asked on

SACL Watcher error after Exch 2010 SP1 upgrade

Getting the following Warning in my Application events log after Exchange 2010 upgrade to SP1:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-4238427144-3071849471-1614350421-3235.

steinmto

To resolve: Added the group having problems to the Manage Auditing and
security log user right on the default domain controllers policy in
group policy management.

dcsned

ASKER

Steinmto,

Thank you for your response. I saw this solution online, and went to Group Policy and didn't know how to do what you stated. Could you walk me through this?

thanks!

steinmto

steinmto

That is where you would add the group at.

steinmto

Do you know what account S-1-5-21-4238427144-3071849471-1614350421-3235 is?

steinmto

It sounds like it is a deleted account since it is not showing the username. Here is a tool to show the username to sid name.

http://technet.microsoft.com/en-us/sysinternals/bb897417

dcsned

ASKER

Thank you...that was very helpful.
How do I find out which group the SID refers to?

steinmto

Here is a list of all sids that are default in windows.

http://support.microsoft.com/kb/243330

steinmto

This is most likely an account that was deleted.

steinmto

Here is a soultion I found on technet.

http://social.technet.microsoft.com/Forums/en/exchange2010/thread/f699b6f1-2945-46f9-94f5-26e6e1572946

dcsned

ASKER

The SID was for "Exchange Servers"
In my "Manage auditing and Security Log" the group "Exchange Enterprise Servers" is in there.
Do I also add the "Exchange servers" group to that policy?

ASKER CERTIFIED SOLUTION

steinmto

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

dcsned

ASKER

Thanks! You have been very helpful!

steinmto

Glad to help.