ViRoy
Security policies are propagated with warning 0x534
I get a repeating warning and then an error in the Application Log of Event Viewer.
I am using Win2kAdv Server.
It is set up as a router with DHCP and FTP.
I get these errors exactly 5 minutes apart.
So I get a warning and an error at the exact same time, then again 5 minutes later, and then 5 minutes later......
This is the warning:
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 11/2/2002
Time: 8:59:06 PM
User: N/A
Computer: 2KPROXY
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Please look for more details in TroubleShooting section in Security Help.
--------------------------
And this is the error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 11/2/2002
Time: 8:59:06 PM
User: NT AUTHORITY\SYSTEM
Computer: 2KPROXY
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
ASKER
Well, I followed these steps exactly and still have that exact error message and warning filling up my application log.
Resolution
To resolve this issue, add a Group Policy object link for the Default Domain Controller policy to the Domain Controllers organizational unit:
Start the Active Directory Users and Computers snap-in.
Right-click the Domain Controllers organizational unit and click Properties.
Click the Group Policy tab, and then click Add.
Click the All tab, click Default Domain Controllers policy and then click OK.
Quit the Active Directory Users and Computers snap-in.
ASKER
yup...
definitely still filling it up
ASKER
Well, I found the real resolution.
ocon827: the reason your fix didn't work is because it was for error 0x6fc - mine is error 0x534.
This is what I found:
Error Message: Security Policies Are Propagated with Warning. 0x534
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
This article was previously published under Q247482
SYMPTOMS
Every five minutes the following event error messages are added to the Application log in Event Viewer:
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 10/16/1999
Time: 10:13:10 am
User: N/A
Computer: COMPUTERNAME
Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.
-and-
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 10/16/1999
Time: 10:13:11 am
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
CAUSE
This issue can occur for any of the following reasons:
You installed a program, which creates user accounts and assigns rights to those user accounts. Later, you remove the program, which deletes the user accounts, but does not remove the rights from policy before the accounts are deleted.
-or-
You add a user account and assign rights to the account. Later, you delete the account, but you do not remove the account from the user rights policy.
RESOLUTION
To resolve this issue, follow these steps:
Add the ExtensionDebugLevel DWORD value with the value data 2 to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\{827...}
NOTE: In the registry key, any GUID starting with "{827".
Under the command window, type secedit /refreshpolicy machine_policy /enforce to generate the Winlogon.log file in the Windows_folder\Security\Logs folder.
Restart the Netlogon service.
Search the Winlogon.log file for deleted user accounts.
Confirm that this user account is not located in any of the User Rights Assignments in the Default Domain Controllers policy as well as in the Local Security Policy, under the effective settings column.
For additional information about the User Rights Policy, click the article number below to view the article in the Microsoft Knowledge Base:
234237 Assign Log On locally Rights to Windows 2000 Domain Controller
NOTE: The preceding article describes how to add a user to the list. In this case you use the same procedure except you delete a user account from the list.
STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000.
Since I have resolved my own problem, I might request this question be closed.
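An added example, not part of the original thread or the Microsoft article: once Winlogon.log has been generated, this Python code lists the account names the log reports as unresolvable and shows which user rights in a security template still reference them. The log line wording (`Cannot find <name>.`), the template text, and the account name OldBackupSvc are constructed assumptions.

```python
import re

# Constructed excerpt of Winlogon.log debug output (ExtensionDebugLevel = 2).
# Assumption: unresolved accounts are logged as "Cannot find <name>."
SAMPLE_WINLOGON_LOG = """\
----Configure User Rights...
    Cannot find NetShowServices.
    Cannot find OldBackupSvc.
    User Rights configuration was completed with one or more errors.
"""

# Constructed security template text; names without "*" are account names.
SAMPLE_TEMPLATE = """\
[Privilege Rights]
SeServiceLogonRight = NetShowServices,*S-1-5-32-544
SeBatchLogonRight = OldBackupSvc,NetShowServices
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def unresolved_accounts(log_text):
    """Account names the security extension could not map to a SID."""
    names = re.findall(r"^\s*Cannot find (.+?)\.\s*$", log_text, re.M | re.I)
    return sorted(set(names), key=str.lower)

def privilege_rights(template_text):
    """Parse the [Privilege Rights] section into {right: [principal, ...]}."""
    rights, in_section = {}, False
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, _, members = line.partition("=")
            rights[right.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return rights

def stale_assignments(log_text, template_text):
    """Map each unresolved account to the user rights that still list it."""
    rights = privilege_rights(template_text)
    result = {}
    for name in unresolved_accounts(log_text):
        result[name] = sorted(r for r, members in rights.items()
                              if name.lower() in (m.lower() for m in members))
    return result

if __name__ == "__main__":
    for account, found in stale_assignments(SAMPLE_WINLOGON_LOG, SAMPLE_TEMPLATE).items():
        print(account, "->", ", ".join(found) or "not referenced in this template")
```

An account that shows up in the log but in no right of the template being checked has to be looked for in the other policy source the article names, the Local Security Policy.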
Yeah, I was going to get back to you on this. There's quite a few technet articles on this problem. I had posted the first I found, didn't notice your error 0x534. Congrats on finding the solution!!
ASKER
Still haven't got around to fixing this.
I've been way too busy lately, just started a new business and am still in the development phase.
I will award the points to you once I get this fixed since you did put forth the effort :)
ASKER
I still haven't got around to trying the fix above...
Are you sure it's the exact error 0x534?
I'm pretty sure this will fix mine but have been unable to get into the building.
Sorry ocon, didn't forget about ya.
Not mine. I have done the above instructions many times, but my PDC will not make the Winlogon.log file. The errors keep coming. Is there another way to find the problematic account?
ASKER
I've still not had a chance to get this done...
I'm gonna try for sure to get it done this weekend.
I added ExtensionDebugLevel in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\827* with the DWORD value with the value data 2 and restarted the Netlogon service and my server will still not make the Winlogon.log file?!?!?! Is there another way to get the problematic account? Or is there another way to create the Winlogon.log file?
Just wanted you to know that there is SOMEONE out there that has done the procedures many times and does NOT work!
Now my errors are back... I can clearly recreate the error los winlogon.log and see the "bad account" but I can find it NOWHERE in the group policy... especially in the user rights assignments.
Any ideas...?
You might end up doing what I'm doing this week; I'm reinstalling my server and filled with disgust once again at Micrschwag.
pritchie: I have done that many many times, but thanks for the comment since I did not state that in my initial correspondence.
ExpLR; Did you delete the account rights from the various policies?
"Once a user account has been deleted, all permissions and memberships associated with that user account are deleted." - Windows 2000 Help
Think again.
Etherboy, I honestly just thought you couldn't generate the Winlogon...sorry. But to be honest, this problem is/was a HUGE pain in the BUTT for me too. I actually gave up on the "microsoft provided" solution and did this...
Just an FYI..This is my HOME Network, so I have no real downside to any of my actions. Anyway, I went into the Default Domain Policy and Disabled it. Did the same for my Default Domain Controllers Policy. After they were disabled, I went into the properties sheets for each policy and checked those 2 boxes to help "Improve performance". After I did that, I just redid all the Recommended microsoft steps and then REBOOTED the server with NO policies defined. After I rebooted it, I created new policies for both the Default Domain And the Domain Controllers policies. Then I rebooted again and it's been over 24 hours with NO more application log entries!!
Granted, this hosed my Def. Domain Policy and my Domain Controllers Policy but I really didn't have anything specific defined and I just wanted to get it taken care of any way I could.
Did you remember to check the Local Security Policy? Unless you have modified the User Rights Assignment in Local Policies, it will most likely contain the Power Users group.
Cheers,
TB
Here's my way: I've installed back IIS and then disabled the service itself (as recommended by MS when it's not in use).
compushane, your solution also works on my configuration
Hi, I got the same problem with the 5min occurrences 1000 / 1202 -
just in my logfile - the only thing he's murning about is missing netshowservices,
never heard about that one before.
thx in advance for any suggestions
thx anyway :D - looks like I am that stupid - there really were rights assigned to an account named netshowservices. can't believe it. where did that account come from. anyway problem solved.
ASKER
lol
ASKER
also if you're lookin for another challenge check out
https://www.experts-exchange.com/questions/20369511/2K-Server-Router-question.html