Solved

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Posted on 2010-08-27
5
4,668 Views
Last Modified: 2012-06-27
On a Small Business Server 2008 server - with SQL Server 2008 installed - I am getting the following message TWICE every five minutes in the application log:


Log Name:      Application
Source:        SceCli
Date:          28/08/2010 7:25:23 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SGS03.SolventGreen.local
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SceCli" />
    <EventID Qualifiers="32768">1202</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-27T21:25:23.000Z" />
    <EventRecordID>374850</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SGS03.SolventGreen.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -&gt; Run -&gt; RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -&gt; Run -&gt; MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.</Data>
  </EventData>
</Event>




When I run the following command per the instructions above:
C:\Windows>FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

I get the following output:

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
etc


When I use Rsop.msc to find out which policies have these 'bad' accounts in them it lists :
Adjust memory quotas for a process
Bypass traverse checking
Log on a service
Replace a process level token

Each of the four policies above has MSSQLSERVER and SQLSERVERAGENT listed as accounts - when they are obviously not accounts but Windows Service names for the two primary services for SQL Server

What do I need to do to fix these four policies so these error messages stop appearing ?
0
Comment
Question by:Michael Green
  • 3
  • 2
5 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33548063
Just to get an initial idea of how things got this way, was this a migration?
 
0
 

Author Comment

by:Michael Green
ID: 33548066
Yes - migrated from Small Business Server 2003.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33548089
Aye. As I suspected.
1) Have a backup.
2) Delete the accounts from the security permissions listed in the GPOs listed.
Should resolve your problem. Looks like some SQL service accounts didn't survive the migration. The SQL Server 2008 services are likely using different accounts (which you can verify if you desire) so removing the old accounts from the GPOs that are attempting to grant them permissions will complete that cleanup.
-Cliff
 
0
 

Author Comment

by:Michael Green
ID: 33548146
The SQL Server instance on the old Small Business Server 2003 server used a dedicated domain account to run its services - NOT called MSSQLSERVER or SQLSERVERAGENT.

So I'm a little puzzled as to why these service names would be specfiied in the 'Default Domain Controllers Policy' - instead of the actual account name used to run the SQL Server services.

Any ideas ?  Is there some way to specify a service name in a group policy object or reference the account name used to run the service ?
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33548282
Security policies always reference account names. So no, at some point those account names got inserted into the security policy. They do not reference service names.
HOW that got to be in such a fashion is a speculation that wouldn't help resolve the issue and where the answers are too varied to be performed with any accuracy. But the resolution still stands. Just make sure you have a backup and clean out the invalid data.
 
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now