  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 633

Domain authentication issue event 1202 - urgent

Hi Guys, got a bit of an urgent one here.

I'll run down the structure quickly:

2000 mixed mode domain structure, Parent domain and then a child domain for each site we have.

One of our sites just started reporting problems this week that users have trouble authenticating to shares on another domain. Now users are having trouble authenticating to our centralised ISA proxy server to get out onto the Internet (users belong to an AD group in their domain which is on the authenticated list for access on the proxy server).

So obviously we are having major authentication issues, but it is only affecting this one domain.

The only warning that is new in the event log and really stands out to me is the following:

____________________________________________________
Event Type:      Warning
Event Source:      SceCli
Event Category:      None
Event ID:      1202
Date:            01/08/2007
Time:            15:23:26
User:            N/A
Computer:      PRSCGLW2DPR1
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "troubleshooting 1202 events".
A user account in one or more Group policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped nor deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.Identify accounts that could not be resolved to a SID: From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.Identify the GPOs that contain the unresolvable account name:
From the command prompt type FIND /I "JohnDough" %SYSTEMROOT%\Security\templates\policies\gpt*.*
      The output of the FIND command will resemble the following:
      ---------- GPT00000.DOM
      ---------- GPT00001.DOM
      SeRemoteShutdownPrivilege=JohnDough
      This indicates that of all the GPOs being applied to this machine,  the unresolvable account exists only in one GPO.  Specifically, the cached GPO named GPT00001.DOM.
      Now we need to determine the friendly name of this GPO in the next step.

3. Locate the friendly names of each of the GPOs that contain an unresolvable account name.  These GPOs were identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log
      The string following "[Mapping] gpt0000?.dom =" in the FIND output identifies the friendly names for all GPOs being applied to this machine.
      Example: [Mapping] gpt00001.dom = User Rights Policy
      In this case, the GPO that contains the unresolvable account (gpt00001.dom) has a friendly name of "User Rights Policy".

4. Remove unresolved accounts from each GPO that contains an unresolvable account.
      a. Start -> Run -> MMC.EXE
      b. From the File menu select "Add/Remove Snap-in"
      c. From the "Add/Remove Snap-in" dialog box select "Add"
      d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
      e. In the "Select Group Policy Object" dialog box click the "Browse" button.
      f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
      g. Right click on the first policy identified in step 3 and choose edit
      h.      Review each setting under Computer Configuration/ Windows Settings/ Security Settings/ Local Policies/ User Rights
       Assignment or Computer Configuration/ Windows Settings/ SecuritySettings/ Restricted Groups for accounts identified in step 1.
      i. Repeat steps 3g and 3h for all subsequent GPOs identified in step 3.
_______________________________________________________________




Now I have made the registry change to debug the GP events and followed steps 1 & 2 in the resolution above, with the following results (see below):

__________________________________________________
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>cd..

C:\Documents and Settings>cd..

C:\>find /i "cannot find" %systemroot%\security\logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
        Cannot find Power Users.
        Cannot find domain administrators.

C:\>find /i "account name" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.INF

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.DOM

C:\>
________________________________________________________


Now I am a bit stumped; I expected to see individual user accounts causing a problem, but instead I get domain admins and power users.

Now I don't know if this is what the problem is, but like I say it's the only event that really stands out and is new.

Can anyone help at all?

Asked by: he_who_dares
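The three FIND steps from the event text above, combined into one pass, as an added example that is not part of the original thread: it de-duplicates the "Cannot find" names, looks each name up in the cached templates, and reports the GPO friendly name from the `[Mapping]` lines. The log and template contents are constructed samples, and the function names and the `<group>__Members` key form are assumptions.

```python
import re

# Constructed sample data; real inputs are winlogon.log and the cached gpt*.* templates.
SAMPLE_LOG = """\
[Mapping] gpt00000.dom = Site Baseline Policy
[Mapping] gpt00001.dom = User Rights Policy
        Cannot find Power Users.
        Cannot find domain administrators.
        Cannot find Power Users.
"""
SAMPLE_TEMPLATES = {
    "GPT00000.DOM": "[Privilege Rights]\nSeShutdownPrivilege=Administrators\n",
    "GPT00001.DOM": "[Privilege Rights]\n"
                    "SeRemoteShutdownPrivilege=Domain Administrators,Power Users\n",
}

CANNOT_FIND = re.compile(r"^\s*Cannot find (.+?)\.\s*$", re.IGNORECASE)
MAPPING = re.compile(r"^\s*\[Mapping\]\s*(\S+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def unresolved_accounts(log_text):
    """Step 1: unique names following 'Cannot find', in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = CANNOT_FIND.match(line)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(1))
    return list(seen.values())

def gpo_names(log_text):
    """Step 3: cached template file name (lower-cased) -> GPO friendly name."""
    matches = (MAPPING.match(line) for line in log_text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def report(log_text, templates):
    """Step 2: (GPO, setting, account) for each setting naming an unresolved account."""
    accounts, names, hits = unresolved_accounts(log_text), gpo_names(log_text), []
    for fname, text in templates.items():
        for line in text.splitlines():
            setting, sep, value = line.partition("=")
            if not sep:
                continue  # section headers such as [Privilege Rights]
            listed = {v.strip().lower() for v in value.split(",")}
            listed.add(setting.split("__")[0].strip().lower())  # assumed "<group>__Members" key
            for acct in accounts:
                if acct.lower() in listed:
                    hits.append((names.get(fname.lower(), fname), setting.strip(), acct))
    return hits

if __name__ == "__main__":
    for gpo, setting, account in report(SAMPLE_LOG, SAMPLE_TEMPLATES):
        print(f"{gpo}: {setting} lists unresolvable account '{account}'")
```

To use it on a real machine, read the log and template files into strings and pass them to `report` in place of the samples.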
1 Solution
 
Walter Padrón Commented:
This is not a critical error, just a policy referencing a non-existent local group is applied. Open your policies, go to Windows Settings / Security Settings / Local Policies / User Rights Assignments and check if there is a Power Users group around.

If I understand, your real problem is another: the parent domain can't authenticate users in a child domain. I suggest you run dcdiag and netdiag on the child domain and look for errors. Post the results.

Regards
 
he_who_dares (Author) Commented:
Well the ISA proxy server is in the parent domain and there seems to be authentication issues there.

The file server is in another child domain and there are serious authentication issues on that.

Here are the DC/Netdiag results from the child domain that the users are in:


___________________________________________

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PRSCGLW2DPR1
      Starting test: Connectivity
         ......................... PRSCGLW2DPR1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PRSCGLW2DPR1
      Starting test: Replications
         ......................... PRSCGLW2DPR1 passed test Replications
      Starting test: NCSecDesc
         ......................... PRSCGLW2DPR1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... PRSCGLW2DPR1 passed test NetLogons
      Starting test: Advertising
         ......................... PRSCGLW2DPR1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... PRSCGLW2DPR1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... PRSCGLW2DPR1 passed test RidManager
      Starting test: MachineAccount
         ......................... PRSCGLW2DPR1 passed test MachineAccount
      Starting test: Services
         ......................... PRSCGLW2DPR1 passed test Services
      Starting test: ObjectsReplicated
         ......................... PRSCGLW2DPR1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... PRSCGLW2DPR1 passed test frssysvol
      Starting test: kccevent
         ......................... PRSCGLW2DPR1 passed test kccevent
      Starting test: systemlog
         ......................... PRSCGLW2DPR1 passed test systemlog

   Running enterprise tests on : eu.primus
      Starting test: Intersite
         ......................... eu.primus passed test Intersite
      Starting test: FsmoCheck
         ......................... eu.primus passed test FsmoCheck

C:\Documents and Settings\Administrator>

________________________________________________________




C:\Documents and Settings\Administrator>netdiag

............................................

    Computer Name: PRSCGLW2DPR1
    DNS Host Name: prscglw2dpr1.sc.eu.primus
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
    List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection 3

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : prscglw2dpr1
        IP Address . . . . . . . . : 172.17.32.11
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.17.32.1
        Primary WINS Server. . . . : 172.17.32.11
        Secondary WINS Server. . . : 172.17.29.39
        Dns Servers. . . . . . . . : 172.17.32.11
                                     172.17.29.39
                                     172.16.100.15
                                     172.17.29.37


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{9CC2283A-95B1-4F31-9CD5-06BE61C80946}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '172.17.32.11
' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '172.17.29.39
' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '172.16.100.1
5' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '172.17.29.37
' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{9CC2283A-95B1-4F31-9CD5-06BE61C80946}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{9CC2283A-95B1-4F31-9CD5-06BE61C80946}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully

C:\Documents and Settings\Administrator>



___________________________________________________

Walter Padrón Commented:
he_who_dares, I see no problems at all with your child domain. Can you check if the ISA server is not denying connections to domain controllers in your child domain?

 
he_who_dares (Author) Commented:
wpadron > I believe the ISA is part of the problem so giving you the points for this.