Event ID 1202 SceCli

Here is a condition I run into quite frequently:

These are the details of the event:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions...

As a consultant who sees a lot of environments, I run into this often. It is easy to fix, but you really have to understand what is going on here. When the GPO is processed, it tries to enumerate the accounts listed in the GPOs. If it finds one that is invalid, you get this error. I recently helped an associate who was laboriously navigating KBs to try to resolve these errors. He was enabling extensive logging, searching logs, and otherwise getting nowhere. I solved the issue in three minutes by using the GUI.

You can try to follow these links to get rid of this error:




I have found a much simpler method to determine which SIDs aren't found in the directory when this policy is applied.  I simply open the policies and examine the most common settings for old or mistyped account names.

  1. Open the Group Policy Management snap-in.
  2. Near the bottom of the left-hand pane, you will see a Group Policy Objects container.  Expand this container.  It will contain all your GPOs for that domain.
  3. Click on each GPO that is applied to the computer displaying the error and examine the settings.  Navigate to the "Log on as a service" setting by expanding Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.  The invalid user or service accounts will most likely be in this setting, but there are other settings in User Rights Assignment you may have to examine if you fail to find invalid accounts here.
  4. What you are looking for is typos or old account entries.  I add each account again, but browse to it with the browse button.  If I can't find it, I remove the account name.  I often find that the account has been renamed or deleted when it was added.
  5. There is often more than one bad account so don't stop as soon as you find an invalid account entry.

If this doesn't make sense to you, feel free to follow the links above and make direct edits to the INF files you may or may not find by examining logs.  Better yet, post a comment and we'll try to clear it up together.
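
The same check can be scripted. The following is an added example, not part of the original post: it reads each GPO's security template from SYSVOL and reports entries under User Rights Assignment and Restricted Groups that no longer resolve. It assumes the GroupPolicy RSAT module, read access to SYSVOL, and the standard template location `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`; the function name `Test-Principal` is hypothetical.

```powershell
# Added example: list GPO security-template entries that do not resolve.
# Assumptions: GroupPolicy RSAT module installed, run as a domain user
# with read access to SYSVOL. Test-Principal is a hypothetical helper name.
Import-Module GroupPolicy

function Test-Principal {
    param([string]$Entry)
    try {
        if ($Entry.StartsWith('*')) {
            # A leading '*' marks a SID; check that it still maps to an account.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } else {
            # Plain text is an account name that must be mapped to a SID
            # when the policy is applied; a failed mapping is the 0x534 case.
            $acct = New-Object System.Security.Principal.NTAccount($Entry)
            [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
        }
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException], [System.ArgumentException] {
        return $false   # unknown account, stale SID, or malformed entry
    }
}

foreach ($gpo in Get-GPO -All) {
    $dom = $gpo.DomainName
    $inf = "\\$dom\SYSVOL\$dom\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO has no security template
    $section = ''
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # [Privilege Rights] = User Rights Assignment, [Group Membership] = Restricted Groups
        if ($section -notin 'Privilege Rights', 'Group Membership') { continue }
        if ($line -notmatch '^(.+?)\s*=\s*(.*)$') { continue }
        $setting = $Matches[1]
        $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            if (-not (Test-Principal $entry)) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Section = $section
                                   Setting = $setting; Entry = $entry }
            }
        }
    }
}
```

Entries reported without a leading `*` are account names that could not be mapped and are the ones to correct or remove in the GUI as described in the steps above; entries with a leading `*` are SIDs that no longer map to an account.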

Note to AD administrators: it is good practice to periodically examine your GPOs for old settings, which will help avoid these errors.  Active Directory is not completely self-healing.  It takes some upkeep to keep it running without errors.

