========================
Policy {17B966DC-8059-496E-AC36-0
Friendly name: Users_Lockdown_07
Policy OK
==========================
Policy {26FFC456-11B9-4D53-97CB-D
Friendly name: INTERNET RESTRICT
Policy OK
==========================
Policy {31B2F340-016D-11D2-945F-0
Friendly name: Default Domain Policy
Policy OK
==========================
Policy {3A52C8B4-F4FD-4326-8BA3-3
Friendly name: Desktop Lockdown
Policy OK
==========================
Policy {62327026-DC70-481E-A6CC-E
Friendly name: Users_Lockdown_New
Policy OK
==========================
Policy {6818A05D-CA11-486E-A1DD-B
Friendly name: Additional Settings
Policy OK
==========================
Policy {6AC1786C-016F-11D2-945F-0
Friendly name: Default Domain Controllers Policy
Error: server3 server4
mismatch
Error: server3-server4 mismatch
Error: server3-server4
Details:
--------------------------
DC: server3
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:06:06 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-
7CC-0000F87571E3}][{827D31
0-00A0C90F574B}]
Functionality version: 2
--------------------------
--------------------------
DC: server2
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:12:54 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-
7CC-0000F87571E3}][{827D31
0-00A0C90F574B}]
Functionality version: 2
--------------------------
--------------------------
DC: server1
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:05:54 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-
7CC-0000F87571E3}][{827D31
0-00A0C90F574B}]
Functionality version: 2
--------------------------
--------------------------
DC: server4
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/08/2008 9:55:20 PM
DS version: 0(user) 159(machine)
Sysvol version: 0(user) 159(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-
0D0-00A0C90F574B}]
Functionality version: 2
--------------------------
--------------------------
DC: server5
Friendly name: Default Domain Controllers Policy
Created: 11/28/2001 11:25:15 PM
Changed: 05/27/2008 5:06:00 PM
DS version: 0(user) 162(machine)
Sysvol version: 0(user) 162(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{35378EAC-683F-11D2-A89A-
7CC-0000F87571E3}][{827D31
0-00A0C90F574B}]
Functionality version: 2
--------------------------
==========================
Policy {932C5AAA-FBDA-4111-8E0E-8
Friendly name: New Group Policy Object
Error: Policy {932C5AAA-FBDA-4111-8E0E-8
Details:
--------------------------
DC: server3
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:50 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
--------------------------
--------------------------
DC: server2
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:10:50 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
--------------------------
--------------------------
DC: server1
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:37 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
--------------------------
--------------------------
DC: server4
Friendly name: (null)
Created: (null)
Changed: (null)
DS version: (null)
Sysvol version: (null)
Flags: (null)
User extensions: (null)
Machine extensions: (null)
Functionality version: (null)
--------------------------
--------------------------
DC: server5
Friendly name: New Group Policy Object
Created: 05/27/2008 5:03:36 PM
Changed: 05/27/2008 5:03:55 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
--------------------------
==========================
Policy {A5320506-4B69-416C-822C-2
Friendly name: Public Settings
Policy OK
==========================
Policy {A7B8683D-2A85-4EFA-B9A9-C
Friendly name: Daci CSE Installation
Policy OK
==========================
Policy {BAF0A64A-6A28-4063-90FA-2
Friendly name: Password Policy
Policy OK
==========================
Policy {CC167D02-7BED-4FCC-B938-1
Friendly name: DA Client Setup GPO
Policy OK
==========================
Policy {D7086905-F4C8-41B7-ACE6-F
Friendly name: Users_Lockdown
Policy OK
==========================
Policy {D8F124D5-3211-463B-9272-1
Friendly name: Audit
Policy OK
==========================
Errors found
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for your help that worked great. Problem Solved
C:\>find /i "tsinternetuser" %systemroot%\security\temp
Run a find for "GPOPath=" on the gpt-file you found in the previous step.
This will return a line with "GPOPath=<GUID>\MACHINE". Run the following command to find the user-friendly name for the GPO.
C:\>gpotool/gpo:<GUID>
.