ViRoy

asked on

Security policies are propagated with warning 0x534

I get a repeating warning then error in the Application Log of Event Viewer.
I am using Win2kAdv Server.
It is set up as a router with DHCP and FTP

I get these errors exactly 5 minutes from each other.
So I get a warning and error at the exact same time then 5 minutes later and then 5 minutes later......

This is the warning:

Event Type:     Warning
Event Source:     SceCli
Event Category:     None
Event ID:     1202
Date:          11/2/2002
Time:          8:59:06 PM
User:          N/A
Computer:     2KPROXY
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Please look for more details in TroubleShooting section in Security Help.
----------------------------------------------------------

And this is the error:

Event Type:     Error
Event Source:     Userenv
Event Category:     None
Event ID:     1000
Date:          11/2/2002
Time:          8:59:06 PM
User:          NT AUTHORITY\SYSTEM
Computer:     2KPROXY
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).


ASKER CERTIFIED SOLUTION
ocon827679

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ViRoy

ASKER

awesome, will try this tonight
also if you're looking for another challenge check out

https://www.experts-exchange.com/questions/20369511/2K-Server-Router-question.html

ASKER

well i followed these steps exactly and still have that exact error message and warning filling up my application log.
 
Resolution
To resolve this issue, add a Group Policy object link for the Default Domain Controller policy to the Domain Controllers organizational unit:

1. Start the Active Directory Users and Computers snap-in.
2. Right-click the Domain Controllers organizational unit and click Properties.
3. Click the Group Policy tab, and then click Add.
4. Click the All tab, click Default Domain Controllers policy and then click OK.
5. Quit the Active Directory Users and Computers snap-in.


ASKER

yup...
definitely still filling it up

ASKER

well I found the real resolution.

ocon827: the reason your fix didn't work is because it was for error 0x6fc - mine is error 0x534

this is what i found:

Error Message: Security Policies Are Propagated with Warning. 0x534
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

This article was previously published under Q247482
SYMPTOMS
Every five minutes the following event error messages are added to the Application log in Event Viewer:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 10/16/1999
Time: 10:13:10 am
User: N/A
Computer: COMPUTERNAME

Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.


-and-



Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 10/16/1999
Time: 10:13:11 am
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

CAUSE
This issue can occur for any of the following reasons:

You installed a program, which creates user accounts and assigns rights to those user accounts. Later, you remove the program, which deletes the user accounts, but does not remove the rights from policy before the accounts are deleted.

-or-

You add a user account and assign rights to the account. Later, you delete the account, but you do not remove the account from the user rights policy.

RESOLUTION
To resolve this issue, follow these steps:

1. Add the ExtensionDebugLevel DWORD value with the value data 2 to the following registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\{827...}

   NOTE: In the registry key, any GUID starting with "{827".

2. Under the command window, type secedit /refreshpolicy machine_policy /enforce to generate the Winlogon.log file in the Windows_folder\Security\Logs folder.
3. Restart the Netlogon service.
4. Search the Winlogon.log file for deleted user accounts.
5. Confirm that this user account is not located in any of the User Rights Assignments in the Default Domain Controllers policy as well as in the Local Security Policy, under the effective settings column.

For additional information about the User Rights Policy, click the article number below to view the article in the Microsoft Knowledge Base:

234237 Assign Log On locally Rights to Windows 2000 Domain Controller

NOTE: The preceding article describes how to add a user to the list. In this case you use the same procedure except you delete a user account from the list.
STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000.


since i have resolved my own problem i might request this question be closed.
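
Added example (not part of the original thread or of the Microsoft article quoted above): a Python sketch of steps 4 and 5 of the resolution, pulling the unmappable account names out of a Winlogon.log and listing the user rights in a security template that still name them. The log excerpt, the template excerpt and the account svc_removed_app are constructed; the "Cannot find <account>" line format is an assumption about the debug log, and the function names are hypothetical.

```python
import re

# Constructed Winlogon.log excerpt. Assumption: the debug log names the
# unmappable account on a "Cannot find <account>." line.
SAMPLE_WINLOGON_LOG = """\
----Configure User Rights...
\tConfigure S-1-5-32-544.
Error 1332: No mapping between account names and security IDs was done.
\tCannot find svc_removed_app.
"""

# Constructed security template excerpt in the INF layout used for User
# Rights Assignment; svc_removed_app is a made-up account name.
SAMPLE_TEMPLATE = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,svc_removed_app
SeBatchLogonRight = svc_removed_app,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def unresolved_accounts(log_text):
    """Account names the log reports as having no SID mapping."""
    found = re.findall(r"^\s*Cannot find (.+?)\.?\s*$", log_text, re.M | re.I)
    return sorted({name.strip() for name in found}, key=str.lower)

def rights_by_account(template_text):
    """Map lower-cased account or SID -> rights listed in [Privilege Rights]."""
    rights, section = {}, None
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            right, members = line.split("=", 1)
            for member in filter(None, (m.strip() for m in members.split(","))):
                rights.setdefault(member.lower(), []).append(right.strip())
    return rights

def stale_assignments(log_text, template_text):
    """For each unresolved account, the user rights that still name it."""
    table = rights_by_account(template_text)
    return {a: table.get(a.lower(), []) for a in unresolved_accounts(log_text)}

if __name__ == "__main__":
    for acct, rights in stale_assignments(SAMPLE_WINLOGON_LOG, SAMPLE_TEMPLATE).items():
        print(acct, "->", ", ".join(rights) or "not in this template, check the next policy")
```

An empty list for an account means this particular template does not reference it, so the same check has to be repeated against each policy that sets user rights, including the Local Security Policy.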
Yeah, I was going to get back to you on this.  There are quite a few TechNet articles on this problem.  I had posted the first I found, didn't notice your error 0x534.  Congrats on finding the solution!!

ASKER

still haven't got around to fixing this
I've been way too busy lately, just started a new business and am still in the development phase.

I will award the points to you once I get this fixed since you did put forth the effort :)
SOLUTION
This solution is only available to members.

ASKER

I still haven't got around to trying the fix above...
are you sure it's the exact error 0x534?

I'm pretty sure this will fix mine but have been unable to get into the building.
sorry ocon, didn't forget about ya
SOLUTION
This solution is only available to members.
Not mine. I have done the above instructions many times, but my PDC will not make the Winlogon.log file. The errors keep coming. Is there another way to find the problematic account?

ASKER

I've still not had a chance to get this done...
I'm gonna try for sure to get it done this weekend.
SOLUTION
This solution is only available to members.
I added ExtensionDebugLevel in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\827* with the DWORD value with the value data 2 and restarted the Netlogon service and my server will still not make the Winlogon.log file?!?!?! Is there another way to get the problematic account? Or is there another way to create the Winlogon.log file?

Just wanted you to know that there is SOMEONE out there that has done the procedures many times and it does NOT work!
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
Now my errors are back... I can clearly recreate the error los winlogon.log and see the "bad account" but I can find it NOWHERE in the group policy... especially in the user rights assignments.

Any Ideas...?
You might end up doing what I'm doing this week; I'm reinstalling my server and filled with disgust once again at Micrschwag.
pritchie: I have done that many many times, but thanks for the comment since I did not state that in my initial correspondence.
SOLUTION
This solution is only available to members.
ExpLR; Did you delete the account rights from the various policies?
"Once a user account has been deleted, all permissions and memberships associated with that user account are deleted."  - Windows 2000 Help
Think again.
Etherboy, I honestly just thought you couldn't generate the Winlogon...sorry. But to be honest, this problem is/was a HUGE pain in the BUTT for me too. I actually gave up on the "microsoft provided" solution and did this...

Just an FYI..This is my HOME Network, so I have no real downside to any of my actions. Anyway, I went into the Default Domain Policy and Disabled it. Did the same for my Default Domain Controllers Policy. After they were disabled, I went into the properties sheets for each policy and checked those 2 boxes to help "Improve performance". After I did that, I just redid all the Recommended microsoft steps and then REBOOTED the server with NO policies defined. After I rebooted it, I created new policies for both the Default Domain And the Domain Controllers policies. Then I rebooted again and it's been over 24 hours with NO more application log entries!!

Granted, this hosed my Def. Domain Policy and my Domain Controllers Policy but I really didn't have anything specific defined and I just wanted to get it taken care of any way I could.

Did you remember to check the Local Security Policy? Unless you have modified the User Rights Assignment in Local Policies, it will most likely contain the Power Users group.

Cheers,
TB
SOLUTION
This solution is only available to members.
Here's my way: I've installed back IIS and then disabled the service itself (as recommended by MS when it's not in use).
compushane, your solution also works on my configuration
Hi I got the same problem with the 5min occurrences 1000 / 1202 -
just in my logfile - the only thing he's murning about is missing netshowservices,
never heard about that one before.

thx in advance for any suggestions
thx anyway :D - looks like I am that stupid - there really were rights assigned to an account named netshowservices. can't believe it. where did that account come from. anyway problem solved.

ASKER

lol