Solved

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Posted on 2010-08-27
5
4,641 Views
Last Modified: 2012-06-27
On a Small Business Server 2008 server - with SQL Server 2008 installed - I am getting the following message TWICE every five minutes in the application log:


Log Name:      Application
Source:        SceCli
Date:          28/08/2010 7:25:23 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SGS03.SolventGreen.local
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SceCli" />
    <EventID Qualifiers="32768">1202</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-27T21:25:23.000Z" />
    <EventRecordID>374850</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SGS03.SolventGreen.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -&gt; Run -&gt; RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -&gt; Run -&gt; MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.</Data>
  </EventData>
</Event>




When I run the following command per the instructions above:
C:\Windows>FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

I get the following output:

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
etc


When I use Rsop.msc to find out which policies have these 'bad' accounts in them it lists :
Adjust memory quotas for a process
Bypass traverse checking
Log on a service
Replace a process level token

Each of the four policies above has MSSQLSERVER and SQLSERVERAGENT listed as accounts - when they are obviously not accounts but Windows Service names for the two primary services for SQL Server

What do I need to do to fix these four policies so these error messages stop appearing ?
0
Comment
Question by:SGSMikeG
  • 3
  • 2
5 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33548063
Just to get an initial idea of how things got this way, was this a migration?
 
0
 

Author Comment

by:SGSMikeG
ID: 33548066
Yes - migrated from Small Business Server 2003.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33548089
Aye. As I suspected.
1) Have a backup.
2) Delete the accounts from the security permissions listed in the GPOs listed.
Should resolve your problem. Looks like some SQL service accounts didn't survive the migration. The SQL Server 2008 services are likely using different accounts (which you can verify if you desire) so removing the old accounts from the GPOs that are attempting to grant them permissions will complete that cleanup.
-Cliff
 
0
 

Author Comment

by:SGSMikeG
ID: 33548146
The SQL Server instance on the old Small Business Server 2003 server used a dedicated domain account to run its services - NOT called MSSQLSERVER or SQLSERVERAGENT.

So I'm a little puzzled as to why these service names would be specfiied in the 'Default Domain Controllers Policy' - instead of the actual account name used to run the SQL Server services.

Any ideas ?  Is there some way to specify a service name in a group policy object or reference the account name used to run the service ?
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33548282
Security policies always reference account names. So no, at some point those account names got inserted into the security policy. They do not reference service names.
HOW that got to be in such a fashion is a speculation that wouldn't help resolve the issue and where the answers are too varied to be performed with any accuracy. But the resolution still stands. Just make sure you have a backup and clean out the invalid data.
 
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Having an SQL database can be a big investment for a small company. Hardware, setup and of course, the price of software all add up to a big bill that some companies may not be able to absorb.  Luckily, there is a free version SQL Express, but does …
Introduction In my previous article (http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/SSIS/A_9150-Loading-XML-Using-SSIS.html) I showed you how the XML Source component can be used to load XML files into a SQL Server database, us…
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now