Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Posted on 2010-08-27
5
Medium Priority
?
5,010 Views
Last Modified: 2012-06-27
On a Small Business Server 2008 server - with SQL Server 2008 installed - I am getting the following message TWICE every five minutes in the application log:


Log Name:      Application
Source:        SceCli
Date:          28/08/2010 7:25:23 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SGS03.SolventGreen.local
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SceCli" />
    <EventID Qualifiers="32768">1202</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-27T21:25:23.000Z" />
    <EventRecordID>374850</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SGS03.SolventGreen.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -&gt; Run -&gt; RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -&gt; Run -&gt; MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.</Data>
  </EventData>
</Event>




When I run the following command per the instructions above:
C:\Windows>FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

I get the following output:

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
        Cannot find MSSQLSERVER.
        Cannot find SQLSERVERAGENT.
etc


When I use Rsop.msc to find out which policies have these 'bad' accounts in them it lists :
Adjust memory quotas for a process
Bypass traverse checking
Log on a service
Replace a process level token

Each of the four policies above has MSSQLSERVER and SQLSERVERAGENT listed as accounts - when they are obviously not accounts but Windows Service names for the two primary services for SQL Server

What do I need to do to fix these four policies so these error messages stop appearing ?
0
Comment
Question by:Michael Green
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 33548063
Just to get an initial idea of how things got this way, was this a migration?
 
0
 

Author Comment

by:Michael Green
ID: 33548066
Yes - migrated from Small Business Server 2003.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 33548089
Aye. As I suspected.
1) Have a backup.
2) Delete the accounts from the security permissions listed in the GPOs listed.
Should resolve your problem. Looks like some SQL service accounts didn't survive the migration. The SQL Server 2008 services are likely using different accounts (which you can verify if you desire) so removing the old accounts from the GPOs that are attempting to grant them permissions will complete that cleanup.
-Cliff
 
0
 

Author Comment

by:Michael Green
ID: 33548146
The SQL Server instance on the old Small Business Server 2003 server used a dedicated domain account to run its services - NOT called MSSQLSERVER or SQLSERVERAGENT.

So I'm a little puzzled as to why these service names would be specfiied in the 'Default Domain Controllers Policy' - instead of the actual account name used to run the SQL Server services.

Any ideas ?  Is there some way to specify a service name in a group policy object or reference the account name used to run the service ?
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1000 total points
ID: 33548282
Security policies always reference account names. So no, at some point those account names got inserted into the security policy. They do not reference service names.
HOW that got to be in such a fashion is a speculation that wouldn't help resolve the issue and where the answers are too varied to be performed with any accuracy. But the resolution still stands. Just make sure you have a backup and clean out the invalid data.
 
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question