AD Problems

[The_KiD]

We have 2 AD servers, one primary and one backup.

On both servers we have started getting this error in the event logs.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 12/10/2006
Time: 09:44:09
User: N/A
Computer: SERVERFILE
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Thankfully it gives you fairly detailed instructions on on how to fix it:

1.Identify accounts that could not be resolved to a SID: From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.Identify the GPOs that contain the unresolvable account name:
From the command prompt type FIND /I "JohnDough" %SYSTEMROOT%\Security\templates\policies\gpt*.*
The output of the FIND command will resemble the following:
---------- GPT00000.DOM
---------- GPT00001.DOM
SeRemoteShutdownPrivilege=JohnDough
This indicates that of all the GPO’s being applied to this machine, the unresolvable account exists only in one GPO. Specifically, the cached GPO named GPT00001.DOM.
Now we need to determine the friendly name of this GPO in the next step.

3. Locate the friendly names of each of the GPOs that contain an unresolvable account name. These GPOs were identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "[Mapping] gpt0000?.dom =" in the FIND output identifies the friendly names for all GPO’s being applied to this machine.
Example: [Mapping] gpt00001.dom = User Rights Policy
In this case, the GPO that contains the unresolvable account (gpt00001.dom) has a friendly name of "User Rights Policy".

4. Remove unresolved accounts from each GPO that contains an unresolvable account.
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in…"
c. From the "Add/Remove Snap-in" dialog box select "Add…"
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. Right click on the first policy identified in step 3 and choose edit
h. Review each setting under Computer Configuration/ Windows Settings/ Security Settings/ Local Policies/ User Rights
Assignment or Computer Configuration/ Windows Settings/ SecuritySettings/ Restricted Groups for accounts identified in step 1.
i. Repeat steps 3g and 3h for all subsequent GPOs identified in step 3.

However in Step 1 where they find user John Doe, mine is coming back with "Cannot find Power Users".

I cannot find a policy which relates to power users and dont seem to have a power users group within AD?

 

[gooner_47]

This won't help, sorry but the reason it's not finding power users is because that group only exists on local computers

 

[The_KiD]

Well at least it gives me the reason why there is no power users group on my AD

Thanks Gooner, anyone else shed some light.